lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-id: <8716F531-64E0-43B6-8A5A-C2750CB743C2@me.com>
Date: Fri, 04 Oct 2013 11:05:36 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: full <full-disclosure@...ts.grok.org.uk>
Subject: Multiple vulnerabilities in Ice Cold Apps Servers
 Ulitmate Version 6.0.2(12) for Android

Multiple vulnerabilities in Ice Cold Apps Servers Ulitmate Version 6.0.2(12) for Android

9/8/13
Larry W. Cashdollar, @_larry0

http://www.amazon.com/Ice-Cold-Apps-Servers-Ultimate/dp/B00E00C44G/ref=sr_1_1?s=mobile-apps&ie=UTF8&qid=1378688647

http://www.icecoldapps.com

Vulnerabilities

There are no credentials by default, authentication is disabled for telnet/ssh/ftp allowing remote access to the device's storage. PHP can be uploaded to the webserver and executed.

	• ftp server allows writes to lighttp/php* directory.
	• telnet default authentication turned off.
	• ssh server default authentication turned off.
	• Anonymous SOCKS proxy & http/ftp proxy.
SSHD

larry$ ssh 192.168.0.29 -p 2222
$ id
uid=10041(app_41) gid=10041(app_41) groups=1015(sdcard_rw),3003(inet) $ uptime
up time: 19:42:02, idle time: 18:47:19, sleep time: 00:00:00 $

Telnet

larry$ telnet 192.168.0.29 2323
Trying 192.168.0.29...
Connected to 192.168.0.29.
Escape character is '^]'.

Welcome to tel!
Please enter some text to test the connection and hit enter:

$
$ id
uid=10041(app_41) gid=10041(app_41) groups=1015(sdcard_rw),3003(inet) $

lighttpd / PHP server

	• php has the following functions available:
Via
<?php

        $arr = get_defined_functions();
        echo "<pre>";
                print_r($arr);
        echo "</pre>";

?>

Returned 1300 functions, including exec, pass_thru system() and

            [662] => socket_select
            [663] => socket_create
            [664] => socket_create_listen
            [665] => socket_create_pair
            [666] => socket_accept
            [667] => socket_set_nonblock
            [668] => socket_set_block
            [669] => socket_listen
            [670] => socket_close
            [671] => socket_write
            [672] => socket_read
            [673] => socket_getsockname
            [674] => socket_getpeername
            [675] => socket_connect
            [676] => socket_strerror
            [677] => socket_bind
            [678] => socket_recv
            [679] => socket_send
            [680] => socket_recvfrom
            [681] => socket_sendto
            [682] => socket_get_option
            [683] => socket_set_option
            [684] => socket_shutdown
            [685] => socket_last_error
            [686] => socket_clear_error
            [687] => socket_import_stream
            [688] => socket_getopt
            [689] => socket_setopt


Vendor Notified: 9/10/2013

The full list is here:

http://vapid.dhs.org/advisories/ultimate-server-android-vulns.html

-- Larry



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