CVE-2012-3811
Published 2012-07-03
Priority: P2 77 · critical · 10 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 62.88% (99.1th percentile)
Unrestricted file upload vulnerability in ImageUpload.ashx in the Wallboard application in Avaya IP Office Customer Call Reporter 7.0 before 7.0.5.8 Q1 2012 Maintenance Release and 8.0 before 8.0.9.13 Q1 2012 Maintenance Release allows remote attackers to execute arbitrary code by uploading an executable file and then accessing it via a direct request.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| avaya | ip_office_customer_call_reporter | — | — |
| avaya | ip_office_customer_call_reporter | — | — |
Detection & IOCs
- Monitor for multipart/form-data POST requests to ImageUpload.ashx; this is the upload vector used by the exploit.
- A successful upload response contains the JSON key-value pair '"Key":"RadUAG_success","Value":true'; detect this in server responses to identify successful exploitation.
- The exploit uploads an ASPX-wrapped EXE payload (exe_aspx format); look for .aspx file uploads to the Wallboard application directory.
- The Metasploit module targets the default URI path '/' for Avaya CCR; monitor all HTTP methods to ImageUpload.ashx regardless of base path.
- Affected versions confirmed in exploit testing are 7.0.4.2 and 8.0.8.15 on Windows 2003 SP2; prioritize detection on these versions.
- The exploit requires no authentication: the vulnerability is an authentication bypass, meaning no credentials are needed to reach ImageUpload.ashx.
- Patched versions are 7.0.5.8 Q1 2012 Maintenance Release and 8.0.9.13 Q1 2012 Maintenance Release; detections should focus on unpatched instances below these versions.
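One way to apply the upload and .aspx indicators above to IIS W3C logs, as an added example that is not part of the original page or of any vendor tooling: it records POSTs to ImageUpload.ashx under any base path and flags an .aspx path that is first requested shortly after such a POST. The log lines, paths, client addresses and the 10-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per site

# Constructed sample in IIS W3C format; paths and addresses are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2012-10-10 08:59:00 198.51.100.7 GET /placeholder-base/Default.aspx 200
2012-10-10 09:00:01 192.0.2.10 POST /placeholder-base/ImageUpload.ashx 200
2012-10-10 09:00:03 192.0.2.10 GET /placeholder-base/placeholder-dir/a1b2.aspx 200
2012-10-10 09:05:00 198.51.100.7 GET /placeholder-base/Default.aspx 200
2012-10-10 11:30:00 198.51.100.7 GET /placeholder-base/Other.aspx 200
"""

def parse(log_text):
    """Yield one dict per request, named by the #Fields directive."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(
                row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield row

def detect(log_text):
    """Return (uploads, follow_ups) for the handler and new .aspx paths."""
    uploads, follow_ups, seen_aspx = [], [], set()
    for r in parse(log_text):
        stem = r["cs-uri-stem"].lower()  # IIS paths are case-insensitive
        if stem.endswith("/imageupload.ashx"):
            if r["cs-method"] == "POST":  # the upload vector
                uploads.append(r)
        elif stem.endswith(".aspx"):
            recent = any(timedelta(0) <= r["ts"] - u["ts"] <= WINDOW
                         for u in uploads)
            # A page nobody requested before the upload is the suspicious case.
            if recent and stem not in seen_aspx:
                follow_ups.append(r)
            seen_aspx.add(stem)
    return uploads, follow_ups

if __name__ == "__main__":
    ups, hits = detect(SAMPLE_LOG)
    for u in ups:
        print("upload POST", u["ts"], u["c-ip"], u["cs-uri-stem"])
    for h in hits:
        print("new .aspx after upload", h["ts"], h["c-ip"], h["cs-uri-stem"])
```

Default IIS logging does not record the request Content-Type or the response body, so the multipart/form-data and RadUAG_success indicators need a proxy, WAF or packet capture rather than this log source.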
Exploit-DB
Avaya IP Office Customer Call Reporter - 'ImageUpload.ashx' Remote Command Execution (Metasploit)
exploitdb·2012-10-10
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'uri'
require 'msf/core'
class Metasploit3 'Avaya IP Office Customer Call Reporter ImageUpload.ashx Remote Command Execution',
'Description' => %q{
This module exploits an authentication bypass vulnerability on Avaya IP Office
Customer Call Reporter, which allows a remote user to upload arbitrary files
through the ImageUpload.ashx component. It can be abused to upload and execute
arbitrary ASP .NET code. The vulnerability has been tested successf
Metasploit
Avaya IP Office Customer Call Reporter ImageUpload.ashx Remote Command Execution
metasploit
This module exploits an authentication bypass vulnerability on Avaya IP Office Customer Call Reporter, which allows a remote user to upload arbitrary files through the ImageUpload.ashx component. It can be abused to upload and execute arbitrary ASP .NET code. The vulnerability has been tested successfully on Avaya IP Office Customer Call Reporter 7.0.4.2 and 8.0.8.15 on Windows 2003 SP2.