CVE-2019-11528 - Insecure default permissions in uaGate SI
Abstract
The system path /usr/local/bin has file mode 2777 (drwxrwsrwx), so every Unix user can modify the executables there and add their own executables too.
Attack Vector
Due to a configuration error, any unprivileged user can write executable files in /usr/local/bin.
Proof of Concept
curl --silent --user itadmin:******* 'http://uagate/cgi-bin/it/registerAzureIotProxy.cgi?task=register&deviceId=%26ls%20-la%20/usr/local/%26'
Attack Scenario
This weakness can be used to stage a payload for later execution.
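A defensive check for the condition described above, as an added example that is not part of the original advisory or the vendor's firmware: it reports every directory on a PATH-style list that is writable by all users, and separates the mode 2777 case (no sticky bit) from a /tmp-style 1777 directory. The function names classify_dir and audit_path and the script name are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not vendor code): flag directories that any local user can write to.
# Mode 2777 = setgid (2000) + rwx for owner, group and other; the sticky bit (1000) is absent.

# classify_dir DIR -> prints: missing | ok | world-writable | world-writable-sticky
classify_dir() {
    d=$1
    [ -d "$d" ] || { echo missing; return 0; }
    # -H follows a symlinked directory; -prune stops find from descending into it.
    # -perm -0002 matches when the write bit for "other" is set.
    if [ -z "$(find -H "$d" -prune -perm -0002 2>/dev/null)" ]; then
        echo ok
    # With the sticky bit (as on /tmp) users cannot replace each other's files.
    elif [ -n "$(find -H "$d" -prune -perm -1000 2>/dev/null)" ]; then
        echo world-writable-sticky
    else
        echo world-writable
    fi
}

# audit_path LIST -> prints "STATUS DIR" for each risky entry of a colon-separated
# list such as $PATH; returns 1 if anything was reported.
audit_path() {
    rc=0
    old_ifs=$IFS
    IFS=:
    for dir in $1; do
        [ -n "$dir" ] || dir=.          # an empty PATH entry means the current directory
        st=$(classify_dir "$dir")
        case $st in
            ok|missing) ;;
            *) echo "$st $dir"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# Usage: sh audit_path.sh "$PATH"   (with no argument only the functions are defined)
if [ "$#" -gt 0 ]; then audit_path "$1"; fi
```

A non-zero exit status means at least one listed directory needs its mode corrected, for example to 755 with root ownership.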
Timeline
- day 0 - pentest of uaGate SI Device - 21.12.2018
- day 28 - initial issue-related contact to manufacturer - 18.01.2019
- day 63 - issue report to manufacturer - 22.02.2019
- day 66 - secure communication channel established - 25.02.2019
- day 74 - detailed issue report to manufacturer - 05.03.2019
- day 116 - manufacturer acknowledged security issues - 16.04.2019
- day 125 - CVE ID issued by MITRE - 25.04.2019
- day 229 - fix found in Firmware 1.71.00.1225 - 07.08.2019
- day 293 - released - 10.10.2019
Credits
djo@mioso.com