| Real Name | ribeirux |
|---|---|
| Email address | private |
| First Active | 2012-08-17 |
| Last Active | 2022-05-11 |
Full write up on the unauthenticated remote code execution and privilege escalation vulnerability in Cisco Prime Infrastructure.
058c3b31f20e8b93b4afb321381169fdced8081ba43437d03d084b037fa8cc10Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow an unauthenticated attacker to achieve remote code execution. The first flaw is a file upload vulnerability that allows the attacker to upload and execute files as the Apache Tomcat user; the second is a privilege escalation to root by bypassing execution restrictions in a SUID binary. This Metasploit module exploits these vulnerabilities to achieve unauthenticated remote code execution as root on the CPI default installation. This Metasploit module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. Earlier and later versions might also be affected, although 3.4.0.0.348 is the latest at the time of writing.
d4ddf2dda84d92bb39709e2fad5c269d7848c88a7bfbb904dd9732556b6c1a55IBM QRadar SIEM has three vulnerabilities in the Forensics web application that when chained together allow an attacker to achieve unauthenticated remote code execution. The first stage bypasses authentication by fixating session cookies. The second stage uses those authenticated sessions cookies to write a file to disk and execute that file as the "nobody" user. The third and final stage occurs when the file executed as "nobody" writes an entry into the database that causes QRadar to execute a shell script controlled by the attacker as root within the next minute. Details about these vulnerabilities can be found in the advisories listed in References. The Forensics web application is disabled in QRadar Community Edition, but the code still works, so these vulnerabilities can be exploited in all flavors of QRadar. This Metasploit module was tested with IBM QRadar CE 7.3.0 and 7.3.1. IBM has confirmed versions up to 7.2.8 patch 12 and 7.3.1 patch 3 are vulnerable. Due to payload constraints, this module only runs a generic/shell_reverse_tcp payload.
3d8c4d902558e74f1ecb7dc3aab2036af92311ee73dceacaf719150db4d51a4cIBM QRadar SIEM versions prior to 7.3.1 Patch 3 or 7.2.8 Patch 28 suffer from authentication bypass, code execution, and privilege escalation vulnerabilities.
09d2ce6f6bb5af6c230e14fb58055683cecf02e7b8d5fa6519e44d12f4118a15DrayTek Vigor ACS server, a remote enterprise management system for DrayTek routers, uses a vulnerable version of the Adobe / Apache Flex Java library that has a deserialisation vulnerability. This can be exploited by an unauthenticated attacker to achieve remote code execution as root / SYSTEM on all versions until 2.2.2. Exploit code included.
60c785cb65ea73995e98356a426bb3d66989648127e57b852b5e6e7136b2cfa1The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to perform a POST in certain cases. This can be combined with another vulnerability in the VPN configuration upload routine that sets NVRAM configuration variables directly from the POST request to enable a special command mode. This command mode can then be abused by sending a UDP packet to infosvr, which is running on port UDP 9999 to directly execute commands as root. This exploit leverages that to start telnetd in a random port, and then connects to it. It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743.
6da7c92100a89101fa69018aa3816aa9505957ebeb1384b2e303db3bf235ef0cBMC Track-It! version 11.4 suffers from remote code execution and credential disclosure vulnerabilities.
730930cd82684c933b0bc63f3b3b94295c0661fa95347f9c3091dffb51321802AsusWRT Router versions prior to 3.0.0.4.380.7743 suffer from an unauthenticated LAN remote code execution vulnerability.
d1c7e3083bad3b151c9ec2e284e0a81a21a91275554106af01e0a4934e1d7a8eThe NETGEAR WNR2000 router has a buffer overflow vulnerability in the hidden_lang_avi parameter. In order to exploit it, it is necessary to guess the value of a certain timestamp which is in the configuration of the router. An authenticated attacker can simply fetch this from a page, but an unauthenticated attacker has to brute force it. Brute-forcing the timestamp token might take a few minutes, a few hours, or days, but it is guaranteed that it can be brute-forced. This Metasploit module implements both modes, and it works very reliably. It has been tested with the WNR2000v5, firmware versions 1.0.0.34 and 1.0.0.18. It should also work with hardware revisions v4 and v3, but this has not been tested - with these routers it might be necessary to adjust the LibcBase variable as well as the gadget addresses.
