CVE-2021-33393
CVE-2021-33393
lfs/backup in IPFire 2.25-core155 does not ensure that /var/ipfire/backup/bin/backup.pl is owned by the root account. It might be owned by an unprivileged account, which could potentially be used to install a Trojan horse backup.pl script that is later executed by root. Similar problems with the ownership/permissions of other files may be present as well.
Affected products
n/a · n/apublic PoCs found — 3
githubgithub.com/joaoaugustom/IPFire_2.25_RCE_Authenticated★ 1cve_referencepacketstormsecurity.com/files/163158/IPFire-2.25-Remote-Code-Execution.htmlunverifiedexploitdbwww.exploit-db.com/exploits/49869unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://packetstormsecurity.com/files/163158/IPFire-2.25-Remote-Code-Execution.htmlhttps://github.com/ipfire/ipfire-2.x/commit/6769d909306d7bdc43d64598872126fcf1b217f6https://github.com/ipfire/ipfire-2.x/commits/master?since=2021-05-17&until=2021-05-17https://github.com/MucahitSaratar/ipfire-2-25-auth-rce