CVE-2007-3010
published 2007-09-18

Priority: P191 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-06
Exploited in the wild
EPSS: 97.41% (99.9th percentile)
masterCGI in the Unified Maintenance Tool in Alcatel OmniPCX Enterprise Communication Server R7.1 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the user parameter during a ping action.

Affected

1 range
Vendor | Product | Version range | Fixed in
al-enterprise | omnipcx_enterprise_communication_server | <= 7.1 |

Detection & IOCs (extracted from sources)

path: /cgi-bin/masterCGI
url: /cgi-bin/masterCGI?ping=nomip&user=;id;
command: GET /cgi-bin/masterCGI?ping=nomip&user=;${cmd}; HTTP/1.1
port: 443
other: shodan: title:"OmniPCX for Enterprise"
yara: regex: uid=[0-9]+.*gid=[0-9]+.*
  • Look for HTTP GET requests to /cgi-bin/masterCGI with both 'ping=nomip' and shell metacharacters (semicolons) in the 'user' parameter, indicating command injection attempts.
  • Spaces in injected commands are replaced with ${IFS} to bypass filtering; detect URL-encoded or literal '${IFS}' in the 'user' parameter of requests to masterCGI.
  • The exploit targets HTTPS (port 443) by default; monitor SSL/TLS traffic to the OmniPCX web interface for requests matching the masterCGI injection pattern.
  • Response body containing 'uid=' and 'gid=' output (from injected 'id' command) confirms successful exploitation; alert on such patterns in HTTP 200 responses from masterCGI.
  • Use Shodan/FOFA queries to identify exposed OmniPCX instances: title:"OmniPCX for Enterprise" or app="Alcatel_Lucent-OmniPCX-Enterprise".
  • The vulnerability is unauthenticated; any request to masterCGI with the 'ping' action and a 'user' parameter containing semicolons or other shell metacharacters should be treated as a high-confidence attack indicator.
  • The Metasploit module only supports command-line (non-interactive) payloads; reverse/bind shells are killed by the httpd process after the HTTP 200 OK response is sent.
  • Exploitation yields only 'httpd' user privileges, not root; post-exploitation privilege escalation would be required for full system compromise.
  • The module defaults to SSL on port 443; non-SSL or non-standard port deployments require manual configuration adjustment.
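
The request-side and response-side checks from the detection notes above, as an added example that is not part of the original page or of any vendor or Metasploit code. It assumes a web server or TLS-terminating proxy access log in common/combined format; the log lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shell metacharacters that should never appear in the 'user' value.
META = re.compile(r"[;|&`$<>(){}\n]")
# Response-body regex listed on this page (output of an injected 'id').
ID_OUTPUT = re.compile(r"uid=[0-9]+.*gid=[0-9]+.*")
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

def classify_request(log_line):
    """Return the reasons a log line matches the masterCGI injection pattern."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if url.path != "/cgi-bin/masterCGI":
        return []
    # parse_qs percent-decodes values, so %3B and %24%7BIFS%7D are caught.
    # separator="&" keeps ';' inside the value instead of splitting on it.
    params = parse_qs(url.query, keep_blank_values=True, separator="&")
    if "ping" not in params:
        return []
    reasons = []
    for value in params.get("user", []):
        if "${IFS}" in value:
            reasons.append("${IFS} space substitution in user")
        if META.search(value):
            reasons.append("shell metacharacter in user")
    return reasons

def response_confirms(body):
    """True if a masterCGI response body contains 'id'-style output."""
    return bool(ID_OUTPUT.search(body))

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/masterCGI?ping=nomip&user=;id; HTTP/1.1" 200 54',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/masterCGI?ping=nomip&user=%3Buname%24%7BIFS%7D-a%3B HTTP/1.1" 200 80',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /cgi-bin/masterCGI?ping=nomip&user=operator HTTP/1.1" 200 312',
    '203.0.113.9 - - [01/Jan/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line in SAMPLE:
        hits = classify_request(line)
        if hits:
            print("ALERT:", "; ".join(hits), "|", line)
```

Because the interface is served over HTTPS, this has to run where the request line is visible in cleartext, such as the server's own access log or a proxy that terminates TLS.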

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck | 9.8 | CRITICAL
cisa | 9.8 | CRITICAL