Tuesday, February 25, 2020

[Septentrio] Multiple Unauthenticated Vulnerabilities in PolaRx5 GNSS Receiver


PolaRx5 is a versatile and robust multi-frequency GNSS reference receiver. The unique design of its tracking provides measurements with the lowest noise on the market while constantly monitoring and protecting against interference, multipath and other environmental effects. The PolaRx5 is developed specifically to support the most demanding applications for the earth science community offering a select range of advanced features which enable maximum accuracy and functionality. Powered by Septentrio’s next generation multi-frequency engine, the PolaRx5 offers 544 hardware channels for robust and high quality GNSS tracking. 

Septentrio.com Polarx-5 

The tested version of the device was PolarRx5-3022831



1. Path Traversal

Affected URLs:

    http://x.x.x.x/ascii=ldi%2CDSK1%2C../../../../
    http://x.x.x.x/status?p=../../../../../../../../../../../../../../../../../../../../../../../some_internal_file


Description:

In an unauthenticated session you can browse many sections of the device's web interface. One of them lets you list and download files from the filesystem: the "Disk Contents" subsection of the "Logging" menu.




Looking at the requests the page generates, I noticed that the name of the folder I had clicked in the frontend was reflected in a request parameter:



So I simply replaced the file name with the typical path traversal payload:




And, amazingly, the contents of the filesystem's root were displayed in clear text.



2. Local File Inclusion

Affected URLs:
 
http://x.x.x.x/status?p=filename

Description:


This vulnerability is similar to the previous one and is also unauthenticated, but with the difference that I was able to retrieve the contents of a system file.

First we go to the URI /scr?fra0=afterupgrade.html, where there is a link to the device identification info. When we click the link we can see that the URL path is now "status", with a parameter named "p".


If we put a path traversal payload into this parameter ("p") and append, for example, "/etc/shadow", we retrieve the contents of that file.
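As an added example (not part of the original post and not Septentrio's code), the following Python detector normalizes request URLs the way a log-review script would and flags the traversal pattern used in both findings above, including percent-encoded, double-encoded and backslash variants. The sample requests are constructed from the affected URLs quoted in this post; the host and target file names are placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample requests modelled on the two affected URLs in this post
# (host and target file are placeholders; the last two entries are benign).
SAMPLE_REQUESTS = [
    "/ascii=ldi%2CDSK1%2C../../../../",
    "/status?p=../../../../../../../../etc/shadow",
    "/status?p=%2e%2e%2f%2e%2e%2fetc%2fpasswd",    # percent-encoded dots and slashes
    "/status?p=%252e%252e%252fetc%252fpasswd",    # double-encoded
    "/status?p=..%5c..%5cwindows%5cwin.ini",      # backslash separators
    "/status?p=afterupgrade.html",
    "/ascii=ldi%2CDSK1%2Clogs",
]

# A '..' segment: preceded by start of string or a separator character
# (slash, '=', ',', '&', ...), followed by a slash or the end of the value.
_DOTDOT_SEGMENT = re.compile(r"(?:^|[^.\w])\.\.(?:/|$)")


def normalize(raw: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded, so a pathological input cannot loop
    forever) until the value stops changing, then fold backslashes to slashes."""
    value = raw
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def is_traversal(raw: str) -> bool:
    """True if the decoded request contains a '..' path segment anywhere."""
    return _DOTDOT_SEGMENT.search(normalize(raw)) is not None


def flag_requests(requests):
    """Return only the requests that look like path-traversal attempts."""
    return [r for r in requests if is_traversal(r)]


if __name__ == "__main__":
    for req in flag_requests(SAMPLE_REQUESTS):
        print("TRAVERSAL:", req)
```

Decoding is repeated a bounded number of times because a single `unquote` leaves a double-encoded payload intact, while a benign file name such as release..notes.txt is not flagged since the dots are not a separate segment.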





@xpl0ited1

Wednesday, February 12, 2020

[EVERTZ] - Path Traversal && Arbitrary File Upload = SHELL

The 3080IPX is an integrated multicast label switching fabric that unlocks the advantage of 10GE and 1GE signaling without sacrificing the flexibility and ease of control necessary for video LAN/WAN transport applications.

The 7801FC VistaLINK® Frame Controller card provides a single point of access to communicate with VistaLINK®-capable modules. The 7801FC VistaLINK® Frame Controller provides a 10Base-T/100Base-TX/1000 Base-TX Ethernet port, and communication is facilitated through the use of Simple Network Management Protocol (SNMP).
-------------------------------------------------------------------------------------------------------------------------

EVERTZ devices are vulnerable to path traversal and arbitrary file upload, allowing an authenticated attacker to read any file from the affected system, as well as to upload a webshell or overwrite any system file.

Affected devices:

It is likely that more devices are affected: although not every device has a menu entry or call in the web GUI that leads to the affected function, all of them contain the vulnerable function, which can also be called directly if the affected parameter is known.

• 3080IPX - exe-guest-v1.2-r26125
• 7801FC - 1.3 Build 27
• 7890IXG - V494


Affected parameter: "filename"
Affected functions:

  • feature-transfer-download.php
  • feature-transfer-upload.php

Path Traversal:

The application allows any system file to be downloaded through the feature-transfer-download.php function.

All the devices that were tested were vulnerable. The EVERTZ devices I tested share the same functions, although they are not necessarily called from the menu of each device. If the function and the vulnerable parameter are known, the affected function can be called directly on any of the affected devices.

Arbitrary File Upload:

The application allows, through the feature-transfer-upload.php function, overwriting any system file or uploading any file to any path on the system, which lets an attacker upload a webshell or delete critical files from the device.


By defining the path in which we want to place the file, we can create new files or overwrite existing ones.
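The hardened counterpart of the download and upload functions described above, as an added Python example that is not Evertz's code: every user-supplied "filename" is resolved against a single transfer directory and rejected if it escapes it (by "..", an absolute path or a symlink), uploads are limited to a suffix allowlist, and existing files are never overwritten. The directory layout, the allowlist and the cases in `demo()` are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumed policy for illustration: which file types an upload may create.
ALLOWED_UPLOAD_SUFFIXES = {".bin", ".cfg", ".txt"}


def resolve_inside(base_dir: str, user_path: str) -> Path:
    """Canonicalize base_dir/user_path and prove it stays inside base_dir.
    Raises ValueError for absolute paths and for anything that escapes via
    '..' or a symlink (resolve() follows symlinks before the check)."""
    base = Path(base_dir).resolve()
    if os.path.isabs(user_path) or user_path.startswith(("/", "\\")):
        raise ValueError("absolute paths are not allowed")
    candidate = (base / user_path).resolve()
    if candidate == base or os.path.commonpath([base, candidate]) != str(base):
        raise ValueError(f"path escapes the transfer directory: {user_path!r}")
    return candidate


def download(base_dir: str, filename: str) -> bytes:
    """Hardened download: only regular files under base_dir are served."""
    target = resolve_inside(base_dir, filename)
    if not target.is_file():
        raise FileNotFoundError(filename)
    return target.read_bytes()


def upload(base_dir: str, filename: str, data: bytes) -> Path:
    """Hardened upload: confined path, suffix allowlist, no overwriting."""
    target = resolve_inside(base_dir, filename)
    if target.suffix.lower() not in ALLOWED_UPLOAD_SUFFIXES:
        raise ValueError(f"file type not permitted: {target.suffix!r}")
    if target.exists():
        raise FileExistsError(f"refusing to overwrite {target.name}")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def demo() -> dict:
    """Exercise both handlers in a throwaway directory; returns one outcome per case."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "firmware.bin").write_bytes(b"placeholder-image")
        results["legit_download"] = download(tmp, "firmware.bin")
        bad_downloads = {
            "download_traversal": "../../../../etc/passwd",
            "download_absolute": "/etc/passwd",
            "download_nested_traversal": "logs/../../etc/passwd",
        }
        for label, name in bad_downloads.items():
            try:
                download(tmp, name)
                results[label] = "allowed"
            except ValueError:
                results[label] = "blocked"
        bad_uploads = {"upload_php": "shell.php", "upload_traversal": "../../tmp/evil.bin"}
        for label, name in bad_uploads.items():
            try:
                upload(tmp, name, b"placeholder")
                results[label] = "allowed"
            except ValueError:
                results[label] = "blocked"
        results["legit_upload"] = upload(tmp, "config/new.cfg", b"ok").name
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The containment check is done on the resolved path rather than on the raw string, so it is not fooled by "logs/../../" style inputs or by symlinks inside the transfer directory. The transfer directory itself should also be served without script execution, so that even a file that passes the allowlist cannot run as a webshell.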




Webshell

By: @Linuxmonr4

Tuesday, February 11, 2020

[Ericsson] - Multiple Stored & Reflected XSS

Ericsson RX8200 devices are vulnerable to multiple reflected and stored XSS.

Affected Devices:

  • RX8200 - Version 5.13.3

XSS Reflected:

Injecting JavaScript code into the "path" parameter of any of the menus in the URL, via GET or POST, we get a reflected XSS.

We also found another one in the "Service + ID" parameter.

Stored XSS:

Injecting the JavaScript code into the name of the devices and then refreshing the page, we can see how the stored XSS is executed.
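An added Python example, not Ericsson's code, contrasting the raw interpolation that produces the reflected and stored XSS above with context-aware output encoding: the device name and the "path" value are HTML-escaped where they land in element content, and the path is percent-encoded where it is placed inside a URL attribute. The page fragment and the payloads are constructed for illustration.

```python
import html
from urllib.parse import quote

# Constructed payloads: a harmless marker in the reflected "path" parameter and
# a stored device name that tries to break out of an attribute.
REFLECTED_PATH = "<script>alert(1)</script>"
STORED_DEVICE_NAME = 'rx8200"><img src=x onerror=alert(2)>'


def render_unsafe(path: str, device_name: str) -> str:
    """The vulnerable pattern: untrusted values dropped straight into HTML."""
    return (f"<h1>{device_name}</h1>\n"
            f'<a href="/menu?path={path}">{path}</a>')


def render_safe(path: str, device_name: str) -> str:
    """Same fragment with encoding chosen per context: html.escape for element
    content (its default quote=True also covers attribute values), and
    percent-encoding for the part of the path that becomes a URL."""
    return (f"<h1>{html.escape(device_name)}</h1>\n"
            f'<a href="/menu?path={quote(path, safe="")}">{html.escape(path)}</a>')


def appears_unencoded(rendered: str, untrusted: str) -> bool:
    """True when the untrusted value survives verbatim in the output, i.e. the
    browser would parse its markup instead of displaying it as text."""
    return untrusted in rendered


if __name__ == "__main__":
    print(render_unsafe(REFLECTED_PATH, STORED_DEVICE_NAME))
    print(render_safe(REFLECTED_PATH, STORED_DEVICE_NAME))
```

Encoding at output time neutralizes both vectors at once: the stored device name is only dangerous when it is rendered, so fixing the rendering fixes the stored variant without having to sanitize what was saved.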

By: @Linuxmonr4


Monday, February 10, 2020

[GOCLOUD] - RCE in Gocloud Routers (authenticated) - (CVE-2020-8949)

The following Gocloud routers are vulnerable to OS command injection:

Affected Versions:
  • GOCLOUD S2A_WL - Firmware Version 4.2.7.16471
  • GOCLOUD S2A - Firmware Version 4.2.7.17278
  • GOCLOUD S2A - Firmware Version 4.3.0.15815
  • GOCLOUD S2A - Firmware Version 4.3.0.17193
  • GOCLOUD S3A (K2P MTK Version) - Firmware Version 4.2.7.16528
  • GOCLOUD S3A - Firmware Version 4.3.0.16572
  • GOCLOUD ISP3000 Intel(R) Xeon(R) E5-2660 - Firmware Version 4.3.0.17190

These routers seem to be widely used in China, and they are vulnerable to command injection in the systemtools diagnostic function.

Within the "ping" function in the URL, it is possible to inject commands by escaping with ";" at the beginning and end of the injected command.

For example:
http://x.x.x.x:8088/cgi-bin/webui/admin/tools/app_ping/diag_ping/;df;/5/56/false.com

This must be executed from an authenticated session.

I ran into the problem that some characters, such as "/", caused trouble, so I base64-encoded the payload.
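An added Python example (not Gocloud's code) showing the pattern behind this bug beside its fix: the unsafe version splices the user-supplied target into a command line that a shell parses, so ";df;" becomes a second command; the safe version accepts only an IP literal or an RFC 1123 hostname and then hands an argv list to subprocess without a shell. Function names and the ping options are assumptions.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen, 63 chars per label, 253 overall.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_ping_unsafe(target: str) -> str:
    """The vulnerable pattern, shown only for contrast and never executed here:
    the target is spliced into a command line that a shell will parse, so a
    value like ';df;' terminates ping and starts a second command."""
    return f"ping -c 4 {target}"


def is_valid_target(target: str) -> bool:
    """Allowlist check: an IPv4/IPv6 literal or a syntactically valid hostname.
    Shell metacharacters, whitespace, '%' and base64 padding all fail it."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return _HOSTNAME.match(target) is not None


def ping_argv(target: str) -> list:
    """argv for subprocess.run(..., shell=False): no shell parses it, so
    metacharacters cannot start a new command; the allowlist rejects them
    anyway. The '-c 4' option is assumed (iputils-style ping)."""
    if not is_valid_target(target):
        raise ValueError(f"invalid ping target: {target!r}")
    return ["ping", "-c", "4", target]


def run_ping(target: str) -> subprocess.CompletedProcess:
    """Run the diagnostic safely; output is returned as data, never interpreted."""
    return subprocess.run(ping_argv(target), capture_output=True, text=True, timeout=20)


if __name__ == "__main__":
    print(build_ping_unsafe(";df;"))   # how the injected command line would read
    print(ping_argv("192.0.2.1"))
```

Validation is kept separate from execution so the same allowlist can be applied at the web layer and logged when it rejects a value; a rejected target with ";" or base64 padding in it is a useful detection signal on its own.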

CVE-2020-8949

By: @Linuxmonr4

[TimeTools] - SR / SC Series Network Time Protocol Server - RCE - (CVE-2020-8963 | CVE-2020-8964)

According to the vendor's page:


SR Series GPS \ LF Radio NTP Time Servers
Synchronize your network with microsecond precision using Network Time Protocol (NTP \ SNTP).

Accurately synchronize Windows, Linux, Unix, Servers and Workstations, Time Displays, CCTV systems, DVR’s, telephone systems, switches, routers and more!

GPS, MSF and DCF-77 reference clock options for Stratum 1 operation. Peering and Stratum 2 operation via NTP servers.
-----------------------------------------------------------------------------------------------------------------------

Downloading and analyzing the device firmware, I found that a cookie is hardcoded as a backdoor in the t3.cgi binary, which obviously allows logging into any device exposed on the internet.


Taking advantage of the hardcoded cookie, we send the t3axs cookie via GET as follows and enter any of the affected devices:

[https://x.x.x.x/t3.cgi?t3axs=TiMEtOOlsj7G3xMm52wB]

Well, that was the first vulnerability, and the one that would facilitate the scenario for the rest.

Continuing with the analysis, I also found an OS command injection, which together with the hardcoded cookie becomes an "unauthenticated remote OS command injection" that allows taking direct control of any of the affected devices: the commands are executed as ROOT.

In the SR and SC series servers:

The application expects two parameters: the first is a valid cookie (t3axs) and the second is "srmodel", which ends up being passed as a parameter to "system()", so we can inject our code there.


The "rtime" parameter likewise ends up as a parameter to system(), which allows us to inject our code through it.


Running the "ls" command in the settime function


Checking "/etc/shadow": root is the user running those commands.


Factorymodel function


In the T100/T300/T550 series servers, exactly the same happens as in the firmware of the indoor devices.



The only difference from the previous case is that the output is not reflected in the web server's response, but if we redirect it to the path "/home/root/www/output.txt" we can see the response of each command.



To complete a reverse shell
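An added Python example for defenders of these servers, not TimeTools code: a request analyser that flags the hardcoded t3axs value quoted above, whether it arrives as a GET parameter or in the Cookie header, together with shell metacharacters in the srmodel and rtime parameters that the post identifies as reaching system(). The sample requests are constructed and the host is a placeholder.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Value this post quotes as the hardcoded t3axs cookie in t3.cgi; treat it as an IoC.
HARDCODED_T3AXS = "TiMEtOOlsj7G3xMm52wB"
# Parameters the post identifies as being passed to system() by the firmware.
COMMAND_PARAMS = ("srmodel", "rtime")
_SHELL_META = re.compile(r"[;&|`$()<>\n]")


def _pairs(raw: str, sep: str) -> dict:
    """Split 'k=v<sep>k=v' into {k: [v, ...]} using exactly one separator, so a
    ';' inside a value is preserved (parse_qs split on ';' before Python 3.9.2)."""
    out = {}
    for item in raw.split(sep):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        out.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return out


def analyse_request(url: str, cookie_header: str = "") -> list:
    """Findings for one request: the hardcoded cookie value (query string or
    Cookie header) and shell metacharacters in the system() parameters.
    An empty list means nothing suspicious was seen."""
    query = _pairs(urlsplit(url).query, "&")
    cookies = _pairs(cookie_header, ";")
    findings = []
    if HARDCODED_T3AXS in query.get("t3axs", []) + cookies.get("t3axs", []):
        findings.append("hardcoded-t3axs-cookie")
    for name in COMMAND_PARAMS:
        if any(_SHELL_META.search(v) for v in query.get(name, [])):
            findings.append(f"shell-metacharacters-in-{name}")
    return findings


# Constructed sample requests (host is a placeholder), as a log reviewer might see them.
SAMPLE_REQUESTS = [
    ("https://x.x.x.x/t3.cgi?t3axs=TiMEtOOlsj7G3xMm52wB", ""),
    ("https://x.x.x.x/t3.cgi?t3axs=0123456789abcdef&srmodel=SR9850;ls", ""),
    ("https://x.x.x.x/t3.cgi?rtime=1582000000", "lang=en; t3axs=TiMEtOOlsj7G3xMm52wB"),
    ("https://x.x.x.x/t3.cgi?t3axs=0123456789abcdef&rtime=1582000000", ""),
]

if __name__ == "__main__":
    for url, cookie in SAMPLE_REQUESTS:
        print(analyse_request(url, cookie) or "clean", "<-", url)
```

The hardcoded value is matched regardless of path, since any request carrying it is a login with the backdoor credential; the metacharacter check is deliberately narrow so that a normal model string or epoch timestamp in these parameters is not flagged.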




Affected Devices:
  • SR9850
  • SR9750
  • SC9705
  • SR9210
  • SC9205
  • SR7110
  • SC7105
  • T100
  • T300
  • T550

CVE:
  • CVE-2020-8963
  • CVE-2020-8964

By: @linuxmonr4


:::Many thanks to Xploited for the support:::


