
CVE-2021-40222 PoC — Rittal CMC PU III OS Command Injection Vulnerability

Associated Vulnerability
Title: Rittal CMC PU III OS Command Injection Vulnerability (CVE-2021-40222)
Description: Rittal CMC PU III is a monitoring system from the German company Rittal. Rittal CMC PU III Web management V3.11.00_2 contains a security vulnerability that stems from the web application failing to sanitize user input on the network TCP/IP configuration page. An attacker can exploit it by placing shell code in the PU hostname field of the TCP/IP configuration dialog to create a reverse shell and insert commands on the device as the root user; the commands are executed once the data is received. The issue is fixed in V3.17.10.
Description
Remote Code Execution at Rittal
Readme
# CVE-2021-40222
**Application**: Rittal CMC PU III Web management

**Devices**: CMC PU III 7030.000

**Software Revision**: V3.11.00_2

**Hardware Revision**: V3.00

**Attack type**: Remote Code Execution

**Solution**: Update to Software Revision V3.17.10 or later

**Summary**: The web application fails to sanitize user input on the Network TCP/IP configuration page. This allows an attacker to inject commands that are executed as root on the device a few seconds after the data is received. An attacker can create a backdoor on the device or simply execute a reverse shell that connects back to the attacker's machine. Successful exploitation requires admin access to the device's management interface with a valid or hijacked session.
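The root cause described above is a hostname field that reaches a root-level command without validation. The following is an added example, not code from the PoC author or from Rittal, showing the two controls that close this class of bug: an RFC 1123 allow-list check on the hostname, and building the command as an argument vector rather than a shell string. `hostname_change_argv` is a hypothetical helper; it returns the argv a configuration backend would pass to `subprocess.run` and does not execute anything.

```python
import re

# RFC 1123 hostname label: letters, digits and hyphens, 1-63 characters,
# not starting or ending with a hyphen. Shell metacharacters such as ';',
# '|', '$', '`', quotes and whitespace are rejected by construction because
# they are simply not in the allowed set.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(value: str) -> bool:
    """Allow-list validation for a hostname entered on a configuration page."""
    if not value or len(value) > 253:
        return False
    # Tolerate one trailing dot (FQDN notation), then check every label.
    if value.endswith("."):
        value = value[:-1]
    labels = value.split(".")
    return all(_LABEL.match(label) is not None for label in labels)


def hostname_change_argv(value: str) -> list[str]:
    """Hypothetical backend helper (assumption, not the device's code).

    Returns the argument vector that would be handed to subprocess.run().
    Using an argv list instead of a shell string means the user value is
    always a single argument, even if validation were somehow bypassed.
    """
    if not is_valid_hostname(value):
        raise ValueError("hostname rejected by allow-list validation")
    return ["hostname", value]


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate names and a few malformed ones.
    for candidate in ["cmc-pu3", "rack01.example.net", "-bad", "a;b", "a b"]:
        print(f"{candidate!r:24} valid={is_valid_hostname(candidate)}")
```

The validator is deliberately an allow-list: rather than trying to enumerate dangerous characters, it accepts only what a hostname may legally contain, so any injection attempt fails the check regardless of the shell or interpreter behind the configuration page.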

**Timeline**:
* 2021-08-03 Issues discovered
* 2021-08-08 First contact with vendor via e-mail
* 2021-08-23 Second contact with vendor via e-mail
* 2021-09-01 Vulnerability patch confirmed

File Snapshot

/data/pocs/60a7c64bffb6d2cd9add08c2a52e37cd5409f452
├── RCE IN RITTAL CMC III.pdf (382K)
├── RCE.mp4 (1.9M)
└── README.md (922 bytes)
0 directories, 3 files