English | Krzysztof Burghardt’s blog

diag_tool.cgi on DASAN H660RM devices with firmware 1.03-0022 allows spawning ping processes without any authorization leading to information disclosure and DoS attacks

diag_tool.cgi on DASAN H660RM devices with firmware 1.03-0022 allows spawning ping processes without any authorization leading to device enumeration on LAN interface and DoS attacks against both device and network.

CWE-862: Missing Authorization weakness in diag_tool.cgi allows remote attacker to spawn ping (and traceroute) processes on affected devices without authorization. Moreover similar bug in diag_get_result.cgi allows attacker to retrieve command output. Arbitrary command injection using ; or ` (back ticks) does not seems to work (which make this different than CVE-2018-10561 and CVE-2018-17869).

This vulnerability was assigned CVE-2019-9974.

Continue reading “diag_tool.cgi on DASAN H660RM devices with firmware 1.03-0022 allows spawning ping processes without any authorization leading to information disclosure and DoS attacks”

Boa Webserver on DASAN H660RM devices with firmware 1.03-0022 saves post data, including credentials, to /tmp/boa-temp

Boa Webserver on DASAN H660RM devices with firmware 1.03-0022 (and possibly other) saves post data, including credentials, to /tmp/boa-temp. Moreover this file is not sanitized after request has been processed, which allow retrieval of login credential possible until another POST request is made.

This vulnerability was assigned CVE-2019-9976.

Continue reading “Boa Webserver on DASAN H660RM devices with firmware 1.03-0022 saves post data, including credentials, to /tmp/boa-temp”

syslog_tool.cgi on DASAN H660RM devices with firmware 1.03-0022 uses a hard-coded key for logs encryption

DASAN H660RM devices with firmware 1.03-0022 (and possibly other) uses a hard-coded key “dasanektks123” for logs encryption. Data stored using this key can be decrypted by anyone able to access this key.

This vulnerability was assigned CVE-2019-9975.

Continue reading “syslog_tool.cgi on DASAN H660RM devices with firmware 1.03-0022 uses a hard-coded key for logs encryption”

DASAN H665 has vendor backdoor built into BusyBox’s /bin/login

DASAN H665 has vendor backdoor built into BusyBox /bin/login. Account named “dnsekakf2$$” gives access to admin (uid 0) account over telnet, at least for administration interface documented in H665 QIG (Quick Guide).

DASAN H665 is GPON Optical Network Terminal (ONT). It could work as router/NAT or bridge and allow End User to Web Access device at http://192.168.55.1/. Depending on device’s configuration it might assign different 192.168.X.0/24 subnet over DHCP, but device still reply to traffic on 192.168.55.1 from any devices in 192.168.55.0/24 subnet.

This vulnerability was assigned CVE-2019-8950.

Continue reading “DASAN H665 has vendor backdoor built into BusyBox’s /bin/login”

ESE Key Daemon 1.2.7 released

New version of ESE Key Daemon was released today.

New features include the ability to handle multiple key combinations and distinguish between key presses and releases. A problem with the handling of the last line in a configuration file when there is no newline on the last line is gone. Numeric keys are now also allowed in the configuration file.

Download: esekeyd-1.2.7.tar.gz (.asc)

MD5: 5937ad6d7815dbc6ab6983411a9f37d4
SHA1: 07671be42b61973a3270aaf1b41c3467568ae7ac

Debian GNU/Linux on Dell Inspiron 1764

Installing, configuring and using Debian GNU/Linux on Dell Inspiron 1764 (N0476409) notebook.

Continue reading “Debian GNU/Linux on Dell Inspiron 1764”

Integration of AA Google 404 with Atahualpa

AskApache Google 404 default 404.php does not work properly with Atahualpa theme. To fix those problems create another 404.php file in /themes/atahualpa with this content:

Continue reading “Integration of AA Google 404 with Atahualpa”

Virtual destinations are faster than Camel routing

Routing messages from one input queue to two output queues in ActiveMQ can be done in two different ways. Apache Camel, a powerful rule-based routing engine often used with ActiveMQ, is a typical choice. Virtual composite queue is another solution. Which to choose? The faster.

Continue reading “Virtual destinations are faster than Camel routing”

Migrating from ActiveMQ-CPP/CMS version 2.2 to 3.0

Migrating from ActiveMQ-CPP/CMS version 2.2.6 to 3.0.1 is very easy. There are only two minor problems to deal with.

Continue reading “Migrating from ActiveMQ-CPP/CMS version 2.2 to 3.0”

FreeBSD with X.Org on QEMU

X.Org form ports works fine with cirrus driver, but starts in 800×600 only. Small tweak to configuration file is needed to run X in higher resolutions.

Continue reading “FreeBSD with X.Org on QEMU”