Summary
The MOBOTIX S14 Camera did not implement any mechanism to avoid cross-site request forgery (CSRF) attacks.
Impact
Successful exploitation of this vulnerability can lead to the takeover of the device.
Details
The MOBOTIX S14 Camera did not implement any mechanism to avoid cross-site request forgery attacks.
This can allow a local account password to be changed without the knowledge of the authenticated user.
@llandeilocymro
llandeilocymro / camera.py
Created February 11, 2019 12:49
MOBOTIX - Default username PoC
#!/usr/bin/python
import requests, signal, sys, argparse
from requests.auth import HTTPBasicAuth
p = argparse.ArgumentParser("./camera.py -h <ip> -p <port>", version="0.1")
p.add_argument("-ip", "--ipaddress", dest="ipaddress", help="Enter an ipaddress")
p.add_argument("-p", "--port", dest="port", default="8081", help="Enter a port")
args = p.parse_args()
@llandeilocymro
llandeilocymro / MOBOTIX S14 Camera - MX-V4.2.1.61 - Multiple Vulnerabilities
Last active May 29, 2019 12:44
MOBOTIX S14 Camera - MX-V4.2.1.61 - Multiple Vulnerabilities
Default Web Management Interface Credentials (https://www.use-ip.co.uk/forum/threads/mobotix-default-password.76/) - CVE-2009-5154
In a default state, the admin's hash was Wx3P0QA1/y1bg; this was cracked to reveal 'meinsm'.
See: https://gist.github.com/llandeilocymro/430bdd50266e03c75e6116c3e80bf78f for PoC in python.
Administrator Credentials stored in weak hashing format - CVE-2019-7673
In a default state, the admin's hash was found to be - Wx3P0QA1/y1bg. This is a DES hash and isn't considered secure.
Clear text credentials / Basic authentication - CVE-2019-7675.
The default management application was delivered over HTTP and used basic authentication.
@llandeilocymro
llandeilocymro / Directus_hardcoded_creds.txt
Last active May 5, 2018 18:32
Directus 6.4.9 hardcoded creds (CVE-2018-10723)
> [Description - CVE-2018-10723]
> Directus 6.4.9 has a hardcoded admin password for the Admin account because of an INSERT statement in
> api/schema.sql.
>
> ------------------------------------------
>
> [Additional Information]
> Here is the extract of the hardcoded credential (from schema.sql): INSERT INTO `directus_users` (`id`,
> `status`,
> `first_name`,
@llandeilocymro
llandeilocymro / remote_hash.py
Created October 19, 2016 08:21
Safe way to grab Windows hashes remotely (SAM, SYSTEM and SECURITY)
#! /usr/bin/python
# EDW - NCCGroup
# wrapper to safely get hashes from a box
# needs winexe, smbclient and creddump7
# v0.2 Rich - added colors, pth-winexe, pth-smbexec and scan over a range
# v0.3 EDW - added threading
import os
import optparse
import signal
@llandeilocymro
llandeilocymro / sudocheck.pl
Created August 25, 2016 10:19
Quick little script to rattle through a sudoers file and make recommendations
#! /usr/bin/perl -w
# EDW
# Quick little script to rattle through a sudoers file and make recommendations
if ($^O eq "MSWin32") { print "Windows....really....use *nix\n"; exit; }
$file = "/etc/sudoers";
$line="\="x50;
if ($#ARGV != 0) {
@llandeilocymro
llandeilocymro / sshdcheck.pl
Created August 25, 2016 10:18
Quick little script to rattle through a sshd_config file and make recommendations
#! /usr/bin/perl -w
# EDW
# Quick little script to rattle through a sshd_config file and make recommendations
if ($^O eq "MSWin32") { print "Windows....really....use *nix\n"; exit; }
$file = "/etc/ssh/sshd_config";
$line="\="x50;
if ($#ARGV != 0) {
@llandeilocymro
llandeilocymro / quick_win.py
Created August 25, 2016 10:05
Threaded py script to quickly identify hosts with weak Tomcat credentials
#! /usr/bin/python
# EDW - looks for default tomcat and ssh creds.
import logging
import paramiko
import os, sys
import optparse
import threading
from socket import *
try:
@llandeilocymro
llandeilocymro / acf2_user_enum.py
Last active August 25, 2016 10:06
ACF2 Username Enumeration
#!/usr/bin/python
# EDW - ACF2 Username Enumeration
import sys
import time
import optparse
import re
import signal
from telnetlib import Telnet
from socket import *
@llandeilocymro
llandeilocymro / ssh_username_enum.py
Created August 24, 2016 21:08
OpenSSH Username enum
#!/usr/bin/python
# EDW - OpenSSH Username enum
import sys
import paramiko
import time
import optparse
import re
import signal
from socket import *