This module exploits an OS command injection vulnerability in a
web-accessible CGI script used to change passwords for locally-defined
proxy user accounts. Valid credentials for such an account are
Command execution will be in the context of the "nobody" account, but
this account had broad sudo permissions, including to run the script
/usr/local/bin/chrootpasswd (which changes the password for the Linux
root account on the system to the value specified by console input
once it is executed).
The password for the proxy user account specified will *not* be
changed by the use of this module, as long as the target system is
vulnerable to the exploit.
Very early versions of Endian Firewall (e.g. 1.1 RC5) require
HTTP basic auth credentials as well to exploit this vulnerability.
Use the USERNAME and PASSWORD advanced options to specify these values
Versions >= 3.0.0 still contain the vulnerable code, but it appears to
never be executed due to a bug in the vulnerable CGI script which also
prevents normal use (http://jira.endian.com/browse/UTM-1002).
Versions 2.3.x and 2.4.0 are not vulnerable because of a similar bug
Tested successfully against the following versions of EFW Community:
1.1 RC5, 2.0, 2.1, 2.2, 2.5.1, 2.5.2.
Should function against any version from 1.1 RC5 to 2.2.x, as well as
2.4.1 and 2.5.x.