The following PoC shows the creation of a new Administrator, by just having the session cookie of an observer (lowest privilege user): import requests session = requests.Session() ust_env = False tpeap_session_id =
#Eap controller software for mac software#
The software does not control privileges on the usage of the Web API, allowing a low privilege user to make any request as an Administrator. Privilege escalation from Observer to Administrator Finally, we discovered two Cross-Site Scripting, one on the creation of a local user in the parameter userName (7.4) and the other one abusing the implementation of portalPictureUpload (7.5). On 7.3 we show the application does not have any Cross-Site Request Forgery Protection giving an attacker the possibility of forcing an end user to execute any unwanted actions on the EAP Controller in which the victim is currently authenticated. Forcing a user to restore this backup (using 7.3) can give us total control over the managed devices.
An attacker possessing such key, and knowing the encryption algorithm would allow the backup file to be decrypted and modified. On 7.2 we show the software uses a hardcoded key to encrypt the Web application's backup file. The vulnerability presented in 7.1 shows how a low privilege user (observer) can make a request and create a new administrator user. TP-Link EAP Controller doesn't have any role control on the Web app API, only the application GUI seems to be restricting low lever users (observer) from changing settings.
#Eap controller software for mac code#
Technical Description / Proof of Concept Code The publication of this advisory was coordinated by Alberto Solino and Leandro Cuozzo from Core Advisories Team.ħ. This vulnerability was discovered and researched by Julian Muñoz from Core Security Exploits QA. TP-Link released Omada Controller_V2.6.1_Windows that fixes the reported issues. Vendor Information, Solutions and Workarounds Other products and versions might be affected, but they were not tested.
Due to the use of a hard-coded cryptographic key the backup file of the Web application can be decrypted, modified and restored back. Vulnerabilities were found in the EAP Controller management software, allowing privilege escalation due to improper privilege management in the Web application. You can configure EAPs in batches and conduct real-time monitoring of each EAP in the network (TP-Link changed the name of EAP Controller to Omada Controller for new versions). It allows you to centrally manage your EAP devices using a Web browser.
TP-Link states that the EAP Controller is a management software for the TP-Link EAP devices. Vulnerability InformationĬlass: Improper Privilege Management, Use of Hard-coded Cryptographic Key, Cross-Site Request Forgery, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ĬVE Name: CVE-2018-10168, CVE-2018-10167, CVE-2018-10166, CVE-2018-10165, CVE-2018-10164 Title: TP-Link EAP Controller Multiple Vulnerabilities
0 kommentar(er)
