
DOMOS 5.8 Command Injection
Posted Sep 30, 2020
Authored by Patrick Hener | Site syss.de

DOMOS versions 5.8 and below suffer from a command injection vulnerability.

tags | exploit
advisories | CVE-2020-14293
SHA-256 | f79d55cd2e399530aae5ed6c8d32963564e7a1e6dcd732e4f4fc6cb4d787808f


Advisory ID: SYSS-2020-025
Product: DOMOS
Manufacturer: Secudos GmbH
Affected Version(s): <= DOMOS 5.8
Tested Version(s): DOMOS 5.8
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: Low
Solution Status: Solved
Manufacturer Notification: 2020-06-17
Solution Date: 2020-08-12
Public Disclosure: 2020-09-28
CVE Reference: CVE-2020-14293
Author of Advisory: Patrick Hener, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

DOMOS is a hardened operating system of Secudos GmbH. This operating
system is used for different applications of the said company. It offers
a web interface to easily perform administrative tasks within the
operating system.

Due to insufficient input validation of user-provided data, it is
vulnerable to OS command injection.

The default configuration after deploying the appliance does not grant
remote access to the web interface. Instead, this interface is bound to
a local IP address.

Because exploitation requires valid admin credentials and network access
to the appliance, the vulnerability is rated as a low security risk.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The tasks which are initiated from within the web application use Python
scripts on the back-end server to change server settings. Within these
scripts, user input is concatenated into the string passed to Python's
os.system(), which then executes it as an operating system command.

For example, the script 'conf_datetime', which is located at
/opt/secudos/DomosConf/scripts, uses os.system() in an insecure manner,
as can be seen here:

# /etc/sysconfig/clock
fn = '/etc/sysconfig/clock'
# 'zone' comes straight from the web interface field (user-controlled)
zone = db.get('datetime.clock.timezone', 'Europe/Berlin')
try:
    fout = open(fn,'w')
    fout.write('ZONE="'+zone+'"\n')
    fout.write('UTC=true\n')
    fout.write('ARC=false\n')
    fout.close()
except:
    print "Can't create",fn

# /etc/localtime
fn = '/etc/localtime'
fln = '/usr/share/zoneinfo/' + zone
try:
    # 'zone' is concatenated unescaped into a shell command line, so
    # shell metacharacters in it are interpreted by /bin/sh
    cmd = '/bin/ln -sf ' + fln + ' ' + fn
    os.system(cmd)

The parameter 'zone' is defined as a field within the web interface.
By using an intercepting proxy and changing the value from 'Europe/Berlin'
to 'Europe/Berlin /etc/localtime; touch /tmp/hacked; cat', for example, the
file 'hacked' is created at '/tmp/' when applying the settings.

Furthermore, the script is run as root, which also makes this a local
privilege escalation.
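A hardened form of the quoted fragment, added here as an example. It is not Secudos' code and not the change shipped in 5.8.1, which the advisory does not describe; validate_zone, set_localtime, demo() and the temporary zoneinfo tree are assumptions. It fixes the defect twice over: the zone name must match a strict pattern and resolve to a file inside the zoneinfo tree, and the symlink is created with an argument list instead of a shell string.

```python
import os
import re
import shutil
import subprocess
import tempfile

# Hypothetical hardened replacement for the 'conf_datetime' fragment quoted in
# the advisory (added example, not Secudos code). Zone names look like
# 'Europe/Berlin' or 'Etc/GMT+1'; no spaces, semicolons, quotes or dots.
ZONE_RE = re.compile(r"^[A-Za-z0-9_+\-]+(/[A-Za-z0-9_+\-]+){0,2}$")
LN = shutil.which("ln") or "/bin/ln"


def validate_zone(zone, zoneinfo_root="/usr/share/zoneinfo"):
    """Return the absolute zoneinfo path for 'zone' or raise ValueError."""
    if not ZONE_RE.match(zone):
        raise ValueError("zone name contains disallowed characters: %r" % zone)
    root = os.path.realpath(zoneinfo_root)
    path = os.path.realpath(os.path.join(root, zone))
    # realpath plus prefix check also stops symlink escapes out of the tree
    if os.path.commonpath([root, path]) != root or not os.path.isfile(path):
        raise ValueError("unknown time zone: %r" % zone)
    return path


def set_localtime(zone, zoneinfo_root="/usr/share/zoneinfo",
                  localtime="/etc/localtime"):
    """Point 'localtime' at the validated zoneinfo file without a shell."""
    target = validate_zone(zone, zoneinfo_root)
    # argv list form: no /bin/sh is involved, so whatever 'zone' contains
    # stays inside one argument and can never become a second command
    subprocess.run([LN, "-sfn", target, localtime], check=True)
    return os.readlink(localtime)


def demo():
    """Exercise both paths against a constructed zoneinfo tree in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        zi = os.path.join(tmp, "zoneinfo")
        os.makedirs(os.path.join(zi, "Europe"))
        berlin = os.path.join(zi, "Europe", "Berlin")
        open(berlin, "wb").close()  # constructed stand-in for the real tzfile
        lt = os.path.join(tmp, "localtime")
        ok = set_localtime("Europe/Berlin", zi, lt) == os.path.realpath(berlin)
        try:  # the payload from the advisory is refused before anything runs
            set_localtime("Europe/Berlin /etc/localtime; touch /tmp/hacked; cat", zi, lt)
            injected = True
        except ValueError:
            injected = False
        return ok, injected
```

demo() returns (True, False): the legitimate zone is linked and the injected value never reaches a process.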

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

By using the above technique, it was possible to echo the output of the
command 'id' into a file, thus proving that the script is run as root:

[admin@localhost ~]$ cat /tmp/hacked
uid=0(root) gid=0(root) groups=0(root)

Also refer to [1] for a weaponized exploit.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The issue was fixed in version DOMOS 5.8.1. Upgrade to this version.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-06-02: Vulnerability discovered
2020-06-17: Vulnerability reported to manufacturer
2020-08-12: Patch released by manufacturer
2020-09-28: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Weaponized Go Exploit
    https://exploit-db.com/exploits/xxxxxx (will be updated after publishing)
[2] SySS Security Advisory SYSS-2020-025
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-025.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Patrick Hener of SySS GmbH.

E-Mail: patrick.hener@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Patrick_Hener.asc
Key ID: 5C708555930AA477
Key Fingerprint: 9CB7 1E87 BD83 64B7 38F2 3434 5C70 8555 930A A477

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
