A security researcher at Netsecfish has discovered a critical command injection vulnerability (CVE-2024-12987) affecting the web management interface of DrayTek gateway devices. This vulnerability impacts over 66,000 internet-connected devices and allows remote attackers to execute arbitrary commands. The flaw resides in the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint, where improper sanitization of the session parameter allows for command injection attacks.
| Product | DrayTek Vigor |
| Date | 2025-01-10 15:58:02 |
| Information |
|
Technical Summary
A command injection vulnerability exists in DrayTek Vigor2960 and Vigor300B devices running software version 1.5.1.4. The vulnerability occurs due to improper input sanitization of the ‘session’ parameter in the web management interface, within the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint.
The vulnerability can be exploited by sending a specially crafted HTTP request with a maliciously formatted session parameter. The injected payload follows the format: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0\xb4%52$c%52$c<INJECTED_COMMAND>. Successful exploitation requires the use of the HTTP/1.0 protocol.
Affected Products:
- DrayTek Vigor2960 (Version 1.5.1.4)
- DrayTek Vigor300B (Version 1.5.1.4)
Impact:
Successful exploitation could allow attackers to:
- Execute arbitrary system commands remotely
- Manipulate device configurations
- Extract sensitive information
- Potentially compromise internal networks
Technical Details:
- Entry point:
/cgi-bin/mainfunction.cgi/apmcfgupload - Vulnerable parameter:
session - Required protocol: HTTP/1.0
- Payload format:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0\xb4%52$c%52$c<INJECTED_COMMAND>
Recommendations
Administrators should:
- Apply input validation to all CGI script parameters
- Restrict access to the web management interface
- Monitor and apply firmware updates when available
- Implement an IP whitelist for management access
[Callforaction-THREAT-Footer]
