Sunday, January 19, 2020

[Comtech] Multiple Authenticated RCE on FX-1010 Fetch URL and Poll Routes (CVE-2020-7243, CVE-2020-7244)


The web application used for the management and administration of the Compression Bandwidth Optimization Platform has a critical vulnerability that allows an attacker to achieve remote code execution with root access. In other words, the application lets an attacker gain full control over the server.

Comtech FX-1010


Vendor WebSite:
http://www.comtechtel.com/


You can search for vulnerable sites on Google with the dork "Comtech FX Series", or on Shodan if you prefer.

We need to use the default Comtech credentials (comtech:comtech) to access the administration panel.



RCE PoC #1


 Go to the Menu and click on Operations > Diagnostics > Fetch URL



In the URL input we can enter a site name such as "www.google.cl", but we can also append another command after a ";". In this case we use the "id" command.
When we press OK, the result shows us the user and groups.


Now we create a Python script to get a reverse shell with full control of the system.



 RCE PoC #2

 Go to the Menu and click on Operations > Diagnostics > Poll Routes


  

In the Router IP Address input we can enter an IP, but we can also append another command after a ";". In this case we use the "id" command.


When we press OK, the result shows us the user and groups.


Now we create a Python script to get a reverse shell with full control of the system.




Happy Hacking




[Comtech] Authenticated RCE on Comtech Stampede FX-1010 (CVE-2020-7242)


The web application used for the management and administration of the Compression Bandwidth Optimization Platform has a critical vulnerability that allows an attacker to achieve remote code execution with root access. In other words, the application lets an attacker gain full control over the server.

Comtech Stampede FX-1010


Vendor WebSite:
http://www.comtechtel.com/


You can search for vulnerable sites on Google with the dork "Comtech FX Series", or on Shodan if you prefer.

We need to use the default Comtech credentials (comtech:comtech) to access the administration panel.


 Go to the Menu and click on Operations > Diagnostics > Trace Route



 
In the target IP Address input we can Trace Route an IP, but we can also append another command after a ";". In this case we use the "whoami" command.




When we press OK, the result shows us the username "comtech".



Now we create a Python script to get a reverse shell with full control of the system.




 Getting the reverse shell.



 Happy hacking.
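All three diagnostics fields described above (Fetch URL, Poll Routes, Trace Route) accept a ";" followed by a second command, which is consistent with the field value reaching a shell unfiltered. The following is an added example, not code from the original posts or from Comtech, showing the fix a developer would apply to such fields: strict host/URL validation plus execution from an argument list with no shell. The function names and the use of `traceroute` and `curl` as backend tools are assumptions.

```python
import ipaddress
import re
import subprocess
from urllib.parse import urlsplit

# One DNS label: letters, digits, hyphens, never starting or ending with "-".
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def valid_host(value: str) -> bool:
    """Accept only a literal IP address or a syntactically valid hostname."""
    if not re.fullmatch(r"[A-Za-z0-9.:-]{1,253}", value):
        return False  # rejects ";", spaces, "%" scope ids, quotes, "$", ...
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return all(_LABEL.fullmatch(label) for label in value.split("."))


def shell_string(target: str) -> str:
    """Vulnerable pattern (assumed): the field is pasted into a shell line."""
    return "traceroute " + target  # a ";" in target starts a second command


def traceroute_argv(target: str) -> list[str]:
    """Hardened form for the Trace Route and Poll Routes style host fields."""
    if not valid_host(target):
        raise ValueError("target must be an IP address or hostname")
    # valid_host() rejects a leading "-", so target cannot be read as an option.
    return ["traceroute", target]


def fetch_url_argv(url: str) -> list[str]:
    """Hardened form for a Fetch URL style field (bare host or http/https URL)."""
    if any(ch.isspace() for ch in url):
        raise ValueError("whitespace is not allowed in a URL")
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.scheme not in ("http", "https") or not valid_host(parts.hostname or ""):
        raise ValueError("only http(s) URLs with a valid host are accepted")
    return ["curl", "--silent", "--max-time", "10", parts.geturl()]


def run(argv: list[str]) -> str:
    """Execute without a shell: each list element is exactly one argument."""
    done = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=30)
    return done.stdout
```

Running the diagnostic helper under an unprivileged account rather than root, and replacing the default comtech:comtech credentials, limits the impact if a validation gap is ever found.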









 

 


 