what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

URVE Software Build 24.03.2020 Missing Authorization

URVE Software Build 24.03.2020 Missing Authorization
Posted Dec 26, 2020
Authored by Erik Steltzner | Site syss.de

URVE Software build version 24.03.2020 suffers from a missing authorization vulnerability.

tags | exploit
advisories | CVE-2020-29551
SHA-256 | 5b50fb6ac4e7f08d9e0044e8d698f81756c260f1010c2d75ae42018e91683f6b

URVE Software Build 24.03.2020 Missing Authorization

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2020-041
Product: URVE Software
Manufacturer: Eveo Sp. z o.o.
Affected Version(s): Build "24.03.2020"
Tested Version(s): Build "24.03.2020"
Vulnerability Type: Missing Authorization (CWE-862)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2020-11-10
Solution Date: 2020-11-18
Public Disclosure: 2020-12-23
CVE Reference: CVE-2020-29551
Authors of Advisory: Erik Steltzner, SySS GmbH
Christoph Ritter, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

URVE is a system for reserving rooms which also provides a web interface
with event scheduler.

The manufacturer describes the product as follows (see [1] and [2]):

'Booking rooms on touchscreen and easy integration with MS Exchange,
Lotus, Office 365, Google Calendar and other systems.
Great looking schedules right at the door.
Fight conference room theft with our 10" touchscreen wall-mounted
panel.'

'Manage displays, edit playlists and HTML5 content easily.
Our server can be installed on any Windows and works smoothly from
web browser.'

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

It is possible to access many different files without authentication in
an unauthorized way.

These files are partly PHP scripts which can potentially cause damage.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the following path, it is possible to shut down the system:
_internal/pc/shutdown.php

Among others, the following files and scripts are also accessible:

_internal/pc/abort.php
_internal/pc/restart.php
_internal/pc/vpro.php
_internal/pc/wake.php
_internal/error_u201409.txt
_internal/runcmd.php
_internal/getConfiguration.php
ews/autoload.php
ews/del.php
ews/mod.php
ews/sync.php
utils/backup/backup_server.php
utils/backup/restore_server.php
MyScreens/timeline.config
kreator.html5/test.php
addedlogs.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

When processing a request, it should be checked whether the
requesting actor is authorized to access the resource.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-10-28: Vulnerability discovered
2020-11-10: Vulnerability reported to manufacturer
2020-11-18: Patch released by manufacturer
2020-12-23: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Website for URVE
https://urve.co.uk/system-rezerwacji-sal
[2] Product Website for URVE
https://urve.co.uk
[3] SySS Security Advisory SYSS-2020-041

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-041.txt
[4] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Erik Steltzner and Christoph
Ritter of SySS GmbH.

E-Mail: erik.steltzner@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Erik_Steltzner.asc
Key ID: 0x4C7979CE53163268
Key Fingerprint: 6538 8216 555B FBE7 1E01 7FBD 4C79 79CE 5316 3268

E-Mail: christoph.ritter@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Christoph_Ritter.asc
Key ID: 0x05458E666D35EAE8
Key Fingerprint: 9FB0 1B9B 2F72 3DD5 3AF3 62D8 0545 8E66 6D35 EAE8

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en


-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEZTiCFlVb++ceAX+9THl5zlMWMmgFAl/i+1MACgkQTHl5zlMW
Mmh8TQ/+OOXO4wrTs1udBFKgshYd7uhwxYv2S+FEZEg1sHXjJ8yy92lxzvi9x8Yr
UmOGkILJMy0OPZKFUG+pMTpZ3+FVAvRPxK50GM2eC9F4cbRiz0N+N34ypL/r3UqO
iphpbbvlS67o7DfR8Jp0OcAAQ34vzbNE+LUDVvmyc/WxyCTk9SXOtrQflmK0Re9e
QRDcUmPNlkTyCfN4wV5VQHpJ+rhCnMg8LTle2k9EgTTyrWreqH2spG+xqr8vgWbe
5Tj07dQo9qE5oQDvkZcQGUkDi2+mmu6iFaHsVNOwtxHJbNJkfyG5ZYwURanjSuQn
gb8Qx6vx9EqHSxtEw7g1SrtY2eJ/G/5XxQjR5T37Ouu9cAfcC4kk/+RJU4FggucU
2Zvkf/fXdCaYVElBQRpeZUo+gQ2xpC+/4DdIpoG7XI5iFg9YKaGcjqKNx4l5lbZ1
zMkumuyrjdf5kf8bQm+fav3LKc58G6J8RUnh0r5RtLSpPNMwcfX5Bf1fs2G5p6VK
FRU5oI+TZOSeNgF/xLlbautyYNo4AqRGN9DlYo9PPsPSKsRxvV+3gwjxdCAHfyi7
YBGg0iGFosmNsHpb4hxwnn/h01/zHSubIIakv7fJIYU+iZDDhcyVDVN098FUAkWv
RqZz0JLwpOWTxLeEk2Ub0d7nHb8tuYCQvk2Y4TdwP4plJanZ4bs=
=NhQE
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close