Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-32429

An authentication-bypass issue in the component http://MYDEVICEIP/cgi-bin-sdb/ExportSettings.sh of Mega System Technologies Inc MSNSwitch MNT.2408 allows unauthenticated attackers to arbitrarily configure settings within the application, leading to remote code execution.

CVE
Open in Source
#vulnerability#web#google#rce#auth

CVE-2022-32429****Authentication Bypass and Remote Code Execution on MSNSwitch firmware MNT.2408****Affected Product:

The affected product is the MSNSwitch Internet-enabled power strip running firmware version MNT.2408. It is unknown if any previous versions are affected.

Vulnerability Type:

Authentication Bypass, Command Execution

Root Cause:

The vulnerability is an authentication bypass which allows the full configuration of the unit to be downloaded. The credentials obtained here can then be used via a local subnet vulnerability to obtain a full root shell on the device.

The authentication bypass is caused by a routing misconfiguration in the embedded “goahead” web browser. A trailing forward slash is omitted when the route for the cgi-bin directory is defined. This forward slash is present when the path is defined for authentication purposes. This misconfiguration causes URLs of the form http://{TARGET}:{PORT}/cgi-binANYSTRINGHERE to access the /cgi-bin/ directory without requiring authentication.

For instance, the device settings can be accessed at the URL: http://{TARGET}:{PORT}/cgi-bin-hax/ExportSettings.sh

With credentials in hand, it is then possible to exploit a command injection flaw in the /cgi-bin/upgrade.cgi script to execute arbitrary commands on the device. This flaw is caused by insufficient sanitization of a user specified field.

Impact:

An attacker can remotely obtain the access credentials for the device itself as well as for other services that the device may be connected to. If configured, this can include Google accounts, accounts for various dynamic DNS providers, other email accounts and Skype/SMS account information. In addition, the attacker will have control over the device itself, including the ability to power cycle connected devices.

The command execution vulnerability is less significant, as it requires the attacker to be on the same subnet as the device. However, if an attacker is in that position, they can obtain full root shell access.

POC Code:CVE-2022-32429-POC.py

Related news

MSNSwitch Firmware MNT.2408 Remote Code Execution

MSNSwitch Firmware MNT.2408 suffers from a remote code execution vulnerability.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE