CVE-2018-17431
Description
Web Console in Comodo UTM Firewall before 2.7.0 allows remote attackers to execute arbitrary code without authentication via a crafted URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <2.7.0
Patches
Vulnerability mechanics
Root cause
"The `/manage/webshell/u` endpoint executes arbitrary system commands without requiring authentication."
Attack vector
An unauthenticated remote attacker sends a crafted HTTPS request to the `/manage/webshell/u` path on the Comodo UTM Firewall's web management port. The attacker supplies a URL-encoded command sequence in the `k` parameter (e.g., `%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a` to disable SSH) and integer values for the `s`, `w`, `h`, `l`, and `_` parameters [ref_id=1]. No authentication or session token is required, allowing arbitrary command execution on the firewall appliance.
Affected code
The vulnerability resides in the `/manage/webshell/u` endpoint of the Comodo UTM Firewall Web Console. The endpoint accepts a `k` parameter containing URL-encoded commands, along with `s`, `w`, `h`, `l`, and `_` parameters, and executes those commands without authentication [ref_id=1].
What the fix does
The advisory states that Comodo released a patch on 2018-11-23 for versions before 2.7.0 and 1.5.0 [ref_id=1]. No patch diff is provided in the bundle, but the remediation presumably adds authentication checks to the `/manage/webshell/u` endpoint or removes the unauthenticated web shell interface entirely. Users should upgrade to Comodo UTM Firewall version 2.7.0 or later.
Preconditions
- network: The Comodo UTM Firewall Web Console must be accessible over the network (default port 10443)
- auth: No authentication or session is required
Reproduction
1. Identify a target Comodo UTM Firewall (version before 2.7.0) with its web management interface reachable.
2. Construct a URL-encoded command sequence (e.g., URL-encode `service\nssh\ndisable\n` to `%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a`).
3. Send a GET request to `https://[target]:10443/manage/webshell/u?s=4&w=100&h=24&k=[encoded_command]&l=21&_=1534440840152`.
4. Send a second request with `k=%0a` (an extra newline) to execute the command.
5. Observe the "Configuration has been altered" response confirming execution [ref_id=1].
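The two-request pattern described above can be hunted for in web logs. The following Python is an added example, not code from the advisory or the vendor; it assumes common-log-format lines from a proxy or sensor in front of the management port, and the sample lines, source addresses, field names and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common log format. Assumption: they come from a
# proxy or sensor in front of the management port, not from the appliance.
SAMPLE_LOG = """\
198.51.100.7 - - [16/Aug/2018:17:34:00 +0000] "GET /manage/webshell/u?s=4&w=100&h=24&k=%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a&l=21&_=1534440840152 HTTP/1.1" 200 61
198.51.100.7 - - [16/Aug/2018:17:34:01 +0000] "GET /manage/webshell/u?s=4&w=100&h=24&k=%0a&l=21&_=1534440840153 HTTP/1.1" 200 48
192.0.2.10 - - [16/Aug/2018:17:35:12 +0000] "GET /favicon.ico HTTP/1.1" 200 1150
192.0.2.10 - - [16/Aug/2018:17:35:40 +0000] "GET /manage/webshell/u/ HTTP/1.1" 200 12
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WEBSHELL_PATH = "/manage/webshell/u"  # endpoint named in the advisory


def find_webshell_requests(log_text):
    """Return one finding per logged request to the web shell endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path.rstrip("/") != WEBSHELL_PATH:
            continue
        # parse_qs percent-decodes the value, so %0a becomes a real newline.
        k = parse_qs(url.query, keep_blank_values=True).get("k", [""])[0]
        findings.append({
            "src": m["src"],
            "status": int(m["status"]),
            "command_lines": [p for p in k.split("\n") if p],
            # k consisting only of newlines is the follow-up "execute" request.
            "submit_only": k != "" and k.strip("\n") == "",
        })
    return findings


def sources_with_submitted_input(findings):
    """Sources that sent command text and later a bare-newline request."""
    pending, hits = set(), set()
    for f in findings:
        if f["command_lines"]:
            pending.add(f["src"])
        elif f["submit_only"] and f["src"] in pending:
            hits.add(f["src"])
    return hits
```

Any request to this path from outside the administrative network merits triage; the second function narrows the findings to sources that completed the command-then-newline sequence.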
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References