Ruijie NBR Series Routers Information Disclosure Vulnerability
Vulnerability
An information disclosure vulnerability has been identified in Ruijie NBR series routers, specifically in the NBR2000G, NBR1300G, and NBR1000 models. The vulnerability arises in the /WEB_VMS/LEVEL15/ endpoint, where an unauthenticated attacker can retrieve administrative account credentials in plaintext. This is achieved by sending a crafted POST request with modified Cookie headers and specially formatted parameters. The issue stems from inadequate authentication checks and flawed backend logic, allowing direct access to sensitive user data.
Impact
Exploitation of this vulnerability leads to unauthorized access to administrative credentials, allowing attackers to gain elevated privileges on the affected router.
Reproduction
To reproduce this vulnerability, modify the Cookie headers to include 'auth' and 'user' values. Then, send a POST request to the '/WEB_VMS/LEVEL15/' endpoint with the 'command' parameter set to 'show webmaster users', the 'strurl' parameter set to 'exec' with a specific control character, the 'mode' parameter set to 'PRIV_EXEC', and the 'signname' parameter set to 'Red-Giant'. This will result in the disclosure of the admin account's username and password.
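For detection, the request described above can be matched in HTTP logs from a proxy or WAF sitting in front of the router's management interface. The Python code below is an added example, not part of the original advisory; the JSON log format, its field names (src, method, url, body) and the sample lines are assumptions constructed for illustration.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter values as given in the advisory text.
ENDPOINT = "/WEB_VMS/LEVEL15"
EXPECTED = {"mode": "PRIV_EXEC", "signname": "Red-Giant"}
SENSITIVE_COMMAND = "show webmaster users"

def classify(record):
    """Return 'alert', 'suspect' or None for one logged HTTP request."""
    if record.get("method", "").upper() != "POST":
        return None
    path = urlsplit(record.get("url", "")).path.rstrip("/")
    if path.upper() != ENDPOINT:
        return None
    # keep_blank_values so an empty parameter still counts as present
    form = {k.lower(): v[0] for k, v in
            parse_qs(record.get("body", ""), keep_blank_values=True).items()}
    command = " ".join(form.get("command", "").lower().split())
    if command == SENSITIVE_COMMAND:
        return "alert"
    # Same pass-through parameters with a different command: worth review.
    if all(form.get(k) == v for k, v in EXPECTED.items()):
        return "suspect"
    return None

def scan(lines):
    """Return a list of (source_ip, verdict) for every flagged JSON log line."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            record = None  # malformed line: skip it rather than abort the scan
        verdict = classify(record) if isinstance(record, dict) else None
        if verdict:
            hits.append((record.get("src"), verdict))
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '{"src":"198.51.100.7","method":"POST","url":"/WEB_VMS/LEVEL15/","body":"command=show+webmaster+users&mode=PRIV_EXEC&signname=Red-Giant"}',
    '{"src":"192.0.2.10","method":"POST","url":"/WEB_VMS/LEVEL15/","body":"command=show+version&mode=PRIV_EXEC&signname=Red-Giant"}',
    '{"src":"192.0.2.10","method":"GET","url":"/index.htm","body":""}',
    'not json',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

An "alert" verdict on a request from an address that is not an administrator workstation should be treated as credential exposure, and the router's admin password rotated.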
