{ "Name": "LINKSYS TomatoUSB shell.cgi RCE", "Description": "

TomatoUSB is an alternative Linux-based firmware for Broadcom-based Ethernet routers. It is a modification of the well-known Tomato firmware that adds built-in USB port support, wireless-N support, support for several newer router models, and various other enhancements.

Log in to the LINKSYS TomatoUSB router's web interface with the default username and password (admin:admin).

Execute arbitrary system commands on the router through shell.cgi.

", "Product": "LINKSYS TomatoUSB", "Homepage": "http://tomatousb.org/", "DisclosureDate": "2022-03-25", "Author": "atdpa4sw0rd@gmail.com", "FofaQuery": "banner=\"TomatoUSB\" || header=\"TomatoUSB\"", "GobyQuery": "banner=\"TomatoUSB\" || header=\"TomatoUSB\"", "Level": "2", "Impact": "

An attacker who can reach the web management interface can log in with the default username and password (admin:admin)

and execute arbitrary system commands on the router, including spawning a reverse shell.

", "Recommendation": "

1. Change the default administrator password immediately.

2. Do not expose the device's management interface to the public Internet.

3. Update to the latest firmware as soon as it is available.

", "References": [ "https://fofa.so/" ], "Is0day": false, "HasExp": true, "ExpParams": [ { "name": "cmd", "type": "input", "value": "cat /etc/passwd", "show": "" } ], "ExpTips": { "Type": "", "Content": "" }, "ScanSteps": [ "AND", { "Request": { "method": "GET", "uri": "/test.php", "follow_redirect": true, "header": {}, "data_type": "text", "data": "" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "test", "bz": "" } ] }, "SetVariable": [] } ], "ExploitSteps": [ "AND", { "Request": { "method": "GET", "uri": "/test.php", "follow_redirect": true, "header": {}, "data_type": "text", "data": "" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "test", "bz": "" } ] }, "SetVariable": [] } ], "Tags": [ "rce" ], "VulType": [ "rce" ], "CVEIDs": [ "" ], "CNNVD": [ "" ], "CNVD": [ "" ], "CVSSScore": "9.8", "Translation": { "CN": { "Name": "LINKSYS TomatoUSB router backend command execution", "Product": "LINKSYS TomatoUSB", "Description": "

TomatoUSB is an alternative Linux-based firmware for Broadcom-based Ethernet routers. It is a modification of the well-known Tomato firmware that adds built-in USB port support, wireless-N support, support for several newer router models, and various other enhancements.

After logging in to the LINKSYS TomatoUSB router with the default account (admin:admin), an attacker can execute arbitrary commands.

", "Recommendation": "

1. Change the default administrator password immediately.

2. Do not expose the device's management interface to the public Internet.

3. Update to the latest firmware as soon as it is available.

", "Impact": "

The device can be logged in to with the default password,

after which commands can be executed, a reverse shell spawned, and other dangerous operations performed.

", "VulType": [ "Command execution" ], "Tags": [ "Command execution" ] }, "EN": { "Name": "LINKSYS TomatoUSB shell.cgi RCE", "Product": "LINKSYS TomatoUSB", "Description": "

TomatoUSB is an alternative Linux-based firmware for Broadcom-based Ethernet routers. It is a modification of the well-known Tomato firmware that adds built-in USB port support, wireless-N support, support for several newer router models, and various other enhancements.

Log in to the LINKSYS TomatoUSB router's web interface with the default username and password (admin:admin).

Execute arbitrary system commands on the router through shell.cgi.

", "Recommendation": "

1. Change the default administrator password immediately.

2. Do not expose the device's management interface to the public Internet.

3. Update to the latest firmware as soon as it is available.

", "Impact": "

An attacker who can reach the web management interface can log in with the default username and password (admin:admin)

and execute arbitrary system commands on the router, including spawning a reverse shell.

", "VulType": [ "rce" ], "Tags": [ "rce" ] } }, "AttackSurfaces": { "Application": null, "Support": null, "Service": null, "System": null, "Hardware": null } }
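The whole PoC above rests on one precondition: the router still answers to the default admin:admin account. The ScanSteps and ExploitSteps in the JSON are the Goby template placeholder (a GET to /test.php expecting the word "test"), so the actual request logic is not on this page, and the shell.cgi parameters it uses are not documented here either. The script below is an added example, not part of this Goby PoC or of the TomatoUSB project; it only tests the default-credential precondition and applies the page's own fingerprint (banner or header containing "TomatoUSB"). It assumes, and this is not stated on the page, that the router protects its web UI with HTTP Basic authentication and returns 401 when credentials are missing or wrong; the target address is a placeholder.

```python
"""
Default-credential check for a TomatoUSB web interface.

Added example, not part of the Goby PoC or the TomatoUSB project.
Assumptions not stated on the page: the router's web UI uses HTTP Basic
authentication and answers 401 without valid credentials; the landing page
or a response header contains "TomatoUSB" (the page's FOFA/Goby fingerprint).
The target URL below is a placeholder.
"""
import base64
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple

DEFAULT_CREDS = ("admin", "admin")  # default account named in the PoC description


def basic_auth_header(username: str, password: str) -> str:
    """Build the value of an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def looks_like_tomatousb(headers: Dict[str, str], body: str) -> bool:
    """Mirror the page's fingerprint: a header or the body mentions TomatoUSB."""
    haystack = " ".join(f"{k}: {v}" for k, v in headers.items()) + " " + body
    return "tomatousb" in haystack.lower()


def classify(status_no_creds: int, status_default_creds: int) -> str:
    """
    Interpret two probes of the admin page:
      200 anonymously                    -> "no-auth": UI not protected at all
      401 anonymously, 200 as admin:admin -> "default-credentials"
      401 both times                     -> "auth-enforced": non-default password
      anything else                      -> "unknown" (redirects, 403, errors)
    """
    if status_no_creds == 200:
        return "no-auth"
    if status_no_creds == 401 and status_default_creds == 200:
        return "default-credentials"
    if status_no_creds == 401 and status_default_creds == 401:
        return "auth-enforced"
    return "unknown"


def fetch(url: str, auth: Optional[str] = None,
          timeout: float = 5.0) -> Tuple[int, Dict[str, str], str]:
    """GET url and return (status, headers, body); HTTP errors become statuses."""
    headers = {"Authorization": auth} if auth else {}
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(4096).decode(errors="replace")
            return resp.status, dict(resp.headers), body
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), ""


def probe(base_url: str, timeout: float = 5.0) -> Dict[str, object]:
    """Run the anonymous and default-credential probes against one router."""
    anon_status, anon_headers, anon_body = fetch(base_url + "/", None, timeout)
    default_status, _, _ = fetch(base_url + "/",
                                 basic_auth_header(*DEFAULT_CREDS), timeout)
    return {
        "fingerprint": looks_like_tomatousb(anon_headers, anon_body),
        "result": classify(anon_status, default_status),
    }


if __name__ == "__main__":
    # Placeholder target: replace with a router you are authorised to test.
    print(probe("http://192.168.1.1"))
```

A "default-credentials" result on a device that also matches the fingerprint is exactly the state the PoC exploits; the fix is recommendation 1 (change the password) together with recommendation 2 (keep the interface off the public Internet), and the script can be re-run after both to confirm "auth-enforced". Any result other than a clean 401/200 pair is reported as "unknown" rather than guessed, since some firmware builds redirect or return 403 instead.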