From 9d8a4eb5e91cd7e010dbea57925b65caf13a1630 Mon Sep 17 00:00:00 2001 From: Giulio Date: Fri, 29 Nov 2019 11:03:36 +0100 Subject: [PATCH] Minor readme changes --- README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e7c8546..df73704 100755 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ Since the 4760 is an ancient product I fired up a Windows XP virtual machine and When i started getting frustrated with all this ancient enteprisise crap, i finally found the PHP files inside a CAB archive. -## Vulnerbilities +## Vulnerabilities ### 4760 pre auth RCE @@ -306,11 +306,12 @@ function DecodePwd($data) ``` ### 8770 post auth RCE (to be verified) -Unfortunately I do not have access to the 8770 files and i can't write (yet) reliable code for this one, so a contribution would be welcome. By default, the installation also listens on port 389. By connecting to port 389 with the leaked credentials, one can edit the whole ldap tree including seeing and modifying the hashed password `AdminNmc` user which is the administrator of the PHP web interface. By using the newly obtained credentials it should not be a problem to upload a PHP file as an asset of an existing template. Unfortunately, while all the previous vulnerabilities do work even when a "Directory License" (ndr the license specific for the PHP interface) is not present because the license check isn't done as the first thing, this last one do not. It is possible to login and obtain a valid session with the leaked credentials, but it doesn't seem possible to get a valid `themeDate` in session. +Since I do not have access to the 8770 files and i can't test the upload code for the 8770. + ## Other issues 
@@ -324,4 +325,5 @@ Unfortunately, while all the previous vulnerabilities do work even when a "Direc ``` I did not find an exploitable chain but: all the PHP version shipped with this product have multiple unserialize CVE and I did not find a way but it is possible to play with the COM class. - * LDAP injections? \ No newline at end of file + * LDAP injections? +
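Review bot: The first hunk corrects "Vulnerbilities" but leaves the other typos in its own context line untouched: "enteprisise" should be "enterprise" and the lowercase "i" in "When i started" should be "I". Since the commit is titled as a readme cleanup, it would be consistent to fix these on the same line rather than leave them for another pass.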
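Review bot: In the second hunk the replacement line is a sentence fragment: "Since I do not have access to the 8770 files and i can't test the upload code for the 8770." has a subordinate clause but no main clause, and "i" should be "I". Suggest something like "I do not have access to the 8770 files, so I cannot test the upload code for the 8770." The same hunk also deletes the only description of what the 8770 issue actually is (the LDAP service on port 389 being reachable with the leaked credentials, the `AdminNmc` account, and the observation that this path, unlike the earlier ones, is blocked when no Directory License is present). That is useful information for anyone assessing exposure or deciding what to firewall, and the heading "### 8770 post auth RCE (to be verified)" is now left with no explanation beneath it. Consider keeping that paragraph (with its typos fixed) or condensing it rather than removing it outright.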
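Review bot: The third hunk only adds the missing newline at end of file, which is fine, but while touching this region the surrounding context line could also be cleaned up: "all the PHP version shipped with this product have multiple unserialize CVE" should read "all the PHP versions shipped with this product have multiple unserialize CVEs", and "I did not find a way but it is possible to play with the COM class" is unclear about what was and was not achieved; stating plainly that no working chain was found would read better.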