[FD] netis RealTek wireless router / ADSL modem Multiple Vulnerabilities

2015-10-15 Thread Karn Ganeshen
# Exploit Title: [netis RealTek wireless router / ADSL modem Multiple Vulnerabilities] # Discovered by: Karn Ganeshen # Reported on: [October 13, 2015] # Vendor Response: [Vulnerability? What's this?] # Vendor Homepage: [www.netis-systems.com] # Version Affected: [Firmware version RTK v

[FD] PROLiNK H5004NK ADSL Wireless Modem Multiple Vulnerabilities

2015-10-15 Thread Karn Ganeshen
# Exploit Title: [PROLiNK H5004NK ADSL Wireless Modem Multiple Vulnerabilities] # Discovered by: Karn Ganeshen # Reported on: [October 13, 2015] # Vendor Response: [No process to handle vuln reports] # Vendor Homepage: [ http://www.prolink2u.com/newtemp/datacom/adsl-modem-router/381-h5004nk.html

[FD] ZTE ADSL modems - Multiple vulnerabilities

2015-11-14 Thread Karn Ganeshen
ame Password Priority admin password1 2 support password2 0 admin password3 1 + Best Regards, Karn Ganeshen -- Best Regards, Karn Ganeshen ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Cambium ePMP 1000 - Multiple Vulnerabilities

2015-11-19 Thread Karn Ganeshen
ogs etc is downloaded. HTTP/1.1 200 OK Cache-Control: no-store, no-cache, max-age=0, must-revalidate, post-check=0, pre-check=0 Cache-Control: no-cache Status: 200 OK Content-Type: application/json Content-Disposition: attachment; filename=.json Expires: 0 Date: Sun, 18 Jan 1970 16:50:21 GMT Ser

[FD] Brocade Fabric OS v6.3.1b Multiple Vulnerabilities

2015-11-30 Thread Karn Ganeshen
# Title: [Brocade Fabric OS v6.3.1b - Multiple vulnerabilities] # Discovered by: Karn Ganeshen # Vendor Homepage: [www.brocade.com] # Versions Reported: Kernel 2.6.14.2 + FabOS v6.3.1b + BootProm 1.0.9 > *version* Kernel: 2.6.14.2 Fabric OS: v6.3.1b BootProm: 1.0.9 1 *Default diagnos

[FD] LG Nortel ADSL modems - Multiple vulnerabilities

2015-12-09 Thread Karn Ganeshen
# Title: [LG Nortel ADSL modems - Multiple vulnerabilities] # Discovered by: Karn Ganeshen # Vendor Homepage: [NA] # Version Reported: [Board ID: DV2020]+Product Version: S1.064B2.3H0-0 + Software Version: 3.04L.02V.sip._LE9500.dspApp3341A2pB022f.d19e] *Timelines* April, 2015: Vulnerabilities

[FD] XZERES 442SR Wind Turbine XSS

2015-12-24 Thread Karn Ganeshen
s-id-parameter") -- Best Regards, Karn Ganeshen ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Nordex Control 2 (NC2) SCADA V16 and prior versions - XSS

2015-12-24 Thread Karn Ganeshen
/1.1 connection=basic&userName=admin%27%22%29%3B%7D%3C%2Fscript%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&pw=nordex&language=en -- Best Regards, Karn Ganeshen

[FD] eWON sa Industrial router - Multiple Vulnerabilities

2015-12-24 Thread Karn Ganeshen
issue B) but the final user is supposed to configure eWON through VPN (and thus https). Mitigating factors: This could be an issue regarding the CSRF attacks described above. However as already mentioned the eWON firmware exposure to CSRF attacks is really limited. Thus having equivalent POST and

[FD] SeaWell Networks Spectrum - Multiple Vulnerabilities

2016-01-20 Thread Karn Ganeshen
UI. It is possible to download the configs by calling the url directly *Access policy config xml* https://IP/configure_manage.php?action=download_config&file=policy.xml *Access cookie config xml* https://IP/configure_manage.php?action=download_config&file=cookie_config.xml *Access system c

