SSD Advisory – Cambium Multiple Vulnerabilities

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerabilities Summary
The following advisory describes three (3) vulnerabilities found in Cambium Network Updater Tool and Networks Services Server.

The Network Updater Tool is “a free-of-charge tool that applies packages to upgrade the device types that the release notes for the release that you are using list as supported. Because this tool is available, an operator does not need to visit each module in the network or even each AP where they would otherwise use the SM Autoupdate capability of the radios”

The Cambium Networks Services (CNS) Server is “a network management application provided by Cambium Networks to manage ePMP devices.”

The vulnerabilities found in Cambium products are:

  • Cambium Network Updater Tool (CNUT) – Unauthenticated File Path Traversal
  • Cambium Networks Services Server (CNSS) – Unauthenticated Access Control Bypass
  • Cambium Networks Services Server (CNSS) – Capture credentials for Device Discovery

Credit
An independent security researcher, Karn Ganeshen, has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
Cambium has released patches to address those vulnerabilities.

For more details: https://help.endian.com/hc/en-us/articles/115012996087 – Support Case 131840


SSD Advisory – DblTek Multiple Vulnerabilities


Vulnerabilities summary
The following advisory describes 2 (two) vulnerabilities found in DblTek webserver.

DBL is “specialized in VoIP products, especially GoIPs. We design, develop, manufacture, and sell our products directly and via distributors to customers. Our GoIP models now cover 1, 4, 8, 16, and 32-channel in order to meet the wide range of market demands. All our products are priced very attractively and probably the lowest in the market. Because of the price and performance, GoIPs have been widely adopted by system integrators, VoIP service providers, and many other business and individual users.”

The vulnerabilities found are:

  • Pre-authentication Information Disclosure
  • Command Execution

It is possible to combine the 2 vulnerabilities and gain unauthenticated remote command execution.

Credit
An independent security researcher has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
DblTek has released patches to address those vulnerabilities.


SSD Advisory – GraphicsMagick Multiple Vulnerabilities


Vulnerabilities Summary

The following advisory describes two vulnerabilities found in GraphicsMagick.

GraphicsMagick is “the swiss army knife of image processing. With 267K lines of source code in the base package (according to David A. Wheeler’s count), it provides a robust and efficient collection of tools and libraries that support reading and writing over 88 major image formats, including important formats such as DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM and TIFF.”

The two vulnerabilities found in GraphicsMagick are:

  • Memory Information Disclosure
  • Heap Overflow

Credit
Independent security researchers Jeremy Heng (@nn_amon) and Terry Chia (Ayrx) have reported these vulnerabilities to Beyond Security’s SSD.

Vendor response

The vendor has released patches for these vulnerabilities (15237:e4e1c2a581d8 and 15238:7292230dd18). For more information: ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt


SSD Advisory – Cisco UCS Platform Emulator Remote Code


Vulnerabilities Summary
The following advisory describes two remote code execution vulnerabilities found in Cisco UCS Platform Emulator 3.1(2ePE1).

The Cisco UCS Platform Emulator is the Cisco UCS Manager application bundled into a virtual machine (VM). The VM includes software that emulates hardware communications for the Cisco Unified Computing System (Cisco UCS) hardware that is configured and managed by Cisco UCS Manager. For example, you can use the Cisco UCS Platform Emulator to create and test a supported Cisco UCS configuration, or to duplicate an existing Cisco UCS environment for troubleshooting or development.

The vulnerabilities found in Cisco UCS Platform Emulator are:

  • Unauthenticated Remote Code Execution
  • Authenticated Remote Code Execution

Credit
An independent security researcher has reported these vulnerabilities to Beyond Security’s SSD.

Vendor response
The vendor has released a patch for these vulnerabilities and assigned the following CVE: CVE-2017-12243

Vulnerability Details

Unauthenticated Remote Code Execution
Because user input is not sufficiently sanitized when passed to the IP/settings/ping function, an unauthenticated attacker can inject commands via the ping_NUM and ping_IP_ADDR parameters; these commands are executed as root on the remote machine.

Proof of Concept

After sending one of the above requests, Cisco UCS responds as follows:

Authenticated Remote Code Execution

The Cisco UCS Platform Emulator is affected by a format string vulnerability that leads to remote code execution.

The Cisco UCS Platform Emulator runs an SSH server by default. A user logged in via ssh runs the following command:

and gets the following response:

As can be seen, by executing the ssh command “show sel %x”, we overwrote the entry of the _ZN7clidcos15CommandEmulator16cli_param_filterEPKc function with the system function from libsamvsh.so.

Proof of Concept
To exploit this vulnerability, follow these instructions:

Install ucspe on a VM (install all 3 network cards) with the following username and password:

  • Default ucspe user: ucspe
  • Default ucspe password: ucspe

Run ucspe and note the ucspe IP address (shown on the console as “Connected to IP: ….”)

In this proof of concept we will use the IP 192.168.1.43.

Open two terminals on another machine (for example Kali)

First, in the first terminal, do the following:

  1. Create a poc directory, place poc4_ucspe_3.1.2e.py in it, then change the current directory to poc
  2. Create fifo1:
  3. Create the output directory:
  4. Run ssh with stdin redirected from fifo1 and stdout redirected to the output/log file:

Then, in the second terminal, do the following:

  1. Change the current directory to poc
  2. Run poc4_ucspe_3.1.2e.py

The output after execution is as follows:

Terminal 1

Terminal 2

poc4_ucspe_3.1.2e.py