CVE-2021-33221 PoC — CommScope Ruckus IoT Controller 访问控制错误漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-33221.yaml

Associated Vulnerability

Title:CommScope Ruckus IoT Controller 访问控制错误漏洞 (CVE-2021-33221)
Description:Commscope CommScope Ruckus IoT Controller是美国康普（Commscope）公司的一款物联网控制器。与SmartZone控制器集成的虚拟控制器，可为非Wi-Fi设备执行连接，设备和安全管理功能。 CommScope Ruckus IoT Controller 1.7.1.0 版本及之前版本中存在访问控制错误漏洞，该漏洞源于系统中有三个 API 端点无需身份验证即可访问，其中两个端点会导致信息泄漏和计算/存储资源的消耗，不需要身份验证的第三个 API 端点允许物联网控制

Description

CommScope Ruckus IoT Controller is susceptible to information disclosure vulnerabilities because a 'service details' API endpoint discloses system and configuration information to an attacker without requiring authentication. This information includes DNS and NTP servers that the devices use for time and host resolution. It also includes the internal hostname and IoT Controller version. A fully configured device in production may leak other, more sensitive information (API keys and tokens).

File Snapshot


 id: CVE-2021-33221

info:
  name: CommScope Ruckus IoT Controller - Information Disclosure
  author:

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!