-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2020-025
Product: DOMOS
Manufacturer: Secudos GmbH
Affected Version(s): <= DOMOS 5.8
Tested Version(s): DOMOS 5.8
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: Low
Solution Status: Solved
Manufacturer Notification: 2020-06-17
Solution Date: 2020-08-12
Public Disclosure: 2020-09-28
CVE Reference: CVE-2020-14293
Author of Advisory: Patrick Hener, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
DOMOS is a hardened operating system of Secudos GmbH. This operating
system is
used for different applications of the said company. It offers a web
interface to
easily perform administrative tasks within the operating system.
Due to insufficient input validation of user-provided data, it is
vulnerable to
OS command injection.
The default configuration after deploying the appliance does not grant
remote
access to the web interface. Instead, this interface is bound to a local
IP address.
As due to the requirements of valid admin credentials and network access to
the appliance, the vulnerability is rated as a low security risk.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
The tasks which are initiated from within the web application use Python
scripts on the back-end server to change server settings. Within these
scripts
user input is concatenated within the function os.system() of Python which
itself will initiate the operating system command.
For example, the script 'conf_datetime', which is located at
/opt/secudos/DomosConf/scripts, uses os.system() in an insecure manner,
as can be
seen here:
# /etc/sysconfig/clock
fn = '/etc/sysconfig/clock'
zone = db.get('datetime.clock.timezone', 'Europe/Berlin')
try:
fout = open(fn,'w')
fout.write('ZONE="'+zone+'"\n')
fout.write('UTC=true\n')
fout.write('ARC=false\n')
fout.close()
except:
print "Can't create",fn
# /etc/localtime
fn = '/etc/localtime'
fln = '/usr/share/zoneinfo/' + zone
try:
cmd = '/bin/ln -sf ' + fln + ' ' + fn
os.system(cmd)
The parameter 'zone' is defined as a field within the web interface.
By using an intercepting proxy and changing the value from 'Europe/Berlin'
to 'Europe/Berlin /etc/localtime; touch /tmp/hacked; cat', for example, the
file 'hacked' is created at '/tmp/' when applying the settings.
Furthermore, the script is run as root which is also a local privilege
escalation.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
By using the above technique, it was possible to echo the output of the
command
'id' into a file, thus proving that the script be run as root:
[admin@localhost ~]$ cat /tmp/hacked
uid=0(root) gid=0(root) groups=0(root)
Also refer to [1] for a weaponized exploit.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
The issue was fixed in version DOMOS 5.8.1. Upgrade to this version.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2020-06-02: Vulnerability discovered
2020-06-17: Vulnerability reported to manufacturer
2020-08-12: Patch released by manufacturer
2020-09-28: Public disclosure of vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Weaponized Go Exploit
https://exploit-db.com/exploits/xxxxxx (will be updated after
publishing)
[2] SySS Security Advisory SYSS-2020-025
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-025.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Patrick Hener of SySS GmbH.
E-Mail: patrick.hener@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Patrick_Hener.asc
Key ID: 5C708555930AA477
Key Fingerprint: 9CB7 1E87 BD83 64B7 38F2 3434 5C70 8555 930A A477
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEnLceh72DZLc48jQ0XHCFVZMKpHcFAl9x+BoACgkQXHCFVZMK
pHeWoQ//eU3OZTlB2zVYyd3SQEyHuHauX1p/VZ9OWdtPF5dEUw0HUq3vglNpVScK
u3OwLcT+WMe2nGFjRnltqUoL4O24OZxMJ8xAvyEJwqOHpqP+4KM8wemlwJ8bdUBS
Y71hUxaCebrmFkdAzJVQ0+olObo+6aK/oszpysHz+jGoRKafQX4oUnRbI2mrDKf9
JOow+uGhowAwNQJ924yzRk4j+7HxTruuglcikxrzHaN6CoJ9RgJWKsA1eWs3J4Al
pmHOAxQec/HVXtGJ30RmNCynJlZy3a3KiNyRWfqW0ezHSBcLUUti9OiD3zq1eaw7
LBgbbEXNrOsxPndO8j1FsKGQPvCj/fpHofNABzhh4eXd7E+yPC+hmgHlsk50uE0v
Mhp7ZeU1oRmCAoSBr61XdNLGyZwgWTneffZR4zWTH87zzTIqQs9xLxwjDF11kf26
3cj03zwtkfvcFKdCo6XD1u0zeMpNEftRXZMLBixgTPGH21/V/dSukrctD58YbME9
Ekbm9O5PU4Sp7PBNkZI3F9FEDAGcZTz1CEwT5x9l5pqHR50rBfpqdfaG0+v9xBXq
l7pZDsXfUUUaC9CYp91j0nJdNvIO8CMyhQcwYHRr/7tvhACSXC0PhthX1/JsRV4D
phxpsB91Q9xn01loZmrVYHsIsOAdiVfu3wkwtX+54p1zRt8BdO4=
=mB6F
-----END PGP SIGNATURE-----