Saturday, March 7, 2020

[bwa] Multiple vulnerabilities in "DiREX-Pro"

Multiple unauthenticated vulnerabilities in a DVR-type device from the vendor bwa (http://www.meinbwa.de)

Vulnerable model: DiREX-Pro


PoCs:


1) Full Path Disclosure (FPD)

Triggered by sending crafted HTTP requests

2) Hardcoded passwords

USERS     PASSWORDS
===================
user      user
archive   archive
admin     admin


3) Remote Code Execution (RCE):

First, download the firmware:

Decompiled firmware analysis

PAYLOAD: 
PKG=;sh -c '/bin/ls -la /usr/local/www/cgi-bin/>/usr/local/www/out2';# 


Response:

Other example: read /etc/passwd
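The PKG payload above works because the parameter is spliced into a shell command string, so the ";" ends the intended command and starts another. The following Python is an added example, not code from the advisory or from the vendor's firmware: it tokenises a command string the way a POSIX shell would so the extra commands become visible, then shows the hardened handling (allow-list the value, pass it as a single argv element, never through a shell). The installer path /usr/local/bin/pkg_install and the two sample inputs are constructed assumptions.

```python
import re
import shlex
import subprocess

# Constructed samples (not from the advisory): a legitimate package name and a
# hostile value in the same shape as the PKG payload above, here made harmless.
GOOD_PKG = "firmware-1.2.3"
BAD_PKG = ";echo injected;#"


def vulnerable_command(pkg):
    """The pattern the advisory describes: the request parameter is spliced into
    a shell command string.  Returned for inspection only; never executed here.
    /usr/local/bin/pkg_install is a hypothetical installer path."""
    return f"/usr/local/bin/pkg_install {pkg}"


def shell_separators(cmd):
    """Tokenise cmd the way a POSIX shell would and return every command
    separator found, which shows where one request became several commands.
    Note that '#' starts a shell comment, so anything after it is discarded."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return [tok for tok in lexer if tok in {";", "&&", "||", "|", "&"}]


# Hardened handling: allow-list the value and never hand it to a shell.
PKG_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def safe_install_argv(pkg):
    """Return the argv list for the installer, or raise ValueError.
    With shell=False the value is one argument whatever it contains, and the
    '--' stops it from being read as an option if it starts with '-'."""
    if PKG_NAME_RE.fullmatch(pkg) is None:
        raise ValueError(f"rejected package name: {pkg!r}")
    return ["/usr/local/bin/pkg_install", "--", pkg]


def run_install(pkg, tool=None):
    """Validate, then run without a shell.  `tool` replaces the hypothetical
    installer (e.g. ["echo"]) so the example can run on any machine."""
    argv = safe_install_argv(pkg)
    if tool is not None:
        argv = list(tool) + argv[1:]
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, check=True)
    return result.stdout


def rejects(fn, *args):
    """True if fn(*args) raises ValueError (small helper for checks)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for pkg in (GOOD_PKG, BAD_PKG):
        cmd = vulnerable_command(pkg)
        print(f"{cmd!r}\n  separators seen by a shell: {shell_separators(cmd)}")
        if rejects(safe_install_argv, pkg):
            print("  hardened handler: rejected")
        else:
            print("  hardened handler argv:", safe_install_argv(pkg))
    print(run_install(GOOD_PKG, tool=["echo"]), end="")
```

The separator list is what a reviewer should look for when auditing a CGI handler: if a request parameter can add a separator token to the command the shell receives, the handler is injectable regardless of what the intended command does. The allow-list regex is deliberately narrow; widen it only for characters the installer genuinely needs.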

Regards,

Tuesday, February 25, 2020

[Septentrio] Multiple Unauthenticated Vulnerabilities in PolaRx5 GNSS Receiver


PolaRx5 is a versatile and robust multi-frequency GNSS reference receiver. The unique design of its tracking provides measurements with the lowest noise on the market while constantly monitoring and protecting against interference, multipath and other environmental effects. The PolaRx5 is developed specifically to support the most demanding applications for the earth science community offering a select range of advanced features which enable maximum accuracy and functionality. Powered by Septentrio’s next generation multi-frequency engine, the PolaRx5 offers 544 hardware channels for robust and high quality GNSS tracking. 

Septentrio.com Polarx-5 

The tested version of the device was PolarRx5-3022831



1. Path Traversal

Affected URLs:

    http://x.x.x.x/ascii=ldi%2CDSK1%2C../../../../
    http://x.x.x.x/status?p=../../../../../../../../../../../../../../../../../../../../../../../some_internal_file


Description:

In an unauthenticated session you can browse many sections of the device's web interface. One of them lets you list and download files from the filesystem: the "Disk Contents" subsection of the "Logging" menu.

Looking at the requests the web page generates, I noticed that the name of the folder I had clicked in the frontend was reflected in a parameter of one request:

So basically I changed the file name to the typical path traversal payload:

And, amazingly, the contents of the filesystem's root were displayed in clear text.

2. Local File Inclusion

Affected URLs:

    http://x.x.x.x/status?p=filename

Description:


This vulnerability is similar to the previous one and is also unauthenticated, with the difference that I was able to retrieve the contents of a system file.

First we must go to the URI /scr?fra0=afterupgrade.html, where there is a link to the device identification info. When we click the link, we can see that the URL path is now "status" with a parameter named "p".

If we put some path traversal payloads in this parameter ("p") and append, for example, "/etc/shadow" at the end, we can retrieve the contents of that file.
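To spot the traversal attempts described in sections 1 and 2 in a device's or a reverse proxy's access logs, here is an added Python example (not part of the original post, and not Septentrio code). It parses combined-format log lines, percent-decodes each query value repeatedly (so %2e%2e%2f and the double-encoded %252e%252e%252f are caught), and flags any path or parameter that contains a ".." segment after decoding. The log lines are constructed samples modelled on the URLs above; the client addresses and timestamps are made up.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in combined log format (not real device logs);
# the request targets are modelled on the URLs in this post.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Feb/2020:10:01:02 +0000] "GET /status?p=report.txt HTTP/1.1" 200 512
10.0.0.9 - - [25/Feb/2020:10:01:07 +0000] "GET /status?p=../../../../../../etc/shadow HTTP/1.1" 200 1210
10.0.0.9 - - [25/Feb/2020:10:01:09 +0000] "GET /status?p=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 940
10.0.0.9 - - [25/Feb/2020:10:01:11 +0000] "GET /ascii=ldi%2CDSK1%2C../../../../ HTTP/1.1" 200 3020
10.0.0.9 - - [25/Feb/2020:10:01:13 +0000] "GET /status?p=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 940
10.0.0.5 - - [25/Feb/2020:10:01:20 +0000] "GET /scr?fra0=afterupgrade.html HTTP/1.1" 200 2048
"""

# Client, identd, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so that a
    double-encoded sequence such as %252e%252e%252f is seen as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if, after decoding, any '/'- or '\\'-separated segment is '..'.
    Splitting into segments avoids false positives on names like 'a..b'."""
    return any(seg == ".." for seg in re.split(r"[\\/]", fully_decode(value)))


def traversal_hits(log_text):
    """Return one record per request whose path or any query value contains a
    traversal sequence.  The first URL above keeps its '../' in the path part
    (there is no '?'), so the path is checked as well as each parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        where = []
        if has_traversal(parts.path):
            where.append(("path", parts.path))
        for key, val in parse_qsl(parts.query, keep_blank_values=True):
            if has_traversal(val):
                where.append((key, val))
        if where:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": int(m.group("status")), "where": where})
    return hits


if __name__ == "__main__":
    for hit in traversal_hits(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["where"])
```

A status of 200 on a flagged request is the signal worth alerting on: the device answered the traversal rather than rejecting it. Running this over the sample lines flags the four requests from 10.0.0.9 and nothing else.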

@xpl0ited1

Wednesday, February 12, 2020

[EVERTZ] - Path Traversal && Arbitrary File Upload = SHELL

The 3080IPX is an integrated multicast label switching fabric that unlocks the advantage of 10GE and 1GE signaling without sacrificing flexibility and the ease of control necessary for video LAN/WAN transport applications.

The 7801FC VistaLINK® Frame Controller card provides a single point of access to communicate with VistaLINK®-capable modules. The 7801FC VistaLINK® Frame Controller provides a 10Base-T/100Base-TX/1000 Base-TX Ethernet port, and communication is facilitated through the use of Simple Network Management Protocol (SNMP).
-------------------------------------------------------------------------------------------------------------------------

EVERTZ devices are vulnerable to path traversal and arbitrary file upload, allowing an authenticated attacker to read any file from the affected system, as well as to upload a webshell or overwrite any system file.

Affected devices:

It is likely that more devices are affected: although not all of them contain a menu entry or call within the web GUI that leads to the affected function, all devices contain the vulnerable function, and it can be called directly if the affected parameter is known.

• 3080IPX - exe-guest-v1.2-r26125
• 7801FC - 1.3 Build 27
• 7890IXG - V494


Affected parameter: "filename"
Affected functions:

  • feature-transfer-download.php
  • feature-transfer-upload.php


Path Traversal:

The application allows, through the feature-transfer-download.php function, downloading any system file.

All the devices that were tested were vulnerable. The EVERTZ devices I tested have the same functions, although they are not necessarily called from the menu of each device. If the function and the vulnerable parameter are known, the affected function can be called directly on any of the affected devices.

Arbitrary File Upload:

The application allows, through the feature-transfer-upload.php function, overwriting any system file or uploading any file to any path within the system, which lets an attacker upload a webshell or delete critical files from the device.


By defining the path in which we want to place the file, we can create new files or overwrite existing ones.
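Both the download and the upload flaw come from trusting the "filename" parameter. The Python below is an added example written for this post, not Evertz code and not a translation of the PHP functions named above: it shows the unsafe join the advisory describes next to a hardened resolver that confines the result to a transfer directory, plus an upload-name allow-list so that a script file cannot be dropped into a web-served path. The directory /var/www/transfer and the extension list are assumptions.

```python
import os
import re

# Hypothetical directory the transfer feature is meant to serve from
# (an assumption for this example, not a path from the advisory).
TRANSFER_ROOT = "/var/www/transfer"


def resolve_vulnerable(root, filename):
    """The pattern the advisory describes: the request's filename is joined onto
    the root with no containment check.  Returns the path that would be read or
    written; nothing here touches the filesystem.  Note the second pitfall:
    os.path.join() discards root entirely when filename is absolute."""
    return os.path.normpath(os.path.join(root, filename))


def resolve_safe(root, filename):
    """Hardened form: resolve symlinks and '..' first, then require the result
    to still be inside root.  Raises ValueError on any escape attempt."""
    if not filename or "\x00" in filename:
        raise ValueError("empty or NUL-containing filename")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, filename))
    # commonpath() is the containment test; a plain startswith() check would
    # accept "/var/www/transfer-old/x" as being under "/var/www/transfer".
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"path escapes transfer root: {filename!r}")
    return candidate


# For uploads, containment alone is not enough: a file written inside a
# web-served directory with a script extension is a webshell.  Accept only a
# bare name with an allow-listed extension (the list is an assumption).
UPLOAD_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.(txt|cfg|bin)")


def safe_upload_path(filename):
    """Return where an upload may be written, or raise ValueError."""
    if UPLOAD_NAME_RE.fullmatch(filename) is None:
        raise ValueError(f"upload name not allowed: {filename!r}")
    return resolve_safe(TRANSFER_ROOT, filename)


def rejects(fn, *args):
    """True if fn(*args) raises ValueError (small helper for checks)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in ("report.txt", "../../etc/passwd", "/etc/passwd", "shell.php"):
        print(f"{name!r}")
        print("  unsafe join  ->", resolve_vulnerable(TRANSFER_ROOT, name))
        for label, fn, args in (("download", resolve_safe, (TRANSFER_ROOT, name)),
                                ("upload", safe_upload_path, (name,))):
            outcome = "rejected" if rejects(fn, *args) else fn(*args)
            print(f"  {label:12} -> {outcome}")
```

The two checks are deliberately separate: resolve_safe() is the minimum any download handler needs, while the upload allow-list also keeps the written file from being executable content, which is the step that turns a traversal into a shell on the EVERTZ devices above.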

Webshell

By: @Linuxmonr4

Tuesday, February 11, 2020

[Ericsson] - Multiple Stored & Reflected XSS

Ericsson RX8200 devices are vulnerable to multiple reflected and stored XSS.

Affected Devices:

  • RX8200 - Version 5.13.3

XSS Reflected:

Injecting JavaScript code into the "path" parameter of any of the menus in the URL, via GET or POST, gives a reflected XSS.


We also found another one in the "Service + ID" parameter.

Stored XSS:

Injecting the JavaScript code into the name of the devices and then refreshing the page, we can see the stored XSS being executed.

By: @Linuxmonr4
