

In July 2021 we blogged about Mirai_ptea, a botnet spreading through an undisclosed vulnerability in KGUARD DVR devices. At first we thought it was a short-lived botnet that would soon disappear, so we just gave it a generic name. But clearly we underestimated the group behind this family, which has in fact been very active and was recently observed spreading through a 0-day vulnerability in the RUIJIE NBR700 series routers. It is interesting to note that the author included this paragraph in one of the updated samples:

_- you guys didnt pick up on the name? really? its ``RI-MA-SU-TA``.

Mirai_ptea_Rimasuta now has a built-in mechanism to check whether the running environment is a sandbox, and it encrypts its network traffic to counter network-level detection. Note that another Mirai variant, mirai_aurora, was the first to exploit this RUIJIE vulnerability to spread; we later noticed Mirai_ptea_Rimasuta starting to use the same exploit.

Vulnerability details

Vulnerability Type: Command injection vulnerability

Vulnerability Analysis: To avoid abuse, we are not disclosing the full details. A test interface named wget_test.asp exists on the RUIJIE router device. It accepts a URL passed in from the page for wget testing (the test is ultimately carried out by a script named wget_test.sh), but it does not check the incoming parameter for special characters, which leads to command injection.

Note: The interface requires login authentication. The description in this section covers only part of the vulnerability exploitation process.

We notified the vendor of the vulnerability. The vendor confirmed its existence and informed us that it has stopped maintaining this version of the device; the vendor believes the issue can be mitigated by changing the default password, so it does not intend to provide a new patch to fix the vulnerability.
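The root cause above is a URL parameter handed to a shell script without any character checks. As an added illustration (not Ruijie's code and not from the original post), here is how a "wget test" handler of that kind can be hardened: the parameter is parsed as a URL, checked against an allowlist, and wget is invoked with an argv list rather than through a shell string. The function names and the wget flags chosen are this example's own assumptions.

```python
# Added example, not vendor code: hardened handling of a URL parameter for a
# "wget test" feature, so shell metacharacters in the parameter can never
# reach /bin/sh as part of a command line.
import re
import subprocess
from typing import List, Optional
from urllib.parse import urlsplit

# Hostname: dot-separated labels of letters, digits and hyphens (IPv4 literals match too).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
# Path/query/fragment: URL-safe characters only; no quotes, backticks, $, ;, |, ( ) etc.
_PATH_RE = re.compile(r"^[A-Za-z0-9._~/?=&%+-]*$")
_ALLOWED_SCHEMES = {"http", "https"}


def validate_url(raw: str) -> Optional[str]:
    """Return a normalized http(s) URL if `raw` passes the allowlist, else None."""
    # Control characters and whitespace are rejected outright: nothing legitimate needs them.
    if not raw or len(raw) > 2048 or re.search(r"[\s\x00-\x1f\x7f]", raw):
        return None
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in _ALLOWED_SCHEMES or not parts.hostname:
        return None
    if parts.username or parts.password:  # embedded credentials are never needed for a reachability test
        return None
    if not _HOST_RE.match(parts.hostname):
        return None
    if port is not None and not 1 <= port <= 65535:
        return None
    if not _PATH_RE.match(parts.path + parts.query + parts.fragment):
        return None
    return parts.geturl()


def wget_test_argv(raw: str) -> Optional[List[str]]:
    """Build the wget argument vector, or None if the URL is rejected."""
    url = validate_url(raw)
    if url is None:
        return None
    # "--" ends option parsing, so a value starting with "-" cannot become a wget flag.
    return ["wget", "--spider", "--timeout=10", "--tries=1", "--", url]


def run_wget_test(raw: str) -> bool:
    """Run the reachability test; argv goes straight to execve, never to a shell."""
    argv = wget_test_argv(raw)
    if argv is None:
        return False
    return subprocess.run(argv, capture_output=True, timeout=30).returncode == 0
```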
