CVE-2007-3010


CVSS 9.8 CRITICAL · EPSS 97.4% · KEV · CWE-77
In short

A tool used to manage Alcatel phone systems has a flaw that lets attackers run any command they want on the server by sending specially crafted requests. This is critical because attackers can take complete control of the system without needing permission.

Technical detail

masterCGI in Alcatel OmniPCX Enterprise's Unified Maintenance Tool (R7.1 and earlier) fails to properly sanitize the user parameter in ping actions, allowing OS command injection via shell metacharacters. Remote unauthenticated attackers can exploit this to achieve arbitrary command execution with system privileges. The vulnerability stems from insufficient input validation (CWE-77) before passing user input to shell operations.

Summary generated and translated by AI from the official description.
masterCGI in the Unified Maintenance Tool in Alcatel OmniPCX Enterprise Communication Server R7.1 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the user parameter during a ping action.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
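
A detection-side illustration of the flaw described above, added here and not taken from the official description or from the vendor's code: it scans web access log lines for masterCGI requests whose user parameter decodes to a value containing shell metacharacters. The combined log format, the /cgi-bin/ path in the sample lines and the idea that the ping action appears as a query parameter named ping are assumptions, not details from this page.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Request field of a combined-format access log line (format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/\d(?:\.\d)?"')
# Characters a shell interprets; assumed never to be legitimate in `user`.
SHELL_META = re.compile(r"""[;|&`$()<>{}\\'"\s]""")


def parse_query(query):
    """Split on '&' only and decode once, so a raw ';' stays inside its value."""
    pairs = []
    for field in query.split("&"):
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name).lower(), unquote_plus(value)))
    return pairs


def inspect_line(line):
    """Flag a masterCGI request whose `user` value holds shell metacharacters."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = urlsplit(match.group("target"))
    if "mastercgi" not in url.path.lower():
        return None
    pairs = parse_query(url.query)
    bad = [v for n, v in pairs if n == "user" and SHELL_META.search(v)]
    if not bad:
        return None
    return {
        "client": line.split(" ", 1)[0],
        "user_values": bad,
        # Assumption: the ping action appears as a parameter named "ping".
        "ping_action": any(n == "ping" for n, _ in pairs),
    }


# Constructed sample lines: documentation addresses, assumed /cgi-bin/ path.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/masterCGI?ping=host1&user=admin HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/masterCGI?ping=host1&user=x%3Becho%20test HTTP/1.1" 200 87',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/masterCGI?ping=host1&user=a%7Cid HTTP/1.0" 200 90',
    '203.0.113.4 - - [01/Jan/2024:10:00:12 +0000] "GET /index.html?user=%3Bid HTTP/1.1" 200 1024',
]
FINDINGS = [f for f in map(inspect_line, SAMPLE_LOG) if f]

if __name__ == "__main__":
    print(*FINDINGS, sep="\n")
```

Access logs record only the request line, so parameters sent in a POST body need the same check applied at a proxy or WAF that sees the body.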
Affected products
n/a · n/a