exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 18 of 18 RSS Feed

Files from Jim Becher

First Active2020-11-20
Last Active2024-03-06
Artica Proxy 4.50 Loopback Service Disclosure
Posted Mar 6, 2024
Authored by Jim Becher, Jaggar Henry | Site korelogic.com

Services that are running and bound to the loopback interface on the Artica Proxy version 4.50 are accessible through the proxy service. In particular, the tailon service is running as the root user, is bound to the loopback interface, and is listening on TCP port 7050. Using the tailon service, the contents of any file on the Artica Proxy can be viewed.

tags | exploit, root, tcp
advisories | CVE-2024-2056
SHA-256 | 0693c2ce363baaef7b371443418fb29623edc052f8d82f02eea207672f271e4b
Artica Proxy 4.40 / 4.50 Authentication Bypass / Privilege Escalation
Posted Mar 6, 2024
Authored by Jim Becher | Site korelogic.com

The Rich Filemanager feature of Artica Proxy versions 4.40 and 4.50 provides a web-based interface for file management capabilities. When the feature is enabled, it does not require authentication by default, and runs as the root user. This provides an unauthenticated attacker complete access to the file system.

tags | exploit, web, root
advisories | CVE-2024-2055
SHA-256 | 4e458aef9f797d0714e86e3cbbbe7fdd8225fa1b68b23cd60a66a992d28a4eb5
Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification
Posted Aug 18, 2023
Authored by Jim Becher | Site korelogic.com

Cisco ThousandEyes Enterprise Agent Virtual Appliance version thousandeyes-va-64-18.04 0.218 suffers from an unpatched vulnerability in sudoedit, allowed by sudo configuration, which permits a low-privilege user to modify arbitrary files as root and subsequently execute arbitrary commands as root.

tags | exploit, arbitrary, root
systems | cisco
advisories | CVE-2023-22809
SHA-256 | 9caf2d86fd42cb7a6098a98695d2f0c8ac71c65afef31f1c6345f008453f417a
Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation
Posted Aug 18, 2023
Authored by Jim Becher | Site korelogic.com

Cisco ThousandEyes Enterprise Agent Virtual Appliance version thousandeyes-va-64-18.04 0.218 has an insecure sudo configuration which permits a low-privilege user to run arbitrary commands as root via the tcpdump command without a password.

tags | exploit, arbitrary, root
systems | cisco
advisories | CVE-2023-20224
SHA-256 | f0f074bfbbdfcf50b89b456bedfa1d6e2dad916eb9c805528576e82777cae103
Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Read
Posted Aug 18, 2023
Authored by Hank Leininger, Jim Becher | Site korelogic.com

Cisco ThousandEyes Enterprise Agent Virtual Appliance version thousandeyes-va-64-18.04 0.218 has an insecure sudo configuration which permits a low-privilege user to read root-only files via the dig command without a password.

tags | exploit, root
systems | cisco
advisories | CVE-2023-20217
SHA-256 | 9a639b868d2a607d6808f5cc9c66c20f4c697461ce4034c2ce7534df93c6ec6e
CommScope Ruckus IoT Controller 1.7.1.0 Undocumented Account
Posted May 27, 2021
Authored by Jim Becher | Site korelogic.com

An upgrade account is included in the IoT Controller OVA that provides the vendor undocumented access via Secure Copy (SCP).

tags | exploit
advisories | CVE-2021-33216
SHA-256 | f6519f57eed331c93ca5644c3a83e240cb6fe2ee50133663e8ee3dad642af551
CommScope Ruckus IoT Controller 1.7.1.0 Web Application Arbitrary Read/Write
Posted May 27, 2021
Authored by Jim Becher | Site korelogic.com

The IoT Controller web application includes a NodeJS module, node-red, which has the capability for users to read or write to local files on the IoT Controller. With the elevated privileges the web application runs as, this allowed for reading and writing to any file on the IoT Controller filesystem.

tags | exploit, web, local
advisories | CVE-2021-33217
SHA-256 | ab0f31561d42610f5ba5969c33fa30d3f807865c8f1eaac846a5b376b04319c7
CommScope Ruckus IoT Controller 1.7.1.0 Web Application Directory Traversal
Posted May 27, 2021
Authored by Jim Becher | Site korelogic.com

A Python script (web.py) for a Dockerized webservice contains a directory traversal vulnerability, which can be leveraged by an authenticated attacker to view the contents of directories on the IoT Controller.

tags | exploit, web, python
advisories | CVE-2021-33215
SHA-256 | 671f09dc7253e2fd4b96a2bd934c4db733ea5c114369ba82a1d81b35d72836f3
CommScope Ruckus IoT Controller 1.7.1.0 Hard-Coded Web Application Administrator Password
Posted May 27, 2021
Authored by Jim Becher | Site korelogic.com

An undocumented, administrative-level, hard-coded web application account exists in the IoT Controller OVA which cannot be changed by the customer.

tags | exploit, web
advisories | CVE-2021-33219
SHA-256 | 2486beac57efb14715dc2756e1ddce5fd0beb0268fa52ef3547894a1a7be04a5
CommScope Ruckus IoT Controller 1.7.1.0 Hard-Coded System Passwords
Posted May 27, 2021
Authored by Jim Becher | Site korelogic.com

