Command injection, SQLi, and hardcoded creds in Infoblox NETMRI. tsk tsk

https://support.infoblox.com/s/article/Infoblox-NetMRI-is-vulnerable-to-CVE-2025-32814

https://support.infoblox.com/s/article/Infoblox-NetMRI-is-vulnerable-to-CVE-2025-32813

https://support.infoblox.com/s/article/Infoblox-NetMRI-is-vulnerable-to-CVE-2025-32815

OMG I almost missed the ../

https://support.infoblox.com/s/article/Infoblox-NetMRI-is-vulnerable-to-CVE-2024-54188

And we have a write-up now for these Infoblox NetMRI vulns.

https://rhinosecuritylabs.com/research/infoblox-multiple-cves/

@cR0w @da_667 oh my god

@cR0w i read this and it makes me want to grab the hoe and spade and go offline forever.

@da_667 @cR0w @Dio9sys well, good news, bad news.
Good news: you are DEFINITELY going to be employed for a very long time.
Bad news: this isn't even the start of Infoblox's colossal fuckups under the hood.

@cR0w @da_667 @Dio9sys ha ha ha, oh boy, you haven't even begun to see it.

Let me put it this way. I had one of their VM IPAM boxes at one point. I think it took me 5 minutes to get root.

@cR0w This is even bigger clownshoes: https://<NETMRI_HOST>/webui/application/get_saml_request?saml_id=1%26http://$(whoami)

Are you kidding me

@cR0w Oh and NOPASSWD for sudo. Unbelievable.

@cR0w @da_667 @Dio9sys
I know one way was:

1. reboot
2. single user
3. victory

@cR0w @da_667 @Dio9sys
I think they fixed 'oh hey the first admin user is just root.' Maybe.
... okay yeah probably not.

@cR0w @da_667 @Dio9sys hey, at least we moved on from vCenter!

("lol python shell brb going to be root to unfuck systemd stupidity now.")

@nerdpr0f @cR0w And that's assuming CS degrees are involved. Coding bootcamps, etc. mention the word "security" and move on

@cR0w @nerdpr0f Sigh, don't I know it. Currently trying to address that shortcoming internally.

@mttaggart @cR0w I GET FREE ROOT YOU GET FREE ROOT EVERYBODY GETS FREE ROOT

@cR0w

@winterknight1337 @mttaggart @cR0w they're rooting for us.

@mttaggart @cR0w
🤡👍

@cR0w @winterknight1337 @mttaggart The 'strayan definition, right?

@cR0w @mttaggart

@mttaggart @cR0w You mean, like this?

@koneko @cR0w Yes

@cR0w i might have once coded root ssl key, company root to license products, in a binary, because Java is a shitshow, the Apache frameworkr are shitshows, the libraries are shitshows. Then why not coding shitshow... it was PR and Reviewed by two Seniors and the Lead, approved by the PM, and all the Company shitshow. I still can't believe it.