Brendan Scarvell

9 exploits. Active since Mar 2019.
CVE-2019-10655 WRITEUP CRITICAL WORKING POC
Grandstream GAC2500/GXP2200/GVC3202/GXV3275/GXV3240 < 1.0.3.219 - Unauthenticated RCE via getlogcat
Grandstream GAC2500 1.0.3.35, GXP2200 1.0.3.27, GVC3202 1.0.3.51, GXV3275 before 1.0.3.219 Beta, and GXV3240 before 1.0.3.219 Beta devices allow unauthenticated remote code execution via shell metacharacters in a /manager?action=getlogcat priority field, in conjunction with a buffer overflow (via the phonecookie cookie) to overwrite a data structure and consequently bypass authentication. This can be exploited remotely or via CSRF because the cookie can be placed in an Accept HTTP header in an XMLHttpRequest call to lighttpd.
CVSS 9.8
CVE-2019-10656 WRITEUP HIGH WORKING POC
Grandstream GWN7000 Firmware < 1.0.6.32 - Authenticated Remote Code Execution via uci.apply API
Grandstream GWN7000 before 1.0.6.32 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/uci.apply update_nds_webroot_from_tmp API call.
CVSS 8.8
CVE-2019-10657 WRITEUP MEDIUM WORKING POC
Grandstream GWN7000 < 1.0.6.32 and GWN7610 < 1.0.8.18 - Authenticated Password Exposure via Ubus UCI Config Request
Grandstream GWN7000 before 1.0.6.32 and GWN7610 before 1.0.8.18 devices allow remote authenticated users to discover passwords via a /ubus/uci.apply config request.
CVSS 6.5
CVE-2019-10658 WRITEUP HIGH WORKING POC
Grandstream GWN7610 < 1.0.8.18 - Authenticated Remote Code Execution via update_nds_webroot_from_tmp API
Grandstream GWN7610 before 1.0.8.18 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the filename in a /ubus/controller.icc.update_nds_webroot_from_tmp update_nds_webroot_from_tmp API call.
CVSS 8.8
CVE-2019-10659 WRITEUP HIGH WORKING POC
Grandstream GXV3370 < 1.0.1.41 and WP820 < 1.0.3.6 - Authenticated Remote Code Execution via Logcat Priority Field
Grandstream GXV3370 before 1.0.1.41 and WP820 before 1.0.3.6 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in a /manager?action=getlogcat priority field.
CVSS 8.8
CVE-2019-10660 WRITEUP HIGH WORKING POC
Grandstream GXV3611IR_HD < 1.0.3.23 - Authenticated OS Command Injection via logserver Parameter
Grandstream GXV3611IR_HD before 1.0.3.23 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the /goform/systemlog?cmd=set logserver field.
CVSS 8.8
CVE-2019-10661 WRITEUP CRITICAL WORKING POC
Grandstream GXV3611IR_HD Firmware < 1.0.3.23 - Unauthenticated Root Access via Passwordless root Account
On Grandstream GXV3611IR_HD before 1.0.3.23 devices, the root account lacks a password.
CVSS 9.8
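An added audit check, not code from the writeup or from Grandstream: given the contents of /etc/shadow pulled out of a firmware image, flag every account whose password field is empty (the condition this entry reports for root) and distinguish that from locked accounts (`*`, `!`) and accounts with a hash. The sample shadow text is constructed for the example.

```c
/* Added example, not Grandstream code: audit shadow(5) entries extracted
 * from a firmware image for accounts that can log in with no password at
 * all, the condition CVE-2019-10661 reports for root. SAMPLE_SHADOW is
 * constructed for this example. */
#include <stdio.h>
#include <string.h>

enum shadow_state {
    SHADOW_MALFORMED = -1, /* no ':' at all, or account not found */
    SHADOW_HASHED    = 0,  /* a hash is present */
    SHADOW_EMPTY     = 1,  /* empty field: the account has no password */
    SHADOW_LOCKED    = 2   /* "*", "!" or "!!": no password login possible */
};

static const char SAMPLE_SHADOW[] =
    "root::18000:0:99999:7:::\n"
    "admin:$6$saltsalt$hashhash:18000:0:99999:7:::\n"
    "daemon:*:18000:0:99999:7:::\n"
    "nobody:!:18000:0:99999:7:::\n"
    "garbage line without separators\n"
    "guest::18000:0:99999:7:::\n";

/* Classify the password field (second colon-separated field) of one line. */
int shadow_password_state(const char *line)
{
    const char *p = strchr(line, ':');
    if (p == NULL)
        return SHADOW_MALFORMED;
    p++;
    const char *q = strchr(p, ':');
    size_t len = q ? (size_t)(q - p) : strlen(p);
    if (len == 0)
        return SHADOW_EMPTY;
    if (p[0] == '*' || p[0] == '!')
        return SHADOW_LOCKED;
    return SHADOW_HASHED;
}

/* Copy the next line of text into buf (NUL-terminated, truncated if too
 * long) and return the start of the following line, or NULL at end of text. */
static const char *next_line(const char *text, char *buf, size_t buflen)
{
    if (*text == '\0')
        return NULL;
    const char *nl = strchr(text, '\n');
    size_t len = nl ? (size_t)(nl - text) : strlen(text);
    size_t copy = len < buflen - 1 ? len : buflen - 1;
    memcpy(buf, text, copy);
    buf[copy] = '\0';
    return nl ? nl + 1 : text + len;
}

/* Password state of one named account; SHADOW_MALFORMED if it is absent. */
int shadow_lookup_state(const char *shadow_text, const char *user)
{
    char buf[512];
    size_t ulen = strlen(user);
    const char *cur = shadow_text;
    while ((cur = next_line(cur, buf, sizeof buf)) != NULL) {
        if (strncmp(buf, user, ulen) == 0 && buf[ulen] == ':')
            return shadow_password_state(buf);
    }
    return SHADOW_MALFORMED;
}

/* Report and count every account with an empty password field. */
int count_passwordless(const char *shadow_text)
{
    char buf[512];
    int count = 0;
    const char *cur = shadow_text;
    while ((cur = next_line(cur, buf, sizeof buf)) != NULL) {
        if (buf[0] != '\0' && shadow_password_state(buf) == SHADOW_EMPTY) {
            count++;
            *strchr(buf, ':') = '\0'; /* isolate the account name */
            printf("no password set for account \"%s\"\n", buf);
        }
    }
    return count;
}

int main(void)
{
    int n = count_passwordless(SAMPLE_SHADOW);
    printf("%d passwordless account(s); root state = %d\n",
           n, shadow_lookup_state(SAMPLE_SHADOW, "root"));
    return n == 0 ? 0 : 1;
}
```

Run it over the shadow file from an unpacked firmware image (after binwalk or the vendor's own update format has been unpacked); a non-zero exit means at least one account, here root and guest in the constructed sample, accepts an empty password.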
CVE-2019-10662 WRITEUP HIGH WORKING POC
Grandstream UCM6204 < 1.0.19.20 - Authenticated Remote Code Execution via backupUCMConfig file-backup Parameter
Grandstream UCM6204 before 1.0.19.20 devices allow remote authenticated users to execute arbitrary code via shell metacharacters in the backupUCMConfig file-backup parameter to the /cgi? URI.
CVSS 8.8
CVE-2019-10655 METASPLOIT CRITICAL ruby WORKING POC
Grandstream GAC2500/GXP2200/GVC3202/GXV3275/GXV3240 < 1.0.3.219 - Unauthenticated RCE via getlogcat
Metasploit module (Ruby) for the unauthenticated getlogcat command injection combined with the phonecookie authentication bypass described in the CVE-2019-10655 writeup entry above.
CVSS 9.8
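Most of the entries above are one bug class: a request parameter (the getlogcat priority field in CVE-2019-10655 and CVE-2019-10659, the filename in CVE-2019-10656 and CVE-2019-10658, the logserver value in CVE-2019-10660, the file-backup parameter in CVE-2019-10662) is interpolated into a command line that a shell then interprets. The C below is an added example, not code from the Grandstream firmware or from any of the writeups: a minimal handler in the vulnerable shape beside a hardened one that allow-lists the value and runs logcat through execv() with no shell in the path. The concrete command (`logcat -d *:<priority>`), the logcat binary path and the attacker payload are assumptions; only the bug class comes from the advisories.

```c
/* Added example, not Grandstream code: the vulnerable and hardened shapes
 * of a CGI handler that runs logcat with a user-controlled priority.
 * The command line and binary path are assumed for illustration. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* VULNERABLE shape: the raw parameter is spliced into a string destined for
 * system() or popen(). With priority = "V; id" the shell sees two commands.
 * Returned (not executed) here so the example is safe to run. */
const char *build_logcat_cmd_vulnerable(const char *priority)
{
    static char cmd[128];
    snprintf(cmd, sizeof cmd, "logcat -d *:%s", priority);
    return cmd;
}

/* Count characters /bin/sh would treat specially; non-zero on the string
 * above means attacker input reached the shell intact. */
int shell_metachar_count(const char *s)
{
    static const char meta[] = ";|&$`<>()\\\n";
    int n = 0;
    for (; *s; s++)
        if (strchr(meta, *s) != NULL)
            n++;
    return n;
}

/* HARDENED step 1: allow-list. logcat priorities are the single letters
 * V D I W E F S; anything else is rejected before a process is touched. */
int priority_is_valid(const char *priority)
{
    if (priority == NULL || strlen(priority) != 1)
        return 0;
    return strchr("VDIWEFS", priority[0]) != NULL;
}

/* HARDENED step 2: no shell at all. The validated value travels as its own
 * argv element, so there is no interpreter for metacharacters to reach.
 * Returns the child's exit status, -1 on rejected input or fork failure. */
int run_logcat_hardened(const char *priority)
{
    if (!priority_is_valid(priority))
        return -1;

    char filter[8];
    snprintf(filter, sizeof filter, "*:%c", priority[0]);
    char *const argv[] = { "logcat", "-d", filter, NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv("/system/bin/logcat", argv); /* path assumed */
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *attacker = "V; id"; /* constructed payload */
    const char *cmd = build_logcat_cmd_vulnerable(attacker);
    printf("vulnerable command line: %s  (%d shell metacharacter(s))\n",
           cmd, shell_metachar_count(cmd));
    printf("hardened handler result for %s: %d (rejected)\n",
           attacker, run_logcat_hardened(attacker));
    return 0;
}
```

The allow-list alone would already have stopped the payload, but the execv() step is what makes the fix robust: if a later change widens the accepted values, there is still no shell for them to be interpreted by. The same two steps apply to the filename and logserver parameters in the GWN and GXV3611IR_HD entries.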