CVE-2019-11528 - insecure default permissions in uaGate SI

abstract

The system path /usr/local/bin has file mode 2777 (drwxrwsrwx), so every Unix user can modify the executables there and add their own.

attack vector

Due to a configuration error, any unprivileged user can write executable files to /usr/local/bin.
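
A defensive check for this class of misconfiguration, as an added example that is not part of the original advisory or the vendor's firmware: it walks a PATH-style list and reports every directory that any local user can write to, separating the 2777 case from the sticky-bit case. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): audit directories on a PATH-style list for
# the permission problem described above. Function names are hypothetical.

# classify_dir DIR prints one of:
#   missing         not a directory
#   ok              "other" has no write bit
#   sticky          world-writable with the sticky bit (like /tmp, 1777):
#                   anyone can add files, only owners can remove or rename them
#   world-writable  world-writable without sticky bit (such as 2777):
#                   anyone can add, remove or replace entries
classify_dir() {
    if [ ! -d "$1" ]; then
        echo missing
    elif [ -z "$(find "$1" -prune -perm -0002 -print)" ]; then
        echo ok
    elif [ -n "$(find "$1" -prune -perm -1000 -print)" ]; then
        echo sticky
    else
        echo world-writable
    fi
}

# audit_path LIST prints "<class> <dir>" for every colon-separated directory
# in LIST that any local user can write to. An empty entry means ".".
audit_path() {
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting
    for d in $1; do
        d=${d:-.}
        class=$(classify_dir "$d")
        case $class in
            sticky|world-writable) echo "$class $d" ;;
        esac
    done
    set +f
    IFS=$old_ifs
}

# Audit the current PATH, or a list given as the first argument.
audit_path "${1:-$PATH}"
```

A directory with the mode given in the abstract is reported as world-writable; the sticky class is still a finding for a directory on PATH, because adding a new executable is enough to shadow a command found in a later entry.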

proof of concept

curl --silent --user itadmin:******* 'http://uagate/cgi-bin/it/registerAzureIotProxy.cgi?task=register&deviceId=%26ls%20-la%20/usr/local/%26'

attack scenario

This weakness can be used to stage a payload for later execution.

timeline

  • day 0 - pentest of uaGate SI Device - 21.12.2018
  • day 28 - initial issue related contact to manufacturer - 18.01.2019
  • day 63 - issue report to manufacturer - 22.02.2019
  • day 66 - secure communication channel established - 25.02.2019
  • day 74 - detailed issue report to manufacturer - 05.03.2019
  • day 116 - manufacturer acknowledged security issues - 16.04.2019
  • day 125 - CVE ID issued by MITRE - 25.04.2019
  • day 229 - fix found in Firmware 1.71.00.1225 - 07.08.2019
  • day 293 - released - 10.10.2019

credits

djo@mioso.com
