CVE-2013-3502
published 2013-05-08

Priority: P358 · Severity: medium · CVSS 2.0 base score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploit: public exploit available (Metasploit module; see the detection notes below)
EPSS: 53.71% (98.9th percentile)
monarch_scan.cgi in the MONARCH component in GroundWork Monitor Enterprise 6.7.0 allows remote authenticated users to execute arbitrary commands, and consequently obtain sensitive information, by leveraging a JOSSO SSO cookie.

Affected (1 range)

Vendor   Product             Version range   Fixed in
gwos     groundwork_monitor  (not given)     (not given)

Detection & IOCs (extracted from sources)

path:    /monarch/monarch_scan.cgi
path:    /josso/signon/login.do
path:    /josso/signon/usernamePasswordLogin.do
cookie:  JOSSO_SESSIONID=<token>
cookie:  JOSSO_SESSIONID_josso=<[A-F0-9]+>
command: args=<rand>&args=<rand>&args=<command>;
  • Detect exploitation attempts by monitoring HTTP GET requests to /monarch/monarch_scan.cgi containing multiple 'args' query parameters, especially where the last 'args' value contains shell metacharacters (e.g., semicolons, pipes, backticks).
  • Flag HTTP requests to /monarch/monarch_scan.cgi that carry a JOSSO_SESSIONID cookie and originate from unexpected source IPs or user roles, as the vulnerability is exploitable by any authenticated user regardless of privilege level.
  • Check the Referer header on requests to monarch_scan.cgi for the value matching /portal/auth/portal/groundwork-monitor/auto-disc, which is the static Referer set by the Metasploit module.
  • Fingerprint vulnerable GroundWork instances by checking HTTP responses for the string 'GroundWork.*6\.7\.0' on the login page /josso/signon/login.do.
  • The server banner 'Apache-Coyote/1.1' is used by the exploit module to fingerprint the target; correlate this with other indicators when triaging alerts.
  • The exploit requires prior authentication: a valid JOSSO session token (JOSSO_SESSIONID) must be obtained via /josso/signon/usernamePasswordLogin.do before the command injection payload is delivered. Detection rules must account for this authenticated precondition.
  • The Metasploit module was tested specifically on GroundWork 6.7.0-br287-gw1571 running on an Ubuntu 10.04 VM appliance; its payload compatibility options (generic, telnet, netcat, perl, python) reflect that environment.
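As an added example (not taken from this record's sources or from the vendor), the following Python check applies the detection notes above to web-server log lines: it flags requests to /monarch/monarch_scan.cgi that carry several `args` parameters with shell metacharacters in the last one, and records the JOSSO cookie and the static Metasploit Referer as supporting indicators. The log format (Referer and Cookie appended as the last two quoted fields) and every sample value are assumed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample lines (assumed custom Apache LogFormat that appends the
# Referer and Cookie headers as the last two quoted fields).
SAMPLE_LOG = r'''
10.0.0.5 - - [08/May/2013:10:01:02 +0000] "GET /monarch/monarch_scan.cgi?args=a1b2&args=c3d4&args=id%3B HTTP/1.1" 200 512 "http://gw.example/portal/auth/portal/groundwork-monitor/auto-disc" "JOSSO_SESSIONID=0123ABCD"
10.0.0.7 - - [08/May/2013:10:02:10 +0000] "GET /monarch/monarch_scan.cgi?args=10.0.0.0/24 HTTP/1.1" 200 4096 "http://gw.example/monarch/" "JOSSO_SESSIONID=FEEDBEEF"
10.0.0.9 - - [08/May/2013:10:03:30 +0000] "GET /portal/ HTTP/1.1" 200 128 "-" "-"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'\d+ \S+ "(?P<referer>[^"]*)" "(?P<cookie>[^"]*)"$')
SHELL_META = re.compile(r'[;|`&$()<>]')   # metacharacters named in the detection notes
MSF_REFERER = '/portal/auth/portal/groundwork-monitor/auto-disc'

def analyze(line):
    """Return the indicator names one log line matches; [] if it is not a monarch_scan.cgi request."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m['target'])
    if url.path != '/monarch/monarch_scan.cgi':
        return []
    hits = ['monarch_scan_request']
    # Split the query by hand and percent-decode each value so an encoded ';' is still seen.
    pairs = [p.split('=', 1) for p in url.query.split('&') if p]
    args = [unquote_plus(p[1]) if len(p) == 2 else '' for p in pairs if p[0] == 'args']
    if len(args) > 1:
        hits.append('multiple_args')
    if args and SHELL_META.search(args[-1]):
        hits.append('shell_meta_in_last_arg')
    if 'JOSSO_SESSIONID' in m['cookie']:
        hits.append('josso_session_cookie')
    if m['referer'].endswith(MSF_REFERER):
        hits.append('metasploit_referer')
    return hits

def is_exploit_attempt(hits):
    """Both core conditions from the detection notes must hold to call it an attempt."""
    return {'multiple_args', 'shell_meta_in_last_arg'} <= set(hits)

def scan(log_text):
    """Map each source IP to the indicators its monarch_scan.cgi requests matched."""
    findings = {}
    for line in log_text.strip().splitlines():
        hits = analyze(line)
        if hits:
            findings[line.split(' ', 1)[0]] = hits
    return findings

if __name__ == '__main__':
    for ip, hits in scan(SAMPLE_LOG).items():
        print(ip, 'EXPLOIT ATTEMPT' if is_exploit_attempt(hits) else 'review', hits)
```

The second sample line (a single `args` value with no metacharacters, sent with a valid JOSSO cookie) shows why the cookie alone is only a supporting indicator: legitimate authenticated use of the scanner looks the same.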