[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] CVE-2023-28130 - Hostname injection leads to Remote Code Execution RCE (Authenticated)
From: Rick Verdoes via Fulldisclosure <fulldisclosure () seclists ! org>
Date: 2023-07-27 8:33:47
Message-ID: VI1PR10MB1757A8E490F45BC69A5950028101A () VI1PR10MB1757 ! EURPRD10 ! PROD ! OUTLOOK ! COM
[Download RAW message or body]
=========================
Exploit Title: Hostname injection leads to Remote Code Execution RCE (Authenticated)
Product: Gaia Portal
Vendor: Checkpoint
Vulnerable Versions: R81.20 < Take 14, R81.10 < Take 95, R81 < Take 82 and R80.40 < Take 198
Tested Version: R81.10 (take 335)
Advisory Publication: July 27, 2023
Latest Update: July 72, 2023
Vulnerability Type: Improper Control of Generation of Code (Code Injection) [CWE-94]
CVE Reference: CVE-2023-28130
CVSS Severity: High
CVSS Score: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Impact score: 8.4
Credit: Rick Verdoes & Danny de Weille (Hackify | pentests.nl)
=========================
I. BACKGROUND
-------------------------
Check Point Gaia Portal is an advanced web-based interface designed for the configuration of \
the Gaia platform, a security operating system that combines the strengths of both \
SecurePlatform and IPSO operating systems. The Gaia Portal allows for nearly all system \
configuration tasks to be performed through this interface.
II. VULNERABILITY
-------------------------
Check Point Gaia Portal has a vulnerability which allows an authenticated user with write \
permissions on the DNS settings to inject commands in a cgi script, leading to remote code \
execution on the operating system. The vulnerability lies in the parameter hostname in the web \
request /cgi-bin/hosts_dns.tcl, which is susceptible to command injection. This can be \
exploited by any user with a valid session, as long as the user has write permissions on the \
DNS settings. The injected commands are executed by the user 'Admin'.
III. Proof of Concept
-------------------------
hostname=name|`COMMAND`&domainname=test.local&save=1
IV. Impact
-------------------------
Successful exploitation allows a remote authenticated attacker to execute commands on the \
operating system.
V. References
-------------------------
Security advisories:
https://pentests.nl/pentest-blog/cve-2023-28130-command-injection-in-check-point-gaia-portal/
https://support.checkpoint.com/results/sk/sk181311
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic