Message-ID: <VI1P191MB0800B3BF8F27EF053DBD108EE759A@VI1P191MB0800.EURP191.PROD.OUTLOOK.COM>
Date: Fri, 25 Jul 2025 08:58:32 +0000
From: Marcus Krueppel <Marcus.Krueppel@....group>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] AK-Nord USB-Server-LXL privilege escalation and code execution (CVE-2025-52361)
================== Overview ==================
TL;DR: Using the low-privilege "admin" user account via SSH on the IoT device "USB-Server-LXL" [1], it is possible to modify the script /etc/init.d/lighttpd which is executed by root upon restart, leading to arbitrary code execution with root privileges.
CVE: CVE-2025-52361
Suggested CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Suggested CVSS score: 7.0 (High)
Author: Marcus Krüppel, msg systems ag [3]
Product: USB-Server-LXL [1]
Manufacturer: AK-Nord GmbH [2]
Affected versions: up to firmware "v0.0.16 Build 2023-03-13"
================== Vulnerability ==================
1. The device [1] is designed to support SSH logins for two users: "root" with high privileges and "admin" with low privileges. The "admin" password is needed to log in; the factory default is "ak-nord".
2. All scripts in /etc/init.d/ are owned by root, except "lighttpd", which controls the web server. This file is owned by "admin", so that user can edit it, e.g. with "vi".
3. Arbitrary commands can be added to the script, preferably after line 7, which is always executed regardless of which parameters are provided.
4. These commands are executed as root whenever root runs the script manually, and at every reboot.
5. This results in arbitrary code execution with root privileges.
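The root cause is an init script that a low-privilege account owns and can therefore rewrite; the fix is for every file in /etc/init.d/ to be owned by root and not writable by group or others. The following audit script is an added example written for this advisory, not the manufacturer's or the pentesters' code. It walks an init-script directory and flags any file whose owner differs from the expected owner (default root) or whose mode carries a group/other write bit, exactly the condition that made /etc/init.d/lighttpd editable by "admin" here. It assumes a stat that accepts -c with %U and %a (GNU coreutils and BusyBox both do); the directory passed to it is the caller's choice.

```shell
#!/bin/sh
# Audit an init-script directory for scripts a non-root account could edit.
# Added example for this advisory, not vendor code. Assumes GNU/BusyBox stat.

# audit_init_dir DIR [EXPECTED_OWNER]
# Prints one line per finding; returns 0 when clean, 1 when anything was flagged.
audit_init_dir() {
    dir=$1
    expected_owner=${2:-root}
    findings=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        owner=$(stat -c '%U' "$f")
        mode=$(stat -c '%a' "$f")
        perm=${mode#"${mode%???}"}        # keep the last three octal digits (u/g/o)
        reason=""
        if [ "$owner" != "$expected_owner" ]; then
            reason="owned by $owner, expected $expected_owner"
        fi
        # 022 is the write bit for group (020) and for others (002).
        if [ $(( 0$perm & 022 )) -ne 0 ]; then
            reason="${reason:+$reason; }mode $perm is group/other writable"
        fi
        if [ -n "$reason" ]; then
            printf 'FLAGGED %s: %s\n' "$f" "$reason"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage on the device: sh audit_init.sh /etc/init.d
if [ $# -gt 0 ]; then
    audit_init_dir "$1"
fi
```

Run as root after applying the vendor patch [4] to confirm that no init script remains owned by "admin" or writable by anyone but root; a non-zero exit status means at least one file still needs `chown root` and `chmod go-w`.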
================== Background ==================
This vulnerability was found by msg systems during a pentest for a third party which uses the device in its logistics hubs.
#### AK-Nord GmbH ####
AK-Nord [2] is a German SME and offers a wide range of IT-related electronics and systems for use in an industrial environment with a focus on network-enabled adapters.
#### USB-Server-LXL ####
The device [1] is designed to host a hardware USB device and integrate it into a standard IP-network via Ethernet.
#### msg systems ag ####
Apart from software development and consulting, msg systems [3] provides a wide range of security services, both technical (pentests, red teaming, SOC, forensics etc.) and organizational (ISO27001, BSI Grundschutz, security consulting, TISAX etc.). It employs over 100 dedicated security experts covering all aspects of modern IT security.
================== Timeline ==================
02.06.2025 Detection of vulnerability during pentest
04.06.2025 Full pentest report sent to third party client
12.06.2025 Excerpt of pentest report with this vulnerability sent to manufacturer
13.06.2025 Manufacturer responded and provided a patch [4]
13.06.2025 Process for a new CVE initiated at Mitre
08.07.2025 Mitre responded with reserved CVE-ID
================== References ==================
[1] https://www.ak-nord.de/usbserver-usb--usb-converter--usb-auf-ethernet--usb-to-ethernet--usb-auf-lan--usb-server--usb-konverter--print-server-80.html?language=en
[2] https://www.ak-nord.de/?language=en
[3] https://www.msg.group/en/solutions/security | Contact: mailto:pentest@....group
[4] https://www.ak-nord.de/download/daten/kirkstone/atto/Bugfix_CVE-2025-52361.swu
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/