CVE-2012-3001
Published 2012-10-22
Priority: P2 · 72 · high
CVSS 2.0: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Exploit available
EPSS: 27.31% (97.8th percentile)
Mutiny Standard before 4.5-1.12 allows remote attackers to execute arbitrary commands via the network-interface menu, related to a "command injection vulnerability."
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mutiny | standard | <= 4.5-1.10 | — |
| mutiny | standard | — | — |
| mutiny | standard | — | — |
| mutiny | standard | — | — |
| mutiny | standard | — | — |
Detection & IOCs
- Detect POST requests to /interface/logon.do followed by GET/POST requests to /interface/admin/cgi-bin/netconfig. This is the two-step exploit chain: authenticate, then inject via the netmasketh0 parameter.
- Flag POST requests to /interface/admin/cgi-bin/netconfig where the 'netmasketh0' parameter contains shell metacharacters (e.g., semicolons, backticks, pipe characters). This is the injection point for command execution.
- Alert on HTTP responses containing the string ': Mutiny : Login @ mutiny' to fingerprint exposed Mutiny appliance admin interfaces.
- Monitor for ELF binary drops or execution from /tmp/ on Linux hosts running Mutiny, as the Linux Payload target writes and executes an ELF file from /tmp/.
- Watch for writes to /opt/MUTINYJAVA/nemobjects/config/interface/eth0/0/netmask and unexpected modifications to ifcfg-eth0, which are artifacts of post-exploitation cleanup by the Metasploit module.
- Injected commands are executed with root privileges; monitor for unexpected /etc/init.d/network restart calls originating from the Mutiny web process.
- Exploitation requires valid credentials to the Mutiny admin interface; default credentials (admin/mutiny) are used by the Metasploit module and should be checked/changed.
- The vulnerability affects Mutiny versions prior to 4.5-1.12; the Metasploit module was confirmed working on Mutiny 4.2-1.05.
- The default base path for the Mutiny interface is /interface/; this may vary in non-default deployments.
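One way to implement the netconfig check from the list above, as an added example (not code from the Metasploit module or from Mutiny): it flags any netmasketh0 value that is not a dotted-quad IPv4 mask instead of relying only on a metacharacter blocklist, and matches on the path suffix because the base path may vary. The record format, function names and sample requests are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

NETCONFIG_SUFFIX = "/admin/cgi-bin/netconfig"  # base path (/interface/) may vary
PARAM = "netmasketh0"
SHELL_META = set(";`|&$()<>\n\r")


def is_valid_netmask(value):
    """True only for a dotted-quad IPv4 mask such as 255.255.255.0."""
    try:
        ipaddress.IPv4Network(f"0.0.0.0/{value}")
    except ValueError:
        return False
    return value.count(".") == 3  # reject prefix-length forms like "24"


def inspect_request(method, url, body=""):
    """Return a finding dict for a suspicious netconfig request, else None."""
    parts = urlsplit(url)
    if not parts.path.rstrip("/").endswith(NETCONFIG_SUFFIX):
        return None
    # The parameter may arrive in the query string or in the form body.
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    for value in params.get(PARAM, []):
        if not is_valid_netmask(value):
            return {"path": parts.path, "value": value,
                    "metachars": sorted(SHELL_META & set(value))}
    return None


def scan(records):
    """Run inspect_request over (method, url, body) tuples; keep the findings."""
    return [f for f in (inspect_request(*r) for r in records) if f]


# Constructed sample traffic (method, URL, form body); not from a real host.
SAMPLE = [
    ("POST", "/interface/logon.do", "user=constructed"),
    ("POST", "/interface/admin/cgi-bin/netconfig", "netmasketh0=255.255.255.0"),
    ("POST", "/interface/admin/cgi-bin/netconfig", "netmasketh0=255.255.255.0%3Bid"),
    ("GET", "/custom/admin/cgi-bin/netconfig?netmasketh0=255.255.255.0%60id%60", ""),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The same allowlist test suits a WAF or reverse-proxy rule in front of an unpatched appliance, since a legitimate netmask never needs characters outside digits and dots.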
No detection rules found.
Exploit-DB
Mutiny - Remote Command Execution (Metasploit)
exploitdb·2013-03-25
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'Mutiny Remote Command Execution',
'Description' => %q{
This module exploits an authenticated command injection vulnerability in the
Mutiny appliance. Versions prior to 4.5-1.12 are vulnerable. In order to exploit
the vulnerability the mutiny user must have access to the admin interface. The
injected commands are executed with root privileges. This module has been tested
successfully on Mutiny 4.2-1.05.
},
'Author' =>
[
'Christopher Campbell', # Vulnerability discover
Metasploit
Mutiny Remote Command Execution
This module exploits an authenticated command injection vulnerability in the Mutiny appliance. Versions prior to 4.5-1.12 are vulnerable. In order to exploit the vulnerability the mutiny user must have access to the admin interface. The injected commands are executed with root privileges. This module has been tested successfully on Mutiny 4.2-1.05.
No writeups or analysis indexed.
- http://osvdb.org/86570
- http://secunia.com/advisories/51094
- http://www.kb.cert.org/vuls/id/841851
- http://www.mutiny.com/releasehistory.php
- http://www.securityfocus.com/bid/56165