AT&T Arbitrary Code Execution Vulnerability

Last updated on Aug 2, 2021 1 min read

Recently, I found an interesting issue Remote Code Execution for AT&T  bug bounty program.

But before going into this let’s understand Arbitrary Code Execution -

Arbitrary Code Execution also know as command injection is a technique used via a web interface in order to execute OS commands on a web server. The user supplies operating system commands through a web interface in order to execute OS commands. Any web interface that is not properly sanitized is subject to this exploit. With the ability to execute OS commands, the user can upload malicious programs or even obtain passwords. OS command injection is preventable when security is emphasized during the design and development of applications.

Issue was reported on October 21, 2014 to AT&T Security Team.
Resolved on Jan 27, 2015 by AT&T

The issue which I found was straight forward and needs no explanation

:)

I was able to execute the OS level command on the System below is the step wise screenshot of the Attack.

Step 1- Affected Page

step 1

 

Step 2 Capture Request

Step 2 Capture Request

Step 3 Highlighted vulnerable parameter

Step 3 Highlighted vulnerable parameter

Step 4 Modified password to execute code

Step 4 Modified password to execute code

step 5 code execution successful

step 5 code execution successful

Response from AT&T Team

Screen Shot 2016-07-26 at 6

Vinesh Redkar
Vinesh Redkar
Senior Security Researcher

Security professional with over 9 years of experience in the security domain across various industries such as Finance, Insurance, Telecom, and government