9a070ce74f71e2662326a2f24f0e886e3c26c8510e555c2e622810bbc7f545edTrueOnline is a major ISP in Thailand, and it distributes a customized version of the ZyXEL P660HN-T v2 router. This customized version has an authenticated command injection vulnerability in the remote log forwarding page. This can be exploited using the "supervisor" account that comes with a default password on the device. This Metasploit module was tested in an emulated environment, as the author doesn't have access to the Thai router any more. Any feedback should be sent directly to the module's author, as well as to the Metasploit project. Note that the inline payloads work best. There are Turkish and other language strings in the firmware, so it is likely that this firmware is not only distributed in Thailand. Other P660HN-T v2 in other countries might be vulnerable too.
de84bdde92bf9435c86a7ac81b6e5ba2f27918ee7e44aeb7bf13b6c9f8eae47cTrueOnline is a major ISP in Thailand, and it distributes a customized version of the Billion 5200W-T router. This customized version has at least two command injection vulnerabilities, one authenticated and one unauthenticated, on different firmware versions. This Metasploit module will attempt to exploit the unauthenticated injection first, and if that fails, it will attempt to exploit the authenticated injection. This Metasploit module was tested in an emulated environment, as the author doesn't have access to the Thai router any more. Any feedback should be sent directly to the module's author, as well as to the Metasploit project. There are other language strings in the firmware, so it is likely that this firmware is not only distributed in Thailand. Other Billion 5200W-T in other countries might be vulnerable too.
99d03703568f8b1eedaa7f5fc6cf867d738c77fb56d8b79d2b1ae985377b6d1bTrueOnline is a major ISP in Thailand, and it distributes a customised version of the ZyXEL P660HN-T v1 router. This customised version has an unauthenticated command injection vulnerability in the remote log forwarding page. This Metasploit module was tested in an emulated environment, as the author doesn't have access to the Thai router any more. Any feedback should be sent directly to the module's author, as well as to the Metasploit project. There are other language strings in the firmware, so it is likely that this firmware is not only distributed in Thailand. Other P660HN-T v1 in other countries might be vulnerable too.
0ec8cd4f941f9ce9beafa6da206e70eb9f5c14a6da5fdf46f3c0c173761cf5d6TrueOnline is a Thai ISP that distributes customized versions of ZyXEL and Billion routers - customized with vulnerabilities that is. The routers contain several default administrative accounts and command injections that can be abused by authenticated and unauthenticated attackers.
10903d4befe721f251a632833452082ea225e42bdd36042d0be7edf4cbdab914Netgear WNR2000 suffers from a remote code execution vulnerability and various other security issues.
4d840ad95b6a4e6ffcfbdc06d54203748e463cde9adb5d6be5be3a975216ee2eSeveral Dlink routers contain a pre-authentication stack buffer overflow vulnerability, which is exposed on the LAN interface on port 80. This vulnerability affects the HNAP SOAP protocol, which accepts arbitrarily long strings into certain XML parameters and then copies them into the stack. This exploit has been tested on the real devices DIR-818LW and 868L (rev. B), and it was tested using emulation on the DIR-822, 823, 880, 885, 890 and 895. Others might be affected, and this vulnerability is present in both MIPS and ARM devices. The MIPS devices are powered by Lextra RLX processors, which are crippled MIPS cores lacking a few load and store instructions. Because of this the payloads have to be sent unencoded, which can cause them to fail, although the bind shell seems to work well. For the ARM devices, the inline reverse tcp seems to work best. Check the reference links to see the vulnerable firmware versions.
