WANem v2.3 multiple vulnerabilities

WANem v2.3 allows unauthenticated remote attackers to gain root access.

Software Link: http://wanem.sourceforge.net/

Vendor Notification: 2012-08-16 - Notified

# 0x00 # Privilege Escalataion

The 'dosu' binary file is setuid 'root'. It executes arbitrary commands supplied in argument 1.

The following proof of concept is available:

# 0x01 # Arbitrary Command Execution

It is possible to execute arbitrary commands remotely as the 'www-data' user by injecting commands into the 'pc' parameter of '/var/www/WANem/result.php'

Combining this issue with the privilege escalation vulnerability allows unauthorized remote root access.

The following proof of concept is available:

wanem-2.3-remote-root.py exploit

# 0x02 # Cross-Site Scripting (XSS)

The following proof of concept is avilable:

Reference

# OWASP: Command Injection

# OWASP: Cross-Site Scripting (XSS)

Appendix

[PoC] wanem-2.3-remote-root.py

[TXT] WANem v2.3 multiple vulnerabilities