CVE-2012-0261
Published: 2013-12-31
Priority: P2 78, critical, CVSS 2.0: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 73.95% (99.4th percentile)
license.php in system-portal before 1.6.2 in op5 Monitor and op5 Appliance before 5.5.3 allows remote attackers to execute arbitrary commands via shell metacharacters in the timestamp parameter for an install action.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| op5 | monitor | <= 5.5.1 | — |
| op5 | monitor | — | — |
| op5 | monitor | — | — |
| op5 | monitor | — | — |
| op5 | monitor | — | — |
| op5 | system-portal | <= 1.6.1 | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /license.php containing shell metacharacters (backticks) in the 'timestamp' parameter combined with 'action=install', indicating command injection exploitation.
- Monitor HTTPS POST traffic to /license.php with a POST body matching the pattern: timestamp=<digits>`<command>`&action=install&install=Install
- A timing-based check (delay >= 5 seconds) using 'ping -c 10 127.0.0.1' injected into the timestamp parameter can be used to confirm vulnerability; detect anomalous ICMP loopback activity from the web server process.
- Payload delivery requires cmd-type payloads using perl, ruby, or python; monitor for child processes of the web server spawning perl/ruby/python interpreters following a POST to /license.php.
- The exploit targets HTTPS (port 443) exclusively; HTTP traffic inspection alone will not capture this attack.
- The bad characters for payloads are backtick, backslash, and pipe; payloads using these characters will be filtered by the exploit module, so detection rules should account for alternative encoding or substitution.
- Confirmed vulnerable versions are 5.3.5, 5.4.0, 5.4.2, 5.5.0, and 5.5.1; versions at or above 5.5.3 (system-portal 1.6.2) are patched.
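
The first two detection items above, written as an added example (not code from the exploit module or from op5): a Python check over already-decrypted request records. The `(method, url, body)` record shape, the names `classify` and `SAMPLES`, and the sample requests are assumptions constructed for illustration; because the traffic is HTTPS, the body has to come from a TLS-terminating proxy or server-side request logging.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Characters a shell treats as command substitution, chaining or redirection.
SHELL_META = re.compile(r"[`$;&|<>\\\n]")
NUMERIC = re.compile(r"[0-9]+")


def classify(method, url, body):
    """Return "alert", "suspicious" or None for one decoded HTTP request."""
    if method.upper() != "POST":
        return None
    if not urlsplit(url).path.lower().endswith("/license.php"):
        return None
    # parse_qs percent-decodes values, so %60 is compared as a backtick.
    params = parse_qs(body, keep_blank_values=True)
    bad = [t for t in params.get("timestamp", []) if not NUMERIC.fullmatch(t)]
    if not bad:
        return None
    install = "install" in params.get("action", [])
    if install and any(SHELL_META.search(t) for t in bad):
        return "alert"
    # Non-numeric timestamp without the full pattern: still worth a look.
    return "suspicious"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("POST", "/license.php",
     "timestamp=1317050333&action=install&install=Install"),
    ("POST", "/license.php",
     "timestamp=1317050333`ping+-c+10+127.0.0.1`&action=install&install=Install"),
    ("POST", "/license.php",
     "timestamp=1317050333%60ping+-c+10+127.0.0.1%60&action=install&install=Install"),
    ("POST", "/license.php", "timestamp=abc&action=install"),
    ("GET", "/license.php", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(classify(method, url, body), method, url, body)
```

Matching on the decoded value rather than the raw body is what catches the percent-encoded variant in the third sample.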
No detection rules found.
Exploit-DB
OP5 5.3.5/5.4.0/5.4.2/5.5.0/5.5.1 - 'license.php' Remote Command Execution (Metasploit)
exploitdb·2015-01-25
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule 'OP5 license.php Remote Command Execution',
      'Description'    => %q{
          This module exploits an arbitrary root command execution vulnerability in the
          OP5 Monitor license.php. Ekelow has confirmed that OP5 Monitor versions 5.3.5,
          5.4.0, 5.4.2, 5.5.0, 5.5.1 are vulnerable.
      },
      'Author'         => [ 'Peter Osterberg ' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2012-0261'],
          ['OSVDB', '78064'],
          ['URL', 'http://secunia.com/advisories/47417/'],
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 1024,
          'BadCh
```
Metasploit
OP5 license.php Remote Command Execution
metasploit
This module exploits an arbitrary root command execution vulnerability in the OP5 Monitor license.php. Ekelow has confirmed that OP5 Monitor versions 5.3.5, 5.4.0, 5.4.2, 5.5.0, 5.5.1 are vulnerable.
No writeups or analysis indexed.
- http://seclists.org/fulldisclosure/2012/Jan/62
- http://secunia.com/advisories/47417
- http://www.ekelow.se/file_uploads/Advisories/ekelow-aid-2012-01.pdf
- http://www.op5.com/news/support-news/fixed-vulnerabilities-op5-monitor-op5-appliance/
- http://www.osvdb.org/78064
- https://bugs.op5.com/view.php?id=5094