[FD] GE Industrial Solutions - UPS SNMP Adapter Command Injection and Clear-text Sensitive Info Vulnerabilities

2016-02-03 Thread Karn Ganeshen
text passwords*. + I sent it out on Jan 29 but for some reason, it was not posted to FD. So sending it again. -- Best Regards, Karn Ganeshen ipositivesecurity.blogspot.in

[FD] DLink DVG-N5402SP Multiple Vulnerabilities

2016-02-03 Thread Karn Ganeshen
from the portal directly, gather clear-text admin creds, and gain full, unauthorized access to the device. -- Best Regards, Karn Ganeshen ipositivesecurity.blogspot.in

[FD] WAGO IO PLC 758-870, 750-849, 750-849 vulnerabilities

2016-03-03 Thread Karn Ganeshen
0 ETA *226-File successfully transferred* 226 0.003 seconds (measured here), 143.76 Kbytes per second 459 bytes received in 00:00 (35.35 KiB/s) + -- Best Regards, Karn Ganeshen

[FD] Schneider Electric Building Operation Automation Server Multiple Vulnerabilities

2016-03-03 Thread Karn Ganeshen
ill be forcefully changed, and msh has been sufficiently improved to mitigate against command injection. Issue 3, however, persists. Anyone with access to msh shell, can still drop in to root shell, and have some fun. + -- Best Regards, Karn Ganeshen

[FD] Moxa MiiNePort - Multiple Vulnerabilities

2016-05-03 Thread Karn Ganeshen
generated per page and / or per (sensitive) function. Successful exploitation of this vulnerability allows silent execution of unauthorized actions on the device such as password change, configuration parameter changes, saving modified configuration, & device reboot. + -- Best Regards,

[FD] [ICS] Meteocontrol WEB’log Multiple Vulnerabilities

2016-05-17 Thread Karn Ganeshen
comments to ICS-CERT team to correct their report. Hopefully they will update it soon. +++++ Cheers! -- Best Regards, Karn Ganeshen

[FD] HP StoreEver MSL6480 Tape Library v4.10 - Multiple Vulnerabilities

2016-06-16 Thread Karn Ganeshen
. Successful exploitation of this vulnerability may allow silent execution of unauthorized actions on the device such as password change, configuration parameter changes, generating system configuration archive, saving modified configuration, & device reboot. + -- Best Regards, Karn Gane

[FD] Papouch TME Temperature & Humidity Thermometers - Multiple Vulnerabilities

2016-06-16 Thread Karn Ganeshen
act due to device compromise can be severe depending upon the utility & environment where they are deployed. + -- Best Regards, Karn Ganeshen

[FD] Sierra Wireless AirLink Raven XE Industrial 3G Gateway - Multiple Vulnerabilities

2016-06-24 Thread Karn Ganeshen
ess this issue on the Raven XE/XT. Sierra Wireless strongly recommends that the AceManager interface be disabled on the cellular WAN connection, particularly when the device is active on public networks in order to prevent exploitation of this sensitive information by internet-based attackers. +

[FD] EdgeCore - ES3526XA Manager - Multiple Vulnerabilities

2016-06-24 Thread Karn Ganeshen
*EdgeCore - Layer2+ Fast Ethernet Standalone Switch ES3526XA Manager - Multiple Vulnerabilities* Also rebranded as: *SMC TigerSwitch 10/100 SMC6128L2 Manager* Object ID: 1.3.6.1.4.1.259.8.1.5 Switch Information Main Board: Number of Ports 26 Hardware Versi

[FD] RS232-NET Converter (JTC-200) - Multiple vulnerabilities

2016-07-06 Thread Karn Ganeshen
*RS232-NET Converter (JTC-200) - Multiple vulnerabilities* About RS232-NET Converter (model JTC-200) http://www.jantek.com.tw/en/product/73 *Seen deployed in:* CHTD, Chunghwa Telecom Co., Ltd. (Taiwan) HiNet (Taiwan & China) PT Comunicacoes (Portugal) Sony Network Taiwan Limited (Taiwan) Vodafone

