Car Dealer Pro version 2.01 has been reported as having a default backdoor account.

    ====================================================================================================================================| # Title     : Car Dealer Pro v2.01 Backdoor Account Vulnerability                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://codecanyon.net/item/car-dealer-pro/7265588                                                                 |  | # Dork      : "Powered by: Car Dealer Pro"                                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin & pass=pass1234 [+] http://car.wenclub.vip/admin/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Car Dealer Pro 2.01 Backdoor Account

Botble version 5.28.3 has been reported as having a default backdoor account.

    ====================================================================================================================================| # Title     : Botble 5.28.3 Backdoor Account Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)                                              | | # Vendor    : hhttps://codecanyon.net/item/botble-cms-php-platform-based-on-laravel-framework/16928182                           |  | # Dork      : "Botble Technologies. All right reserved."                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=botble  & pass=159357 [+] https://cms.botble.com/admin/loginGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Botble 5.28.3 Backdoor Account

Active Ecommerce CMS version 6.4.0 has been reported as having a default backdoor account.

    ====================================================================================================================================| # Title     : Active ecommerce cms v6.4.0 Backdoor Account Vulnerability                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(64-bit)                                              | | # Vendor    : https://codecanyon.net/item/active-ecommerce-cms/23471405?s_rank=24                                                |  | # Dork      : "category/beauty-health-hair"                                                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin@example.com  & pass=123456 [+] https://www.sbeshopping.com/loginGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Active Ecommerce CMS 6.4.0 Backdoor Account

The ProLink PRS1841 home router suffers from having a backdoor account.

ProLink PRS1841 PLDT Router Backdoor

As we are nearing the end of 2022, looking at the most concerning threats of this turbulent year in terms of testing numbers offers a threat-based perspective on what triggers cybersecurity teams to check how vulnerable they are to specific threats. These are the threats that were most tested to validate resilience with the Cymulate security posture management platform between January 1st and

As we are nearing the end of 2022, looking at the most concerning threats of this turbulent year in terms of testing numbers offers a threat-based perspective on what triggers cybersecurity teams to check how vulnerable they are to specific threats. These are the threats that were most tested to validate resilience with the Cymulate security posture management platform between January 1st and December 1st, 2022.

**Manjusaka****Date published: August 2022**

Reminiscent of Cobalt Strike and Sliver framework (both commercially produced and designed for red teams but misappropriated and misused by threat actors), this emerging attack framework holds the potential to be widely used by malicious actors. Written in Rust and Golang with a User Interface in Simple Chinese (see the workflow diagram below), this software is of Chinese origin.

Manjasuka carries Windows and Linux implants in Rust and makes a ready-made C2 server freely available, with the possibility of creating custom implants.

**Geopolitical context**

Manjasuka was designed for criminal use from the get-go, and 2023 could be defined by increased criminal usage of it as it is freely distributed and would reduce criminal reliance on the misuse of commercially available simulation and emulation frameworks such as Cobalt Strike, Sliver, Ninja, Bruce Ratel C4, etc.

At the time of writing, there was no indication that the creators of Manjasuka are state-sponsored but, as clearly indicated below, China has not been resting this year.

**PowerLess Backdoor****Date published: February 2022**

Powerless Backdoor is the most popular of this year Iran-related threats, designed to avoid PowerShell detection. Its capabilities include downloading a browser info stealer and a keylogger, encrypting and decrypting data, executing arbitrary commands, and activating a kill process.

**Geopolitical context**

The number of immediate threats attributed to Iran has jumped from 8 to 17, more than double of the similar 2021 period. However, it has slowed considerably since the September 14th U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctions against Iranian cyber actors, trickling down to a single attack imputed to Iran since then.

The current political tensions within Iran will no doubt impact the frequency of attacks in 2023, but at this stage, it is difficult to evaluate whether those will increase or decrease.

**APT 41 targeting U.S. State Governments****Date published: March 2022**

Already flagged as very active in 2021, APT41 is a Chinese state-sponsored attacker group activity that showed no sign of slowing down in 2022, and investigations into APT41 activity uncovered evidence of a deliberate campaign targeting U.S. state governments.

