CVE-2017-6900
Descriptions
An issue was discovered in Riello NetMan 204 14-2 and 15-2. The issue is with the login script and wrongpass Python script used for authentication. When calling wrongpass, the variables $VAL0 and $VAL1 should be enclosed in quotes to prevent the potential for Bash command injection. Further to this, VAL0 and VAL1 should be sanitised to ensure they do not contain malicious characters. Passing it the username of '-' will cause it to time out and log the user in because of poor error handling. This will log the attacker in as an administrator where the telnet / ssh services can be enabled, and the credentials for local users can be reset. Also, login.cgi accepts the username as a GET parameter, so login can be achieved by browsing to the /cgi-bin/login.cgi?username=-%20a URI.
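The unquoted-expansion defect and the remedy the advisory calls for (quote the variables, validate their contents, fail closed), as an added POSIX sh example that is not the NetMan 204 firmware's code; `check_credentials` is a hypothetical stand-in for the wrongpass checker and its accepted credentials are constructed.

```shell
#!/bin/sh
# Added example; not code from the NetMan 204 firmware. check_credentials is a
# hypothetical stand-in for the wrongpass checker named in the advisory.

count_args() { echo "$#"; }

# Vulnerable pattern the advisory describes: unquoted $VAL0 $VAL1 are word-split
# and glob-expanded, so a username such as '- a' arrives as two arguments.
call_unquoted() {
    VAL0=$1; VAL1=$2
    # shellcheck disable=SC2086
    count_args $VAL0 $VAL1
}

# Quoted: each variable is exactly one argument, whatever it contains.
call_quoted() {
    VAL0=$1; VAL1=$2
    count_args "$VAL0" "$VAL1"
}

# Allowlist check run before the value reaches any command line: reject empty
# names, names starting with '-' (parsed as an option), and any character
# outside a conservative set, which also excludes spaces and shell metacharacters.
valid_username() {
    case "$1" in
        "" | -*)            return 1 ;;
        *[!A-Za-z0-9_.@-]*) return 1 ;;
    esac
    return 0
}

# Stand-in checker (constructed credentials): success only on an exact match.
check_credentials() {
    [ "$1" = "admin" ] && [ "$2" = "constructed-secret" ]
}

# Hardened login: validate, quote, and fail closed. Any outcome other than an
# explicit success from the checker (error, timeout, non-zero exit) is a failure,
# unlike the poor error handling the advisory describes.
login_hardened() {
    VAL0=$1; VAL1=$2
    valid_username "$VAL0" || return 1
    check_credentials "$VAL0" "$VAL1" || return 1
    return 0
}
```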
Timeline
- 2017-03-14 CVE Reserved
- 2019-07-03 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-05 CVE Updated
CWE
- CWE-255: Credentials Management Errors
References (2)
URL | Tag | Source |
---|---|---|
https://blog.synack.co.uk/2017/01/31/my-first-exploit-db-post | Broken Link | |
https://web.archive.org/web/20170205100702/https://blog.synack.co.uk/2017/01/31/my-first-exploit-db-post | Third Party Advisory | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status | Runs on (Vendor / Product / Status) |
---|---|---|---|---|
Riello-ups | Netman 204 Firmware | 14-2 | Affected | Riello-ups / Netman 204 / Safe |
Riello-ups | Netman 204 Firmware | 15-2 | Affected | Riello-ups / Netman 204 / Safe |