[FD] CIMA DocuClass ECM - Multiple Vulnerabilities

2016-07-06 Thread Karn Ganeshen
*CIMA DocuClass Enterprise Content Management - Multiple Vulnerabilities* DocuClass is a modular and scalable enterprise content management (ECM) solution that allows organizations to streamline internal operations by significantly improving the way they manage their information within a business

[FD] Multiple vulnerabilities - Powerlogic/Schneider Electric IONXXXX series Smart Meters

2016-09-08 Thread Karn Ganeshen
*Powerlogic/Schneider Electric ION series Smart Meters - Multiple security issues* *Impacted devices:* *ION7300 and potentially all ION models (based off of Powerlogic) *For example, Power Measurement Ltd. Meter ION 7330V283 ETH ETH7330V274 http://www.schneider-electric.com/download/hk/en

[FD] ELNet Energy & Electrical Power Meter - Multiple Vulnerabilities

2016-09-08 Thread Karn Ganeshen
*ELNet Energy & Electrical Power Meter - Multiple Vulnerabilities* http://elnet.feniks-pro.com/Elnet-LT.php http://www.elnet.cc/product/elnet-lt/ Powermeter with color graphic display for all electrical measurements and harmonics, with TCP/IP and RS485 communication (ModBus and Bacnet), pane

[FD] BINOM3 Electric Power Quality Meter Vulnerabilities

2016-09-15 Thread Karn Ganeshen
*Universal multifunctional Electric Power Quality Meter BINOM3 - Multiple Vulnerabilities* *About* The meters are designed for autonomous operation in automated systems: • SCADA systems • Data acquisition and transmission systems • Automated data and measurement systems for revenue and technical po

[FD] Python + PostgreSQL pgAdmin4 – Insecure Library Loading Allows Code Execution

2017-02-28 Thread Karn Ganeshen
Python + PostgreSQL pgAdmin4 – Insecure Library Loading Allows Code Execution (DLL Hijacking Vulnerability) *Confirmed on* pgAdmin4 v1.1: Current version packaged with PostgreSQL v9.6.1.1 (Windows x86 Current version) *Checked on* Windows 7 SP1 + python 2.7.13 (current version) Note - This is a

[FD] LAquis SCADA Access Control Vulnerability

2017-04-07 Thread Karn Ganeshen
LCDS – Leão Consultoria e Desenvolvimento de Sistemas LTDA ME LAquis SCADA Access Control Vulnerability Vendor: LCDS – Leão Consultoria e Desenvolvimento de Sistemas LTDA ME Equipment: LAquis SCADA Vulnerability: Improper Access Control ICS-CERT Advisory https://ics-cert.us-cert.gov/advisories/IC

[FD] Sielco Sistemi Winlog SCADA Software Insecure Library Loading Allows Code Execution

2017-04-07 Thread Karn Ganeshen
Sielco Sistemi Winlog SCADA Software Insecure Library Loading Allows Code Execution Vendor: Sielco Sistemi Equipment: Winlog SCADA Software Vulnerability: Uncontrolled Search Path Element ICS-CERT Advisory https://ics-cert.us-cert.gov/advisories/ICSA-17-038-01 AFFECTED PRODUCTS The following Si

[FD] SenNet Data Logger appliances and Electricity Meters Multiple Vulnerabilities

2017-04-07 Thread Karn Ganeshen
SenNet Data Logger appliances and Electricity Meters Multiple Vulnerabilities Note: Vendor has released the fix. Details to be documented in ICS-CERT Advisory. About SenNet is a trademark of Satel Spain that offers monitoring and remote-control solutions for businesses. Our engineers develop, int

[FD] Cambium SNMP Security Vulnerabilities

2017-04-07 Thread Karn Ganeshen
Cambium SNMP Security Vulnerabilities AFFECTED PRODUCTS Cambium ePMP 1000 Cambium ePMP 2000 Cambium PMP XXX Cambium ForceXXX models Potentially all other models IMPACT These vulnerabilities may allow an attacker to access device configuration as well as make unauthorized changes to the device c

