Aerohive NetConfig 10.0r8a LFI and log poisoning to RCE

Disclosed | Created
---|---
2020-02-17 | 2021-11-12
Description

This module exploits LFI and log poisoning vulnerabilities
(CVE-2020-16152) in Aerohive NetConfig, version 10.0r8a
build-242466 and older in order to achieve unauthenticated remote
code execution as the root user. NetConfig is the Aerohive/Extreme
Networks HiveOS administrative web interface. Vulnerable versions
allow for LFI because they rely on a version of PHP 5 that is
vulnerable to string truncation attacks. This module leverages this
issue in conjunction with log poisoning to gain RCE as root.

Upon successful exploitation, the Aerohive NetConfig application
may hang for as long as the spawned shell remains open. For the
Linux target, the MeterpreterTryToFork option (enabled by default)
will likely prevent this. If the app hangs, closing the session
should render it responsive again.

The module provides an automatic cleanup option to clean the log.
However, this option is disabled by default because any modification
to the /tmp/messages log, even via sed, may render the target
(temporarily) unexploitable. This state can last over an hour.

This module has been successfully tested against Aerohive NetConfig
versions 8.2r4 and 10.0r7a.
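The description above combines three observable behaviours: path traversal in a request parameter, a request that points the include at a log file (/tmp/messages), and PHP tags written into a log via request-controlled fields such as the User-Agent. The PHP 5 string truncation it mentions also tends to show up as unusually long, padded path values. The following is an added detection example, not part of the Metasploit module or of Aerohive's code; it scans constructed syslog-style web access lines (a made-up format, not Aerohive's real log layout) for those indicators so a defender can hunt for the chain in their own logs. The field names, the regular expressions and the padding threshold are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in an assumed "syslog + access log" shape.
# These are NOT real Aerohive/HiveOS log entries; the format is invented
# for the example and the parser below is written against it.
SAMPLE_LOG = "\n".join([
    'Feb 17 10:01:02 ap httpd: 10.0.0.5 "GET /index.php HTTP/1.1" 200 "Mozilla/5.0"',
    'Feb 17 10:01:09 ap httpd: 10.0.0.9 "GET /login.php?page=../../../../tmp/messages HTTP/1.1" 200 "Mozilla/5.0"',
    'Feb 17 10:01:15 ap httpd: 10.0.0.9 "GET /login.php HTTP/1.1" 200 "<?php echo 1; ?>"',
    'Feb 17 10:01:20 ap httpd: 10.0.0.9 "GET /login.php?page=%252e%252e%2f%252e%252e%2ftmp%2fmessages HTTP/1.1" 200 "curl/7.68.0"',
    'Feb 17 10:01:30 ap httpd: 10.0.0.9 "GET /login.php?page=/tmp/messages' + '/.' * 12 + ' HTTP/1.1" 200 "Mozilla/5.0"',
])

# Parser for the assumed line shape: timestamp, host, source IP, request line,
# status code and quoted User-Agent.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) httpd: (?P<src>\S+) '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)   # PHP open tag in a request-controlled field
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\')              # directory traversal after decoding
PADDING_RE = re.compile(r'(/\.){8,}|/{8,}')             # repeated "/." or "/" filler (assumed threshold)
SENSITIVE_LOGS = ('/tmp/messages', '/var/log/')        # log files worth flagging when referenced
MAX_SANE_URI_LEN = 1024                                 # assumed: longer values are suspicious


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded traversal is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return the line's fields as a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_indicators(rec):
    """Return the list of indicator names that fire for one parsed record."""
    indicators = []
    uri = decode_fully(rec['uri'])
    if TRAVERSAL_RE.search(uri):
        indicators.append('path-traversal')
    if any(path in uri for path in SENSITIVE_LOGS):
        indicators.append('log-file-reference')
    if PADDING_RE.search(uri) or len(uri) > MAX_SANE_URI_LEN:
        indicators.append('path-padding')
    # A PHP tag in any field that gets written to a log is the poisoning signal.
    for field in ('uri', 'ua'):
        if PHP_TAG_RE.search(decode_fully(rec[field])):
            indicators.append(f'php-tag-in-{field}')
    return indicators


def scan(log_text):
    """Scan a log blob; return (source_ip, raw_uri, indicators) for each suspicious line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = find_indicators(rec)
        if hits:
            findings.append((rec['src'], rec['uri'], hits))
    return findings


if __name__ == '__main__':
    for src, uri, hits in scan(SAMPLE_LOG):
        print(f'{src}  {", ".join(hits):40s}  {uri[:60]}')
```

A single indicator on its own is noisy (scanners send traversal strings constantly); the combination that matters for this chain is a PHP tag landing in a logged field from the same source that also requests a log file path through the include parameter, so correlating by source address over a short window is the useful alert.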
Authors
Erik de Jong
Erik Wynter
Platform
Linux,Unix
Architectures
armle, cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’: