CVE-2013-6881
Published 2014-01-07
Priority: P2 (69) · Severity: critical · CVSS 2.0 base score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available (see references)
EPSS: 12.61% (95.7th percentile)
CRU Ditto Forensic FieldStation with firmware before 2013Oct15a allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) sector size or (2) skip count fields for the forensic imaging task.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cru-inc | ditto_forensic_fieldstation_firmware | <= 2013jun30a | — |
Detection & IOCs (extracted from sources)
- Detect command injection attempts via shell metacharacters in the 'sector size' or 'skip count' fields of the forensic imaging task HTTP request to the Ditto web application.
- The web server (lighttpd) and PHP engine run as root; any successful injection yields immediate full system access. Treat any web-originated process spawned as root as high-severity.
- Alert on SSH login attempts using the default credential pair 'ditto'/'ditto', especially from network-adjacent hosts, as this account has passwordless sudo.
- Flag presence or execution of 'netcat' on the Ditto device, as it is an unneeded daemon that can facilitate lateral movement or data exfiltration.
- Monitor for 'dd if=/dev/zero of=/dev/sda' or similar dd commands targeting source/evidence block devices, which could indicate exploitation of the missing write-block controls.
- The firmware version 2013Oct15a is the patched release; devices running firmware older than this date remain vulnerable to CVE-2013-6881 command injection.
- SSHd on the Ditto binds to the 'source' network port (intended for evidence/suspect networks), greatly expanding the attack surface for the default-credential issue.
- The embedded Linux system partition is mounted writable, enabling persistent malware deployment if the device is compromised.
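As an added defender-side illustration, not code from the advisory or from CRU's firmware: strict allowlist validation of the two numeric imaging fields, passing them to dd as an argv list so no shell ever parses them, and a check over constructed lighttpd-style access-log lines for the metacharacter pattern described above. The endpoint path `/image` and the parameter names `sector_size`/`skip_count` are assumptions; the real firmware's URLs are not given on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allowlist for both fields: an unsigned decimal integer and nothing else.
INT_RE = re.compile(r"[0-9]{1,12}")
# Characters a shell would interpret; used only to flag suspicious log entries.
SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\n]")

def validate_imaging_params(sector_size: str, skip_count: str) -> tuple[int, int]:
    """Reject anything that is not a plain integer before it can reach a command line."""
    for name, value in (("sector_size", sector_size), ("skip_count", skip_count)):
        if not INT_RE.fullmatch(value):
            raise ValueError(f"{name}: expected an unsigned integer, got {value!r}")
    bs, skip = int(sector_size), int(skip_count)
    if bs == 0 or bs & (bs - 1):          # sector sizes are positive powers of two
        raise ValueError("sector_size must be a positive power of two")
    return bs, skip

def build_dd_argv(src: str, dst: str, sector_size: str, skip_count: str) -> list[str]:
    """Build an argv list for subprocess.run(argv); never a shell string."""
    bs, skip = validate_imaging_params(sector_size, skip_count)
    return ["dd", f"if={src}", f"of={dst}", f"bs={bs}", f"skip={skip}", "conv=noerror,sync"]

# Constructed access-log lines in lighttpd's default format (hypothetical endpoint
# and parameter names; the last two carry URL-encoded shell metacharacters).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2013:12:00:01 +0000] "GET /image?sector_size=512&skip_count=0 HTTP/1.1" 200 42',
    '10.0.0.9 - - [10/Dec/2013:12:00:07 +0000] "GET /image?sector_size=512%3Bid&skip_count=0 HTTP/1.1" 200 42',
    '10.0.0.9 - - [10/Dec/2013:12:00:09 +0000] "GET /image?sector_size=4096&skip_count=1%7Cls HTTP/1.1" 200 42',
]

def find_injection_attempts(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (client_ip, field, decoded_value) for requests whose numeric fields
    contain shell metacharacters after URL decoding."""
    hits = []
    for line in lines:
        m = re.match(r'(\S+) .*?"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        ip, target = m.groups()
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for field in ("sector_size", "skip_count"):
            for value in params.get(field, []):
                if not INT_RE.fullmatch(value) and SHELL_META.search(value):
                    hits.append((ip, field, value))
    return hits
```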
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/124420/Ditto-Forensic-FieldStation-2013Oct15a-XSS-CSRF-Command-Execution.html
- http://seclists.org/fulldisclosure/2013/Dec/80
- http://secunia.com/advisories/55989
- http://www.cru-inc.com/support/software-downloads/ditto-firmware-updates/ditto-firmware-release-notes-2013jun30a/
- http://www.cru-inc.com/support/software-downloads/ditto-firmware-updates/ditto-firmware-release-notes-2013oct15a/
- http://www.exploit-db.com/exploits/30396