Published: 24/04/2000 Updated: 17/09/2016
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

The passwd.php3 CGI script in the Red Hat Piranha Virtual Server Package allows local users to execute arbitrary commands via shell metacharacters.

Affected Products

Vendor Product Versions


## # $Id: piranha_passwd_execrb 10729 2010-10-18 15:41:13Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions Please see the Metasploit # Framework web site for more information on licensing and terms of use # metasploitcom/framework/ ## require 'msf/core' ...

Metasploit Modules

RedHat Piranha Virtual Server Package passwd.php3 Arbitrary Command Execution

This module abuses two flaws - a metacharacter injection vulnerability in the HTTP management server of RedHat 6.2 systems running the Piranha LVS cluster service and GUI (rpm packages: piranha and piranha-gui). The vulnerability allows an authenticated attacker to execute arbitrary commands as the Apache user account (nobody) within the /piranha/secure/passwd.php3 script. The package installs with a default user and password of piranha:q which was exploited in the wild.

msf > use exploit/linux/http/piranha_passwd_exec
      msf exploit(piranha_passwd_exec) > show targets
      msf exploit(piranha_passwd_exec) > set TARGET <target-id>
      msf exploit(piranha_passwd_exec) > show options
            ...show and set options...
      msf exploit(piranha_passwd_exec) > exploit