RCE in Gocloud Routers (authenticated) - (CVE-2020-8949)

### - RCE in Gocloud Routers (authenticated) - (CVE-2020-8949) [ ](https://1.bp.blogspot.com/-qbJ_w3wRXw0/XkGnx8dqbHI/AAAAAAAAAw8/qCZmp_YbVHEmdcHIesX2xEB1jvY1sfrdwCLcBGAsYHQ/s1600/1.png)[ ](https://1.bp.blogspot.com/-qbJ_w3wRXw0/XkGnx8dqbHI/AAAAAAAAAw8/qCZmp_YbVHEmdcHIesX2xEB1jvY1sfrdwCLcBGAsYHQ/s1600/1.png)[ ](https://1.bp.blogspot.com/-qbJ_w3wRXw0/XkGnx8dqbHI/AAAAAAAAAw8/qCZmp_YbVHEmdcHIesX2xEB1jvY1sfrdwCLcBGAsYHQ/s1600/1.png) [](https://images.seebug.org/1583429187859-w331s) The following Gould routes are vulnerable to OS command Injection: ** ****Affected Versions:** - _GOCLOUD S2A_WL - Firmware Version 4.2.7.16471_ - _GOCLOUD S2A \- Firmware Version 4.2.7.17278 _ - _GOCLOUD S2A \- Firmware Version 4.3.0.15815 _ - _GOCLOUD S2A \- Firmware Version 4.3.0.17193_ - _GOCLOUD S3A (K2P MTK Version) - Firmware Version 4.2.7.16528 _ - _GOCLOUD S3A \- Firmware Version 4.3.0.16572_ - _GOCLOUD ISP3000 Intel(R) Xeon(R) E5-2660 - Firmware Version 4.3.0.17190_ [](https://images.seebug.org/1583429195125-w331s) [](https://images.seebug.org/1583429208434-w331s) It seems that these routers are widely used in China, and they are also vulnerable to injecting commands in the systemtools diagnostic function Within the "ping" function in the url, it is possible to inject commands by escaping with ";" at the beginning and end of the injected command **for example:** _**http://x.x.x.x:8088/cgi-bin/webui/admin/tools/app_ping/diag_ping/**_ **;df;** _/5/56/false.com_ This must be executed once the application is authenticated. [](https://images.seebug.org/1583429217753-w331s) [](https://images.seebug.org/1583429220621-w331s) [](https://images.seebug.org/1583429236877-w331s) [](https://images.seebug.org/1583429241559-w331s) I encountered the problem that some characters gave me problems, such as "/", so I used base64 to encode the payload [](https://images.seebug.org/1583429247018-w331s) **CVE-2020-8949** ** **By: @Linuxmonr4