lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 9 Jan 2017 23:16:42 +0100
From: Fabian Fingerle <fabian@...ensalat.eu>
To: fulldisclosure@...lists.org
Subject: [FD] enigma2-plugin-extensions-webadmin Remote Code Execution (IoT)

enigma2-plugin-extensions-webadmin Remote Code Execution

Severity: CRITICAL/TRIVIAL

Discovered by:
Fabian Fingerle (@otih__)
https://fabian-fingerle.de

enigma2-plugin-extensions-webadmin:
The enigma2-plugin-extensions-webadmin Plugin is a web frontend for the
OPKG or APT package manager. With the webadmin it's possible to install
or remove packages, and many other functions over the webinterface of
the Dreambox. Therefore Enigma2 is the new operating system of the
Dreamboxes, which is in continuosly development.

Desc:
An independent research uncovered a critical vulnerability in badly
configured webadmin plugin of many thousand enigma2 boxes in the wild.
This misconfiguration could be used by unauthenticated remote attackers
to achieve remote arbitrary code execution in the context of root
superuser. To exploit the vulnerability an attacker could target common
ISP networks for dial-in users.

Patching:
Enable authentication for enigma2-plugin-extensions-webadmin
Do not share any private services on the public internet without VPN
etc.

Notes:
This notice is not new to the enigma2 community but need to be
addressed.
No official vendor is responsible for enforcing authentication,
encryption and securing enigma2 boxes.
I want people to immediately reconfigure or at least be aware of the
issue before these devices will be part of the next big IoT botnet.

Exploit:
$ pypy exploit.py 1.2.3.256 "id;uptime"
[+] Randfilename is .pkWnzmOrFsIc.sh
[+] Submitted random file to remote host
[+] Exploit seems to work: 
* * *

uid=0(root) gid=0(root)  
22:36:21 up 7 days, 7:39, 0 users, load average: 0.00, 0.01, 0.05  

* * *


[+] cleanup randfile

For updates follow:

https://twitter.com/otih__

I'll send another email to the list once the trivial "exploit" is
published.

-- 
Regards,
Fabian Fingerle - aka otih
https://fabian-fingerle.de
t: @otih__

Content of type "application/pgp-signature" skipped


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists