exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 13 of 13 RSS Feed

Files from Andrew Klaus

Email addressandrewklaus at gmail.com
First Active2016-08-16
Last Active2020-01-07
Fortinet FortiSIEM 5.2.5 / 5.2.6 Hardcoded Key
Posted Jan 7, 2020
Authored by Andrew Klaus

Fortinet FortiSIEM has a hard-coded SSH public key for user "tunneluser" which is the same between all installs. An attacker with this key can successfully authenticate as this user to the FortiSIEM Supervisor. The unencrypted key is also stored inside the FortiSIEM image. While the user's shell is limited to running the /opt/phoenix/phscripts/bin/tunnelshell script, SSH authentication still succeeds. Versions 5.2.5 and 5.2.6 have been verified as vulnerable.

tags | exploit, shell
SHA-256 | 2c28af53eba7e337d89352df4d65040bfaf3d030410b0fb0308bd4147ae2c358
Fortinet FortiSIEM 5.0 / 5.2.1 Improper Certification Validation
Posted Oct 1, 2019
Authored by Andrew Klaus

A FortiSIEM collector connects to a Supervisor/Worker over HTTPS TLS (443/TCP) to register itself as well as relaying event data such as syslog, netflow, SNMP, etc. When the Collector (the client) connects to the Supervisor/Worker (the server), the client does not validate the server-provided certificate against its root-CA store. Since the client does no server certificate validation, this means any certificate presented to the client will be considered valid and the connection will succeed. If an attacker spoofs a Worker/Supervisor using an ARP or DNS poisoning attack (or any other MITM attack), the Collector will blindly connect to the attacker's HTTPS TLS server. It will disclose the authentication password used along with any data being relayed. Versions 5.0 and 5.2.1 have been tested and are affected.

tags | exploit, web, root, spoof, tcp
SHA-256 | dbc1310afdd15da14c73881539c81b6d75bfa93a15e200bb1094631bd6549cbe
Telus Actiontec T2200H Local Privilege Escalation
Posted Jun 12, 2019
Authored by Andrew Klaus

Telus Actiontec T2200H with firmware T2200H-31.128L.08 suffers from a local privilege escalation vulnerability.

tags | exploit, local
advisories | CVE-2019-12789
SHA-256 | 64c22975e1acdf7c911c95d4b915a2f2f35f87f789a240cdb57a6e473dd665a4
Telus Actiontec WEB6000Q Serial Number Information Disclosure
Posted Jun 12, 2019
Authored by Andrew Klaus

Telus Actiontec WEB6000Q with firmware 1.1.02.22 suffers from a serial number information disclosure vulnerability. The wireless extenders use DHCP Option 125 to include device details such as model number, manufacturer, and serial number. The WCB6000Q DHCP DISCOVER and REQUEST broadcasts include the device serial number in the DHCP option 125 (subopt 2) field. An attacker on the same Layer 2 network segment as the device, can see all these DHCP requests with a packet capture. Once he or she has this, the device's admin web UI password can be reset using the web UI "forgot password" page to reset to a known value.

tags | exploit, web, info disclosure
SHA-256 | a60ada135acfe3357034b2f1a27e49db28c91ce7c509f65eef039cbca0d8eb46
Telus Actiontec T2200H Serial Number Information Disclosure
Posted Jun 12, 2019
Authored by Andrew Klaus

Telus Actiontec T2200H with firmware T2200H-31.128L.08 suffers from a serial number information disclosure vulnerability. The wireless extenders use DHCP Option 125 to include device details such as model number, manufacturer, and serial number. By forging a special DHCP packet using Option 125, an attacker can obtain the device serial number. Once he or she has this, the device's admin web UI password can be reset using the web UI "forgot password" page to reset to a known value.

tags | exploit, web, info disclosure
SHA-256 | e00278c615b4c6ca6904174cd960226f3071c1c8dac2689625b8674db654d3c2
Telus Actiontec WEB6000Q Denial Of Service
Posted Jun 12, 2019
Authored by Andrew Klaus

Telus Actiontec WEB6000Q with firmware 1.1.02.22 suffers from a denial of service vulnerability. By querying CGI endpoints with empty (GET/POST/HEAD) requests causes a Segmentation Fault of the uhttpd webserver. Since there is no watchdog on this daemon, a device reboot is needed to restart the webserver to make any modification to the device.

tags | exploit, denial of service, cgi
SHA-256 | b7e77c13720ff2862b5f2cd505e2fd83433bb92406f790f5a82bf75578c329dd
Telus Actiontec WEB6000Q Privilege Escalation
Posted Jun 12, 2019
Authored by Andrew Klaus

Telus Actiontec WEB6000Q with firmware 1.1.02.22 suffers from both local and remote privilege escalation vulnerabilities.

tags | exploit, remote, local, vulnerability
advisories | CVE-2018-15555, CVE-2018-15556, CVE-2018-15557
SHA-256 | 4603e04a98825c83c6631a84067f20ea7105aa334aa5ff03f9006cfcabc325ec
Telus Actiontec T2200H WiFi Credential Disclosure
Posted Jun 12, 2019
Authored by Andrew Klaus

Telus Actiontec T2200H with firmware T2200H-31.128L.08 suffers from a credential disclosure vulnerability. An HTTP interface used by wireless extenders to pull the modem's wifi settings uses DHCP client-provided option values to restrict access to this API. By forging DHCP packets, one can access this interface without any authentication and obtain details such as SSID name, encryption type, and WPA/WEP keys. This can be leveraged if an attacker is on the same Layer 2 network as the modem.

tags | exploit, web, info disclosure
SHA-256 | 18956a3fcbea918f85460a9c4e64d5ab6e1e70d214ae287471800ffc0dc7ee49
Subsonic Music Streamer 4.4 For Android Improper Certificate Validation
Posted Sep 7, 2018
Authored by Andrew Klaus

Subsonic Music Streamer version 4.4 suffers from an improper certificate validation vulnerability.

tags | advisory
advisories | CVE-2018-15898
SHA-256 | f7f53b635f997e2cd5340af1d92833a14752efed2260921f9403d2e91f9f5fc0
DSub For Subsonic 5.4.1 Improper Certificate Validation
Posted Sep 7, 2018
Authored by Andrew Klaus

DSub for Subsonic version 5.4.1 suffers from an improper certificate validation vulnerability.

tags | advisory
advisories | CVE-2018-1000664
SHA-256 | 370704c68c165cc35ae66d964e40aba2fe2d033e452e2d6c15489ec1efdeb3a2
OpenConext-EngineBlock 5.7.3 Cross Site Scripting
Posted Jul 13, 2018
Authored by Andrew Klaus

OpenConext-EngineBlock versions 5.7.0 through 5.7.3suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2018-1000611
SHA-256 | 1c40f13fb738e9a91991869459b8beb8b294dcd95634775a7427ab9531fbb0ba
Actiontec WCB3000N 0.16.2.5 Privilege Escalation
Posted Nov 7, 2016
Authored by Andrew Klaus

Actiontec WCB3000N with firmware version 0.16.2.5 suffers from a privilege escalation vulnerability.

tags | exploit
SHA-256 | d334325a801f0f16ab6691fb7928af2b8fe205c07c1792c6af3ddad17a84e3eb
Actiontec T2200H Remote Reverse Root Shell
Posted Aug 16, 2016
Authored by Andrew Klaus

Actiontec T2200H allows for command injection that provides a remote root reverse shell.

tags | exploit, remote, shell, root
SHA-256 | 28169bbcf417020b949571295e53959017cd3341ec9c096c5b7311102388ba56
Page 1 of 1
Back1Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close