CVE-2013-3632
Published: 2014-09-29
Priority: P2 · 75 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 56.84% (98.9th percentile)
The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.
Detection & IOCs (extracted from sources)
command
{"service":"Cron","method":"set","params":{"enable":true,"minute":"*","hour":"*","dayofmonth":"*","month":"*","dayofweek":"*","username":"root","command":"
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Openmediavault Crontab Manipulation Remote Code Execution/Privilege Escalation (CVE-2013-3652)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/rpc.php"; http.request_body; content:"|7b 22|service|22 3a 20 22|Cron|22 2c 20 22|method|22 3a 20 22|set|22 2c 20 22|params|22 3a 20 7b 22|"; startswith; fast_pattern; content:"|22|username|22 3a 20 22|root|22|"; content:"|22|command|22 3a 20 22|"; reference:cve,2013-3652; reference:url,attackerkb.com/topics/zl1kmXbAce/cve-2013-3632; classtype:trojan-activity; sid:2054658; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, tls_state TLSDecrypt, created_at 2024_07_24, cve CVE_2013_3652, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_07_24;)
bytes
|7b 22|service|22 3a 20 22|Cron|22 2c 20 22|method|22 3a 20 22|set|22 2c 20 22|params|22 3a 20 7b 22|
- Detect the exploit by matching an HTTP POST to /rpc.php whose JSON body begins with the Cron service 'set' method call, with the 'username' field set to 'root' and a 'command' field present.
- Exploitation requires prior authentication; monitor for a POST to /rpc.php with a JSON body containing service 'Authentication' and method 'login', immediately followed by a Cron 'set' request from the same session/cookie.
- The exploit sets all cron time fields (minute, hour, dayofmonth, month, dayofweek) to the wildcard '*' so the job runs every minute; alert on cron entries with all-wildcard scheduling submitted via rpc.php.
- All OpenMediaVault versions including the latest release 7.4.2-2 are reported vulnerable; treat any authenticated POST to /rpc.php invoking the Cron 'set' method as suspicious regardless of version.
- The Snort/Suricata rule (sid 2054658) cites CVE-2013-3652 in its msg, reference and metadata fields, but its attackerkb reference URL points to CVE-2013-3632; verify the correct CVE when deploying this rule to avoid mis-attribution.
- The rule requires TLS decryption to be effective against HTTPS-protected OpenMediaVault instances, as indicated by the tls_state metadata.
- Default credentials used by the Metasploit module are username 'admin' and password 'openmediavault'; detections or alerting on default-credential login attempts to /rpc.php may yield high-confidence signals.
- The exploit requires a WfsDelay of 60 seconds (one full minute) before the cron job fires; correlation rules should account for this delay between the POST request and any resulting reverse-shell callback.
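The checks in the bullets above, as an added example (not taken from any source quoted on this page): a JSON-aware detector for proxy or web-server logs that flags Cron 'set' calls to /rpc.php, tags root and all-wildcard schedules, and correlates a preceding login in the same session. The event schema (ts, session, method, uri, body), the 300-second LOGIN_WINDOW and the sample events are assumptions constructed for illustration; parsing the body goes beyond the byte signature, so the match does not depend on spacing or key order.

```python
import json

SCHEDULE_FIELDS = ("minute", "hour", "dayofmonth", "month", "dayofweek")
LOGIN_WINDOW = 300  # seconds between login and Cron 'set'; assumed tuning value

def parse_rpc(body):
    """Return (service, method, params) from an rpc.php JSON body."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None, None, {}
    if not isinstance(doc, dict) or not isinstance(doc.get("params"), dict):
        return None, None, {}
    return doc.get("service"), doc.get("method"), doc["params"]

def scan(events):
    """events: time-ordered dicts with ts, session, method, uri, body (assumed schema)."""
    last_login, alerts = {}, []
    for ev in events:
        if ev["method"] != "POST" or ev["uri"].split("?")[0] != "/rpc.php":
            continue
        service, method, params = parse_rpc(ev["body"])
        if (service, method) == ("Authentication", "login"):
            last_login[ev["session"]] = ev["ts"]
        elif (service, method) == ("Cron", "set"):
            findings = ["cron-set"]  # every Cron 'set' is reported, per the guidance above
            if params.get("username") == "root":
                findings.append("runs-as-root")
            if all(params.get(f) == "*" for f in SCHEDULE_FIELDS):
                findings.append("all-wildcard-schedule")
            login_ts = last_login.get(ev["session"])
            if login_ts is not None and 0 <= ev["ts"] - login_ts <= LOGIN_WINDOW:
                findings.append("login-then-cron-set")
            alerts.append({"ts": ev["ts"], "session": ev["session"], "findings": findings})
    return alerts

# Constructed sample events (not real traffic); command and password are placeholders.
def _ev(ts, session, service, method, **params):
    body = json.dumps({"service": service, "method": method, "params": params}, separators=(",", ":"))
    return {"ts": ts, "session": session, "method": "POST", "uri": "/rpc.php", "body": body}

WILD = dict(minute="*", hour="*", dayofmonth="*", month="*", dayofweek="*")
SAMPLE_EVENTS = [
    _ev(100, "s1", "Authentication", "login", username="admin", password="placeholder"),
    _ev(102, "s1", "Cron", "set", username="root", command="/bin/true", **WILD),
    _ev(900, "s2", "Cron", "set", username="backup", command="/bin/true", **{**WILD, "minute": "0"}),
]
```

Calling scan(SAMPLE_EVENTS) returns one alert per Cron 'set' request, each with the list of findings that applied.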
CVSS provenance
nvd · v3.1 · 8.8 · HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 9.0 · CRITICAL · AV:N/AC:L/Au:S/C:C/I:C/A:C
vendor_redhat · 7.6 · HIGH
GHSA
GHSA-9xh9-rv54-r5w7: The Cron service in rpc
ghsa_unreviewed·2022-05-17
CVE-2013-3632 [HIGH] GHSA-9xh9-rv54-r5w7: The Cron service in rpc
The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.
Red Hat
openstack-neutron: regression of fix for CVE-2013-6433
vendor_redhat·2014-09-12·CVSS 7.6
CVE-2014-3632 [HIGH] openstack-neutron: regression of fix for CVE-2013-6433
The default configuration in a sudoers file in the Red Hat openstack-neutron package before 2014.1.2-4, as used in Red Hat Enterprise Linux Open Stack Platform 5.0 for Red Hat Enterprise Linux 6, allows remote attackers to gain privileges via a crafted configuration file. NOTE: this vulnerability exists because of a CVE-2013-6433 regression.
It was discovered that the openstack-neutron package in Red Hat Enterprise Linux Open Stack Platform 5.0 for Red Hat Enterprise Linux 6 was released with a sudoers file containing a configuration error. This error caused OpenStack Networking to be vulnerable to the CVE-2013-6433 issue.
Package: openstack-neutron (Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7) - Not affect
Suricata
ET WEB_SPECIFIC_APPS Openmediavault Crontab Manipulation Remote Code Execution/Privilege Escalation (CVE-2013-3652)
suricata·2024-07-24·CVSS 4.3
CVE-2013-3652 [MEDIUM] ET WEB_SPECIFIC_APPS Openmediavault Crontab Manipulation Remote Code Execution/Privilege Escalation (CVE-2013-3652)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Openmediavault Crontab Manipulation Remote Code Execution/Privilege Escalation (CVE-2013-3652)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/rpc.php"; http.request_body; content:"|7b 22|service|22 3a 20 22|Cron|22 2c 20 22|method|22 3a 20 22|set|22 2c 20 22|params|22 3a 20 7b 22|"; startswith; fast_pattern; content:"|22|username|22 3a 20 22|root|22|"; content:"|22|command|22 3a 20 22|"; reference:cve,2013-3652; reference:url,attackerkb.com/topics/zl1kmXbAce/cve-2013-3632; classtype:trojan-activity; sid:2054658; rev:1; metadata:affected_product Web_Server_Applications, attack
Exploit-DB
OpenMediaVault Cron - Remote Command Execution (Metasploit)
exploitdb·2013-10-31
CVE-2013-3632 OpenMediaVault Cron - Remote Command Execution (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'OpenMediaVault Cron Remote Command Execution',
'Description' => %q{
OpenMediaVault allows an authenticated user to create cron jobs as arbitrary users on the system.
An attacker can abuse this to run arbitrary commands as any user available on the system (including root).
},
'License' => MSF_LICENSE,
'Author' =>
[
'Brandon Perry ' # Discovery / msf module
],
'References' =>
[
['CVE', '2013-3632'],
['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats']
],
'Privileged' => true,
'DefaultOptions' => { 'WfsDelay
Metasploit
OpenMediaVault rpc.php Authenticated Cron Remote Code Execution
metasploit
OpenMediaVault allows an authenticated user to create cron jobs as root on the system. An attacker can abuse this by sending a POST request via rpc.php to schedule and execute a cron entry that runs arbitrary commands as root on the system. All OpenMediaVault versions including the latest release 7.4.2-2 are vulnerable.
- http://osvdb.org/99143
- http://www.exploit-db.com/exploits/29323
- http://www.securityfocus.com/bid/62873
- https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one
- https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats
- https://packetstormsecurity.com/files/179859
Published: 2014-09-29