[FD] Carlo Gavazzi VMUC-EM - Multiple Vulnerabilities

2017-04-07 Thread Karn Ganeshen
*VMU-C Web-Server solution for photovoltaic applications* VMU-C EM is a data logger system for small to medium projects, VMUC-Y EM is a hardware data aggregator for medium to larger projects and Em2 Server is a software solution for large projects. They are designed to complement the extensive lin

[FD] Microsoft Office Patch Installer Executables - Insecure Library Loading Allows Code Execution

2017-06-29 Thread Karn Ganeshen
Microsoft Office Patch Installer Executables - Insecure Library Loading Allows Code Execution Vulnerability: DLL Hijacking / DLL Side Loading Advisory URL: https://ipositivesecurity.com/2017/06/15/microsoft-office-patch-installers-insecure-library-loading-allow-code-execution/ ---

[FD] Microsoft Machine Debug Manager (mdm) DLL side loading vulnerability

2017-06-29 Thread Karn Ganeshen
Microsoft Machine Debug Manager (mdm) DLL side loading vulnerability Vulnerability: DLL Hijacking / DLL Side Loading Advisory URL: https://ipositivesecurity.com/2017/06/15/microsoft-machine-debug-manager-mdm-insecure-library-loading-allows-code-execution/ ABOUT --

[FD] Digital Canal Structural Wind Analysis Stack Buffer Overflow

2017-06-29 Thread Karn Ganeshen
Vendor: Digital Canal Structural Equipment: Wind Analysis Vulnerability: Stack-Based Buffer Overflow Advisory URL: https://ipositivesecurity.com/2017/06/15/ics-digital-canal-structural-wind-analysis-stack-buffer-overflow/ ICS-CERT Advisory https://ics-cert.us-cert.gov/advisories/ICSA-17-157-02 --

[FD] Trihedral VTScada Multiple Vulnerabilities

2017-06-29 Thread Karn Ganeshen
Vendor: Trihedral Equipment: VTScada Vulnerability: Resource Consumption, Cross-Site Scripting, Information Exposure Advisory URL: https://ipositivesecurity.com/2017/06/15/ics-trihedral-vtscada-multiple-vulnerabilities/ ICS-CERT Advisory https://ics-cert.us-cert.gov/advisories/ICSA-17-164-01

[FD] Schneider Electric Wonderware InduSoft Web Studio Privilege Escalation

2017-06-29 Thread Karn Ganeshen
Vendor: Schneider Electric Equipment: Wonderware InduSoft Web Studio Vulnerability: Incorrect Default Permissions Advisory URL: https://ipositivesecurity.com/2017/05/19/ics-schneider-electric-wonderware-indusoft-web-studio-privilege-escalation/ ICS-CERT Advisory https://ics-cert.us-cert.gov/adviso

[FD] BLF-Tech LLC VisualView HMI Software – Insecure Library Loading Allows Code Execution

2017-06-29 Thread Karn Ganeshen
Vendor: BLF-Tech LLC Equipment: VisualView HMI Software Vulnerability: DLL Hijacking Advisory URL: https://ipositivesecurity.com/2017/05/18/ics-blf-tech-llc-visualview-hmi-software-insecure-library-loading-allows-code-execution/ ICS-CERT Advisory https://ics-cert.us-cert.gov/advisories/ICSA-17-115

[FD] Schneider Electric Interactive Graphical SCADA System Software – Insecure Library Loading Allows Code Execution

2017-06-29 Thread Karn Ganeshen
Vendor: Schneider Electric Equipment: Interactive Graphical SCADA System (IGSS) Software Vulnerability: DLL Hijacking Advisory URL: https://ipositivesecurity.com/2017/05/18/ics-schneider-electric-interactive-graphical-scada-system-software-insecure-library-loading-allows-code-execution/ ICS-CERT A

