third release module with minor text changes

rapid7 · Oct 31, 2023 · ad6e461 · ad6e461
1 parent bfff35e
commit ad6e461
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 3 deletions.
diff --git a/...mentation/modules/exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258.md b/...mentation/modules/exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258.md
@@ -7,14 +7,15 @@ This is caused by a piece of demonstration code which is present in `lib/icepay/
 The parameter to `exec()` includes the `GET` parameter `democ`, which is controlled by the user.
 
 An unauthenticated user is able to execute arbitrary OS commands.
-The commands run with the privileges of the web server process, typically `www-data`.
+The commands run with the privileges of the web server process, typically `www-data` or `asterisk`.
 At a minimum, this allows an attacker to compromise the billing system and its database.
 
 See this [attackerkb article](https://attackerkb.com/topics/DFUJhaM5dL/cve-2023-30258) for more information.
 
 ## Installation
 This module has been tested on:
 - Debian 12.2 running on  VirtualBox 7 with MagnusBilling 7 installed.
+- CentOS 7 running on  VirtualBox 7 with MagnusBilling 6 installed.
 
 ### Installation steps
 * Install Debian 11 or later on VirtualBox.

diff --git a/modules/exploits/linux/http/magnusbilling_unauth_rce_cve_2023_30258.rb b/modules/exploits/linux/http/magnusbilling_unauth_rce_cve_2023_30258.rb
@@ -26,12 +26,12 @@ def initialize(info = {})
           The parameter to exec() includes the GET parameter `democ`, which is controlled by the user and
           not properly sanitised/escaped.
           After successful exploitation, an unauthenticated user is able to execute arbitrary OS commands.
-          The commands run with the privileges of the web server process, typically `www-data`.
+          The commands run with the privileges of the web server process, typically `www-data` or `asterisk`.
           At a minimum, this allows an attacker to compromise the billing system and its database.
 
           The following MagnusBilling applications are vulnerable:
           - MagnusBilling application version 6 (all versions);
-          - MagnusBilling application up to version 7.x and including commit 7af21ed620;
+          - MagnusBilling application up to version 7.x without commit 7af21ed620 which fixes this vulnerability;
         },
         'License' => MSF_LICENSE,
         'Author' => [