Friday, January 24, 2020

[ITERIS] - Vantage Velocity Field Unit - Privilege escalation - (CVE-2020-9024)

"Vantage Velocity Field Unit" devices for traffic analysis have a weakness in the permission settings of the /root/cleardata.pl and /root/loadperl.sh scripts, which allows any unprivileged user to modify their content. These scripts are run by CROND every 30 min (/root/cleardata.pl) and when the device is restarted (/root/loadperl.sh), so any code they contain is executed with root permissions.


Connected as the "eclipse" user and validating that this user does not have sudo privileges, I proceed to list the files that the eclipse user can write.
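
A defender-side check for the weakness described above, as an added example (not code from the original post): it pulls the absolute paths out of a root crontab and flags every regular file that is group- or world-writable, or that sits in such a directory. The function names and the crontab lines in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag scripts run from a root crontab that non-root users can modify.
# Typical use on a live system:  crontab -l -u root | audit_crontab
# Constructed sample input matching the post's description:
#   */30 * * * * /root/cleardata.pl
#   @reboot /root/loadperl.sh

# Print every absolute-path token in the command part of crontab lines read from stdin.
cron_script_paths() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # VAR=value settings
        {
            # Schedule is one @keyword (e.g. @reboot) or five time fields.
            start = ($1 ~ /^@/) ? 2 : 6
            for (i = start; i <= NF; i++)
                if ($i ~ /^\//) print $i
        }' | sort -u
}

# Succeed if $1 is a regular file and it, or the directory holding it,
# is writable by group or others (a writable directory lets the file be replaced).
loosely_writable() {
    [ -f "$1" ] || return 1
    dir=$(dirname "$1")
    [ -n "$(find "$1" "$dir" -prune \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]
}

# Read a crontab on stdin and print one line per loosely writable script.
audit_crontab() {
    cron_script_paths | while IFS= read -r p; do
        if loosely_writable "$p"; then
            printf 'WRITABLE %s\n' "$p"
        fi
    done
}
```

Any path it reports should be owned by root and set to a mode such as 0700 or 0755, with the same applied to its parent directory.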



[Xirrus] - Xirrus WiFi - XSS - (CVE-2020-9022)




                                             



The "Xirrus XR520 WiFi Array/Xirrus XR620 WiFi Array/Xirrus XR2436 WiFi Array/Xirrus XH2-120 WiFi Array" devices are vulnerable to reflected Cross-Site Scripting (XSS) at login, specifically in the "user" parameter.

[Post Oak Traffic Systems] - AWAM Bluetooth Field Device - RCE - (CVE-2020-9021)








"AWAM Bluetooth Field Device" devices, as the company behind them ("http://www.postoaktraffic.com/") says, are devices for monitoring traffic by capturing the MAC addresses of the Bluetooth devices that you could commonly have in your car, such as a cell phone, headphones or the car's own Bluetooth. This simply seemed very interesting, so I decided to test the safety of these devices.

[ INTELLIAN ] Multiple vulnerabilities in technology #Intellian (CVE-2019-17269, CVE-2020-7980, CVE-2020-7999, CVE-2020-8000, CVE-2020-8001)




"Intellian Aptus Web"

Vulnerabilities identified
1) Hardcoded credentials (CVE-2020-8000)

Path, Resource: http://<host>/include_js/bim_web_svc_auth.js?



2) RCE (CVE-2020-7980)
Reference:  https://sku11army.blogspot.com/2020/01/intellian-aptus-web-rce-intellian.html


Exploitable path: http://<host>/cgi-bin/libagent.cgi?type=J
Vulnerable variable: Q


PoC: request to the web service









Tested on:

"Intellian, Aptus Web V100 v1.24"
"Intellian, Aptus Web V80 v1.24"



"Intellian APTUS Mobile App"


















PoC with app version: 1.0.2 

Static analysis (only decompiling the "*.apk").


Code decompiled with the tools "jadx-gui" and MobSF



Vulnerabilities identified

1) Hardcoded credentials (CVE-2020-8001)



Testing the credentials:

  • user: masteruser
  • pass: intellian





2) Hardcoded API key (CVE-2020-7999)

Package: com.uniwebs.network.define; class: UpdateProtocol()







public static String DOWNLOAD_API_KEY = "F4O5c7wGpOk8lmevm6LoWAXeIx6In+Qi";
public static String FILE_DOWNLOAD_API_KEY = "SdAXizuDB4STYpcxRwWwsA==";




"Intellian Remote Access" 


The web application used to manage and administer Intellian satellite terminals has a critical (and easy to exploit) vulnerability. That is, the application allows remote command execution (RCE).



RCE: (CVE-2019-17269)

In the wild!
Shodan dork: title:"Intellian Remote Access"










Access to device:


FTP



SSH








WEB:

***





RCE: step by step

1)




a) Problem!


b) No problem :)








Easy tool!











Regards,

 
biz.