CVE-2020-13167
Published 2020-05-19
Priority: P1 · 91 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 95.42% (99.9th percentile)
Netsweeper through 6.4.3 allows unauthenticated remote code execution because webadmin/tools/unixlogin.php (with certain Referer headers) launches a command line with client-supplied parameters, and allows injection of shell metacharacters.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netsweeper | netsweeper | <= 6.4.3 | — |
Detection & IOCs (extracted from sources)
URL: /webadmin/tools/unixlogin.php?login=admin&password=g%27%2C%27%27%29%3Bimport%20os%3Bos.system%28%27{{url_encode(hex_encode(cmd))}}%27.decode%28%27hex%27%29%29%23&timeout=5
- Exploit requests target /webadmin/tools/unixlogin.php with a crafted 'password' parameter containing a Python injection payload (import os;os.system(...)) and a whitelisted Referer header pointing to /webadmin/admin/service_manager_data.php.
- Look for HTTP GET requests to /webadmin/tools/unixlogin.php where the 'password' parameter contains URL-encoded Python metacharacters such as %3Bimport%20os%3Bos.system (';import os;os.system').
- Post-exploitation artifact: a file written to /usr/local/netsweeper/webadmin/out can be used to confirm successful RCE; monitor for unexpected file creation in that path.
- A follow-up GET to /webadmin/out returning HTTP 200 with attacker-controlled content confirms successful code execution; correlate the two requests in web logs.
- The exploit runs as root on CentOS-based Netsweeper appliances; any suspicious process spawned by the web server (e.g., os.system calls) should be treated as high-severity.
- Although the original advisory lists versions 6.4.3 and prior as vulnerable, version 6.4.4 has also been confirmed exploitable in testing.
- The Referer header used for authentication bypass is described as 'random whitelisted', meaning multiple Referer values may be accepted; detections relying solely on a single Referer value may miss variants.
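The detection signals listed above, applied to a web access log as an added example (not code from the page's sources): it flags GET requests to unixlogin.php whose decoded 'password' carries the import os;os.system pattern, notes whether the Referer points at service_manager_data.php, and upgrades the alert to 'confirmed' when the same client later reads /webadmin/out with HTTP 200. The log lines are constructed and the combined-log layout is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-format access-log parser (assumed layout); we need the client IP,
# timestamp, method, request target, status code and Referer.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')
# Shape of the Python payload described in the advisory, matched after
# percent-decoding so encoding variants (%3B, %20, ...) do not evade it.
INJECT_RE = re.compile(r'import\s+os\s*;\s*os\.system\s*\(', re.I)
WHITELISTED_REFERER = '/webadmin/admin/service_manager_data.php'

# Constructed sample traffic: one exploit attempt with readback, one normal login.
SAMPLE_LOG = '''\
203.0.113.7 - - [11/Dec/2023:10:01:02 +0000] "GET /webadmin/tools/unixlogin.php?login=admin&password=x%27%29%3Bimport%20os%3Bos.system%28%27id%27%29%23&timeout=5 HTTP/1.1" 200 412 "https://filter.example/webadmin/admin/service_manager_data.php" "Mozilla/5.0"
203.0.113.7 - - [11/Dec/2023:10:01:03 +0000] "GET /webadmin/out HTTP/1.1" 200 38 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Dec/2023:10:05:00 +0000] "GET /webadmin/tools/unixlogin.php?login=admin&password=Winter2023&timeout=5 HTTP/1.1" 302 0 "https://filter.example/webadmin/admin/service_manager_data.php" "Mozilla/5.0"
198.51.100.9 - - [11/Dec/2023:10:06:00 +0000] "GET /webadmin/out HTTP/1.1" 404 0 "-" "Mozilla/5.0"
'''

def detect(log_text):
    """Return one alert dict per suspected CVE-2020-13167 attempt; an alert's
    stage becomes 'confirmed' once the same client fetches /webadmin/out with 200."""
    attempts, alerts = {}, []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['method'] != 'GET':
            continue
        url = urlsplit(m['target'])
        if url.path == '/webadmin/tools/unixlogin.php':
            password = parse_qs(url.query).get('password', [''])[0]  # percent-decoded
            if INJECT_RE.search(password):
                alert = {'ip': m['ip'], 'ts': m['ts'], 'stage': 'attempt',
                         'referer_bypass': WHITELISTED_REFERER in m['referer']}
                attempts[m['ip']] = alert
                alerts.append(alert)
        elif url.path == '/webadmin/out' and m['status'] == '200' and m['ip'] in attempts:
            attempts[m['ip']]['stage'] = 'confirmed'  # output file read back by the attacker
    return alerts

if __name__ == '__main__':
    for alert in detect(SAMPLE_LOG):
        print(alert)
```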
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-cq58-5c97-qv25: Netsweeper through 6
ghsa_unreviewed · 2022-05-24 · CVE-2020-13167 [HIGH] CWE-74
VulnCheck
CVE-2020-13167 [CRITICAL] netsweeper netsweeper Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2020 · CVSS 9.8
Affected: netsweeper netsweeper
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-11&host_type=src&vulnerability=cve-2020-13167; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-25&host_ty
No detection rules found.
Metasploit
Netsweeper WebAdmin unixlogin.php Python Code Injection (metasploit)
This module exploits a Python code injection in the Netsweeper WebAdmin component's unixlogin.php script, for versions 6.4.4 and prior, to execute code as the root user. Authentication is bypassed by sending a random whitelisted Referer header in each request. Tested on the CentOS Linux-based Netsweeper 6.4.3 and 6.4.4 ISOs. Though the advisory lists 6.4.3 and prior as vulnerable, 6.4.4 has been confirmed exploitable.
Nuclei
CVE-2020-13167 [CRITICAL] Netsweeper <=6.4.3 - Python Code Injection
nuclei · CVSS 9.8
Netsweeper =6.4.4) to mitigate this vulnerability.
```yaml
reference:
  - https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/
  - https://portswigger.net/daily-swig/severe-rce-vulnerability-in-content-filtering-system-has-been-patched-netsweeper-says
  - https://nvd.nist.gov/vuln/detail/CVE-2020-13167
  - https://github.com/ARPSyndicate/kenzer-templates
  - https://github.com/Elsfa7-110/kenzer-templates
classification:
  cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  cvss-score: 9.8
  cve-id: CVE-2020-13167
  cwe-id: CWE-78
  epss-score: 0.9279
  epss-percentile: 0.9976
  cpe: cpe:2.3:a:netsweeper:netsweeper:*:*:*:*:*:*:*:*
metadata:
  max-request: 2
  vendor: netsweeper
  product: netsweeper
tags: cve2020,cve,netsweeper,rce,python,webadmin,vkev,vuln
variables:
  rand_str: "{{randstr}}"
  cmd: 'echo "{{ba
```
No writeups or analysis indexed.
Timeline: 2020-05-19 Published · Exploited in the wild