Menu

Search for hundreds of thousands of exploits

"AudioCode 400HD - Command Injection"

Author

Exploit author

Sysdream

Platform

Exploit platform

cgi

Release date

Exploit published date

2019-01-14

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
# [CVE-2018-10093] Remote command injection vulnerability in AudioCode IP phones

## Description

The AudioCodes 400HD series of IP phones consists in a range of
easy-to-use, feature-rich desktop devices for the service provider
hosted services, enterprise IP telephony and contact center markets.

The CGI scripts used on the 420HD phone (web interface) do not filter
user inputs correctly. Consequently, an authenticated attacker could
inject arbitrary commands (Remote Code Execution) and take full control
over the device. For example, it is possible to intercept live
communications.

## Vulnerability records


**CVE ID**: CVE-2018-10093

**Access Vector**: remote

**Security Risk**: medium

**Vulnerability**: CWE-78

**CVSS Base Score**: 7.2

**CVSS Vector String**:
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:H/RC:C


## Details

The script `command.cgi`, used for system monitoring and diagnostics, is
vulnerable to a remote command execution attack.

Visiting the `/command.cgi?cat%20/etc/passwd` gives the following result:

```
admin:$1$FZ6rOGS1$54ZXSmjh7nod.kXFRyLx70:0:0:root:/:/bin/sh
```

Note that the vulnerable page is only available to authenticated users
(in possession of the admin configuration password).

## Timeline (dd/mm/yyyy)

* 06/03/2018 : Initial discovery
* 17/04/2018 : Vendor contact
* 17/05/2018 : Vendor technical team aknowledgment
* 07/01/2019 : Vendor recommendation to mitigate the issue
* 10/01/2019 : Public disclosure

## Fixes

AudioCodes recommends to change the default admin credentials to
mitigate the issue.

## Affected versions

Theses vulnerabilities have only been tested on the 420HD phone
(firmware version: 2.2.12.126).

## Credits

a.baube at sysdream dot com
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-11-19 "Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection" webapps cgi "Gabriele Zuddas"
2020-10-29 "Mailman 1.x > 2.1.23 - Cross Site Scripting (XSS)" webapps cgi "Valerio Alessandroni"
2020-04-23 "Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)" webapps cgi "Dhiraj Mishra"
2020-04-10 "Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal" webapps cgi "Basim Alabdullah"
2020-03-30 "Zen Load Balancer 3.10.1 - Remote Code Execution" webapps cgi "Cody Sixteen"
2020-02-11 "CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting" webapps cgi Luca.Chiou
2019-09-09 "Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure" webapps cgi LiquidWorm
2019-07-12 "Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution" webapps cgi "Chris Lyne"
2019-02-18 "Master IP CAM 01 3.3.4.2103 - Remote Command Execution" webapps cgi "Raffaele Sabato"
2019-02-11 "IPFire 2.21 - Cross-Site Scripting" webapps cgi "Ozer Goker"
Release Date Title Type Platform Author
2019-01-14 "AudioCode 400HD - Command Injection" webapps cgi Sysdream
2018-05-30 "Dolibarr ERP/CRM 7.0.0 - (Authenticated) SQL Injection" webapps php Sysdream
2018-01-05 "Gespage 7.4.8 - SQL Injection" webapps jsp Sysdream
2017-10-02 "UCOPIA Wireless Appliance < 5.1.8 - Restricted Shell Escape" local linux Sysdream
2017-10-02 "phpCollab 2.5.1 - SQL Injection" webapps php Sysdream
2017-10-02 "phpCollab 2.5.1 - Arbitrary File Upload" webapps php Sysdream
2017-10-02 "UCOPIA Wireless Appliance < 5.1.8 - Local Privilege Escalation" local linux Sysdream
2017-05-05 "ViMbAdmin 3.0.15 - Multiple Cross-Site Request Forgery Vulnerabilities" webapps php Sysdream
2017-03-27 "EyesOfNetwork (EON) 5.0 - Remote Code Execution" webapps php Sysdream
2017-03-27 "Nuxeo 6.0/7.1/7.2/7.3 - Remote Code Execution (Metasploit)" webapps jsp Sysdream
2017-03-27 "EyesOfNetwork (EON) 5.0 - SQL Injection" webapps php Sysdream
2016-10-20 "SPIP 3.1.2 - Cross-Site Request Forgery" webapps php Sysdream
2016-10-20 "SPIP 3.1.2 Template Compiler/Composer - PHP Code Execution" webapps php Sysdream
2016-10-20 "SPIP 3.1.1/3.1.2 - File Enumeration / Path Traversal" webapps php Sysdream
2016-07-06 "OpenFire 3.10.2 < 4.0.1 - Multiple Vulnerabilities" webapps jsp Sysdream
2016-02-26 "Zimbra 8.0.9 GA - Cross-Site Request Forgery" webapps linux Sysdream
2016-02-26 "Centreon 2.5.3 - Remote Command Execution" webapps php Sysdream
2016-02-26 "Proxmox VE 3/4 - Insecure Hostname Checking Remote Command Execution" remote linux Sysdream 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected