CVE-2020-16152

Published: 14/11/2021 Updated: 18/11/2021
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

The NetConfig UI administrative interface in Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine up to and including 10.0r8a allows malicious users to execute PHP code as the root user via remote HTTP requests that insert this code into a log file and then traverse to that file.

Vulnerable Products

extremenetworks aerohive netconfig

extremenetworks aerohive netconfig 10.0r8a

Exploits

Aerohive NetConfig 10.0r8a LFI and log poisoning to RCE (Metasploit module). This module exploits local file inclusion and log poisoning vulnerabilities (CVE-2020-16152) in Aerohive NetConfig, version 10.0r8a build-242466 and older, in order to achieve unauthenticated remote code execution as the root user. NetConfig is the Aerohive/Extreme Networks HiveOS administrative web interface. The full module description is given under Metasploit Modules below.

Metasploit Modules

Aerohive NetConfig 10.0r8a LFI and log poisoning to RCE

This module exploits LFI and log poisoning vulnerabilities (CVE-2020-16152) in Aerohive NetConfig, version 10.0r8a build-242466 and older in order to achieve unauthenticated remote code execution as the root user. NetConfig is the Aerohive/Extreme Networks HiveOS administrative web interface. Vulnerable versions allow for LFI because they rely on a version of PHP 5 that is vulnerable to string truncation attacks. This module leverages this issue in conjunction with log poisoning to gain RCE as root. Upon successful exploitation, the Aerohive NetConfig application may hang for as long as the spawned shell remains open. For the Linux target, the MeterpreterTryToFork option (enabled by default) will likely prevent this. If the app hangs, closing the session should render it responsive again. The module provides an automatic cleanup option to clean the log. However, this option is disabled by default because any modifications to the /tmp/messages log, even via sed, may render the target (temporarily) unexploitable. This state can last over an hour. This module has been successfully tested against Aerohive NetConfig versions 8.2r4 and 10.0r7a.

msf > use exploit/unix/webapp/aerohive_netconfig_lfi_log_poison_rce
msf exploit(aerohive_netconfig_lfi_log_poison_rce) > show targets
    ...targets...
msf exploit(aerohive_netconfig_lfi_log_poison_rce) > set TARGET < target-id >
msf exploit(aerohive_netconfig_lfi_log_poison_rce) > show options
    ...show and set options...
msf exploit(aerohive_netconfig_lfi_log_poison_rce) > exploit

Github Repositories

Explanation and PoC for CVE-2020-16152

CVE-2020-16152 Summary

Product vendor: Aerohive Networks / Extreme Networks
Product name: HiveOS / IQ Engine
Product version: Tested on 10.0r8a build-242466 and older

The Aerohive/Extreme Networks HiveOS administrative web interface (NetConfig) is vulnerable to LFI because it uses an old version of PHP vulnerable to string truncation attacks. An attacker is able to

Module source header (truncated on the original page):

    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    class MetasploitModule < Msf::Exploit::Remote
      Rank = NormalRanking

      prepend Msf::Exploit::Remote::AutoCheck
      include Msf::Exploit::FileDropper
      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::Remote::H…