APT 41 uses reconnaissance tools, such as Acunetix, Nmap, SQLmap, OneForAll, subdomain3, subDomainsBrute, and Sublist3r. It also launches a large array of attack types, such as phishing, watering hole, and supply-chain attacks, and exploits various vulnerabilities to initially compromise their victims. More recently, they have been seen using the publicly available tool SQLmap as the initial attack vector to perform SQL injections on websites.

This November, a new subgroup, Earth Longhi, joined the already long list of monikers associated with APT 41 (ARIUM, Winnti, LEAD, WICKED SPIDER, WICKED PANDA, Blackfly, Suckfly, Winnti Umbrella, Double Dragon). Earth Longhi was spotted targeting multiple sectors across Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine.

**Geopolitical context**

According to Microsoft digital Defense Report 2022, "Many of the attacks coming from China are powered by its ability to find and compile "zero-day vulnerabilities" – unique unpatched holes in software not previously known to the security community. China's collection of these vulnerabilities appears to have increased on the heels of a new law requiring entities in China to report vulnerabilities they discover to the government before sharing them with others."

**LoLzarus Phishing Attack on DoD Industry****Date published: February 2022**

Dubbed LolZarus, a phishing campaign attempted to lure U.S. defense sector job applicants. This campaign was initially identified by Qualys Threat Research, which attributed it to the North-Korean threat actor Lazarus (AKA Dark Seoul, Labyrinth Chollima, Stardust Chollima, BlueNoroff, and APT 38). Affiliated with North Korea's Reconnaissance General Bureau, this group is both politically and financially motivated and were best known for the high profile attack on Sondy in 2016 and WannaCry ransomware attack in 2017.

The LolZarus phishing campaign relied on at least two malicious _documents, Lockheed\_Martin\_JobOpportunities.docx_ and _salary\_Lockheed\_Martin\_job\_opportunities\_confidential.doc,_ that abused macros with aliases to rename the API used and relied on ActiveX Frame1\_Layout to automated the attack execution. The macro then loaded the WMVCORE.DLL Windows Media dll file to help deliver the second stage shellcode payload aimed at hijacking control and connecting with the Command & Control server.

**Geopolitical context**

Another two North Korean notorious attacks flagged by CISA this year include the use of Maui ransomware and activity in cryptocurrency theft. Lazarus subgroup BlueNoroff seems to have branched out of cryptocurrency specialization this year to also target cryptocurrency-connected SWIFT servers and banks. Cymulate associated seven immediate threats with Lazarus since January 1st, 2022.

**Industroyer2****Date published: April 2022**

Ukraine's high-alert state, due to the conflict with Russia, demonstrated its efficacy by thwarting an attempted cyber-physical attack targeting high-voltage electric substations. That attack was dubbed Industroyer2 in memory of the 2016's Industroyer cyber-attack, apparently targeting Ukraine power stations and minimally successful, cutting the power in part of Kyiv for about one hour.

The level of Industroyer2 customized targeting included statically specified executable file sets of unique parameters for specific substations.

**Geopolitical context**

Ukraine's cyber-resilience in protecting its critical facilities is unfortunately powerless against kinetic attacks, and Russia appears to have now opted for more traditional military means to destroy power stations and other civilian facilities. According to ENISA, a side-effect of the Ukraine-Russia conflict is a recrudescence of cyber threats against governments, companies, and essential sectors such as energy, transport, banking, and digital infrastructure, in general.

In conclusion, as of the five most concerning threats this year, four have been directly linked with state-sponsored threat actors and the threat actors behind the fifth one are unknown, it appears that geopolitical tensions are at the root of the most burning threat concerns for cybersecurity teams.

As state-sponsored attackers typically have access to cyber resources unattainable by most companies, pre-emptive defense against complex attacks should concentrate on security validation and continuous processes focused on identifying and closing in-context security gaps.

_Note: This article was written and contributed by David Klein, Cyber Evangelist at Cymulate._

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

2022 Top Five Immediate Threats in Geopolitical Context

WordPress Yith WooCommerce Gift Cards Premium plugin versions 3.19.0 and below suffer from a remote shell upload vulnerability.

Description: Unauthenticated Arbitrary File Upload

Affected Plugin: Yith WooCommerce Gift Cards Premium

Plugin Slug: yith-woocommerce-gift-cards-premium

Affected Versions: <= 3.19.0

CVE ID: CVE-2022-45359

CVSS Score: 9.8 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Researcher/s:  Dave Jong

Fully Patched Version: 3.20.0

We were able to reverse engineer the exploit based on attack traffic and a copy of the vulnerable plugin and are providing information on its functionality as this vulnerability is already being exploited in the wild and a patch has been available for some time.

The issue lies in the import_actions_from_settings_panel function which runs on the admin_init hook.

Since admin_init runs for any page in the /wp-admin/ directory, it is possible to trigger functions that run on admin_init as an unauthenticated attacker by sending a request to /wp-admin/admin-post.php.

Since the import_actions_from_settings_panel function also lacks a capability check and a CSRF check, it is trivial for an attacker to simply send a request containing a page parameter set to yith_woocommerce_gift_cards_panel, a ywgc_safe_submit_field parameter set to importing_gift_cards, and a payload in the file_import_csv file parameter.

Since the function also does not perform any file type checks, any file type including executable PHP files can be uploaded.

Cyber Observables

These attacks may appear in your logs as unexpected POST requests to wp-admin/admin-post.php from unknown IP addresses. Additionally, we have observed the following payloads which may be useful in determining whether your site has been compromised. Note that we are providing normalized hashes (hashes of the file with all extraneous whitespace removed):

kon.php/1tes.php – this file loads a copy of the “marijuana shell” file manager in memory from a remote location at shell[.]prinsh[.]com and has a normalized sha256 hash of 1a3babb9ac0a199289262b6acf680fb3185d432ed1e6b71f339074047078b28c

b.php – this file is a simple uploader with a normalized sha256 hash of 3c2c9d07da5f40a22de1c32bc8088e941cea7215cbcd6e1e901c6a3f7a6f9f19

admin.php – this file is a password-protected backdoor and has a normalized sha256 hash of 8cc74f5fa8847ba70c8691eb5fdf8b6879593459cfd2d4773251388618cac90d

Although we’ve seen attacks from more than a hundred IPs, the vast majority of attacks were from just two IP addresses:

103.138.108.15, which sent out 19604 attacks against 10936 different sites

and

188.66.0.135, which sent 1220 attacks against 928 sites.

The majority of attacks occurred the day after the vulnerability was disclosed, but have been ongoing, with another peak on December 14, 2022. As this vulnerability is trivial to exploit and provides full access to a vulnerable website we expect attacks to continue well into the future.

Recommendations

If you are running a vulnerable version of YITH WooCommerce Gift Cards Premium, that is, any version up to and including 3.19.0, we strongly recommend updating to the latest version available. While the Wordfence firewall does provide protection against malicious file uploads even for free users, attackers may still be able to cause nuisance issues by abusing the vulnerable functionality in less critical ways.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.

If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of YITH WooCommerce Gift Cards Premium as soon as possible.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence Community Edition leaderboard.

WordPress Yith WooCommerce Gift Cards Premium 3.19.0 Shell Upload

A new targeted phishing campaign has zoomed in on a two-factor authentication solution called Kavach that's used by Indian government officials.
Cybersecurity firm Securonix dubbed the activity STEPPY#KAVACH, attributing it to a threat actor known as SideCopy based on tactical overlaps with prior attacks.
".LNK files are used to initiate code execution which eventually downloads and runs a

Cyber Espionage / Pakistani Hackers

A new targeted phishing campaign has zoomed in on a two-factor authentication solution called **Kavach** that's used by Indian government officials.

Cybersecurity firm Securonix dubbed the activity **STEPPY#KAVACH**, attributing it to a threat actor known as SideCopy based on tactical overlaps with prior attacks.

".LNK files are used to initiate code execution which eventually downloads and runs a malicious C# payload, which functions as a remote access trojan (RAT)," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a new report.

SideCopy, a hacking crew believed to be of Pakistani origin and active since at least 2019, is said to share ties with another actor called Transparent Tribe (aka APT36 or Mythic Leopard).

