CVE-2020-15920
Published: 2020-07-24
Priority: P1 · 92 · critical · CVSS 3.1: 9.8
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 98.24% (99.9th percentile)
There is an OS Command Injection in Mida eFramework through 2.9.0 that allows an attacker to achieve Remote Code Execution (RCE) with administrative (root) privileges. No authentication is required.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| midasolutions | eframework | <= 2.9.0 | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated POST requests to /PDC/ajaxreq.php with the DIAGNOSIS=PING parameter and shell metacharacters (e.g., semicolons, or their URL-encoded form %3B) injected into the PARAM parameter; these indicate OS command injection attempts.
- Alert on HTTP responses from /PDC/ajaxreq.php whose body matches the pattern 'root:.*:0:0:', which indicates successful /etc/passwd exfiltration via command injection.
- Identify exposed instances by the 'Server: Mida eFramework' response header (the Google dork listed in the Exploit-DB entry); correlate with POST traffic to /PDC/ajaxreq.php.
- The apache user on vulnerable appliances can execute any command as root via sudo without a password, so monitor for privilege escalation from the apache process to root following web requests to ajaxreq.php.
- No authentication is required: the vulnerable endpoint /PDC/ajaxreq.php is fully unauthenticated, so network-level access alone is sufficient for exploitation.
- The Nuclei template uses a single POST request for detection; DIAGNOSIS must be set to PING and PARAM carries the injected payload, so detection rules should require both parameters to be present.
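The detection criteria above, turned into request-level matching logic as an added example (not code from any of the sources indexed here). It assumes a proxy or WAF log that records the POST body, which is represented by constructed sample records; the shell-metacharacter set is an assumption, and the response-body pattern is the one quoted above.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample request records (method, path, body), shaped like what a
# reverse proxy or WAF with request-body logging might emit. Made-up traffic.
SAMPLE_REQUESTS = [
    ("POST", "/PDC/ajaxreq.php", "DIAGNOSIS=PING&PARAM=10.0.0.1"),
    ("POST", "/PDC/ajaxreq.php", "DIAGNOSIS=PING&PARAM=10.0.0.1%3Bid"),
    ("POST", "/PDC/ajaxreq.php", "DIAGNOSIS=PING&PARAM=127.0.0.1%7Cuname"),
    ("GET", "/PDC/index.php", ""),
    ("POST", "/PDC/ajaxreq.php", "DIAGNOSIS=PING&PARAM=host.example"),
]

# Shell metacharacters that never belong in a hostname or IP argument (assumed set).
SHELL_META = re.compile(r"[;|&`$()<>\n]")
# Indicator from the page for successful /etc/passwd disclosure in a response body.
PASSWD_LEAK = re.compile(r"root:.*:0:0:")


def is_injection_attempt(method, path, body):
    """True when a request has the CVE-2020-15920 exploitation shape:
    POST to /PDC/ajaxreq.php, DIAGNOSIS=PING, and shell metacharacters in PARAM."""
    if method != "POST" or path.split("?", 1)[0] != "/PDC/ajaxreq.php":
        return False
    params = parse_qs(body, keep_blank_values=True)  # URL-decodes once
    if "PING" not in params.get("DIAGNOSIS", []):
        return False
    # Decode a second time so double-encoded metacharacters (%253B) are also caught.
    return any(SHELL_META.search(unquote_plus(p)) for p in params.get("PARAM", []))


def response_leaks_passwd(body):
    """True when a response body matches the /etc/passwd indicator."""
    return PASSWD_LEAK.search(body) is not None


def scan(requests):
    """Return the indices of requests that match the injection shape."""
    return [i for i, rec in enumerate(requests) if is_injection_attempt(*rec)]


if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print("suspicious request:", SAMPLE_REQUESTS[i])
```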
CVSS provenance
- NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-87c7-xx7r-6cw2: There is an OS Command Injection in Mida eFramework through 2
ghsa_unreviewed · 2022-05-24 · HIGH · CWE-78
VulnCheck
midasolutions eframework Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2020 · CVSS 9.8 · CRITICAL
Affected: midasolutions eframework
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-25&host_type=src&vulnerability=cve-2020-15920
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-28&host_type=src&vulnerability=cve-2020-15920
No detection rules found.
Exploit-DB
Mida eFramework 2.9.0 - Remote Code Execution
exploitdb · 2020-08-27 · CVSS 9.8 · CRITICAL

The indexed exploit file survives only as its header and the tail of the script:

```python
# Exploit Title: Mida eFramework 2.9.0 - Remote Code Execution
# Google Dork: Server: Mida eFramework
# Date: 2020-08-27
# Exploit Author: elbae
# Vendor Homepage: https://www.midasolutions.com/
# Software Link: http://ova-efw.midasolutions.com/
# Reference: https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
# Version: 
','\n')
    print(line+"\n{0}\n".format(pretty_output)+line)

def main():
    print_info()
    print_disclaimer()
    parser = argparse.ArgumentParser()
    parser.add_argument("target", type=str, help="the complete target URL")
    parser.add_argument("cmd", type=str, help="the command you want to run")
    args = parser.parse_args()
    pwn(args.target, args.cmd)

if __name__ == '__main__':
    main()
```
Nuclei
Mida eFramework <=2.9.0 - Remote Command Execution
nuclei · CVSS 9.8 · CRITICAL
Mida eFramework through 2.9.0 allows an attacker to achieve remote code execution with administrative (root) privileges. No authentication is required.
Template:

```yaml
id: CVE-2020-15920

info:
  name: Mida eFramework <=2.9.0 - Remote Command Execution
  author: dwisiswant0
  severity: critical
  description: Mida eFramework through 2.9.0 allows an attacker to achieve remote code execution with administrative (root) privileges. No authentication is required.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
  remediation: |
    Upgrade Mida eFramework to a version higher than 2.9.0 to mitigate the vulnerability.
  reference:
    - https://elbae.github.io/jekyll/update/2020/07/14/vu
```
Metasploit
Mida Solutions eFramework ajaxreq.php Command Injection
metasploit
This module exploits a command injection vulnerability in Mida Solutions eFramework version 2.9.0 and prior. The `ajaxreq.php` file allows unauthenticated users to inject arbitrary commands in the `PARAM` parameter to be executed as the apache user. The sudo configuration permits the apache user to execute any command as root without providing a password, resulting in privileged command execution as root. This module has been successfully tested on Mida Solutions eFramework-C7-2.9.0 virtual appliance.
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/158991/Mida-eFramework-2.9.0-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/159194/Mida-Solutions-eFramework-ajaxreq.php-Command-Injection.html
- https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html