CVE-2013-3632
published 2014-09-29


Priority: P275 high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 56.84% (98.9th percentile)
The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.

Detection & IOCs (extracted from sources)

command: {"service":"Cron","method":"set","params":{"enable":true,"minute":"*","hour":"*","dayofmonth":"*","month":"*","dayofweek":"*","username":"root","command":"
command: {"service":"Authentication","method":"login","params":{"username":"...","password":"..."}}
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Openmediavault Crontab Manipulation Remote Code Execution/Privilege Escalation (CVE-2013-3652)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/rpc.php"; http.request_body; content:"|7b 22|service|22 3a 20 22|Cron|22 2c 20 22|method|22 3a 20 22|set|22 2c 20 22|params|22 3a 20 7b 22|"; startswith; fast_pattern; content:"|22|username|22 3a 20 22|root|22|"; content:"|22|command|22 3a 20 22|"; reference:cve,2013-3652; reference:url,attackerkb.com/topics/zl1kmXbAce/cve-2013-3632; classtype:trojan-activity; sid:2054658; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, tls_state TLSDecrypt, created_at 2024_07_24, cve CVE_2013_3652, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_07_24;)
bytes
|7b 22|service|22 3a 20 22|Cron|22 2c 20 22|method|22 3a 20 22|set|22 2c 20 22|params|22 3a 20 7b 22|
  • Detect exploitation by matching an HTTP POST to /rpc.php whose JSON body begins with the Cron service 'set' method call, with the 'username' field set to 'root' and a 'command' field present.
  • Exploitation requires prior authentication; monitor for POST to /rpc.php with JSON body containing service 'Authentication' and method 'login' immediately followed by a Cron 'set' request from the same session/cookie.
  • The exploit sets all cron time fields to wildcard '*' (minute, hour, dayofmonth, month, dayofweek) to trigger execution every minute — alert on cron entries with all-wildcard scheduling submitted via rpc.php.
  • All OpenMediaVault versions including the latest release 7.4.2-2 are reported vulnerable; treat any authenticated POST to /rpc.php invoking the Cron 'set' method as suspicious regardless of version.
  • The Snort/Suricata rule references CVE-2013-3652 in its msg, reference and metadata fields, but the attackerkb reference URL points to CVE-2013-3632; verify the correct CVE when deploying this rule to avoid mis-attribution.
  • The rule requires TLS decryption to be effective against HTTPS-protected OpenMediaVault instances, as indicated by the tls_state metadata.
  • Default credentials used by the Metasploit module are username 'admin' and password 'openmediavault'; detections or alerting on default-credential login attempts to /rpc.php may yield high-confidence signals.
  • The exploit requires a WfsDelay of 60 seconds (one full minute) before the cron job fires; correlation rules should account for this delay between the POST request and any resulting reverse-shell callback.
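
The checks in the notes above can also be run over parsed request logs instead of raw bytes. This is an added example, not code from the page or from any project it cites; the event tuple layout, the session ids, the sample bodies and the function name `score` are assumptions made for the illustration. Because the rule's byte pattern contains literal spaces after each colon and comma, the example also records whether each body would match that prefix, which shows why parsing the JSON is the more robust check.

```python
import json

# Constructed sample events: (session id, method, URI, request body). Not captured traffic.
EVENTS = [
    ("s1", "POST", "/rpc.php", '{"service": "Authentication", "method": "login", '
        '"params": {"username": "admin", "password": "x"}}'),
    ("s1", "POST", "/rpc.php", '{"service":"Cron","method":"set","params":{"enable":true,'
        '"minute":"*","hour":"*","dayofmonth":"*","month":"*","dayofweek":"*",'
        '"username":"root","command":"/bin/true"}}'),
    ("s2", "POST", "/rpc.php", '{"service": "Cron", "method": "set", "params": {"enable": true, '
        '"minute": "0", "hour": "3", "dayofmonth": "*", "month": "*", "dayofweek": "*", '
        '"username": "backup", "command": "/usr/local/bin/backup.sh"}}'),
    ("s3", "POST", "/rpc.php", "not json"),
]
SCHEDULE = ("minute", "hour", "dayofmonth", "month", "dayofweek")
# The rule's byte pattern written out as text (note the ': ' and ', ' spacing).
RULE_PREFIX = '{"service": "Cron", "method": "set", "params": {"'

def score(events):
    """Return one finding per Cron 'set' call, listing the indicators it matched."""
    logged_in, findings = set(), []
    for session, method, uri, body in events:
        if method != "POST" or not uri.startswith("/rpc.php"):
            continue
        try:
            req = json.loads(body)
        except ValueError:
            continue  # malformed body: nothing to evaluate
        if not isinstance(req, dict):
            continue
        params = req.get("params")
        params = params if isinstance(params, dict) else {}
        if req.get("service") == "Authentication" and req.get("method") == "login":
            logged_in.add(session)
        elif req.get("service") == "Cron" and req.get("method") == "set":
            reasons = ["cron_set"]
            if params.get("username") == "root":
                reasons.append("username_root")
            if all(params.get(f) == "*" for f in SCHEDULE):
                reasons.append("all_wildcard_schedule")
            if session in logged_in:
                reasons.append("follows_login_in_session")
            findings.append({"session": session, "reasons": reasons,
                             "rule_prefix_matches": body.startswith(RULE_PREFIX)})
    return findings

if __name__ == "__main__":
    for finding in score(EVENTS):
        print(finding)
```

In the constructed data, the compactly serialized request in session s1 matches every indicator yet does not start with the rule's byte prefix, while the routine backup job in s2 starts with the prefix but matches only the base `cron_set` indicator.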

CVSS provenance

nvd v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
vendor_redhat: 7.6 HIGH