It's also known to impersonate attack chains leveraged by SideWinder, a prolific nation-state group that disproportionately singles out Pakistan-based military entities, to deploy its own toolset.

That said, this is not the first time Kavach has emerged as a target for the actor. In July 2021, Cisco Talos detailed an espionage operation that was undertaken to steal credentials from Indian government employees.

Kavach-themed decoy apps have since been co-opted by Transparent Tribe in its attacks targeting India since the start of the year.

The latest attack sequence observed by Securonix over the past couple of weeks entails using phishing emails to lure potential victims into opening a shortcut file (.LNK) to execute a remote .HTA payload using the mshta.exe Windows utility.

The HTML application, the company said, "was discovered being hosted on a likely compromised website, nested inside an obscure 'gallery' directory designed to store some of the site's images."

The compromised website in question is incometaxdelhi\[.\]org, the official website for India's Income Tax department pertaining to the Delhi region. The malicious file is no longer available on the portal.

In the next phase, running the .HTA file leads to the execution of obfuscated JavaScript code that's designed to show a decoy image file that features an announcement from the Indian Ministry of Defence a year ago in December 2021.

The JavaScript code further downloads an executable from a remote server, establishes persistence via Windows Registry modifications, and reboots the machine to automatically launch the binary post startup.

The binary file, for its part, functions as a backdoor that enables the threat actor to execute commands sent from an attacker-controlled domain, fetch and run additional payloads, take screenshots, and exfiltrate files.

The exfiltration component also includes an option to specifically search for a database file ("kavach.db") created by the Kavach app on the system to store the credentials.

It's worth noting that the aforementioned infection chain was disclosed by the MalwareHunterTeam in a series of tweets on December 8, 2022, describing the remote access trojan as MargulasRAT.

"Based on correlated data from the binary samples obtained of the RAT used by the threat actors, this campaign has been going on against Indian targets undetected for the last year," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Warn of Kavach 2FA Phishing Attacks Targeting Indian Govt. Officials

An exhaustive analysis of FIN7 has unmasked the cybercrime syndicate's organizational hierarchy, alongside unraveling its role as an affiliate for mounting ransomware attacks.
It has also exposed deeper associations between the group and the larger threat ecosystem comprising the now-defunct ransomware DarkSide, REvil, and LockBit families.
The highly active threat group, also known as Carbanak,

An exhaustive analysis of **FIN7** has unmasked the cybercrime syndicate's organizational hierarchy, alongside unraveling its role as an affiliate for mounting ransomware attacks.

It has also exposed deeper associations between the group and the larger threat ecosystem comprising the now-defunct ransomware DarkSide, REvil, and LockBit families.

The highly active threat group, also known as Carbanak, is known for employing an extensive arsenal of tools and tactics to expand its "cybercrime horizons," including adding ransomware to its playbook and setting up fake security companies to lure researchers into conducting ransomware attacks under the guise of penetration testing.

More than 8,147 victims have been compromised by the financially motivated adversary across the world, with a majority of the entities located in the U.S. Other prominent countries include China, Germany, Canada, Italy, and the U.K.

FIN7's intrusion techniques, over the years, have further diversified beyond traditional social engineering to include infected USB drives, software supply chain compromise and the use of stolen credentials purchased from underground markets.

"Nowadays, its initial approach is to carefully pick high-value companies from the pool of already compromised enterprise systems and force them to pay large ransoms to restore their data or seek unique ways to monetize the data and remote access," PRODAFT said in a report shared with The Hacker News.

According to the Swiss cybersecurity company, the threat actors have also been observed to weaponize flaws in Microsoft Exchange such as CVE-2020-0688, CVE-2021-42321, ProxyLogon, and ProxyShell flaws in Microsoft Exchange Server to obtain a foothold into target environments.

The use of double extortion tactics notwithstanding, attacks mounted by the group have deployed backdoors on the compromised systems, even in scenarios where the victim has already paid a ransom.

The idea is to resell access to other ransomware outfits and re-target the victims as part of its illicit money-making scheme, underscoring its attempts to minimize efforts and maximize profits, not to mention prioritize companies based on their annual revenues, founded dates, and the number of employees.

This "demonstrates a particular type of feasibility study considered a unique behavior among cybercrime groups," the researchers said.

Put differently, the modus operandi of FIN7 boils down to this: It utilizes services like Dun & Bradstreet (DNB), Crunchbase, Owler, and Zoominfo to shortlist firms and organizations with the highest revenue. It also uses other website analytics platforms like MuStat and Similarweb to monitor traffic to the victims' sites.

Initial access is then obtained through one of the many intrusion vectors, followed by exfiltrating data, encrypting files, and eventually determining the ransom amount based on the company's revenue.

These infection sequences are also designed to load the remote access trojans such as Carbanak, Lizar (aka Tirion), and IceBot, the latter of which was first documented by Recorded Future-owned Gemini Advisory in January 2022.

Other tools developed by FIN7 encompass modules to automate scans for vulnerable Microsoft Exchange servers and other public-facing web applications as well as Cobalt Strike for post-exploitation.

In yet another indication that criminal groups function like traditional companies, FIN7 follows a team structure consisting of top-level management, developers, pentesters, affiliates, and marketing teams, each of whom are tasked with individual responsibilities.

While two members named Alex and Rash are the chief players behind the operation, a third managerial member named Sergey-Oleg is responsible for delegating duties to the group's other associates and overseeing their execution.

However, it has also been observed that operators in administrator positions engage in coercion and blackmail to intimidate team members into working more and issue ultimatums to "hurt their family members in case of resigning or escaping from responsibilities."

The findings come more than a month after cybersecurity company SentinelOne identified potential links between FIN7 and the Black Basta ransomware operation.

"FIN7 has established itself as an extraordinarily versatile and well-known APT group that targets enterprise companies," PRODAFT concluded.

"Their signature move is to thoroughly research the companies based on their revenue, employee count, headquarters and website information to pinpoint the most profitable targets. Although they have internal issues related to the unequal distribution of obtained monetary resources and somewhat questionable practices towards their members, they have managed to establish a strong presence in the cybercrime sphere."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

FIN7 Cybercrime Syndicate Emerges as Major Player in Ransomware Landscape

Multiple high-severity vulnerabilities have been disclosed in Passwordstate password management solution that could be exploited by an unauthenticated remote adversary to obtain a user's plaintext passwords.
"Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within

Password Management / Online Security

Multiple high-severity vulnerabilities have been disclosed in **Passwordstate** password management solution that could be exploited by an unauthenticated remote adversary to obtain a user's plaintext passwords.

"Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application," Swiss cybersecurity firm modzero AG said in a report published this week.

"Some of the individual vulnerabilities can be chained to gain a shell on the Passwordstate host system and dump all stored passwords in cleartext, starting with nothing more than a valid username."

Passwordstate, developed by an Australian company named Click Studios, has over 29,000 customers and is used by more than 370,000 IT professionals.

One of the flaws also impacts Passwordstate version 9.5.8.4 for the Chrome web browser. The latest version of the browser add-on is 9.6.1.2, which was released on September 7, 2022.

The list of vulnerabilities identified by modzero AG is below -

*   CVE-2022-3875 (CVSS score: 9.1) - An authentication bypass for Passwordstate's API
*   CVE-2022-3876 (CVSS score: 6.5) - A bypass of access controls through user-controlled keys
*   CVE-2022-3877 (CVSS score: 5.7) - A stored cross-site scripting (XSS) vulnerability in the URL field of every password entry
*   No CVE (CVSS score: 6.0) - An insufficient mechanism for securing passwords by using server-side symmetric encryption
*   No CVE (CVSS score: 5.3) - Use of hard-coded credentials to list audited events such as password requests and user account changes through the API
*   No CVE (CVSS score: 4.3) - Use of insufficiently protected credentials for Password Lists

Exploiting the vulnerabilities could permit an attacker with knowledge of a valid username to extract saved passwords in cleartext, overwrite the passwords in the database, and even elevate privileges to achieve remote code execution.

What's more, an improper authorization flow (CVSS score: 3.7) identified in the Chrome browser extension could be weaponized to send all passwords to an actor-controlled domain.

