module
Supermicro Onboard IPMI close_window.cgi Buffer Overflow
| Disclosed | Created |
|---|---|
| 2013-11-06 | 2018-05-30 |
Disclosed
2013-11-06
Created
2018-05-30
Description
This module exploits a buffer overflow on the Supermicro Onboard IPMI controller web
interface. The vulnerability exists on the close_window.cgi CGI application, and is due
to the insecure usage of strcpy. In order to get a session, the module will execute
system() from libc with an arbitrary CMD payload sent on the User-Agent header. This
module has been tested successfully on Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware
SMT_X9_214.
interface. The vulnerability exists on the close_window.cgi CGI application, and is due
to the insecure usage of strcpy. In order to get a session, the module will execute
system() from libc with an arbitrary CMD payload sent on the User-Agent header. This
module has been tested successfully on Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware
SMT_X9_214.
Authors
hdm x@hdm.io
juan vazquez juan.vazquez@metasploit.com
juan vazquez juan.vazquez@metasploit.com
Platform
Unix
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.