Sangfor EDR 3.2.17R1/3.2.21 - Remote Code Execution

What is "Sangfor EDR 3.2.17R1/3.2.21 - Remote Code Execution?"

The "Sangfor EDR 3.2.17R1/3.2.21 - Remote Code Execution" module is designed to detect a critical vulnerability in the Sangfor EDR software versions 3.2.17R1 and 3.2.21. This vulnerability allows remote unauthenticated users to execute arbitrary commands on the target system. The severity of this vulnerability is classified as critical.

This module was authored by pikpikcu.

Impact

If successfully exploited, this vulnerability can lead to unauthorized remote code execution on the target system. Attackers can leverage this to gain full control over the affected system, potentially compromising sensitive data, disrupting operations, or launching further attacks.

How the module works?

The module sends an HTTP POST request to the "/api/edr/sangforinter/v2/cssp/slog_client" endpoint with a specific token. It then applies two matching conditions to determine if the vulnerability is present:

- The module checks the response body for the presence of the regex pattern "root:.*:0:0:". If this pattern is found, it indicates that the vulnerability exists. - The module also verifies that the response status code is 200, indicating a successful request.

If both conditions are met, the module reports the vulnerability.

For more information, you can refer to the following reference: https://www.cnblogs.com/0day-li/p/13650452.html