Untangle NGFW v12.1.0 beta execEvil() authenticated root CI exploit.

Untangle NGFW v12.1.0 beta execEvil() authenticated root CI exploit.

Untangle NGFW <= v12.1.0 beta execEvil() authenticated root CI exploit.
A command injection vulnerability exists in Untangle NG Firewall, which allows non-root authenticated users to execute system commands with root privileges. This exploit has been tested on Untangle NG Firewall versions 11.2, 12, 12.0.1, and 12.1.0 beta, but should work on previous versions. The client-side sanitisation issues identified in the disclosure post can be exploited with a web app proxy. This exploit leverages the vulnerable function directly. Credentials can be obtained by sniffing unsecured HTTP logins (which the appliance defaults to).

Disclosure Timeline:
22/4/2016: Attempted to contact vendor after discovery of vulnerabilities
6/5/2016: No response from vendor, vulnerabilities reported to US-CERT (assigned VU#538103)
12/5/2016: US-CERT confirms contacting vendor
16/6/2016: US-CERT notifies of no response from vendor and suggests requesting CVE-ID following their timeline
27/6/2016: Public disclosureungtangle

Usage:

Script:

Source: https://github.com/3xocyte