f09dc3e03a56a9a9441af1cc6229aa3bd868aca364888ba73e07ec9a07559e11A stack buffer overflow affects several D-Link routers and can be exploited by an unauthenticated attacker. The interesting thing about this vulnerability is that it affects both ARM and MIPS devices, so exploitation is slightly different for each type.
cb979ec54ab67f3c6ce43a8df2d9651d4f4b33a1511fd13e636ea603d7c292d6This Metasploit module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an unauthenticated user to upload text files by using a directory traversal attack on the FileUploadServlet servlet. A JSP file can be uploaded that then drops and executes a malicious payload, achieving code execution under the user which the WebNMS server is running. This Metasploit module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on Windows and Linux.
3487474dddb39cb18412107fef3b60ba87315ceeb45fdeb39935f59439c71a93The NVRmini 2 Network Video Recorder and the ReadyNAS Surveillance application are vulnerable to an unauthenticated remote code execution on the exposed web administration interface. This results in code execution as root in the NVRmini and the 'admin' user in ReadyNAS. This exploit has been tested on several versions of the NVRmini 2 and the ReadyNAS Surveillance. It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested in those devices.
4ba89f6c713b97601f4d0f7f4247df8839c79b72366474692143a9ce61a45d08The NVRmini 2 Network Video Recorder, Crystal NVR and the ReadyNAS Surveillance application are vulnerable to an authenticated remote code execution on the exposed web administration interface. An administrative account is needed to exploit this vulnerability. This results in code execution as root in the NVRmini and the 'admin' user in ReadyNAS. This exploit has been tested on several versions of the NVRmini 2, Crystal and the ReadyNAS Surveillance. It probably also works on the NVRsolo and other Nuuo devices, but it has not been tested in those devices.
c1fe6b091d64c6ffde8067884a1a1cfdb89fc96e74975fa66a11765b3d24a22fWebNMS Framework versions 5.2 and 5.2 SP1 suffer from directory traversal, code execution, weak obfuscation, and user impersonation vulnerabilities.
9dac125470dd3174093290f26e3dd75ee6cf75cba7fee3ad35151a45855d5c0aNUUO NVRmini2 / NVRsolo / Crystal devices and NETGEAR ReadyNAS suffer from multiple security issues that result in remote code execution, backdoor access, buffer overflow, and various other vulnerabilities.
bf5b9b9d392b13530fe4985e7374bba1178cae9346921dade84d3c31ba0891fcThis Metasploit module exploits an authenticated arbitrary file upload via directory traversal to execute code on the target. It has been tested on versions 6.5 and 7.1.0, in Windows and Linux installations of Novell ServiceDesk, as well as the Virtual Appliance provided by Novell.
afb4d4be28fcad92ea6a38d635b3b06845a31d2df0ef58120226aa7d288d0c15Novell Service Desk versions 7.1.0 and below suffer from code execution, information disclosure, cross site scripting, remote file upload, HQL injection, and traversal vulnerabilities.
c58735b33740e5edd50a8cae45802afa2db11198bcbbc4f1e7779e1640bb8f1cNetgear's ProSafe NMS300 is a network management utility that runs on Windows systems. The application has a file upload vulnerability that can be exploited by an unauthenticated remote attacker to execute code as the SYSTEM user. Two servlets are vulnerable, FileUploadController (located at /lib-1.0/external/flash/fileUpload.do) and FileUpload2Controller (located at /fileUpload.do). This Metasploit module exploits the latter, and has been tested with versions 1.5.0.2, 1.4.0.17 and 1.1.0.13.
21b61eacb45384fca46646a93d57a232dc9d4a63ea542dc6fb29807e1a4dc643Netgear Pro NMS 300 suffers from code execution and arbitrary file download vulnerabilities.
bd8afe526581d0c940240674b8f3e8ad40ed6f11a99c8f7c416c4282267549ff
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed