diff --git a/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md b/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md index a4960686f0..59b189e30a 100644 --- a/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md +++ b/documentation/modules/exploit/linux/http/geutebruck_testaction_exec.md 
@@ -1,34 +1,41 @@ ## Vulnerable Application -The following [Geutebruck](https://www.geutebrueck.com) products using firmware <= 1.12.0.25 and also the 1.12.13.2 and the 1.12.14.5: -Encoder and E2 Series Camera models: -G-Code: - EEC-2xxx -G-Cam: - EBC-21xx - EFD-22xx - ETHC-22xx - EWPC-22xx +The following [Geutebruck](https://www.geutebrueck.com) products using firmware versions <= 1.12.0.25, +firmware version 1.12.13.2 or firmware version 1.12.14.5: +* Encoder and E2 Series Camera models: + * G-Code: + * EEC-2xxx + * G-Cam: + * EBC-21xx + * EFD-22xx + * ETHC-22xx + * EWPC-22xx Many brands use the same firmware: -UDP Technology (which is also the supplier of the firmware for the other vendors) -Ganz -Visualint -Cap -THRIVE Intelligence -Sophus -VCA -TripCorps -Sprinx Technologies -Smartec -Riva + * UDP Technology (which is also the supplier of the firmware for the other vendors) + * Ganz + * Visualint + * Cap + * THRIVE Intelligence + * Sophus + * VCA + * TripCorps + * Sprinx Technologies + * Smartec + * Riva -This module has been tested on a Geutebruck 5.02024 G-Cam/EFD-2250 running 1.12.14.5 firmware. +This module has been tested on a Geutebruck 5.02024 G-Cam EFD-2250 running firmware version 1.12.14.5. ### Description -This exploit a simple OS command injection (CVE-2020-16205) in the /uapi-cgi/admin/testaction.cgi page of the web interface. -Here is the advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03 +This module exploits an authenticated OS command injection vulnerability (CVE-2020-16205) within the +`server` GET parameter of /uapi-cgi/admin/testaction.cgi when the `type` parameter is set to `ntp`. +This issue occurs due to a lack of validation on the `server` parameter, which allows an attacker to +inject a new line character, followed by the command they wish to execute, at which point the server will +then interpret the new string as a separate command to be executed. 
Successful exploitation will result in +remote code execution as the `root` user. + +Users can find additional details of this vulnerability on the advisory page at https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03. ## Verification Steps @@ -58,7 +65,6 @@ The password of the username used to authenticate on the admin page. **Default: ``` msf5 > use exploit/linux/http/geutebruck_testaction_exec -msf5 exploit(linux/http/geutebruck_testaction_exec) > msf5 exploit(linux/http/geutebruck_testaction_exec) > set payload cmd/unix/reverse_netcat_gaping payload => cmd/unix/reverse_netcat_gaping msf5 exploit(linux/http/geutebruck_testaction_exec) > set httpusername root
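Review bot: In the first hunk the rewritten "Vulnerable Application" lists use inconsistent indentation, which markdown renderers will not nest as intended: the camera-model block starts with `* Encoder and E2 Series Camera models:` at column 0 and indents its children by a single space, while the brand list under "Many brands use the same firmware:" is indented one space with no top-level item above it. Suggest putting all top-level items at column 0 and indenting each nesting level by two or more spaces (for example `* G-Code:` under the model line and `  * EEC-2xxx` under that) so G-Code/G-Cam render as sub-items and the brand list renders as one flat list. Two smaller points in the same hunk: the advisory URL in the new "Users can find additional details..." sentence is a bare URL while the Geutebruck reference a few lines up uses a markdown link, so match that style; and "at which point the server will then interpret the new string" reads better without "then".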