Hard-coded, system-level credentials exist on the Ruckus IoT Controller OVA image, and are exposed to attackers who mount the filesystem.

tags | exploit
advisories | CVE-2021-33218
SHA-256 | df1716ceee1afc4991054f7d3e009a901d7b28289e89a2bebb461c0a64b3b1d9
CommScope Ruckus IoT Controller 1.7.1.0 Hard-Coded API Keys Exposed
Posted May 27, 2021
Authored by Jim Becher | Site korelogic.com

API keys for CommScope Ruckus are included in the IoT Controller OVA image, and are exposed to attackers who mount the filesystem.

tags | exploit
advisories | CVE-2021-33220
SHA-256 | b4f5b79b878528d1365915db1dfcf08d2ea164bfda75ebc9baab1499e553cb33
CommScope Ruckus IoT Controller 1.7.1.0 Unauthenticated API Endpoints
Posted May 27, 2021
Authored by Jim Becher | Site korelogic.com

Three API endpoints for the IoT Controller are accessible without authentication. Two of the endpoints result in information leakage and consumption of computing/storage resources. The third API endpoint that does not require authentication allows for a factory reset of the IoT Controller.

tags | exploit
advisories | CVE-2021-33221
SHA-256 | a8546049f222180c6bd593bbd28ea7a598ba7bbcd08ac8c48b4f8ac76357ba7c
Barco wePresent Insecure Firmware Image
Posted Nov 20, 2020
Authored by Matthew Bergin, Jim Becher | Site korelogic.com

Barco wePresent WiPG-1600W versions 2.5.1.8, 2.5.0.25, 2.5.0.24, and 2.4.1.19 have firmware that does not perform verification of digitally signed firmware updates and is susceptible to processing and installing modified/malicious images.

tags | exploit
advisories | CVE-2020-28332
SHA-256 | ce155e50978552faf0e472116a9c5ce4f975a3420fd6632369708f93d1554c2a
Barco wePresent Global Hardcoded Root SSH Password
Posted Nov 20, 2020
Authored by Jim Becher | Site korelogic.com

Barco wePresent WiPG-1600W versions 2.5.1.8, 2.5.0.25, 2.5.0.24, and 2.4.1.19 have a hardcoded root password hash included in the firmware image.

tags | exploit, root
advisories | CVE-2020-28334
SHA-256 | 75cc1a2f773099f090db6e25b10a5322af43049d1ef7d2035e513c189b3011ed
Barco wePresent Undocumented SSH Interface
Posted Nov 20, 2020
Authored by Jim Becher | Site korelogic.com

Barco wePresent WiPG-1600W version 2.5.1.8 has an SSH daemon included in the firmware image. By default, the SSH daemon is disabled and does not start at system boot. The system initialization scripts read a device configuration file variable to see if the SSH daemon should be started. The web interface does not provide a visible capability to alter this configuration file variable. However, a malicious actor can include this variable in a POST such that the SSH daemon will be started when the device boots.

tags | exploit, web
advisories | CVE-2020-28331
SHA-256 | a366665beb0a2a41a9a77ce23a19d8837b9d6bfef4a80c4bbf011cf9589c7bc4
Barco wePresent Authentication Bypass
Posted Nov 20, 2020
Authored by Jim Becher | Site korelogic.com

The Barco wePresent WiPG-1600W version 2.5.1.8 web interface does not use session cookies for tracking authenticated sessions. Instead, the web interface uses a "SEID" token that is appended to the end of URLs in GET requests. Thus the "SEID" would be exposed in web proxy logs and browser history. An attacker that is able to capture the "SEID" and originate requests from the same IP address (via a NAT device or web proxy) would be able to access the user interface of the device without having to know the credentials.

tags | exploit, web
advisories | CVE-2020-28333
SHA-256 | 77ed3fcf16f9ea1209c2673adba8c737e13b77a283c9ea2dfab06836d2aa7dde
Barco wePresent Admin Credential Exposure
Posted Nov 20, 2020
Authored by Jim Becher | Site korelogic.com

An attacker armed with hardcoded API credentials from KL-001-2020-004 (CVE-2020-28329) can issue an authenticated query to display the admin password for the main web user interface listening on port 443/tcp for Barco wePresent WiPG-1600W version 2.5.1.8.

tags | exploit, web, tcp
advisories | CVE-2020-28329, CVE-2020-28330
SHA-256 | d17ea5576bc764da9307b56d3e500fe6c4d6a46a6d607ac07eeebd256034d86c
Barco wePresent Hardcoded API Credentials
Posted Nov 20, 2020
Authored by Jim Becher | Site korelogic.com

Barco wePresent device firmware includes a hardcoded API account and password that is discoverable by inspecting the firmware image. A malicious actor could use this password to access authenticated, administrative functions in the API. Versions affected include 2.5.1.8, 2.5.0.25, 2.5.0.24, and 2.4.1.19.

tags | exploit
advisories | CVE-2020-28329
SHA-256 | 22801e1943167d9cae8f39b9e75645ceb62540439a7d2d3cf58ea0fee603d235
Page 1 of 1
Back1Next

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close