Tuesday, January 14, 2020

[Ruckus Wireless] Authenticated Stored XSS Vulnerability in Ruckus ZoneFlex R310 (CVE-2020-7234)

[Ruckus Wireless] Authenticated Stored XSS Vulnerability in Ruckus ZoneFlex R310

  


 ZoneFlex R310:

The platform used for the administration of Ruckus ZoneFlex R310 access points, version 104.0.0.0.1347, is critically vulnerable to Stored Cross-Site scripting issue.

Performing a simple search in shodan, it is possible to visualize around 18,000 devices exposed to the Internet, several of which use default credentials.


Proof of Concept

To reproduce a proof of concept, it is necessary to have valid credentials to access the administration panel. By default, the credentials of this platform are. Username: super, Password: sp-admin

Once inside, we go to:

Configuration > Radio 2.4G > Wireless X

We enter our payload in the SSID field.


Then, we go to:

Status > Radio 2.4G > Wireless X

And finally, We can see the XSS triggered there.


By @S4mnez

[Evoko] Otra sala por favor !! (CVE-2020-7231 & CVE-2020-7232 )

Recuerdan al vendor Steelcase y su "RoomWizard", ?
Se trata de un lindo IoT pensado para reservar salas de reuniones de manera muy organizada

En un articulo anterior escribi al respecto (https://sku11army.blogspot.com/2020/01/steelcase-sala-por-favor.html)

Resulta que en el camino me tope con otro cacharro de similares características, pero con firma "Evoko"


[steelcase] Sala por favor !!

Querías reservar una sala para coordinar una reunión secreta  ? Osea creíste que seria secreta ?



Cuéntame mas:

Para los que no conozcan estos dispositivos que suelen estar en la entrada de salas de reuniones, se los voy a presentar con dos comerciales (bonitos):


***

[Hikvision] DVR DS-7204HGHI User Enumeration (CVE-2020-7057)


The DVR DS-7204HGHI created by Hikvision is using the Web version V4.0.1 build 180903.

https://mastecsa.com/wp-content/uploads/2019/05/5c47444fec836059272e97c4.jpg

When you try to log-in in the WebServer, the Webpage rely on the “ISAPI” for the authentication. It makes GET requests for the username trying to authenticate, if this username exists, it will respond a Session ID, a Challange and a SALT (also the iterations and if is reversible). If the username does not exist, is going to respond with a 500 Internal Server Error.

 
 

But as I said before, if the username exists, is going to response with interesting information.



This give us the chance to rely on a bruteforce attack for username enumeration. Hikvision’s Web Server, have a limit for fail log-ins, so be careful with the bruteforce OR do it manually avoiding the ban and trying only 4 – 5 usernames per device until you can try again.


CVE-2020-7057
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7057

 
biz.