[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] CVE-2023-28130 - Hostname injection leads to Remote Code Execution RCE (Authenticated)

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] CVE-2023-28130 - Hostname injection leads to Remote Code Execution RCE (Authenticated)
From: Rick Verdoes via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
Date: Thu, 27 Jul 2023 08:33:47 +0000

 =========================
Exploit Title: Hostname injection leads to Remote Code Execution RCE 
(Authenticated)
Product: Gaia Portal
Vendor: Checkpoint
Vulnerable Versions: R81.20 < Take 14, R81.10 < Take 95, R81 < Take 82 and 
R80.40 < Take 198
Tested Version: R81.10 (take 335)
Advisory Publication: July 27, 2023
Latest Update: July 72, 2023
Vulnerability Type: Improper Control of Generation of Code (Code Injection) 
[CWE-94]
CVE Reference: CVE-2023-28130
CVSS Severity: High
CVSS Score: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Impact score: 8.4
Credit: Rick Verdoes & Danny de Weille (Hackify | pentests.nl)
=========================

 I. BACKGROUND
-------------------------
Check Point Gaia Portal is an advanced web-based interface designed for the 
configuration of the Gaia platform, a security operating system that combines 
the strengths of both SecurePlatform and IPSO operating systems. The Gaia 
Portal allows for nearly all system configuration tasks to be performed through 
this interface.

 II. VULNERABILITY
-------------------------
Check Point Gaia Portal has a vulnerability which allows an authenticated user 
with write permissions on the DNS settings to inject commands in a cgi script, 
leading to remote code execution on the operating system. The vulnerability 
lies in the parameter hostname in the web request /cgi-bin/hosts_dns.tcl, which 
is susceptible to command injection. This can be exploited by any user with a 
valid session, as long as the user has write permissions on the DNS settings. 
The injected commands are executed by the user 'Admin'.

 III. Proof of Concept
-------------------------
hostname=name|`COMMAND`&domainname=test.local&save=1

 IV. Impact
-------------------------
Successful exploitation allows a remote authenticated attacker to execute 
commands on the operating system.

 V. References
-------------------------
Security advisories:
https://pentests.nl/pentest-blog/cve-2023-28130-command-injection-in-check-point-gaia-portal/
https://support.checkpoint.com/results/sk/sk181311

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Prev by Date: [FD] Unauthorized MFA Code Delivery in EmpowerID
Next by Date: [FD] Trovent Security Advisory 2303-01 / CVE-2023-36255 / Authenticated remote code execution in Eramba
Previous by thread: [FD] Unauthorized MFA Code Delivery in EmpowerID
Next by thread: [FD] Trovent Security Advisory 2303-01 / CVE-2023-36255 / Authenticated remote code execution in Eramba
Index(es):
- Date
- Thread