CVE-2020-14947
Published 2020-06-30
Priority: P2 · 73 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 19.48% (97.0th percentile)
OCS Inventory NG 2.7 allows Remote Command Execution via shell metacharacters to require/commandLine/CommandLine.php because mib_file in plugins/main_sections/ms_config/ms_snmp_config.php is mishandled in get_mib_oid.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ocsinventory-server | — | — |
| factorfx | open_computer_software_inventory_next_generation | — | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /index.php?function=admin_conf containing the parameter SNMP_MIB_DIRECTORY with shell metacharacters (e.g. semicolons, pipes, backticks). This is the injection point used to plant the payload.
- Monitor POST requests to /index.php?function=SNMP_config with parameter update_snmp=send. This is the trigger step that causes the injected SNMP_MIB_DIRECTORY value to be executed via get_mib_oid.
- Alert on the SNMP_MIB_DIRECTORY field containing shell metacharacters (e.g. ';') followed by network tools such as ncat/nc/bash, indicating an attempted reverse shell injection.
- The exploit follows a multi-step CSRF token harvesting sequence: it GETs admin_conf, POSTs to switch to the SNMP tab (onglet), then injects the payload. Look for this rapid sequential access pattern from a single session.
- The vulnerable code path is get_mib_oid in ms_snmp_config.php passing mib_file unsanitised to CommandLine.php. Monitor process spawning from the web server process involving shell commands after SNMP MIB upload/config actions.
- Exploitation requires valid OCS Inventory NG credentials: the attacker must authenticate before injecting the payload. Brute-force or credential stuffing attempts against /index.php may precede exploitation.
- The vulnerability is confirmed only in OCS Inventory NG version 2.7; the exploit was tested on Ubuntu 18.04 with PHP 7.2.24. Patched packages are available in Debian bookworm, bullseye, and sid.
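The first two monitoring items above can be correlated per session. The following detection sketch is an added example, not code from OCS Inventory NG or from any of the indexed sources; the event schema (`ts`, `session`, `method`, `url`, `body`) and the sample events are constructed, and it assumes request bodies are captured by a WAF or audit log.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters a shell interprets; none belongs in a MIB directory path.
SHELL_META = re.compile(r"[;|&`$<>(){}\\\n]")

def first(params, key):
    return params.get(key, [""])[0]

def classify(event):
    """Return 'inject', 'trigger' or None for one logged request."""
    url = urlsplit(event["url"])
    if event["method"] != "POST" or not url.path.endswith("/index.php"):
        return None
    function = first(parse_qs(url.query), "function")
    body = parse_qs(event["body"], keep_blank_values=True)  # URL-decodes values
    if function == "admin_conf" and SHELL_META.search(first(body, "SNMP_MIB_DIRECTORY")):
        return "inject"
    if function == "SNMP_config" and first(body, "update_snmp") == "send":
        return "trigger"
    return None

def detect(events, window=300):
    """Alert on injection; escalate when the same session triggers within `window` seconds."""
    alerts, pending = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = classify(ev)
        if kind == "inject":
            pending[ev["session"]] = ev["ts"]
            alerts.append(("high", ev["session"], "shell metacharacters in SNMP_MIB_DIRECTORY"))
        elif kind == "trigger" and ev["ts"] - pending.get(ev["session"], float("-inf")) <= window:
            alerts.append(("critical", ev["session"], "SNMP_config update after injected value"))
    return alerts

# Constructed sample events (assumed schema: request bodies captured by a WAF or audit log).
SAMPLE = [
    {"ts": 100, "session": "s1", "method": "GET", "url": "/index.php?function=admin_conf", "body": ""},
    {"ts": 102, "session": "s1", "method": "POST", "url": "/index.php?function=admin_conf",
     "body": "SNMP_MIB_DIRECTORY=%2Fvar%2Flib%2Fmibs%3B+id"},
    {"ts": 104, "session": "s1", "method": "POST", "url": "/index.php?function=SNMP_config",
     "body": "update_snmp=send"},
    {"ts": 200, "session": "s2", "method": "POST", "url": "/index.php?function=admin_conf",
     "body": "SNMP_MIB_DIRECTORY=%2Fusr%2Fshare%2Fsnmp%2Fmibs"},
    {"ts": 205, "session": "s2", "method": "POST", "url": "/index.php?function=SNMP_config",
     "body": "update_snmp=send"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

A legitimate SNMP configuration update (session `s2` in the sample) produces no alert, because the trigger step is only escalated when the same session previously submitted a metacharacter-bearing SNMP_MIB_DIRECTORY value.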
CVSS provenance
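| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | LOW | — |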
GHSA
GHSA-fpv5-6hr5-69rv: OCS Inventory NG 2
ghsa_unreviewed·2022-05-24
CVE-2020-14947 [MEDIUM] CWE-78 GHSA-fpv5-6hr5-69rv: OCS Inventory NG 2
OSV
CVE-2020-14947: OCS Inventory NG 2
osv·2020-06-30·CVSS 8.8
CVE-2020-14947 [HIGH] CVE-2020-14947: OCS Inventory NG 2
Debian
CVE-2020-14947: ocsinventory-server - OCS Inventory NG 2.7 allows Remote Command Execution via shell metacharacters to...
vendor_debian·2020·CVSS 8.8
CVE-2020-14947 [HIGH] CVE-2020-14947: ocsinventory-server - OCS Inventory NG 2.7 allows Remote Command Execution via shell metacharacters to...
Scope: local
bookworm: resolved
bullseye: resolved
sid: resolved
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/158293/OCS-Inventory-NG-2.7-Remote-Code-Execution.html
- https://drive.google.com/file/d/1-LVfL5ui5m2QfQxr0fDopzSECd4fTNrQ/view?usp=sharing
- https://gist.github.com/mhaskar/233436d3096d4a7beafe36ff61dc2c73
- https://github.com/OCSInventory-NG/OCSInventory-ocsreports/commit/da72e0fddaeceee44fbbd7241e07e5d53d1eee64
- https://shells.systems/ocs-inventory-ng-v2-7-remote-command-execution-cve-2020-14947/