CVE-2012-0261
published 2013-12-31

Priority: P278
Severity: critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 73.95% (99.4th percentile)

license.php in system-portal before 1.6.2 in op5 Monitor and op5 Appliance before 5.5.3 allows remote attackers to execute arbitrary commands via shell metacharacters in the timestamp parameter for an install action.

Affected

6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| op5 | monitor | <= 5.5.1 | |
| op5 | monitor | | |
| op5 | monitor | | |
| op5 | monitor | | |
| op5 | monitor | | |
| op5 | system-portal | <= 1.6.1 | |

Detection & IOCs (extracted from sources)

path: /license.php
command: timestamp=1317050333`ping -c 10 127.0.0.1`&action=install&install=Install
command: timestamp=1317050333`<payload>`&action=install&install=Install
  • Detect POST requests to /license.php containing shell metacharacters (backticks) in the 'timestamp' parameter combined with 'action=install', indicating command injection exploitation.
  • Monitor HTTPS POST traffic to /license.php with a POST body matching the pattern: timestamp=<digits>`<command>`&action=install&install=Install
  • A timing-based check (delay >= 5 seconds) using 'ping -c 10 127.0.0.1' injected into the timestamp parameter can be used to confirm vulnerability; detect anomalous ICMP loopback activity from the web server process.
  • Payload delivery requires cmd-type payloads using perl, ruby, or python; monitor for child processes of the web server spawning perl/ruby/python interpreters following a POST to /license.php.
  • The exploit targets HTTPS (port 443) exclusively; HTTP traffic inspection alone will not capture this attack.
  • The bad characters for payloads are backtick, backslash, and pipe; payloads using these characters will be filtered by the exploit module, so detection rules should account for alternative encoding or substitution.
  • Confirmed vulnerable versions are 5.3.5, 5.4.0, 5.4.2, 5.5.0, and 5.5.1; versions at or above 5.5.3 (system-portal 1.6.2) are patched.
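
The request-matching rules above, written out as a detector. This is an added example, not code from the original page or from op5. It goes beyond the backtick pattern by flagging any non-numeric timestamp on an install action, so URL-encoded or substituted metacharacters are caught as well. It assumes requests are available as (method, URL, body) after TLS termination; the host monitor.example and the sample records are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Characters with special meaning to a POSIX shell; used to grade the alert.
SHELL_META = set("`$|;&<>(){}\\\n")
DIGITS_ONLY = re.compile(r"[0-9]+")


def inspect_request(method, url, body):
    """Return None for benign traffic, or a dict describing the finding."""
    if method.upper() != "POST":
        return None
    if not urlsplit(url).path.lower().endswith("/license.php"):
        return None
    # parse_qs URL-decodes values, so %60 and a literal backtick look the same.
    params = parse_qs(body, keep_blank_values=True)
    if "install" not in params.get("action", []):
        return None
    for value in params.get("timestamp", []):
        if DIGITS_ONLY.fullmatch(value):
            continue  # a legitimate timestamp is digits only
        meta = sorted(SHELL_META.intersection(value))
        return {
            "rule": "CVE-2012-0261 timestamp injection",
            "severity": "high" if meta else "medium",
            "metacharacters": meta,
            "timestamp": value,
        }
    return None


SAMPLES = [  # constructed request records, not captured traffic
    ("POST", "https://monitor.example/license.php",
     "timestamp=1317050333&action=install&install=Install"),
    ("POST", "https://monitor.example/license.php",
     "timestamp=1317050333`ping -c 10 127.0.0.1`&action=install&install=Install"),
    ("POST", "https://monitor.example/license.php",
     "timestamp=1317050333%60ping+-c+10+127.0.0.1%60&action=install&install=Install"),
    ("GET", "https://monitor.example/license.php", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url, "->", inspect_request(method, url, body))
```
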