Thursday, December 20, 2012

HTB23127: Multiple Command Execution Vulnerabilities in Smartphone Pentest Framework (SPF)


Smartphone Pentest Framework (SPF) versions 0.1.3 and 0.1.4 suffer from OS Command Injection [CWE-78]. High-Tech Bridge Security Research Lab discovered multiple OS command execution vulnerabilities in Smartphone Pentest Framework (SPF), which could be exploited to get control over a penetration tester's machine remotely.

According to High-Tech Bridge's Advisory HTB23127, multiple Perl scripts in the "/frameworkgui/" directory do not sanitize user-supplied input passed as an argument to the "system()" function, so it becomes possible to inject and execute arbitrary OS commands on the target system with the privileges of the web server user.

Because CSRF vulnerability (3) in HTB23123 is still unfixed, it is possible to exploit these vulnerabilities through it. They exist in:

- the "SEAttack.pl" script, due to insufficient validation of user-supplied input passed via the "hostingPath" parameter;
- the "CSAttack.pl" script, due to insufficient validation of user-supplied input passed via the "hostingPath" parameter;
- the "attachMobileModem.pl" script, due to insufficient validation of user-supplied input passed via the "appURLPath" parameter.
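The pattern behind this class of bug, and its fix, shown as an added example that is not SPF's code and does not come from the advisory: a path-style parameter such as "hostingPath" is checked against an allowlist and then passed to the list form of `system()`, which bypasses the shell. The function names, the allowlist and the `mkdir` stand-in command are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical validator for a path-style CGI parameter such as "hostingPath".
# Allowlist (an assumption): absolute path made of letters, digits, '_', '-',
# '.', '/', with no ".." component. Spaces, ';', '|', '`', '$' are rejected.
sub valid_path {
    my ($p) = @_;
    return 0 unless defined $p && length $p && length $p <= 255;
    return 0 unless $p =~ m{\A/[A-Za-z0-9_./-]*\z};
    return 0 if grep { $_ eq '..' } split m{/}, $p;
    return 1;
}

# Risky pattern of the kind the advisory describes: a single string handed to
# system(), so /bin/sh interprets any metacharacters inside the parameter.
#   system("mkdir -p $path");
#
# Hardened pattern: validate first, then call system() in list form, which
# executes the program directly and never sends the value through a shell.
# "mkdir" is a stand-in for whatever command the real script runs.
sub make_dir {
    my ($path) = @_;
    return 'rejected' unless valid_path($path);
    my $rc = system('mkdir', '-p', '--', $path);
    return $rc == 0 ? 'created' : 'failed';
}

# Constructed sample inputs (not taken from the advisory).
my @samples = (
    '/tmp/spf-demo/hosting',      # plain path, accepted
    '/tmp/spf-demo; id',          # shell metacharacter and space
    '/tmp/spf-demo/../../etc',    # traversal component
    '/tmp/spf-demo/$(id)',        # command substitution syntax
);

for my $s (@samples) {
    printf "%-28s => %s\n", $s, make_dir($s);
}
```

The list form alone stops shell interpretation, but the allowlist is still needed so that the value cannot name a location outside what the script is meant to touch.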

These vulnerabilities are unpatched at this time. As a temporary solution, remove or disable SPF's GUI.

Full advisory: High-Tech Bridge Advisory HTB23127 - Multiple Vulnerabilities in Smartphone Pentest Framework (SPF).
