CVE-2020-35729
Published: 2020-12-27
Priority: P1 84 · critical 9.8 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes (see the Exploit-DB and Metasploit entries below)
EPSS: 87.99% (99.7th percentile)

KLog Server 2.4.1 allows OS command injection via shell metacharacters in the actions/authenticate.php user parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| klogserver | klog_server | — | — |
Detection & IOCs (extracted from sources)

Snort/Suricata rule, SID 2031590:

```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible KLOG Server RCE Inbound (CVE-2020-35729)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"user=|22|"; startswith; content:"%22%26"; fast_pattern; reference:url,docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection; reference:cve,2020-35729; classtype:attempted-admin; sid:2031590; rev:1; metadata:attack_target Server, created_at 2021_01_29, cve CVE_2020_35729, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_01_29;)
```

Snort/Suricata rule, SID 2031591:

```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS KLOG Server RCE Public POC Inbound - Possible Scanning (CVE-2020-35729)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"user=|22|unsafe+"; startswith; fast_pattern; reference:url,docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection; reference:cve,2020-35729; classtype:attempted-admin; sid:2031591; rev:1; metadata:attack_target Server, created_at 2021_01_29, cve CVE_2020_35729, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_01_29;)
```
- Monitor for HTTP POST requests to /actions/authenticate.php containing shell metacharacters (e.g. `%22%26`, a double quote followed by an ampersand) in the `user` POST body parameter, which is the injection point.
- A non-302 HTTP response to a POST to /actions/authenticate.php indicates the target is vulnerable; a 302 redirect indicates it is not. Use this response-code delta for detection or confirmation.
- Blind command injection can be confirmed via a time-delay check: a `sleep` injected into the `user` parameter shows up as response latency (the public PoC uses a 40-second sleep).
- The exploit runs commands as the `apache` user; the sudo configuration, however, allows apache to run any command as root without a password, so post-exploitation process trees rooted at apache with sudo/root children are highly suspicious.
- The Metasploit module uses a wget-based cmdstager (flavor `:wget`) to deliver the payload; monitor for wget processes spawned by the apache user following a POST to authenticate.php.
- The exploit URL-encodes spaces as `+` and forward slashes as `%2F`, and replaces semicolons with `%0A`; look for these encoding patterns in POST bodies targeting authenticate.php.
- The nuclei PoC uses a base64-encoded canary: the POST body contains `echo "cHJvamVjdGRpc2NvdmVyeS5pbw==" | base64 -d` and the template checks for `poc-testing` in the response.
- The exploit uses SSL (HTTPS) by default on port 443; detection rules or network sensors must inspect TLS-decrypted traffic to match the POST body patterns.
- The Snort rules carry `confidence Medium` metadata, meaning they may produce false positives in environments where legitimate applications POST to similarly named endpoints.
- The vulnerability affects KLog Server versions 2.4.1 and prior; the CPE scope is cpe:2.3:a:klogserver:klog_server:2.4.1.
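The Snort rules and the bullets above describe request-level indicators; the following Python detector, added here as an example (not code from this page or from any of the cited tools), applies those same indicators to constructed sample POST log lines and scopes them to /actions/authenticate.php. The log line format and the indicator names are assumptions.

```python
"""Flag POST bodies to /actions/authenticate.php matching the CVE-2020-35729
indicators on this page (Snort SIDs 2031590/2031591, the nuclei canary, and
the public exploit's URL-encoding habits). Log lines are constructed samples."""
import re
from urllib.parse import unquote_plus

TARGET_PATH = "/actions/authenticate.php"
NUCLEI_CANARY = 'echo "cHJvamVjdGRpc2NvdmVyeS5pbw==" | base64 -d'

# Constructed samples, one "<method> <path> <raw body>" per line (not real traffic).
SAMPLE_LOG = """\
POST /actions/authenticate.php user=alice&pass=Winter2020
POST /actions/authenticate.php user="%22%26echo+canary%0A%22&pass=x
POST /actions/authenticate.php user="unsafe+inline"&pass=x
POST /actions/authenticate.php user="%22%26echo "cHJvamVjdGRpc2NvdmVyeS5pbw==" | base64 -d
POST /actions/other.php user="%22%26x
"""

def classify_body(body: str) -> list[str]:
    """Return the names of the indicators a raw POST body triggers."""
    hits = []
    # SID 2031590: body begins with user=" (|22|) and carries %22%26 (" then &).
    if body.startswith('user="') and "%22%26" in body:
        hits.append("sid2031590_quote_ampersand")
    # SID 2031591: fixed prefix of the public PoC, i.e. scanning activity.
    if body.startswith('user="unsafe+'):
        hits.append("sid2031591_public_poc")
    # nuclei template: base64 canary piped to base64 -d.
    if NUCLEI_CANARY in body:
        hits.append("nuclei_canary")
    # Exploit encoding: %0A for ';' or %2F for '/' inside the user value, and the
    # decoded value still contains a shell metacharacter (cuts false positives).
    m = re.search(r"(?:^|&)user=([^&]*)", body)
    if m and re.search(r"%0A|%2F", m.group(1), re.I):
        if re.search(r'[;&|`$"\n]', unquote_plus(m.group(1))):
            hits.append("exploit_encoding_pattern")
    return hits

def scan_log(log_text: str) -> list[tuple[int, list[str]]]:
    """Return (line_number, indicators) for matching POSTs to the vulnerable path."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split(" ", 2)
        if len(parts) < 3 or parts[0] != "POST" or parts[1] != TARGET_PATH:
            continue  # other endpoints and methods are out of scope for this CVE
        hits = classify_body(parts[2])
        if hits:
            findings.append((lineno, hits))
    return findings
```

Run `scan_log(SAMPLE_LOG)` to get one finding per matching line; the request to /actions/other.php is deliberately ignored so the rule does not fire on unrelated endpoints.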
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Suricata
ET WEB_SPECIFIC_APPS Possible KLOG Server RCE Inbound (CVE-2020-35729)
suricata · 2021-01-29 · CVSS 9.8 · CRITICAL
Rule: SID 2031590, quoted in full under Detection & IOCs.
Suricata
ET WEB_SPECIFIC_APPS KLOG Server RCE Public POC Inbound - Possible Scanning (CVE-2020-35729)
suricata · 2021-01-29 · CVSS 9.8 · CRITICAL
Rule: SID 2031591, quoted in full under Detection & IOCs.
Exploit-DB
Klog Server 2.4.1 - Unauthenticated Command Injection (Metasploit)
exploitdb · 2021-01-25 · CVE-2020-35729
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Klog Server Unauthenticated Command Injection Vulnerability',
      'Description' => %q{
        This module exploits an unauthenticated command injection vulnerability in Klog Server MSF_LICENSE,
      'Author' =>
        [
          'B3KC4T', # Vulnerability discovery
          'Metin Yunus Kandemir', # Metasploit module
        ],
      'References' =>
        [
          ['CVE', '2020-35729'],
          ['URL', 'https://docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection']
        ],
      'DefaultOptions' =>
        {
          'HttpClientTimeout' => 2,
        },
      'Platform' => [ 'unix', 'linux' ],
      'Arch' => [ ARCH_X64 ],
      'Targets' => [
        ['Klog Server 2.4.1 (
```
Exploit-DB
Klog Server 2.4.1 - Command Injection (Unauthenticated)
exploitdb · 2021-01-05 · CVE-2020-35729
---
```python
# Exploit Title: Klog Server 2.4.1 - Command Injection (Unauthenticated)
# Date: 22.12.2020
# Exploit Author: b3kc4t (Mustafa GUNDOGDU)
# Vendor Homepage: https://www.klogserver.com/
# Version: 2.4.1
# Tested On: Ubuntu 18.04
# CVE: 2020-35729
# Description: https://github.com/mustgundogdu/Research/tree/main/KLOG_SERVER
"""
~ VULNERABILITY DETAILS ~
#
The Klog Server runs the injected OS commands on the server, causing an OS command
injection vulnerability.
#
The following Python code will inject the OS command payload, and a reverse
shell connection can be realized. A payload other than the default payload plugin can also be added.
##USAGE##
$sudo nc -nlvp 98
$sudo python klog_exploit.py --exploit --url https://10.10.56.51:443/actions/
```
Metasploit
Klog Server authenticate.php user Unauthenticated Command Injection
metasploit · CVE-2020-35729
This module exploits an unauthenticated command injection vulnerability in Klog Server versions 2.4.1 and prior. The `authenticate.php` file uses the `user` HTTP POST parameter in a call to the `shell_exec()` PHP function without appropriate input validation, allowing arbitrary command execution as the apache user. The sudo configuration permits the apache user to execute any command as root without providing a password, resulting in privileged command execution as root. This module has been successfully tested on Klog Server version 2.4.1 virtual appliance.
Nuclei
Klog Server <=2.41 - Unauthenticated Command Injection
nuclei · CVSS 9.8 · CRITICAL · CVE-2020-35729
Remediation: Klog Server >=2.42 or apply the vendor-supplied patch.
```yaml
reference:
  - https://docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection
  - https://nvd.nist.gov/vuln/detail/CVE-2020-35729
  - https://github.com/mustgundogdu/Research/blob/main/KLOG_SERVER/Exploit_Code
  - https://github.com/mustgundogdu/Research/blob/main/KLOG_SERVER/README.md
  - https://github.com/Z0fhack/Goby_POC
classification:
  cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  cvss-score: 9.8
  cve-id: CVE-2020-35729
  cwe-id: CWE-78
  epss-score: 0.89753
  epss-percentile: 0.99567
  cpe: cpe:2.3:a:klogserver:klog_server:2.4.1:*:*:*:*:*:*:*
metadata:
  max-request: 1
  vendor: klogserver
  product: klog_server
tags: cve,cve2020,klog,rce,klogserver,vuln
variables:
  dummy: "{{to_lower(rand_text_alpha(5))}}"
http:
  - method
```
References
- http://packetstormsecurity.com/files/160798/Klog-Server-2.4.1-Command-Injection.html
- http://packetstormsecurity.com/files/161123/Klog-Server-2.4.1-Command-Injection.html
- http://packetstormsecurity.com/files/161410/Klog-Server-2.4.1-Command-Injection.html
- https://github.com/mustgundogdu/Research/blob/main/KLOG_SERVER/Exploit_Code
- https://github.com/mustgundogdu/Research/blob/main/KLOG_SERVER/README.md