CVE-2013-3502
Published: 2013-05-08
Priority: P3 · 58 · medium · CVSS 2.0 base score 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Tags: EXPLOIT
EPSS: 53.71% (98.9th percentile)
monarch_scan.cgi in the MONARCH component in GroundWork Monitor Enterprise 6.7.0 allows remote authenticated users to execute arbitrary commands, and consequently obtain sensitive information, by leveraging a JOSSO SSO cookie.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gwos | groundwork_monitor | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring HTTP GET requests to /monarch/monarch_scan.cgi containing multiple 'args' query parameters, especially where the last 'args' value contains shell metacharacters (e.g., semicolons, pipes, backticks).
- Flag HTTP requests to /monarch/monarch_scan.cgi that carry a JOSSO_SESSIONID cookie and originate from unexpected source IPs or user roles, as the vulnerability is exploitable by any authenticated user regardless of privilege level.
- Check the Referer header on requests to monarch_scan.cgi for the value matching /portal/auth/portal/groundwork-monitor/auto-disc, which is the static Referer set by the Metasploit module.
- Fingerprint vulnerable GroundWork instances by checking HTTP responses for the string 'GroundWork.*6\.7\.0' on the login page /josso/signon/login.do.
- The server banner 'Apache-Coyote/1.1' is used by the exploit module to fingerprint the target; correlate this with other indicators when triaging alerts.
- The exploit requires prior authentication; a valid JOSSO session token (JOSSO_SESSIONID) must be obtained via /josso/signon/usernamePasswordLogin.do before the command injection payload is delivered. Detection rules must account for this authenticated pre-condition.
- The Metasploit module was tested specifically on GroundWork 6.7.0-br287-gw1571 running on an Ubuntu 10.04 VM appliance; payload compatibility options (generic, telnet, netcat, perl, python) reflect this environment.
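The indicators above can be turned into a small triage script. The following is an added example, not code from the page, from GroundWork or from the Metasploit module: it reads request records (constructed here as JSON lines with the fields a reverse proxy or WAF would log: source IP, URL, Cookie and Referer) and applies the multiple-`args`, shell-metacharacter, JOSSO-cookie-from-unexpected-source and static-Referer checks. The `allowed_sources` allowlist and the JSON record format are assumptions for the example.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Indicator values taken from the detection notes above.
TARGET_PATH = "/monarch/monarch_scan.cgi"
METASPLOIT_REFERER = "/portal/auth/portal/groundwork-monitor/auto-disc"
# Semicolon, pipe, backtick, ampersand or "$(" in a scanner argument.
SHELL_META = re.compile(r"[;|`&]|\$\(")


def inspect_request(rec, allowed_sources=frozenset()):
    """Return the indicator names matched by one request record (a dict).

    `allowed_sources` is an assumed allowlist of IPs expected to use the
    MONARCH auto-discovery page; any other source carrying a JOSSO session
    cookie is flagged (indicator 2 above).
    """
    hits = []
    url = urlparse(rec.get("url", ""))
    if url.path != TARGET_PATH:
        return hits
    # parse_qs percent-decodes values, so %3B becomes ';' before matching.
    args = parse_qs(url.query, keep_blank_values=True).get("args", [])
    if len(args) > 1:
        hits.append("multiple_args")
    if args and SHELL_META.search(args[-1]):
        hits.append("shell_metachars_in_last_args")
    if "JOSSO_SESSIONID=" in rec.get("cookie", "") and rec.get("src") not in allowed_sources:
        hits.append("josso_cookie_unexpected_source")
    if METASPLOIT_REFERER in rec.get("referer", ""):
        hits.append("metasploit_referer")
    return hits


def scan_log(lines, allowed_sources=frozenset()):
    """Scan JSON-lines request records; return one finding per matching line."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        hits = inspect_request(json.loads(line), allowed_sources)
        if not hits:
            continue
        # Injection metacharacters or the module's static Referer are strong
        # signals; multiple args alone can be legitimate scanner usage.
        strong = {"shell_metachars_in_last_args", "metasploit_referer"}
        severity = "high" if strong & set(hits) else "low"
        findings.append({"line": n, "src": json.loads(line).get("src"),
                         "hits": hits, "severity": severity})
    return findings


# Constructed sample records (not real traffic): one legitimate scan from an
# allowed admin host, one injection attempt with the module's Referer, one
# unrelated login request, and one single-arg attempt using backticks.
SAMPLE_LOG = "\n".join([
    json.dumps({"src": "10.0.0.5", "url": TARGET_PATH + "?args=-sP&args=10.0.0.0%2F24",
                "cookie": "JOSSO_SESSIONID=c0ffee", "referer": "https://monitor.example/monarch/"}),
    json.dumps({"src": "203.0.113.9", "url": TARGET_PATH + "?args=-sP&args=127.0.0.1%3Bid",
                "cookie": "JOSSO_SESSIONID=deadbeef",
                "referer": "https://monitor.example" + METASPLOIT_REFERER}),
    json.dumps({"src": "203.0.113.9", "url": "/josso/signon/login.do", "cookie": "", "referer": ""}),
    json.dumps({"src": "198.51.100.7", "url": TARGET_PATH + "?args=%60id%60",
                "cookie": "JOSSO_SESSIONID=0badf00d", "referer": ""}),
])


def demo():
    """Run the scanner over the constructed sample with 10.0.0.5 allowlisted."""
    return scan_log(SAMPLE_LOG.splitlines(), allowed_sources={"10.0.0.5"})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The allowlist keeps routine use of the auto-discovery page by known operators at low severity while still recording it, so an analyst can tune the list from the low findings rather than from missed alerts.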
No detection rules found.
Exploit-DB
GroundWork - 'monarch_scan.cgi' OS Command Injection (Metasploit) · exploitdb · 2013-04-25
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 [ /Apache-Coyote\/1\.1/ ] }
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "GroundWork monarch_scan.cgi OS Command Injection",
'Description' => %q{
This module exploits a vulnerability found in GroundWork 6.7.0. This software
is used for network, application and cloud monitoring. The vulnerability exists in
the monarch_scan.cgi, where user controlled input is used in the perl
```
Metasploit
GroundWork monarch_scan.cgi OS Command Injection
This module exploits a vulnerability found in GroundWork 6.7.0. This software is used for network, application and cloud monitoring. The vulnerability exists in the monarch_scan.cgi where user controlled input is used in the perl qx function. This allows any remote authenticated attacker, regardless of privileges, to inject system commands and gain arbitrary code execution. The module has been tested successfully on GroundWork 6.7.0-br287-gw1571 as distributed within the Ubuntu 10.04 based VM appliance.
No writeups or analysis indexed.
References
- http://www.exploit-db.com/exploits/25001
- http://www.kb.cert.org/vuls/id/345260
- https://kb.groundworkopensource.com/display/SUPPORT/SA6.7.0-1+Some+web+components+allow+bypass+of+role+access+controls
- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130308-0_GroundWork_Monitoring_Multiple_critical_vulnerabilities_wo_poc_v10.txt