CVE-2014-5073
Published 2014-08-29
Priority P2 · 78 · high · CVSS 2.0 score 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit available · EPSS 73.45% (99.4th percentile)
vmtadmin.cgi in VMTurbo Operations Manager before 4.6 build 28657 allows remote attackers to execute arbitrary commands via shell metacharacters in the fileDate parameter in a DOWN call.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmturbo | operations_manager | <= 4.6 | — |
| vmturbo | operations_manager | — | — |
| vmturbo | operations_manager | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring HTTP GET requests to /cgi-bin/vmtadmin.cgi with callType=DOWN and actionType=CFGBACKUP, especially where the fileDate parameter contains shell metacharacters such as backticks or backtick-wrapped command strings.
- Fingerprint vulnerable VMTurbo instances by sending a GET request to /cgi-bin/vmtadmin.cgi?callType=ACTION&actionType=VERSIONS and parsing the response for the pattern vmtbuild:<digits>,vmtrelease:<version>,vmtbits:<digits>,osbits:<digits>; versions prior to 4.6 build 28657 are vulnerable.
- The vulnerability is a blind OS command injection: no command output is returned in the HTTP response. Detection should rely on out-of-band indicators (e.g., unexpected outbound connections, DNS lookups, or new processes spawned by the CGI process) rather than response content inspection.
- The exploit requires no authentication. Any unauthenticated HTTP GET to the vulnerable endpoint with a crafted fileDate parameter should be treated as a high-confidence attack indicator.
- The Metasploit module uses a printf-based CmdStager (flavor: printf) to stage ELF payloads onto the target; detection rules should account for sequences of short printf commands written to a temp path followed by a chmod/exec sequence.
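The first two indicators above translate directly into code: a log-side check that flags DOWN calls whose fileDate carries shell metacharacters, and a parser for the VERSIONS response that decides whether a discovered instance predates the fixed build. The following is an added example written for this page, not code from the CVE record or from the VMTurbo product; it assumes Apache combined-log style access-log lines (constructed samples embedded below, with a harmless `%60id%60` value standing in for a backtick-wrapped string) and assumes build numbers increase monotonically within a release, so a (release, build) tuple comparison against 4.6 / 28657 is a valid "before fixed version" test.

```python
import re
from urllib.parse import urlsplit, parse_qs

VULN_PATH = "/cgi-bin/vmtadmin.cgi"
FIXED_RELEASE = (4, 6)      # from the advisory: fixed in 4.6 build 28657
FIXED_BUILD = 28657

# Characters that let a parameter value break out of a shell command line.
SHELL_METACHARS = re.compile(r"[`;|&$(){}<>\n]")

# Pattern quoted in the IOC notes for the VERSIONS response.
VERSION_RE = re.compile(
    r"vmtbuild:(?P<build>\d+),vmtrelease:(?P<release>[\d.]+),vmtbits:\d+,osbits:\d+"
)

# Apache combined-log style line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Constructed sample access-log lines (assumption: not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Aug/2014:10:01:02 +0000] "GET /cgi-bin/vmtadmin.cgi?callType=DOWN&actionType=CFGBACKUP&fileDate=2014-08-14 HTTP/1.1" 200 512
10.0.0.9 - - [14/Aug/2014:10:01:07 +0000] "GET /cgi-bin/vmtadmin.cgi?callType=DOWN&actionType=CFGBACKUP&fileDate=%60id%60 HTTP/1.1" 200 512
10.0.0.9 - - [14/Aug/2014:10:01:09 +0000] "GET /cgi-bin/vmtadmin.cgi?callType=ACTION&actionType=VERSIONS HTTP/1.1" 200 80
10.0.0.3 - - [14/Aug/2014:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""


def classify_request(line):
    """Return (verdict, detail) for one access-log line.

    verdict is 'exploit_attempt', 'version_probe', 'benign' or 'unparsed'.
    """
    m = LOG_RE.match(line)
    if not m:
        return ("unparsed", None)
    url = urlsplit(m.group("target"))
    if url.path != VULN_PATH:
        return ("benign", None)
    # parse_qs percent-decodes values, so %60 arrives as a literal backtick.
    params = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    call_type = params.get("callType", "").upper()
    action = params.get("actionType", "").upper()
    if call_type == "ACTION" and action == "VERSIONS":
        # Reconnaissance of the version endpoint: worth noting, not an exploit.
        return ("version_probe", m.group("src"))
    if call_type == "DOWN":
        file_date = params.get("fileDate", "")
        if SHELL_METACHARS.search(file_date):
            return ("exploit_attempt", {"src": m.group("src"), "fileDate": file_date})
    return ("benign", None)


def scan_log(text):
    """Run classify_request over every non-empty line; drop benign results."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        verdict, detail = classify_request(line)
        if verdict != "benign":
            findings.append((verdict, detail))
    return findings


def is_vulnerable_version(response_text):
    """Parse a VERSIONS response; True if before 4.6 build 28657, None if unparseable."""
    m = VERSION_RE.search(response_text)
    if not m:
        return None
    release = tuple(int(p) for p in m.group("release").split("."))
    build = int(m.group("build"))
    # Assumption: builds are ordered within a release, so tuple order is the fix order.
    return (release, build) < (FIXED_RELEASE, FIXED_BUILD)


if __name__ == "__main__":
    for verdict, detail in scan_log(SAMPLE_LOG):
        print(verdict, detail)
    print(is_vulnerable_version("vmtbuild:28656,vmtrelease:4.6,vmtbits:64,osbits:64"))
```

Because the injection is blind, the HTTP response carries no signal; the log check is the practical in-band detection, and the version parser is for inventorying exposed instances from a response you already have (for example from a scan you run against your own hosts), not for producing attack traffic.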
No detection rules found.
Exploit-DB
VMTurbo Operations Manager 4.6 - 'vmtadmin.cgi' Remote Command Execution (Metasploit)
exploitdb·2014-08-14
```ruby
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'VMTurbo Operations Manager 4.6 vmtadmin.cgi Remote Command Execution',
'Description' => %q{
VMTurbo Operations Manager 4.6 and prior are vulnerable to unauthenticated
OS Command injection in the web interface. Use reverse payloads for the most
reliable results. Since it is a blind OS command injection vulnerability,
there is no output for the executed command when using the cmd generic payload.
Port binding payloads are disregarded due to the restrictive firewall settings.
This module has been tested successfully on VMTurbo O
```
Metasploit
VMTurbo Operations Manager vmtadmin.cgi Remote Command Execution
VMTurbo Operations Manager 4.6 and prior are vulnerable to unauthenticated OS Command injection in the web interface. Use reverse payloads for the most reliable results. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the cmd generic payload. Port binding payloads are disregarded due to the restrictive firewall settings. This module has been tested successfully on VMTurbo Operations Manager versions 4.5 and 4.6.
No writeups or analysis indexed.
References
- http://disse.cting.org/2014/07/30/vmturbo-operation-manager-remote-command-execution/
- http://packetstormsecurity.com/files/127864/VMTurbo-Operations-Manager-4.6-vmtadmin.cgi-Remote-Command-Execution.html
- http://secunia.com/advisories/58880
- http://secunia.com/secunia_research/2014-8/
- http://www.exploit-db.com/exploits/34335
- http://www.osvdb.org/109572
- http://www.securityfocus.com/bid/69225
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95319