CVE-2020-35847
Published 2020-12-30
CVE-2020-35847: Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function.
Priority P181 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 98.29% (99.9th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| agentejo | cockpit | < 0.11.2 | 0.11.2 |
Detection & IOCs (extracted from sources)
yara regex: 'string\([0-9]{1,3}\)(\s)?"([A-Za-z0-9-.@\s-]+)"'
- Detect NoSQL injection attempts against Cockpit CMS by monitoring POST requests to /auth/requestreset or /auth/resetpassword with JSON bodies containing '$func' operator keys (e.g., {"$func": "var_dump"}).
- Exploit responses containing var_dump-style output (matching regex 'string\([0-9]{1,3}\)\s*"([\w-]+)"') in the HTTP body indicate successful NoSQL injection and data exfiltration of usernames or reset tokens.
- Identify Cockpit CMS instances as attack targets using Shodan favicon hash 688609340 or FOFA icon_hash=688609340.
- The full exploit chain targets /auth/requestreset (user enumeration), /auth/resetpassword (token dump), and /auth/newpassword (user detail extraction) in sequence; alert on rapid sequential POST requests to all three endpoints from the same source IP.
- Content-Type: application/json is used in all exploit requests; correlate with the $func NoSQL operator in the JSON body to reduce false positives.
- The vulnerability affects Cockpit CMS versions 0.10.0 through 0.11.1 inclusive; version 0.11.2 and later are patched. Ensure detection rules are scoped to these versions where version fingerprinting is available.
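The request-side and response-side checks listed above, written as log-analysis logic over constructed records; this is an added example, not a rule taken from the page's sources. The record fields (`src`, `ts`, `method`, `path`, `content_type`, `body`, `response`), the 60-second correlation window and the placeholder body key `field` are assumptions.

```python
import json
import re
from collections import defaultdict

ENDPOINTS = {"/auth/requestreset", "/auth/resetpassword", "/auth/newpassword"}
# Response-side pattern quoted in the detection notes (var_dump-style output).
VAR_DUMP = re.compile(r'string\([0-9]{1,3}\)\s*"([\w-]+)"')

def has_operator(node, op="$func"):
    """True if `op` is a key at any depth of a decoded JSON value."""
    if isinstance(node, dict):
        return op in node or any(has_operator(v, op) for v in node.values())
    if isinstance(node, list):
        return any(has_operator(v, op) for v in node)
    return False

def classify(rec):
    """Return None, 'attempt' or 'leak' for one request/response record."""
    path = rec["path"].split("?")[0].rstrip("/")
    if rec["method"] != "POST" or path not in ENDPOINTS:
        return None
    if "application/json" not in rec.get("content_type", "").lower():
        return None
    try:
        body = json.loads(rec["body"])
    except (TypeError, ValueError):
        return None  # not JSON: outside this rule's scope
    if not has_operator(body):
        return None
    return "leak" if VAR_DUMP.search(rec.get("response", "")) else "attempt"

def chain_sources(records, window=60):
    """Sources that sent $func requests to all three endpoints within `window` s."""
    hits = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        if classify(rec):
            hits[rec["src"]].append((rec["ts"], rec["path"].split("?")[0].rstrip("/")))
    return {src for src, seen in hits.items()
            if any({p for t, p in seen if 0 <= t - t0 <= window} == ENDPOINTS
                   for t0, _ in seen)}

def _rec(src, ts, path, body, response=""):  # builds a constructed sample record
    return {"src": src, "ts": ts, "method": "POST", "path": path,
            "content_type": "application/json", "body": body, "response": response}

OP = '{"field": {"$func": "var_dump"}}'  # "field" is a placeholder key
SAMPLE = [  # constructed records; documentation-range IPs
    _rec("203.0.113.7", 0, "/auth/requestreset", OP, 'string(5) "admin"'),
    _rec("203.0.113.7", 4, "/auth/resetpassword", OP, 'string(23) "constructed-token-value"'),
    _rec("203.0.113.7", 9, "/auth/newpassword", OP),
    _rec("198.51.100.20", 3, "/auth/requestreset", '{"field": "alice"}', "{}"),
    _rec("192.0.2.55", 1, "/auth/resetpassword", OP),
]
```

Matching on the decoded JSON key rather than on the raw body text keeps the rule from firing on a string value that merely contains `$func`.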
CVSS provenance
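| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |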
No detection rules found.
Exploit-DB
Cockpit CMS 0.11.1 - 'Username Enumeration & Password Reset' NoSQL Injection
exploitdb·2021-08-10·CVSS 9.8
CVE-2020-35848 [CRITICAL] Cockpit CMS 0.11.1 - 'Username Enumeration & Password Reset' NoSQL Injection
---
```python
# Exploit Title: Cockpit CMS 0.11.1 - 'Username Enumeration & Password Reset' NoSQL Injection
# Date: 06-08-2021
# Exploit Author: Brian Ombongi
# Vendor Homepage: https://getcockpit.com/
# Version: Cockpit 0.11.1
# Tested on: Ubuntu 16.04.7
# CVE : CVE-2020-35847 & CVE-2020-35848
#!/usr/bin/python3
import json
import re
import requests
import random
import string
import argparse

def usage():
    guide = 'python3 exploit.py -u '
    return guide

def arguments():
    parse = argparse.ArgumentParser(usage=usage())
    parse.add_argument('-u', dest='url', help='Site URL e.g http://cockpit.local', type=str, required=True)
    return parse.parse_args()

def test_connection(url):
    try:
        get = requests.get(url)
        if get.status_code ==
```
Metasploit
Cockpit CMS NoSQLi to RCE
metasploit
This module exploits two NoSQLi vulnerabilities to retrieve the user list and password reset tokens from the system. Next, the USER is targeted to reset their password. Then a command injection vulnerability is used to execute the payload. While it is possible to upload a payload and execute it, the command injection provides a no disk write method which is more stealthy. Cockpit CMS 0.10.0 - 0.11.1, inclusive, contain all the necessary vulnerabilities for exploitation.
Nuclei
Agentejo Cockpit Security Checks
nuclei·CVSS 9.8
CVE-2020-35846 [CRITICAL] Agentejo Cockpit Security Checks
A simple workflow that runs all Agentejo Cockpit related nuclei templates on a given target.
Template:
```yaml
id: cockpit-workflow

info:
  name: Agentejo Cockpit Security Checks
  author: dwisiswant0
  description: A simple workflow that runs all Agentejo Cockpit related nuclei templates on a given target.

workflows:
  - template: http/technologies/cockpit-detect.yaml
    subtemplates:
      - template: http/cves/2020/CVE-2020-35846.yaml
      - template: http/cves/2020/CVE-2020-35847.yaml
      - template: http/cves/2020/CVE-2020-35848.yaml
```
Nuclei
Agentejo Cockpit <0.11.2 - NoSQL Injection
nuclei·CVSS 9.8
CVE-2020-35847 [CRITICAL] Agentejo Cockpit <0.11.2 - NoSQL Injection
Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function of the Auth controller.
Template:
```yaml
id: CVE-2020-35847

info:
  name: Agentejo Cockpit <0.11.2 - NoSQL Injection
  author: dwisiswant0
  severity: critical
  description: |
    Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php resetpassword function of the Auth controller.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary NoSQL queries, potentially leading to unauthorized access, data manipulation, or denial of service.
  remediation: |
    Upgrade Agentejo Cockpit to version 0.11.2 or later to mitigate this vulnerability.
  reference:
    - https://swarm.ptsecurity.com/rce-cockpit-cms
```
References
- http://packetstormsecurity.com/files/162282/Cockpit-CMS-0.11.1-NoSQL-Injection-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/163762/Cockpit-CMS-0.11.1-NoSQL-Injection.html
- https://getcockpit.com/
- https://github.com/agentejo/cockpit/commit/2a385af8d80ed60d40d386ed813c1039db00c466
- https://github.com/agentejo/cockpit/commit/33e7199575631ba1f74cba6b16b10c820bec59af
- https://github.com/agentejo/cockpit/commit/79fc9631ffa29146e3124ceaf99879b92e1ef24b
2020-12-30
Published