In an attack chain demonstrated by modzero AG, a threat actor could forge an API token for an administrator account and exploit the XSS flaw to add a malicious password entry to obtain a reverse shell and grab the passwords hosted in the instance.

Users are recommended to update to Passwordstate 9.6 - Build 9653 released on November 7, 2022, or later versions to mitigate the potential threats.

Passwordstate, in April 2021, fell victim to a supply chain attack that allowed the attackers to leverage the service's update mechanism to drop a backdoor on customer's machines.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Security Flaw Reported in Passwordstate Enterprise Password Manager

Nokia Fastmile 3tg00118abad52 devices shipped by Optus are shipped with a default hardcoded admin account of admin:Nq+L5st7o This account can be used locally to access the web admin interface.

Having had some time to off to mull over what to do next and attend to some other priorities I decided it was time to get back to looking at this.  

But first, I had to address the issue of having to take my internet down every time I wanted to do any prodding. So then there were two...

**Fun Party Tricks**

Of course we can't just dive straight into the hard stuff so I thought I'd take a look at what ridiculous things I could do with the Android side first.

As it's just a standard Android phone, we can use scrcpy to virtually interact with it over ADB. This doesn't really tell you anything else that you can't find via CLI.

What it does allow us to do however is install our own apps and interact with them. So naturally, I installed FlappyBird to have a go.

4 WHOLE POINTS

**I am claiming the world record for FlappyBird on a Nokia Fastmile Router.**

**Come at me.**

**Identical Super Admin Passwords**

Alright back to the serious stuff.

After receiving my second device, I noticed that the second device was on a newer firmware version with the authenticated privilege escalation vulnerability patched out.

This locks us out of the configuration backup/restore utility.

Luckily, there's a higher privileged account with the same default password that seems to be baked into every Optus shipped device.

    <WebAccount. n="WebAccount" t="staticObject">
        <Enable rw="RW" t="boolean" v="True"></Enable>
        <Alias t="string" ml="64" rw="RW" dv="cpe-NokiaAlias2" v="cpe-NokiaAlias2"></Alias>
        <Priority max="10" min="1" rw="RW" t="unsignedInt" v="1"></Priority>
        <UserName ml="64" rw="RW" t="string" v="admin"></UserName>
        <Password ml="64" rw="RW" t="string" v="7hrGZUG0NX48jHEq3+Twog==" ealgo="ab"></Password>
        <PresetPassword ml="64" rw="RW" t="string" v="7hrGZUG0NX48jHEq3+Twog==" ealgo="ab"></PresetPassword>
    </WebAccount.>

Using the same tricks from last time the password 'decrypts' to **Nq+L5st7o** with the username being admin.

At least in my case, the password I obtained from my first device also worked on my second device.

Maybe somebody should tell Optus, or maybe not because having full access to these devices is nice.

UDPATE: Informed Nokia and as of U-Boot Aug-09-2022--20:45:33 patch version 3TG00118ABGA31 this is no longer available.

UPDATE 2: This has been assigned CVE-2022-36222.

**Diving into the Firmware**

Shout out to **@neggles** for helping me through some of this.

I never did end up going through the process of dumping the Router side firmware so I might come back to do this as an exercise. In this case, I didn't end up needing to.

**Obtaining Firmware**

When the device goes to update itself, it very nicely logs the download URL for the firmware.

Sifting through my own device's logs I managed to download some firmware only to find that it's encrypted.

Luckily for us some nice person on the internet has posted a download URL for an older firmware version that isn't encrypted.

> https://whrl.pl/RgaV4d

You'll probably need to be on the Optus network somewhere to reach this:  
http://macs.optusnet.com.au/firmware/Nokia/5GGW\_D010003B37T0101E0052\_ota.tar.gz

Cracking open this older firmware file we see a couple of files. The highlighted one being relevant for the Router side with the zip file being relevant for the Android side.

Trying to unpack this file we immediately run into a hurdle, it looks like a UBI image but fails to unpack with ubidump.

Some Googling brings us to this issue which seems to be what we ran into. Several Squashfs volumes inside a UBI image.

Unpacking the squashfs volume shows us the root filesystem.

