CVE-2015-5453
Published 2015-07-08
Priority: P2 (62) · CVSS 2.0: 6.5 (medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 57.31% (99.0th percentile)
Watchguard XCS 9.2 and 10.0 before build 150522 allow remote authenticated users to execute arbitrary commands via shell metacharacters in the id parameter to ADMIN/mailqueue.spl.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| watchguard | xcs | 9.2, before build 150522 | build 150522 (security hotfix) |
| watchguard | xcs | 10.0, before build 150522 | build 150522 (security hotfix) |
Detection & IOCs (extracted from sources)
Indicator (cookie): `sid=1%3BINSERT INTO sds_users (self, login, password, org, priv_level, quota, disk_usage) VALUES(...)`
- Detect SQLi exploitation attempts via the session cookie: look for HTTP requests to /borderpost/imp/compose.php3 where the 'sid' cookie contains SQL metacharacters (for example a single quote, or a URL-encoded semicolon followed by an INSERT statement targeting the sds_users table).
- Detect OS command injection via GET requests to /ADMIN/mailqueue.spl where the 'id' parameter begins with a semicolon (shell metacharacter), e.g. `?f=dnld&id=;<command>`. URL-decode the parameter before matching, since the semicolon may arrive as `%3B`.
- Successful exploitation results in command execution as uid=65534 (nobody). Responses from /ADMIN/mailqueue.spl containing 'uid=65534' indicate a successful `id` injection; note that ordinary web server access logs do not record response bodies, so this requires a reverse proxy, WAF or full-content capture that can inspect the decrypted response.
- Vulnerability check probe: an HTTP request to /borderpost/imp/compose.php3 with the cookie `sid=1'` (single quote). A response body containing 'unterminated quoted string' confirms the SQLi is present; the same string in a captured response is a useful detection for scanning.
- Post-exploitation payload delivery: watch for outbound curl requests from the appliance to attacker-controlled URLs, followed by execution of randomly named binaries dropped in /tmp/.
- The exploit targets Watchguard XCS 9.2 and 10.0 before build 150522 over HTTPS (port 443). Scope detection rules to these versions and this port.
- The exploit chain combines two vulnerabilities: an unauthenticated SQL injection (to add a rogue web user) and an authenticated OS command injection. Detection must cover both stages independently, as an attacker with pre-existing valid credentials can skip the SQLi stage and go directly to command injection.
- The rogue username and password default to 'backdoor'/'backdoor' in the Metasploit module but are configurable; do not rely solely on credential-based detection for the added account.
- The password hash uses a device-specific salting scheme (BorderWare prefix and suffix salts, double MD5). Detecting newly inserted sds_users rows, or logins by accounts that did not exist at the last known-good baseline, is more reliable than matching password values.
- The dropped payload filename is randomly generated (8 lowercase alphabetic characters) under /tmp/, making static filename-based detection unreliable; use behavioral detection for execution of binaries from /tmp/ by the 'nobody' user.
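Detection logic for both stages of the chain listed above (the 'sid' cookie SQLi on /borderpost/imp/compose.php3 and the 'id' command injection on /ADMIN/mailqueue.spl), plus the host-side check for the randomly named /tmp/ payload, run over constructed sample log lines. This is an added example, not code from the CVE page or from the Metasploit module: it assumes an access-log format extended with the request's Cookie header as a final quoted field (a default combined log does not record cookies), and every sample line, address and session value below is constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed log format (not the appliance's own): combined-style access log with the
# request's Cookie header appended as a last quoted field, so the 'sid' cookie is visible.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)

SHELL_META = re.compile(r'[;|&`$\n]')         # shell metacharacters in the decoded 'id' value
SQL_META = re.compile(r"['\";]")              # quote or statement separator in the decoded 'sid'
SQL_WRITE = re.compile(r'\bINSERT\b.*\bsds_users\b', re.I | re.S)
TMP_DROP = re.compile(r'^/tmp/[a-z]{8}$')     # 8 random lowercase letters under /tmp/
NOBODY_UID = 65534

# Constructed sample lines: one benign and one malicious request per stage.
SAMPLE_LOG = [
    '203.0.113.5 - admin [09/Jul/2015:10:00:01 +0000] "GET /ADMIN/mailqueue.spl?f=dnld&id=12345 HTTP/1.1" 200 512 "sid=abc123"',
    '198.51.100.7 - - [09/Jul/2015:10:00:02 +0000] "GET /ADMIN/mailqueue.spl?f=dnld&id=%3Bid HTTP/1.1" 200 87 "sid=abc123"',
    '198.51.100.7 - - [09/Jul/2015:10:00:03 +0000] "GET /borderpost/imp/compose.php3 HTTP/1.1" 500 0 "sid=1%27"',
    '198.51.100.7 - - [09/Jul/2015:10:00:04 +0000] "GET /borderpost/imp/compose.php3 HTTP/1.1" 500 0 '
    '"sid=1%3BINSERT%20INTO%20sds_users%20(self,login,password)%20VALUES(1,%27backdoor%27,%27x%27)"',
    '203.0.113.5 - - [09/Jul/2015:10:00:05 +0000] "GET /borderpost/imp/compose.php3 HTTP/1.1" 200 2048 "sid=9f3a"',
]


def query_params(query):
    """Split a query string on '&' only: a ';' here is payload, never a separator."""
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params.setdefault(unquote(key), []).append(unquote(value))
    return params


def cookie_values(header):
    """Parse 'k=v; k2=v2' into a dict, URL-decoding values after splitting on the raw ';'."""
    cookies = {}
    for part in header.split(';'):
        key, sep, value = part.strip().partition('=')
        if sep:
            cookies[key] = unquote(value)
    return cookies


def inspect(line):
    """Return a list of (stage, detail) findings for one log line; [] when benign."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    url = urlsplit(m['target'])
    # Stage 2: authenticated OS command injection through the 'id' parameter.
    if url.path.lower() == '/admin/mailqueue.spl':
        for value in query_params(url.query).get('id', []):
            if SHELL_META.search(value):
                findings.append(('cmd-injection', f'id={value!r}'))
    # Stage 1: unauthenticated SQLi through the 'sid' cookie.
    if url.path == '/borderpost/imp/compose.php3':
        sid = cookie_values(m['cookie']).get('sid', '')
        if SQL_WRITE.search(sid):
            findings.append(('sqli-exploit', 'sid carries INSERT into sds_users (rogue web user)'))
        elif SQL_META.search(sid):
            findings.append(('sqli-probe', f'sid={sid!r}'))
    return findings


def scan(lines):
    return [inspect(line) for line in lines]


def suspicious_tmp_exec(path, uid):
    """Host-side check for the post-exploitation stage: an 8-letter random binary
    under /tmp/ executed as 'nobody' (uid 65534), as process telemetry would report it."""
    return uid == NOBODY_UID and TMP_DROP.match(path) is not None


if __name__ == '__main__':
    for line, found in zip(SAMPLE_LOG, scan(SAMPLE_LOG)):
        print(found or 'benign', '<-', line[:60])
```

The 'uid=65534' response indicator from the list above is deliberately absent: it cannot be derived from access logs and needs response-body inspection in front of the appliance. `suspicious_tmp_exec` is meant to be fed from process-execution telemetry on the host, not from the web log.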
No detection rules found.
Exploit-DB: Watchguard XCS - Remote Command Execution (Metasploit) · exploitdb · 2015-09-28 · https://www.exploit-db.com/exploits/38346/
---
Module header excerpt (the class declaration and `initialize` wrapper were lost in extraction and are restored here in the standard Metasploit 4 form; rank, mixins beyond HttpClient, references, targets, options, and the check and exploit methods are not part of this excerpt):

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Watchguard XCS Remote Command Execution',
      'Description' => %q{
        This module exploits two separate vulnerabilities found in the Watchguard XCS virtual
        appliance to gain command execution. By exploiting an unauthenticated SQL injection, a
        remote attacker may insert a valid web user into the appliance database, and get access
        to the web interface. On the other hand, a vulnerability in the web interface allows the
        attacker to inject operating system commands as the 'nobody' user.
      },
      'Author'      =>
        [
          'Daniel Jensen' # discovery and Metasploit module
        ],
      'License'     => MSF_LICENSE
      # ... remaining module metadata, check and exploit methods omitted in this excerpt
    ))
  end
end
```
Metasploit: Watchguard XCS Remote Command Execution (exploit/freebsd/http/watchguard_cmd_exec)
This module exploits two separate vulnerabilities found in the Watchguard XCS virtual appliance to gain command execution. By exploiting an unauthenticated SQL injection, a remote attacker may insert a valid web user into the appliance database, and get access to the web interface. On the other hand, a vulnerability in the web interface allows the attacker to inject operating system commands as the 'nobody' user.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/132498/Watchguard-XCS-10.0-SQL-Injection-Command-Execution.html
- http://packetstormsecurity.com/files/133721/Watchguard-XCS-Remote-Command-Execution.html
- http://www.rapid7.com/db/modules/exploit/freebsd/http/watchguard_cmd_exec
- http://www.security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf
- http://www.securityfocus.com/bid/75516
- http://www.watchguard.com/support/release-notes/xcs/10/en-US/EN_Release_Notes_XCS_v10_0_Security_Hotfix/EN_Release_Notes_XCS_v10_0_Security_Hotfix.pdf
- http://www.watchguard.com/support/release-notes/xcs/9/en-US/EN_ReleaseNotes_XCS_9_2_Security_Hotfix/EN_Release_Notes_XCS_v9_2_Security_Hotfix.pdf
- https://www.exploit-db.com/exploits/38346/