This is a generic arbitrary file overwrite technique, which typically results in remote command execution. This targets a simple yet widespread vulnerability that has been seen affecting a variety of popular products including HP, Amazon, Apache, Cisco, etc. The idea is that often archive extraction libraries have no mitigations against directory traversal attacks. If an application uses it, there is a risk when opening an archive that is maliciously modified, and results in the embedded payload to be written to an arbitrary location (such as a web root), and results in remote code execution.
ff948c64df1f6f021439eaa12e78eb94Cisco Content Security Virtual Appliance M380 IronPort remote cross site host modification demo exploit.
a98fd2e94251ea2edc1d831fe438607dMany Cisco devices such as Cisco RV340, Cisco RV340W, Cisco RV345, Cisco RV345P, Cisco RV260, Cisco RV260P, Cisco RV260W, Cisco 160, and Cisco 160W suffer from having hard-coded credentials, known GNU glibc, known BusyBox, and IoT Inspector identified vulnerabilities.
c446ad84eeb90a116264677ada159562Cisco Email Security Virtual Appliance C380 IronPort remote host header injection exploit.
59fdeb6b686e0eb34a78c58ed8e75d61Cisco Email Security Virtual Appliance C300V IronPort remote host header injection exploit.
58c6e4353b033250b2b8241c3f4cd6e3Cisco Content Security Management Virtual Appliance M600V IronPort remote host header injection exploit.
229be091f2335df90cbf4ec41f426693Cisco IronPort C350 remote host header injection exploit.
5d3d449bc480bc3b9513a64b866d4390Cisco Email Security Virtual Appliance C370 IronPort remote host header injection exploit.
250531d59b2fbec5011f1896e26b6647Cisco Email Security Virtual Appliance C600V IronPort remote host header injection exploit.
fb41282af3b637cdf7710214c3675f01Cisco C690 Email Security Appliance version 11.0.2-044 IronPort remote host header injection exploit.
01e124610488c96055cc20617b17d833Cisco Email Security Virtual Appliance C100V IronPort remote host header injection exploit.
483058c8b4dc3d3438f5659205199510Cisco C170 Email Security Appliance version 10.0.3-003 IronPort remote host header injection exploit.
4cf229797e034faae84bece5e94cfe54Cisco M1070 Content Security Management Appliance IronPort remote host header injection exploit.
ec4e8152d383453c9248650b56aa9185The Cisco UCS Director virtual appliance contains two flaws that can be combined and abused by an attacker to achieve remote code execution as root. The first one, CVE-2019-1937, is an authentication bypass, that allows the attacker to authenticate as an administrator. The second one, CVE-2019-1936, is a command injection in a password change form, that allows the attacker to inject commands that will execute as root. This module combines both vulnerabilities to achieve the unauthenticated command injection as root. It has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0. Note that Cisco also mentions in their advisory that their IMC Supervisor and UCS Director Express are also affected by these vulnerabilities, but this module was not tested with those products.
a147290750eba4c14c3f5dfe91e25f2aThis Metasploit module abuses a known default password on Cisco UCS Director. The 'scpuser' has the password of 'scpuser', and allows an attacker to login to the virtual appliance via SSH. This module has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0. Note that Cisco also mentions in their advisory that their IMC Supervisor and UCS Director Express are also affected by these vulnerabilities, but this module was not tested with those products.
119059667e4c122ab82b873c814ccde3A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user. RV110W Wireless-N VPN Firewall versions prior to 1.2.2.1 are affected. RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected. RV215W Wireless-N VPN Router versions prior to 1.3.1.1 are affected. Note: successful exploitation may not result in a session, and as such, on_new_session will never repair the HTTP server, leading to a denial-of-service condition.
f2ecfadb9d5292bc0aad449c38fa7ae1Cisco IronPort C150 suffers from a remote host header injection vulnerability.
feac5342eb54086bd1e887565be25065Cisco (Titsco) Email Security Appliance (IronPort) C160 suffers from a host header injection vulnerability.
3e9f7dedb2e2db7c3663786c9765d891Cisco UCS Director, Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data suffer from default password, authentication bypass, and command injection vulnerabilities.
1b836f2892c60e53c35da6adba11922eThis Metasploit module exploits a security vulnerability in Cisco ASA that would allow an attacker to view sensitive system information without authentication by using directory traversal techniques.
c246cc914671c2270e2048bf01fba028Cisco Catalyst 3850 Series Device Manager version 3.6.10E suffers from a cross site request forgery vulnerability.
bf640f52455eebc617b1932da2a81ef2Cisco Wireless Controller version 3.6.10E suffers from a cross site request forgery vulnerability.
bb26d39cc95d12f76bb67164e18c9fa0Cisco Small Business switches versions 200, 300, and 500 suffer from information leakage and open redirection vulnerabilities.
eb2b5e1203a3fa2ae1b9100c12d53de7Cisco Data Center Network Manager (DCNM) versions 11.1(1) and below suffer from authentication bypass, arbitrary file upload, arbitrary file download, and information disclosure vulnerabilities.
2bd84aa0b859d4eb5b1a69ff91efea19This Metasploit module exploits a vulnerability found in Cisco Prime Infrastructure. The issue is that the TarArchive Java class the HA Health Monitor component uses does not check for any directory traversals while unpacking a Tar file, which can be abused by a remote user to leverage the UploadServlet class to upload a JSP payload to the Apache Tomcat's web apps directory, and gain arbitrary remote code execution. Note that authentication is not required to exploit this vulnerability.
6a669bb3bf795d44702236698b246f05
© 2019 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed