CVE-2014-5470
Published 2024-06-21
Priority P266 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 10.01% (95.0th percentile)
Actual Analyzer through 2014-08-29 allows code execution via shell metacharacters because untrusted input is used for part of the input data passed to an eval operation.
Detection & IOCs
- Detect exploitation attempts by monitoring HTTP requests to aa.php that include an 'ant' cookie with shell metacharacters (backticks, semicolons, pipe characters, etc.).
- Flag HTTP requests to aa.php with the 'anp' GET parameter combined with suspicious 'ant', 'anw', or 'anm' cookie values containing backtick or command-substitution patterns.
- A successful exploit response returns HTTP 302 with a Content-Type header matching 'image'; alert on this response pattern from aa.php following a request with shell-metacharacter cookies.
- Monitor for unauthenticated POST requests to view.php with the parameter 'act=vis_grpg' and 'grpg=201', which is used by the exploit to enumerate monitored hostnames prior to payload delivery.
- The exploit falls back to targeting '127.0.0.1' and 'localhost' as analytics hosts; requests to aa.php with anp=127.0.0.1 or anp=localhost alongside suspicious cookies are strong indicators of exploitation.
- The default TARGETURI is '/lite/', so all vulnerable paths are relative to this base; deployments under a different base path will have different absolute URLs for aa.php, view.php, admin.php, and code.php.
- The exploit requires a valid hostname or IP that is actively monitored by ActualAnalyzer (the 'anp' parameter); if no monitored host is found automatically, exploitation will fail unless ANALYZER_HOST is set manually.
- The vulnerability affects ActualAnalyzer version 2.81 and prior; the module was tested on versions 2.81 and 2.75 on Ubuntu.
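The indicators listed above, combined into one log-triage check. This is an added example, not a rule published by this page or by any vendor. It assumes request/response records from a proxy or WAF log that captures the Cookie header; the record field names, the indicator labels and the exact metacharacter set are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Metacharacter set is an assumption; the page names backticks, semicolons, pipes, "etc."
METACHARS = re.compile(r"[`;|&$()<>\n]")
SUBSTITUTION = re.compile(r"`|\$\(")
WATCHED_COOKIES = ("ant", "anw", "anm")

def parse_cookies(header):
    """Split a raw Cookie header by hand and percent-decode each value."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = unquote(value)
    return cookies

def indicators(req):
    """Return the indicator labels that one request/response record matches."""
    url = urlsplit(req["url"])
    script = url.path.rsplit("/", 1)[-1].lower()  # match the file name: base path varies
    hits = []
    if script == "aa.php":
        cookies = parse_cookies(req.get("cookie", ""))
        anp = parse_qs(url.query).get("anp", [])
        if METACHARS.search(cookies.get("ant", "")):
            hits.append("ant-metachar")
        if anp and any(SUBSTITUTION.search(cookies.get(c, "")) for c in WATCHED_COOKIES):
            hits.append("anp-with-substitution")
            if anp[0] in ("127.0.0.1", "localhost"):
                hits.append("anp-fallback-host")
        # The 302 + image response only counts after a suspicious request.
        if hits and req.get("status") == 302 and "image" in req.get("resp_type", ""):
            hits.append("success-response")
    elif script == "view.php" and req["method"] == "POST":
        form = parse_qs(req.get("body", ""))
        if form.get("act") == ["vis_grpg"] and form.get("grpg") == ["201"]:
            hits.append("host-enumeration")
    return hits

# Constructed sample records (not captured traffic).
SAMPLE = [
    {"method": "GET", "url": "/lite/aa.php?anp=www.example.test", "cookie": "ant=abc; anm=1",
     "status": 302, "resp_type": "image/gif"},
    {"method": "POST", "url": "/lite/view.php", "body": "act=vis_grpg&grpg=201"},
    {"method": "GET", "url": "/stats/aa.php?anp=localhost", "cookie": "ant=%60id%60",
     "status": 302, "resp_type": "image/gif"},
]

if __name__ == "__main__":
    for record in SAMPLE:
        print(record["url"], indicators(record))
```

Cookie values are percent-decoded before matching, so an encoded backtick is caught; the third record also shows why matching on the script name rather than on '/lite/' matters.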
No detection rules found.
Exploit-DB
ActualAnalyzer - 'ant' Cookie Command Execution (Metasploit)
exploitdb·2014-12-16
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 "ActualAnalyzer 'ant' Cookie Command Execution",
'Description' => %q{
This module exploits a command execution vulnerability in
ActualAnalyzer version 2.81 and prior.
The 'aa.php' file allows unauthenticated users to
execute arbitrary commands in the 'ant' cookie.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Benjamin Harris', # Discovery and exploit
'Brendan Coles ' # Metasploit
],
'References' =>
[
['EDB', '34450'],
['OSVDB', '110601']
],
'Payload' =>
{
'Space' => 4096, # HTTP cookie
'DisableNops' => true,
'BadChars' => "\x00"
},
'Arch' => ARCH_CMD,
Metasploit
ActualAnalyzer 'ant' Cookie Command Execution
metasploit
This module exploits a command execution vulnerability in ActualAnalyzer version 2.81 and prior. The 'aa.php' file allows unauthenticated users to execute arbitrary commands in the 'ant' cookie.
No writeups or analysis indexed.