[FD] Schneider Electric Pro-Face WinGP – Runtime.exe – Insecure Library Loading Allows Code Execution

2017-06-30 Thread Karn Ganeshen
[ICS] Schneider Electric Pro-Face WinGP – Runtime.exe – Insecure Library Loading Allows Code Execution Vendor: Schneider Electric Equipment: Pro-Face WinGP Vulnerability: Uncontrolled Search Path Element (DLL side-loading) Advisory URL: https://ipositivesecurity.com/2017/06/28/ics-schneider-elect

[FD] [ICS] Schneider Electric Pro-Face WinGP – Insecure Library Loading Allows Code Execution

2017-08-31 Thread Karn Ganeshen
reproduce 1. Generate a dll payload msfvenom -p windows/exec cmd=calc.exe -f dll -o i2capi.dll 2. Place this dll in any directory defined in the PATH environment variable C:\Pro-face\WinGP\ 3. Run Runtime.exe -> calc.exe executes + Best Regards, Karn Ganes

[FD] [ICS] Solar Controls WATTConfig M Software – Insecure Library Loading Allows Code Execution

2017-08-31 Thread Karn Ganeshen
WattConfigM.exe -> calc.exe executes + Best Regards, Karn Ganeshen

[FD] [ICS] Solar Controls Heating Control Downloader – Insecure Library Loading Allows Code Execution

2017-08-31 Thread Karn Ganeshen
HCDownloader.exe -> calc.exe executes + Best Regards, Karn Ganeshen

[FD] [ICS] SIMPlight SCADA software – Insecure Library Loading Allows Code Execution

2017-08-31 Thread Karn Ganeshen
this dll in any directory defined in the PATH environment variable C:\app-folder-RW\ 3. Run ArchBrowser.exe (or any from listed above) -> calc.exe will execute + Best Regards, Karn Ganeshen

[FD] [ICS] SpiderControl SCADA Web Server – Directory Traversal Vulnerability

2017-08-31 Thread Karn Ganeshen
A:N). + Best Regards, Karn Ganeshen

[FD] [ICS] SpiderControl SCADA MicroBrowser – Stack Buffer Overflow Vulnerability

2017-08-31 Thread Karn Ganeshen
base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). + Best Regards, Karn Ganeshen

[FD] [ICS] Schneider Electric Trio TView – vulnerable JRE versions in use

2017-08-31 Thread Karn Ganeshen
CVSS base score of 4.0-6.9, and * 24 vulnerabilities were identified as having a CVSS base score of 0.0-3.9. + Best Regards, Karn Ganeshen

[FD] [ICS] Moxa SoftNVR-IA Live Viewer – Insecure Library Loading Allows Code Execution

2017-08-31 Thread Karn Ganeshen
when the application starts, while few are loaded when the application is exited. Thus, code execution can happen at the start or at exit time of the application run. + Best Regards, Karn Ganeshen

[FD] [ICS] AzeoTech DAQFactory – Insecure Default Permissions and Insecure Library Loading Allows Code Execution

2017-08-31 Thread Karn Ganeshen
a dll payload msfvenom -p windows/exec cmd=calc.exe -f dll -o pegrc32a.dll 2. Place this dll in install directory (or any directory defined in the PATH environment variable) C:\DAQFactory\ 3. Run DAQFactory.exe -> calc.exe executes + Best Regards, Karn Ganes

[FD] JanTek JTC-200 Vulnerabilities

2017-10-31 Thread Karn Ganeshen
). Technical Details https://ipositivesecurity.com/2016/07/05/rs232-net-converter-model-jtc-200-multiple-vulnerabilities/ + Best Regards, Karn Ganeshen

[FD] [ICS] SpiderControl SCADA Web Server Improper Privilege Management Vulnerability

2017-10-31 Thread Karn Ganeshen
Regards, Karn Ganeshen

[FD] [ICS] Progea Movicon SCADA/HMI Vulnerabilities

2017-10-31 Thread Karn Ganeshen
/S:U/C:H/I:H/A:H). + Best Regards, Karn Ganeshen