DOMOS 5.8 Command Injection

Posted Sep 30, 2020
Authored by Patrick Hener | Site syss.de

DOMOS versions 5.8 and below suffer from a command injection vulnerability.

tags | exploit
advisories | CVE-2020-14293
SHA-256 | f79d55cd2e399530aae5ed6c8d32963564e7a1e6dcd732e4f4fc6cb4d787808f

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2020-025
Product: DOMOS
Manufacturer: Secudos GmbH
Affected Version(s): <= DOMOS 5.8
Tested Version(s): DOMOS 5.8
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: Low
Solution Status: Solved
Manufacturer Notification: 2020-06-17
Solution Date: 2020-08-12
Public Disclosure: 2020-09-28
CVE Reference: CVE-2020-14293
Author of Advisory: Patrick Hener, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

DOMOS is a hardened operating system by Secudos GmbH that underpins several
of the company's appliances. It offers a web interface for performing
administrative tasks within the operating system.

Due to insufficient validation of user-provided data, this web interface is
vulnerable to OS command injection.

In the default configuration after deployment, the web interface is not
reachable remotely: it is bound to a local IP address only.

Because exploitation requires valid admin credentials and network access to
the appliance, the vulnerability is rated as a low security risk.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The tasks initiated from the web application are carried out by Python
scripts on the back-end server that change server settings. In these
scripts, user input is concatenated into a command string that is passed to
Python's os.system(), which hands the string to the system shell for
execution.

For example, the script 'conf_datetime', located at
/opt/secudos/DomosConf/scripts, uses os.system() insecurely, as can be seen
here:

# Excerpt from conf_datetime (Python 2 syntax, as shipped with DOMOS 5.8).
# 'zone' is taken unmodified from the stored settings, which the web
# interface's time zone field populates.
# /etc/sysconfig/clock
fn = '/etc/sysconfig/clock'
zone = db.get('datetime.clock.timezone', 'Europe/Berlin')
try:
    fout = open(fn,'w')
    fout.write('ZONE="'+zone+'"\n')
    fout.write('UTC=true\n')
    fout.write('ARC=false\n')
    fout.close()
except:
    print "Can't create",fn

# /etc/localtime
fn = '/etc/localtime'
fln = '/usr/share/zoneinfo/' + zone
try:
    # The unvalidated 'zone' value is spliced into a shell command string
    # and executed by /bin/sh via os.system(): the injection sink.
    cmd = '/bin/ln -sf ' + fln + ' ' + fn
    os.system(cmd)
    # (excerpt ends here)

The parameter 'zone' corresponds to a field in the web interface. Using an
intercepting proxy to change its value from 'Europe/Berlin' to, for example,
'Europe/Berlin /etc/localtime; touch /tmp/hacked; cat' creates the file
'/tmp/hacked' when the settings are applied: the injected path completes the
'ln' command, the semicolon terminates it, and the trailing 'cat' absorbs the
' /etc/localtime' that the script appends.

Furthermore, the script runs as root, so the issue also amounts to a local
privilege escalation.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the above technique, it was possible to redirect the output of the
command 'id' into a file, proving that the script runs as root:

[admin@localhost ~]$ cat /tmp/hacked
uid=0(root) gid=0(root) groups=0(root)

Also refer to [1] for a weaponized exploit.
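The following is an added example, written for this page and not code from the SySS advisory, the weaponized exploit or DOMOS itself. It reproduces the string concatenation from conf_datetime against a scratch directory so the 'zone' payload from the Vulnerability Details section can be run safely, writes the output of 'id' into a file as in the PoC above, and contrasts the vulnerable sink with a hardened variant that allow-lists the zone name and never lets a shell parse it. The names ZONE_RE, build_cmd, set_localtime_unsafe, zone_is_valid, set_localtime_safe and demo are this example's own; the zoneinfo tree used by the safe variant is constructed in a temporary directory.

```python
"""Added example: DOMOS-style os.system() injection and its hardened form."""
import os
import re
import subprocess
import tempfile

# Real zoneinfo location on DOMOS; the safe variant takes it as a parameter
# so the demo can point it at a constructed directory instead.
ZONEINFO_ROOT = "/usr/share/zoneinfo"

# Allow-list for IANA zone names: up to three path components of letters,
# digits, '_', '+' and '-' (Europe/Berlin, Etc/GMT+1,
# America/Argentina/Buenos_Aires). No '.', whitespace or shell metacharacters.
ZONE_RE = re.compile(r"^[A-Za-z0-9_+\-]+(/[A-Za-z0-9_+\-]+){0,2}$")


def build_cmd(zone, fn):
    """The exact string the vulnerable script builds before os.system(cmd)."""
    fln = "/usr/share/zoneinfo/" + zone
    return "/bin/ln -sf " + fln + " " + fn


def set_localtime_unsafe(zone, fn):
    """Vulnerable sink: the concatenated string goes to /bin/sh -c, which is
    what os.system() does. Output is discarded; shell semantics are unchanged."""
    cmd = build_cmd(zone, fn)
    return subprocess.call(cmd, shell=True, stdin=subprocess.DEVNULL,
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def zone_is_valid(zone, zoneinfo_root=ZONEINFO_ROOT):
    """Allow-list check, then a containment check on the resolved tzfile."""
    if not ZONE_RE.match(zone):
        return False
    root = os.path.realpath(zoneinfo_root)
    target = os.path.realpath(os.path.join(root, zone))
    if not target.startswith(root + os.sep):
        return False
    return os.path.isfile(target)


def set_localtime_safe(zone, fn, zoneinfo_root=ZONEINFO_ROOT):
    """Hardened variant: validate first, then pass an argv list so no shell
    ever sees the zone name. Raises ValueError on rejected input."""
    if not zone_is_valid(zone, zoneinfo_root):
        raise ValueError("invalid time zone: %r" % zone)
    fln = os.path.join(zoneinfo_root, zone)
    subprocess.run(["ln", "-sf", fln, fn], check=True)
    return os.readlink(fn)


def demo():
    """Run the injection in a scratch directory, then show the fix blocks it."""
    work = tempfile.mkdtemp(prefix="domos-")
    link = os.path.join(work, "localtime")
    loot = os.path.join(work, "hacked")
    # Constructed payload with the same shape as the advisory's: our own path
    # completes the ln command, ';' ends it, 'cat' absorbs the appended fn.
    payload = "Europe/Berlin %s; id > %s; cat" % (link, loot)
    set_localtime_unsafe(payload, link)
    injected = os.path.exists(loot) and "uid=" in open(loot).read()
    # Constructed zoneinfo tree so the hardened variant works offline.
    fake_root = os.path.join(work, "zoneinfo")
    os.makedirs(os.path.join(fake_root, "Europe"))
    with open(os.path.join(fake_root, "Europe", "Berlin"), "wb") as f:
        f.write(b"TZif2")  # not a real tzfile, just a marker
    rejected = not zone_is_valid(payload, fake_root)
    safe_link = set_localtime_safe("Europe/Berlin", link, fake_root)
    return {"cmd": build_cmd(payload, link), "injected": injected,
            "rejected": rejected, "link_target": safe_link}


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-12s %s" % (key, value))
```

The hardened variant relies on two independent controls: the allow-list regex rejects anything that is not a plausible zone name before it reaches a command, and the argv-list call means that even a future relaxation of the regex cannot reintroduce shell parsing. The realpath containment check additionally stops a path-traversal value such as '../../etc/passwd' from being linked as /etc/localtime.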

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The issue was fixed in version DOMOS 5.8.1. Upgrade to this version.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-06-02: Vulnerability discovered
2020-06-17: Vulnerability reported to manufacturer
2020-08-12: Patch released by manufacturer
2020-09-28: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Weaponized Go Exploit
    https://exploit-db.com/exploits/xxxxxx (will be updated after publishing)
[2] SySS Security Advisory SYSS-2020-025
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-025.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Patrick Hener of SySS GmbH.

E-Mail: patrick.hener@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Patrick_Hener.asc
Key ID: 5C708555930AA477
Key Fingerprint: 9CB7 1E87 BD83 64B7 38F2 3434 5C70 8555 930A A477

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEnLceh72DZLc48jQ0XHCFVZMKpHcFAl9x+BoACgkQXHCFVZMK
pHeWoQ//eU3OZTlB2zVYyd3SQEyHuHauX1p/VZ9OWdtPF5dEUw0HUq3vglNpVScK
u3OwLcT+WMe2nGFjRnltqUoL4O24OZxMJ8xAvyEJwqOHpqP+4KM8wemlwJ8bdUBS
Y71hUxaCebrmFkdAzJVQ0+olObo+6aK/oszpysHz+jGoRKafQX4oUnRbI2mrDKf9
JOow+uGhowAwNQJ924yzRk4j+7HxTruuglcikxrzHaN6CoJ9RgJWKsA1eWs3J4Al
pmHOAxQec/HVXtGJ30RmNCynJlZy3a3KiNyRWfqW0ezHSBcLUUti9OiD3zq1eaw7
LBgbbEXNrOsxPndO8j1FsKGQPvCj/fpHofNABzhh4eXd7E+yPC+hmgHlsk50uE0v
Mhp7ZeU1oRmCAoSBr61XdNLGyZwgWTneffZR4zWTH87zzTIqQs9xLxwjDF11kf26
3cj03zwtkfvcFKdCo6XD1u0zeMpNEftRXZMLBixgTPGH21/V/dSukrctD58YbME9
Ekbm9O5PU4Sp7PBNkZI3F9FEDAGcZTz1CEwT5x9l5pqHR50rBfpqdfaG0+v9xBXq
l7pZDsXfUUUaC9CYp91j0nJdNvIO8CMyhQcwYHRr/7tvhACSXC0PhthX1/JsRV4D
phxpsB91Q9xn01loZmrVYHsIsOAdiVfu3wkwtX+54p1zRt8BdO4=
=mB6F
-----END PGP SIGNATURE-----
