CVE-2020-35846
Published 2020-12-30
CVE-2020-35846: Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function.
Priority: P180 · Critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: publicly available
EPSS: 93.20% (99.8th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| agentejo | cockpit | < 0.11.2 | 0.11.2 |
Detection & IOCs (extracted from sources)
- HTTP response body contains the string 'password_verify() expects parameter' when the NoSQL injection payload is successful against /auth/check
- Exploit sends a POST request to /auth/check with Content-Type: application/json and a NoSQL $eq operator payload in the 'auth' field to bypass authentication
- Shodan fingerprint for Cockpit CMS instances: http.favicon.hash:688609340 or http.html:"cockpit"
- FOFA fingerprint for Cockpit CMS instances: icon_hash=688609340 or body="cockpit"
- Metasploit module exploits NoSQLi to retrieve the user list and password reset tokens, then uses command injection for RCE, all via HTTP against Cockpit CMS 0.10.0 to 0.11.1
- NoSQL injection payload using the $func operator sent to the /auth/requestreset endpoint to enumerate usernames
- NoSQL injection payload using the $func operator sent to the /auth/resetpassword endpoint to dump password reset tokens
- Response pattern to detect successful username enumeration via NoSQLi: regex matches 'string(<N>) "<username>"' in the HTTP response body
- Vulnerability affects Cockpit CMS versions 0.10.0 through 0.11.1 inclusive; version 0.11.2 and later are patched
- The injection point for this CVE is the Controller/Auth.php check function (/auth/check); the requestreset and resetpassword endpoints of the same controller are the ones abused by the $func payloads listed above. The $eq and $func NoSQL operators are the primary attack vectors
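The indicators above translate directly into a log-side check. The following is an added example, not code from this page, from the Cockpit project, or from any of the tools listed below: it walks request/response records, flags POSTs to the Controller/Auth.php endpoints whose JSON body carries $-prefixed query operators or non-string user/password/token fields, and pulls the password_verify() leak and var_dump()ed strings (enumerated usernames or reset tokens) out of the responses. The record schema (method, path, body, response) and the sample records are assumptions constructed for the example.

```python
# Added example (not from the page or the Cockpit project): flag the
# CVE-2020-35846/-35847/-35848 NoSQL-injection indicators in HTTP records.
# Record schema and SAMPLE_RECORDS are constructed assumptions.
import json
import re
from typing import Any, Dict, List

# Controller/Auth.php endpoints that feed request JSON into a storage query.
# Matched with endswith() so a sub-path install (/cockpit/auth/check) still hits.
AUTH_ENDPOINTS = ('/auth/check', '/auth/requestreset', '/auth/resetpassword')

# Fields that must be plain strings; an object or array here means the caller
# is smuggling a query operator or forcing a type confusion.
CREDENTIAL_KEYS = ('user', 'password', 'token')

# PHP warning leaked when a non-string reaches password_verify() (the Nuclei matcher).
PASSWORD_VERIFY_LEAK = 'password_verify() expects parameter'

# var_dump() output produced by a $func payload, e.g. string(5) "admin"
VAR_DUMP_STRING = re.compile(r'string\((\d+)\) "([^"]*)"')


def find_operators(value: Any, path: str = '') -> List[str]:
    """Return JSON paths of keys starting with '$' (MongoLite/MongoDB operators)."""
    hits: List[str] = []
    if isinstance(value, dict):
        for key, sub in value.items():
            here = f'{path}.{key}' if path else key
            if key.startswith('$'):
                hits.append(here)
            hits.extend(find_operators(sub, here))
    elif isinstance(value, list):
        for i, sub in enumerate(value):
            hits.extend(find_operators(sub, f'{path}[{i}]'))
    return hits


def find_non_string_credentials(value: Any, path: str = '') -> List[str]:
    """Return paths of user/password/token fields whose value is not a string."""
    hits: List[str] = []
    if isinstance(value, dict):
        for key, sub in value.items():
            here = f'{path}.{key}' if path else key
            if key in CREDENTIAL_KEYS and not isinstance(sub, str):
                hits.append(here)
            else:
                hits.extend(find_non_string_credentials(sub, here))
    elif isinstance(value, list):
        for i, sub in enumerate(value):
            hits.extend(find_non_string_credentials(sub, f'{path}[{i}]'))
    return hits


def classify_request(record: Dict[str, str]) -> Dict[str, Any]:
    """Flag a POST to a Cockpit auth endpoint carrying operators or non-string credentials."""
    path = record['path'].split('?', 1)[0].rstrip('/')
    result: Dict[str, Any] = {'path': path, 'suspicious': False,
                              'operators': [], 'non_string_fields': []}
    if record['method'] != 'POST' or not path.endswith(AUTH_ENDPOINTS):
        return result
    try:
        body = json.loads(record.get('body') or 'null')
    except json.JSONDecodeError:
        return result  # form-encoded or garbage body: out of scope here
    result['operators'] = find_operators(body)
    result['non_string_fields'] = find_non_string_credentials(body)
    result['suspicious'] = bool(result['operators'] or result['non_string_fields'])
    return result


def classify_response(body: str) -> Dict[str, Any]:
    """Spot the password_verify() leak and var_dump()ed strings in a response.
    Only dumps whose declared byte length matches the text are kept, which
    filters prose that merely resembles var_dump() output."""
    dumped = [text for length, text in VAR_DUMP_STRING.findall(body)
              if int(length) == len(text.encode('utf-8'))]
    return {'password_verify_leak': PASSWORD_VERIFY_LEAK in body,
            'dumped_strings': dumped}


def scan(records: List[Dict[str, str]]) -> List[Dict[str, Any]]:
    """One finding per record that shows a request-side or response-side indicator."""
    findings = []
    for index, rec in enumerate(records):
        req = classify_request(rec)
        resp = classify_response(rec.get('response', ''))
        if req['suspicious'] or resp['password_verify_leak'] or resp['dumped_strings']:
            findings.append({'index': index, **req, **resp})
    return findings


# Constructed records, not captured traffic; payload shapes follow the IOC list:
# $eq against /auth/check, $func against /auth/requestreset.
SAMPLE_RECORDS = [
    {'method': 'POST', 'path': '/auth/check',
     'body': '{"auth": {"user": "admin", "password": "correct horse"}}',
     'response': '{"success": false}'},
    {'method': 'POST', 'path': '/auth/check',
     'body': '{"auth": {"user": {"$eq": "probe"}, "password": [0]}}',
     'response': 'Warning: password_verify() expects parameter 1 to be string, array given'},
    {'method': 'POST', 'path': '/cockpit/auth/requestreset',
     'body': '{"user": {"$func": "var_dump"}}',
     'response': 'string(5) "admin"\nstring(6) "editor"\n{"message": "Recovery email sent"}'},
    {'method': 'GET', 'path': '/auth/login', 'body': '', 'response': '<html>login</html>'},
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

Run it directly to print the two findings as JSON lines; pointing scan() at reverse-proxy or WAF logs only needs an adapter to the four record fields. The length check on var_dump() output and the sub-path tolerant endpoint match are the two details that keep the false-positive rate usable on a busy site.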
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
Exploit-DB
CVE-2020-35848 [CRITICAL] Cockpit CMS 0.11.1 - 'Username Enumeration & Password Reset' NoSQL Injection
exploitdb · 2021-08-10 · CVSS 9.8
---
#!/usr/bin/python3
# Exploit Title: Cockpit CMS 0.11.1 - 'Username Enumeration & Password Reset' NoSQL Injection
# Date: 06-08-2021
# Exploit Author: Brian Ombongi
# Vendor Homepage: https://getcockpit.com/
# Version: Cockpit 0.11.1
# Tested on: Ubuntu 16.04.7
# CVE : CVE-2020-35847 & CVE-2020-35848

import argparse
import json
import random
import re
import string

import requests


def usage():
    guide = 'python3 exploit.py -u <url>'
    return guide


def arguments():
    parse = argparse.ArgumentParser(usage=usage())
    parse.add_argument('-u', dest='url', help='Site URL e.g http://cockpit.local', type=str, required=True)
    return parse.parse_args()


def test_connection(url):
    # Confirm the target answers before any NoSQLi payload is sent.
    try:
        get = requests.get(url, timeout=10)
        if get.status_code == 200:
            return True
        print(f'[-] Unexpected status code {get.status_code} from {url}')
        return False
    except requests.exceptions.RequestException as err:
        print(f'[-] Could not connect to {url}: {err}')
        return False


if __name__ == '__main__':
    args = arguments()
    if not test_connection(args.url):
        raise SystemExit(1)
    # The remainder of the exploit (username enumeration via /auth/requestreset
    # and reset-token dump via /auth/resetpassword) is truncated on this page.
Nuclei
CVE-2020-35846 [CRITICAL] Agentejo Cockpit < 0.11.2 - NoSQL Injection
nuclei · CVSS 9.8
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function. The $eq operator matches documents where the value of a field equals the specified value.
Template:
id: CVE-2020-35846

info:
  name: Agentejo Cockpit < 0.11.2 - NoSQL Injection
  author: dwisiswant0
  severity: critical
  description: Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php check function. The $eq operator matches documents where the value of a field equals the specified value.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, or data manipulation.
  remediation: |
    Upgrade Agentejo Cockpit to version 0.11.2 or later to mitigate the vulnerability.
  reference:
    - h
Metasploit
Cockpit CMS NoSQLi to RCE
This module exploits two NoSQLi vulnerabilities to retrieve the user list and password reset tokens from the system. Next, the USER is targeted to reset their password. Then a command injection vulnerability is used to execute the payload. While it is possible to upload a payload and execute it, the command injection provides a no-disk-write method, which is more stealthy. Cockpit CMS 0.10.0 - 0.11.1, inclusive, contain all the necessary vulnerabilities for exploitation.
Nuclei
CVE-2020-35846 [CRITICAL] Agentejo Cockpit Security Checks
nuclei · CVSS 9.8
A simple workflow that runs all Agentejo Cockpit related nuclei templates on a given target.
Template:
id: cockpit-workflow

info:
  name: Agentejo Cockpit Security Checks
  author: dwisiswant0
  description: A simple workflow that runs all Agentejo Cockpit related nuclei templates on a given target.

workflows:
  - template: http/technologies/cockpit-detect.yaml
    subtemplates:
      - template: http/cves/2020/CVE-2020-35846.yaml
      - template: http/cves/2020/CVE-2020-35847.yaml
      - template: http/cves/2020/CVE-2020-35848.yaml
References
http://packetstormsecurity.com/files/162282/Cockpit-CMS-0.11.1-NoSQL-Injection-Remote-Command-Execution.html
https://getcockpit.com/
https://github.com/agentejo/cockpit/commit/2a385af8d80ed60d40d386ed813c1039db00c466
https://github.com/agentejo/cockpit/commit/33e7199575631ba1f74cba6b16b10c820bec59af
https://github.com/agentejo/cockpit/commit/79fc9631ffa29146e3124ceaf99879b92e1ef24b