**Needle in a Haystack**

Cracking open the firmware revealed a massive attack surface to evaluate. I put together a non exhaustive list of things to look at that might help us to get root and just started working my way down the list.

*   Finding an issue with one of the CGI Scripts in the web directory
*   Reversing the jail shell /usr/sbin/vtysh
*   Reversing the configuration management utility usr/sbin/cfgmgr
*   Figure out how to repack the firmware with an entry point for us
*   Attacking the router from the Android side (that 5GCPE app on the Android side must be doing something)
    *   Storage of Android /sdcard/ is shared to the router via USB-OTG and files seem to be written there to transfer some information!
    *   There's also network connectivity as we established last time but I'm unsure if this only used for routing traffic

**CGI Scripts**

Looking at just the first point in that list, there's a sea of CGI scripts that could potentially lead us to shell access.

I had a look at a few of these and found some other vulnerabilities (that will be documented at the bottom for those interested) but quickly decided to move on from this.

**Jail Shell**

> Quick recap, in the last blog post we were able to SSH into the device by enabling the SSH user in the configuration file.
> 
> While the credentials we set in the configuration worked for SSH, they did not work for the password prompt presented when trying to use the 'shell' command at the jail shell.

Next I decided to look at the jail shell which seemed to be located at /usr/sbin/vtysh. Notably, I was interested in what was actually being checked when we were getting prompted for a password.

Opening the binary in Ghidra it become quickly apparent that the password we were getting prompted for had little to do with the one we set in the configuration. It seemed to be consisted of a group of integers that I couldn't figure out where they were set.

Ghidra Output

Reversing isn't my strong suit so I decided to move on from this as well.

**Configuration Manager**

Next I started to look into the configuration manager.

While I was looking at the CGI scripts I noticed a number of them simply took user input and passed them onto bash scripts to then perform actions.

I'm all about being as lazy as possible, so trying the easiest stuff first made sense to see if the same pattern had been used in this binary. After running strings on the binary and sifting through the results, a single line caught my eye.

Adding management users sounds like something I want to do.

In the middle of this script there's also a very interesting if statement (full script for those interested).

    if [ -e /usr/sbin/vtysh -a "$user_name" != "ONTUSER" -a "$OPID" != "0000" -a "OPID" != "9999" ]; then
       adduser -D -h ${home_dir}/${user_name} -G wheel ${user_name} -s /usr/sbin/vtysh
    else
       adduser -D -h ${home_dir}/${user_name} -G wheel ${user_name}
    fi

At this point, we know:

*   We have access to change the config of the router including managing users
*   This script is called by the Configuration Manager at some point
*   If the username == ONTUSER OR if the OperatorID == (9999 OR 1111) then users are created with the **default shell** instead of the **jail shell**
*   In the previous write-up, we found mentions of setting LimitAccount\_ONTUSER in config to false doing something

It can't possibly be that easy.

Bingo

The config ships with the "TelnetSshAccount" username of "admin". I changed this to "ONTUSER" and upon SSH we are greeted with full root access instead of a jail shell.

Config Sample

Mission accomplished.

There's tons more to look at obviously so maybe there'll be a part 3 as I'm almost certain there's another way in with such a large attack surface. For now though, I'll leave you with some of the other interesting things I noticed while looking through this device.

**Other Interesting Things****WTF Backdoor??????**

There's a telnet script in the web directory which seems to spin up a telnet server that gives shell access without authentication.

Couldn't find anywhere this gets called though. ./telnet.sh on will turn the backdoor on and ./telnet.sh st checks the status of the backdoor

**Pipe Path Traversal**

UPDATE: This has been assigned CVE-2022-36221.

The CGI script used to read the output of diagnostic pings is affected by a path traversal vulnerability.

Opening the command\_web\_app.cgi script up we see that it passes user input straight to the cat.sh script.

Ghidra Output of command\_web\_app.cgi

This script performs a check to see if the file is a pipe but otherwise just returns the contents.

The result? We have path traversal!

The usefulness of this is dependent on the existence of pipes on the router that contain sensitive information. Also the endpoint is only available as an authenticated user (albeit full admin is not required).

There's also a similar issue allowing you to check for the existence of any arbitrary directory.

Tag

#backdoor