#VU8052 OS command injection in NVG599
Published: August 31, 2017 / Updated: August 31, 2017
Vulnerability identifier: #VU8052
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
NVG599
Software vendor:
Arris
Description
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The weakness exists due to a command injection flaw in the “caserver” HTTPS server. A remote attacker can send a specially crafted network request to the modem's port 49955, download busybox with netcat (mips-BE) from an HTTP server (no SSL support) via wget, and execute arbitrary commands or launch a reverse shell.
Successful exploitation of the vulnerability may result in system compromise.
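
For monitoring, the check below (an added example, not part of the original advisory) counts inbound connection attempts to TCP port 49955 from non-LAN sources. It assumes netfilter-style LOG lines from a firewall in front of the gateway; the sample lines, addresses and function name are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

CASERVER_PORT = 49955  # port the advisory names for the "caserver" service

# Assumption: sources inside these ranges are the LAN side and are not reported.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumption: netfilter LOG format with KEY=value fields and bare TCP flag tokens.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample log (documentation address ranges only).
SAMPLE_LOG = """\
Aug 31 10:02:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=51514 DPT=49955 SYN URGP=0
Aug 31 10:02:12 fw kernel: IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.23 PROTO=TCP SPT=49955 DPT=51514 ACK SYN URGP=0
Aug 31 10:02:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=51520 DPT=49955 SYN URGP=0
Aug 31 10:05:03 fw kernel: IN=br0 OUT= SRC=192.168.1.64 DST=192.168.1.254 PROTO=TCP SPT=40112 DPT=49955 SYN URGP=0
Aug 31 10:07:19 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP SPT=33810 DPT=443 SYN URGP=0
Aug 31 10:07:25 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP SPT=33811 DPT=49955 SYN URGP=0
"""


def external_caserver_hits(log_text, port=CASERVER_PORT):
    """Count new inbound TCP connection attempts to `port` per non-LAN source."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(port):
            continue
        tokens = line.split()
        if "SYN" not in tokens or "ACK" in tokens:
            continue  # keep only initial SYNs, skip replies and established traffic
        try:
            src = ipaddress.ip_address(fields.get("SRC", ""))
        except ValueError:
            continue  # malformed or missing source address
        if not any(src in net for net in LAN_NETS):
            hits[str(src)] += 1
    return hits


if __name__ == "__main__":
    for source, count in external_caserver_hits(SAMPLE_LOG).most_common():
        print(f"{source}: {count} connection attempt(s) to TCP/{CASERVER_PORT}")
```
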
Remediation
Using Burp Suite or another application that lets you customize web requests, submit the following request to the gateway’s external IP address from outside of the LAN.
POST /caserver HTTP/1.1
Host: FIXMYMODEM
Authorization: Basic dGVjaDo=
User-Agent: Fixmymodem
Connection: Keep-Alive
Content-Length: 77

appid=001&set_data=fixit;chmod 000 /var/caserver/caserver;fixit