CVE-2019-16305

In MobaXterm 11.1 and 12.1, the protocol handler is vulnerable to command injection. A crafted link can trigger a popup asking whether the user wants to run MobaXterm to handle the link. If accepted, another popup appears asking for further confirmation. If this is also accepted, command execution is achieved, as demonstrated by the MobaXterm://`calc` URI.

CVSS v3 8.8 HIGH
CVSS v2.0 6.8 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://freetom.github.io/0day/2019/09/14/MobaXterm-command-exec-in-protocol-handler.html	Exploit

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:a:mobatek:mobaxterm:11.1:::::::*
	cpe:2.3:a:mobatek:mobaxterm:12.1:::::::*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-09-14 15:15

Updated : 2023-12-10 12:59

NVD link : CVE-2019-16305

Mitre link : CVE-2019-16305

CVE.ORG link : CVE-2019-16305

JSON object : View

Products Affected

microsoft

windows

mobatek

mobaxterm

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

{"id": "CVE-2019-16305", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2019-09-14T15:15:10.503", "references": [{"url": "https://freetom.github.io/0day/2019/09/14/MobaXterm-command-exec-in-protocol-handler.html", "tags": ["Exploit"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-77"}]}], "descriptions": [{"lang": "en", "value": "In MobaXterm 11.1 and 12.1, the protocol handler is vulnerable to command injection. A crafted link can trigger a popup asking whether the user wants to run MobaXterm to handle the link. If accepted, another popup appears asking for further confirmation. If this is also accepted, command execution is achieved, as demonstrated by the MobaXterm://`calc` URI."}, {"lang": "es", "value": "En MobaXterm versiones 11.1 y 12.1, el manejador de protocolo es vulnerable a la inyecci\u00f3n de comandos. Un enlace dise\u00f1ado puede activar una ventana emergente que pregunta al usuario si desea ejecutar MobaXterm para manejar el enlace. Si es aceptado, aparece otra ventana emergente preguntando confirmaci\u00f3n adicional. Si esto es tambi\u00e9n aceptado, es alcanzada una ejecuci\u00f3n de comando, como es demostrado por el URI MobaXterm://\"calc\"."}], "lastModified": "2020-08-24T17:37:01.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mobatek:mobaxterm:11.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D6AA3BCD-F818-4FFC-97F8-5F45F7A3DDC0"}, {"criteria": "cpe:2.3:a:mobatek:mobaxterm:12.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "68EA9D95-F323-4891-B42F-8F1F0FF6264A"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}