exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

KONE KGC 4.6.4 DoS / Code Execution / LFI / Bypass

KONE KGC 4.6.4 DoS / Code Execution / LFI / Bypass
Posted Sep 6, 2018
Authored by Sebastian Neuner

KONE KGC versions 4.6.4 and below suffer from unauthenticated remote code execution, denial of service, local file inclusion, and missing FTP access control vulnerabilities.

tags | exploit, remote, denial of service, local, vulnerability, code execution, file inclusion
advisories | CVE-2018-15483, CVE-2018-15484, CVE-2018-15485, CVE-2018-15486
SHA-256 | 24a911638d8739b82ef739ff95871523a6aba5b8a61b2ae7d362519d4d6d759d

KONE KGC 4.6.4 DoS / Code Execution / LFI / Bypass

Change Mirror Download
Vulnerabilities in KONEs Group Controller (KGC)

Vulnerabilities were identified in the KONE Group Controller (KGC).
These were discovered during a black box assessment and therefore the
vulnerability list should not be considered exhaustive.

The version under test was indicated as: 4.6.4

Comment added by KONE
KONE Group Controller (KGC) is an elevator group controller computer,
installed in the elevator machine room of a building. Its purpose is
to optimize the operation of a group of elevators, and it allows
features such as destination calls and locking and unlocking floors.
Group controller is not an essential component of an elevator control
system and vulnerabilities in KGC do not affect the safety of the
elevators connected to the group.
More information at https://www.kone.com/en/vulnerability.aspx

Affected Software And Versions
- KONE KGC version 4.6.4 and below

The following CVEs were assigned to the issues described in this report:

Vulnerability Overview
01. CVE-2018-15484: Unauthenticated Remote Code Execution
02. CVE-2018-15486: Unauthenticated Local File Inclusion /
Unauthenticated Local File modification
03. CVE-2018-15485: FTP without authentication and authorization
04. CVE-2018-15483: Denial of Service

Vulnerability Details

CVE-2018-15484: Unauthenticated Remote Code Execution

By modifying the file autoexec.bat via the web interface using an
unauthenticated local file modification method (see CVE-2018-15486),
an attacker can inject arbitrary operating systems commands, which get
executed at boot time. To trigger a reboot, an HTTP GET request to
/reboot has to be made. This enables an attacker to compromise the
integrity of all software running on the device.

This includes specific autoexec commands but also the full range of
command.com (operating system) commands regarding to FreeDOS.

Injecting an interactive command, such as the help command,
effectively prevents the KGC from booting up again and therefore
causes a Denial of Service Attack (CVE-2018-15483).

CVE-2018-15486: Unauthenticated Local File Inclusion / Unauthenticated
Local File modification

By modifying the name parameter of the file endpoint, any file the
webserver has access to can be viewed.

GET /file?name=secret.txt HTTP/1.1
Host: <redacted>

However, more importantly, by modifying the name parameter of the
editfile endpoint, any file can be modified:

GET /editfile?name=secret.txt HTTP/1.1
Host: <redacted>

After calling the endpoint above, the file to edit is presented in a
textbox for modification.
This way, attackers can choose from a wide range of attack scenarios,
e.g., persisting backdoors in files such as KERNEL.SYS, enable access
to floors, they wouldn't have access to in normal cases (KGC config
files) or carry out DNS redirection- and Man-in-the-Middle attacks.
The latter could be achieved by modifying the DNS parameter or the
default gateway, respectively:

: DHCP on or off [0-1]
: Attacker would switch to 0
: Static IP address [IP]
: Set a static IP
ip=<static IP>
: Subnet mask [IP]
mask=<appropriate mask>
: Default gateway [IP]
: Change gateway
default_gateway=<attacker controlled gateway>
: DNS [IP]
dns=<attacker controlled dns server>
: Host name [string]

This way, an attacker could read and modify all the data transmitted
over the wires.

CVE-2018-15485: FTP without authentication and authorization

FTP on the KGC is enabled on port 21 and is not secured by
authentication or authorization mechanisms.

A user that connects to that port is logged in as SuperUser, with
needing a username or password (also blank usernames and passwords are

$ ftp -p <redacted-IP>
Connected to <redacted-IP>.
220 KGC FTP Server ready
Name (<redacted-IP>:username): <blank>
331 User name okay, need password.
Password: <blank>
230 SuperUser logged in, proceed.
Remote system type is WIN32.

This way all available data can be downloaded and new data can be
uploaded to the KGC.

CVE-2018-15483: Denial of Service

There are several possible ways to cause a denial of service on the KGC.
One of them is the possibility to reboot the system via the web
interface. An attacker could reboot the system every time it boots
back up to interrupt the service and cause a denial of service attack:

GET /reboot HTTP/1.1
Host: <redacted>

The vulnerabilities were discovered by Sebastian Neuner
(@sebastian9er) from the Google Security Team.

2018/05/10 - Security report sent to KONE security.
2018/05/11 - KONE acknowledges the report and starts working on the issues.
2018/05/25 - KONE requested grace period due to internal patch cycle.
2018/05/25 - Google granted grace period until patch available and
being deployed.
2018/08/06 - Public disclosure on the bugtraq Mailing List.

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By