CVE-2017-6900

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in Riello NetMan 204 14-2 and 15-2. The issue is with the login script and wrongpass Python script used for authentication. When calling wrongpass, the variables $VAL0 and $VAL1 should be enclosed in quotes to prevent the potential for Bash command injection. Further to this, VAL0 and VAL1 should be sanitised to ensure they do not contain malicious characters. Passing it the username of '-' will cause it to time out and log the user in because of poor error handling. This will log the attacker in as an administrator where the telnet / ssh services can be enabled, and the credentials for local users can be reset. Also, login.cgi accepts the username as a GET parameter, so login can be achieved by browsing to the /cgi-bin/login.cgi?username=-%20a URI.

Se descubrió un problema en Riello NetMan 204 14-2 y 15-2. El problema está relacionado con la secuencia de comandos de inicio de sesión y la secuencia de comandos de Python utilizada incorrectamente para la identificación. Al llamar a paso incorrecto, las variables $ VAL0 y $ VAL1 deben incluirse entre comillas para evitar el potencial de inyección del comando Bash. Además de esto, VAL0 y VAL1 deben limpiarse para garantizar que no contengan caracteres maliciosos. Al pasarle el nombre de usuario de '-', se cerrará el tiempo de espera y el usuario iniciará sesión debido a un mal manejo de errores. Esto registrará al atacante como administrador, donde los servicios de telnet / ssh se pueden habilitar, y las credenciales de los usuarios locales se pueden restablecer. Además, login.cgi acepta el nombre de usuario como un parámetro GET, por lo que el inicio de sesión se puede lograr al buscar en la URI /cgi-bin/login.cgi?username=-%20a.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-03-14 CVE Reserved
2019-07-03 CVE Published
2023-03-07 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-255: Credentials Management Errors

CAPEC

References (2)

URL	Tag	Source
https://blog.synack.co.uk/2017/01/31/my-first-exploit-db-post	Broken Link
https://web.archive.org/web/20170205100702/https://blog.synack.co.uk/2017/01/31/my-first-exploit-db-post	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Riello-ups Search vendor "Riello-ups"	Netman 204 Firmware Search vendor "Riello-ups" for product "Netman 204 Firmware"	14-2 Search vendor "Riello-ups" for product "Netman 204 Firmware" and version "14-2"	-	Affected	in	Riello-ups Search vendor "Riello-ups"	Netman 204 Search vendor "Riello-ups" for product "Netman 204"	-	-	Safe
Riello-ups Search vendor "Riello-ups"	Netman 204 Firmware Search vendor "Riello-ups" for product "Netman 204 Firmware"	15-2 Search vendor "Riello-ups" for product "Netman 204 Firmware" and version "15-2"	-	Affected	in	Riello-ups Search vendor "Riello-ups"	Netman 204 Search vendor "Riello-ups" for product "Netman 204"	-	-	Safe