CVE-2019-10655
Published: 2019-03-30
CVE-2019-10655: Grandstream GAC2500 1.0.3.35, GXP2200 1.0.3.27, GVC3202 1.0.3.51, GXV3275 before 1.0.3.219 Beta, and GXV3240 before 1.0.3.219 Beta devices allow…
Priority: P187 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 15.35% (96.4th percentile)
Grandstream GAC2500 1.0.3.35, GXP2200 1.0.3.27, GVC3202 1.0.3.51, GXV3275 before 1.0.3.219 Beta, and GXV3240 before 1.0.3.219 Beta devices allow unauthenticated remote code execution via shell metacharacters in a /manager?action=getlogcat priority field, in conjunction with a buffer overflow (via the phonecookie cookie) to overwrite a data structure and consequently bypass authentication. This can be exploited remotely or via CSRF because the cookie can be placed in an Accept HTTP header in an XMLHttpRequest call to lighttpd.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grandstream | gac2500_firmware | <= 1.0.3.35 | — |
| grandstream | gvc3202_firmware | < 1.0.3.51 | 1.0.3.51 |
| grandstream | gxp2200_firmware | <= 1.0.3.27 | — |
| grandstream | gxv3240_firmware | < 1.0.3.219 | 1.0.3.219 |
| grandstream | gxv3275_firmware | < 1.0.3.219 | 1.0.3.219 |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring HTTP requests to /manager?action=getlogcat containing shell metacharacters in the 'priority' parameter, combined with an oversized or 93-character alphanumeric 'phonecookie' cookie value.
- Detect exploitation attempts by monitoring HTTP requests to /manager?action=settimezone containing shell metacharacters or command injection payloads in the 'timezone' parameter.
- Alert on HTTP requests to Grandstream lighttpd web interfaces where the 'phonecookie' cookie appears in an Accept HTTP header within an XMLHttpRequest, which is the CSRF/remote delivery vector for this exploit.
- Flag unauthenticated requests to the /manager endpoint on Grandstream GAC2500, GXP2200, GVC3202, GXV3275, GXV3240, GXV3175, and GXV3140 devices, especially those carrying oversized phonecookie values (93+ alphanumeric characters).
- The exploit chain requires two conditions simultaneously: a shell metacharacter injection in the vulnerable action parameter AND a 93-character alphanumeric phonecookie buffer overflow to bypass authentication. Detection rules should account for both conditions together to reduce false positives.
- The Metasploit module targets GXV3175v2 (fw 1.0.1.19) and GXV3140 (fw 1.0.1.27) via the settimezone vector, while the NVD entry references getlogcat on GAC2500, GXP2200, GVC3202, GXV3275, and GXV3240. Detection coverage should span both action endpoints across all affected model families.
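The detection guidance above can be turned into a request classifier that checks both halves of the chain (a shell metacharacter in the vulnerable action's parameter, and an oversized alphanumeric phonecookie, whether it arrives in the Cookie header or smuggled into Accept). The following is an added example written for this page, not code from any of the cited sources or from Grandstream; the HTTP requests it inspects are constructed samples, and the severity labels, the 93-character threshold and the metacharacter set are assumptions taken from the bullets above, not from a vendor specification.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Vulnerable /manager actions named in the sources and the parameter each passes to the shell.
VULNERABLE_PARAMS = {"getlogcat": "priority", "settimezone": "timezone"}
# Characters that are significant to a shell; any of them in the injected parameter is suspicious.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")
# Documented overflow length for the phonecookie value (93+ alphanumeric characters).
PHONECOOKIE_MIN_LEN = 93
ALNUM = re.compile(r"^[A-Za-z0-9]+$")
# The cookie may arrive in Cookie: or be placed in Accept: by an XMLHttpRequest (CSRF vector).
PHONECOOKIE_RE = re.compile(r"phonecookie=([^;,\s]*)")


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def phonecookies(headers):
    """Yield (header_name, value) for every phonecookie found in Cookie or Accept."""
    for hdr in ("cookie", "accept"):
        for m in PHONECOOKIE_RE.finditer(headers.get(hdr, "")):
            yield hdr, m.group(1)


def analyze(raw: str):
    """Return (severity, findings) for one request.

    'high'   : metacharacters in the vulnerable parameter AND an oversized phonecookie,
               i.e. both halves of the documented chain are present.
    'medium' : only one indicator, or a phonecookie delivered via the Accept header.
    'none'   : nothing matched.
    """
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    if url.path != "/manager":
        return "none", []
    # parse_qs percent-decodes, so %3B is seen as ';'. Form-encoded bodies are merged in too.
    params = parse_qs(url.query, keep_blank_values=True)
    if method == "POST" and "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        for k, v in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(k, []).extend(v)

    findings = []
    injected = overflow = False
    action = params.get("action", [""])[0]
    param = VULNERABLE_PARAMS.get(action)
    if param:
        for value in params.get(param, []):
            if SHELL_META.search(value):
                findings.append(f"shell metacharacters in '{param}' (action={action})")
                injected = True
    for hdr, value in phonecookies(headers):
        if len(value) >= PHONECOOKIE_MIN_LEN and ALNUM.match(value):
            findings.append(f"oversized alphanumeric phonecookie ({len(value)} chars) in {hdr} header")
            overflow = True
        if hdr == "accept":
            findings.append("phonecookie carried in Accept header (CSRF/XHR delivery vector)")
    if injected and overflow:
        return "high", findings
    return ("medium" if findings else "none"), findings


# Constructed sample requests (not real captures) covering the three outcomes.
SAMPLE_REQUESTS = {
    "benign": (
        "GET /manager?action=getlogcat&priority=3 HTTP/1.1\r\n"
        "Host: phone.example\r\n"
        "Cookie: phonecookie=ab12cd34\r\n\r\n"
    ),
    "getlogcat_chain": (
        "GET /manager?action=getlogcat&priority=3%3Bx HTTP/1.1\r\n"
        "Host: phone.example\r\n"
        "Cookie: phonecookie=" + "A" * 93 + "\r\n\r\n"
    ),
    "settimezone_accept": (
        "POST /manager?action=settimezone HTTP/1.1\r\n"
        "Host: phone.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Accept: text/html, phonecookie=ab12cd34\r\n\r\n"
        "timezone=UTC|x"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        severity, findings = analyze(raw)
        print(f"{name}: {severity} {findings}")
```

Only the combination of injection and overflow is rated high, which follows the false-positive advice in the bullets: a lone metacharacter in a timezone string or a single long cookie is worth a look, but the authentication bypass needs both. Because parse_qs decodes percent-encoding before matching, an encoded `%3B` is treated the same as a literal `;`.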
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | CVSS v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | CVSS v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-q9j6-px2x-x688: Grandstream GAC2500 1
ghsa_unreviewed · 2022-05-13
CVE-2019-10655 [CRITICAL] CWE-119 GHSA-q9j6-px2x-x688: Grandstream GAC2500 1
VulnCheck
Grandstream gac2500_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2019 · CVSS 9.8
CVE-2019-10655 [CRITICAL]
Affected: Grandstream gac2500_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the produ
No detection rules found.
Unit42
## Two New IoT Vulnerabilities Identified with Mirai Payloads
blogs_unit42 · 2020-10-14
Authors: Ken Hsu, Yue Guan, Vaibhav Singhal, Qi Deng
Published: October 14, 2020
Tags: Threat Research, Vulnerabilities, IoT, Mirai
## Executive Summary
Palo Alto Networks is proactively trying to safeguard its customers from attacks however possible. By leveraging its Next-Generation Firewall as sensors on the perimeter to detect malicious payloads and attack patterns, Unit 42 researchers are able to hunt down the menaces out there on the network, be they known or not.
Unit 42 researchers have taken a closer look at four Mirai variants from two recently discovered campaigns leveraging command injection vulnerability exploits that reveal a familiar IoT attack pattern.
While this generic approach allows researchers to observe the entire killchain and even acquire the malware binary from the attack, this post-exploitation heuristic does have its caveat: the traffic fingerprinting. Similar services yield similar traffi
References
- http://packetstormsecurity.com/files/165643/Grandstream-GXV3175-Unauthenticated-Command-Execution.html
- http://packetstormsecurity.com/files/165931/Grandstream-GXV31XX-settimezone-Unauthenticated-Command-Execution.html
- https://github.com/scarvell/grandstream_exploits
- https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=23920&dl=1