-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2020-025
Product:                   DOMOS
Manufacturer:              Secudos GmbH
Affected Version(s):       <= DOMOS 5.8
Tested Version(s):         DOMOS 5.8
Vulnerability Type:        OS Command Injection (CWE-78)
Risk Level:                Low
Solution Status:           Solved
Manufacturer Notification: 2020-06-17
Solution Date:             2020-08-12
Public Disclosure:         2020-09-28
CVE Reference:             CVE-2020-14293
Author of Advisory:        Patrick Hener, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

DOMOS is a hardened operating system developed by Secudos GmbH and used as
the base system for several of the company's appliances. It offers a web
interface for performing administrative tasks on the operating system.

Due to insufficient input validation of user-provided data, this web
interface is vulnerable to OS command injection.

In the default configuration after deploying the appliance, the web
interface is not reachable remotely; it is bound to a local IP address.
Because exploitation requires valid admin credentials as well as network
access to that interface, the vulnerability is rated as a low security
risk.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The tasks initiated from within the web application are carried out by
Python scripts on the back-end server, which change the server settings.
Within these scripts, user input is concatenated into a command string
that is passed to Python's os.system(), which hands the string to the
operating system shell for execution.
For example, the script 'conf_datetime', located at
/opt/secudos/DomosConf/scripts, uses os.system() in an insecure manner, as
the following excerpt (Python 2) shows:

    # /etc/sysconfig/clock
    fn = '/etc/sysconfig/clock'
    zone = db.get('datetime.clock.timezone', 'Europe/Berlin')
    try:
        fout = open(fn,'w')
        fout.write('ZONE="'+zone+'"\n')
        fout.write('UTC=true\n')
        fout.write('ARC=false\n')
        fout.close()
    except:
        print "Can't create",fn

    # /etc/localtime
    fn = '/etc/localtime'
    fln = '/usr/share/zoneinfo/' + zone
    try:
        cmd = '/bin/ln -sf ' + fln + ' ' + fn
        os.system(cmd)

The parameter 'zone' is a field of the web interface. Changing its value
with an intercepting proxy from 'Europe/Berlin' to, for example,

    Europe/Berlin /etc/localtime; touch /tmp/hacked; cat

and applying the settings makes the shell execute

    /bin/ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime; touch /tmp/hacked; cat /etc/localtime

so the symlink is still created, the file 'hacked' appears in '/tmp/', and
the trailing 'cat' silently consumes the ' /etc/localtime' suffix that the
script appends. Furthermore, the script runs as root, so the injection also
escalates privileges from the web interface's admin account to root on the
appliance.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the technique above, the output of the command 'id' was redirected
into a file, proving that the script runs as root:

    [admin@localhost ~]$ cat /tmp/hacked
    uid=0(root) gid=0(root) groups=0(root)

Also refer to [1] for a weaponized exploit.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The issue was fixed in DOMOS 5.8.1. Upgrade to this version.
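The following Python 3 example is added here for illustration and is not DOMOS code, the vendor's fix, or a SySS exploit. It places the concatenation pattern from 'conf_datetime' next to a hardened variant that allow-lists the zone name, confines the resolved path to the zoneinfo directory and creates the symlink without ever invoking a shell. The function names (vulnerable_command, validate_zone, apply_timezone), the throwaway zoneinfo tree, the 'Evil' symlink and the payload list are all constructed for the demonstration; the traversal, newline and symlink cases go beyond the single payload in the advisory.

```python
import os
import re
import shutil
import tempfile

# Allow-list for tzdata zone names: path components made of letters, digits,
# '_', '+' and '-', joined by '/', e.g. "Europe/Berlin", "Etc/GMT+3",
# "America/Argentina/Buenos_Aires". No whitespace, ';', '.', quotes or newlines.
ZONE_RE = re.compile(r'[A-Za-z0-9_+\-]+(?:/[A-Za-z0-9_+\-]+)*')


def vulnerable_command(zone):
    """The pattern from the advisory: the attacker-controlled 'zone' value is
    spliced into a shell command string. Returned instead of executed so the
    resulting command line can be inspected."""
    fln = '/usr/share/zoneinfo/' + zone
    return '/bin/ln -sf ' + fln + ' /etc/localtime'


def validate_zone(zone, zoneinfo_root):
    """Return the canonical path of the zoneinfo file for 'zone', or raise
    ValueError. Three independent checks: character allow-list, containment
    under zoneinfo_root after symlink resolution, and existence."""
    if not ZONE_RE.fullmatch(zone):
        raise ValueError('zone contains characters outside the tzdata alphabet')
    root = os.path.realpath(zoneinfo_root)
    target = os.path.realpath(os.path.join(root, zone))
    if os.path.commonpath([root, target]) != root:
        raise ValueError('zone resolves outside the zoneinfo directory')
    if not os.path.isfile(target):
        raise ValueError('unknown zone')
    return target


def apply_timezone(zone, zoneinfo_root, localtime_path):
    """Hardened replacement for the os.system('/bin/ln -sf ...') call: validate
    first, then create the link with os.symlink(), so no shell ever parses the
    user-supplied value. A temporary link plus os.replace() mirrors 'ln -sf'
    (overwrite an existing link) atomically."""
    target = validate_zone(zone, zoneinfo_root)
    tmp = localtime_path + '.tmp'
    if os.path.lexists(tmp):
        os.unlink(tmp)
    os.symlink(target, tmp)
    os.replace(tmp, localtime_path)
    return os.readlink(localtime_path)


def demo():
    """Run the checks against a throwaway zoneinfo tree (constructed here; the
    single 'Europe/Berlin' file is a stand-in, not real tzdata)."""
    root = tempfile.mkdtemp(prefix='zoneinfo-')
    outside = tempfile.mkdtemp(prefix='outside-')
    try:
        os.makedirs(os.path.join(root, 'Europe'))
        with open(os.path.join(root, 'Europe', 'Berlin'), 'wb') as f:
            f.write(b'TZif2')
        # A symlink inside zoneinfo that points elsewhere: passes the regex,
        # must be caught by the realpath/commonpath containment check.
        secret = os.path.join(outside, 'secret')
        with open(secret, 'w') as f:
            f.write('not a timezone\n')
        os.symlink(secret, os.path.join(root, 'Evil'))

        localtime = os.path.join(root, 'localtime')
        results = {'link': apply_timezone('Europe/Berlin', root, localtime)}
        payloads = (
            'Europe/Berlin /etc/localtime; touch /tmp/hacked; cat',  # advisory payload
            '../../etc/passwd',                                      # path traversal
            'Europe/Berlin\nid',                                     # newline separator
            'Evil',                                                  # symlink escape
        )
        for p in payloads:
            try:
                apply_timezone(p, root, localtime)
                results[p] = 'accepted'
            except ValueError as e:
                results[p] = 'rejected: ' + str(e)
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(outside, ignore_errors=True)


if __name__ == '__main__':
    for k, v in demo().items():
        print(repr(k), '->', v)
```

If an external binary must be called instead of os.symlink(), pass an argument list to subprocess.run() with shell=False, so the zone value reaches the program as a single argv entry; the allow-list check stays in place regardless, because the value is also written into /etc/sysconfig/clock.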
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-06-02: Vulnerability discovered
2020-06-17: Vulnerability reported to manufacturer
2020-08-12: Patch released by manufacturer
2020-09-28: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Weaponized Go Exploit
    https://exploit-db.com/exploits/xxxxxx (will be updated after publishing)
[2] SySS Security Advisory SYSS-2020-025
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-025.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Patrick Hener of SySS GmbH.

E-Mail: patrick.hener@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Patrick_Hener.asc
Key ID: 5C708555930AA477
Key Fingerprint: 9CB7 1E87 BD83 64B7 38F2 3434 5C70 8555 930A A477

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and
without warranty of any kind. Details of this security advisory may be
updated in order to provide as accurate information as possible. The latest
version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEnLceh72DZLc48jQ0XHCFVZMKpHcFAl9x+BoACgkQXHCFVZMK
pHeWoQ//eU3OZTlB2zVYyd3SQEyHuHauX1p/VZ9OWdtPF5dEUw0HUq3vglNpVScK
u3OwLcT+WMe2nGFjRnltqUoL4O24OZxMJ8xAvyEJwqOHpqP+4KM8wemlwJ8bdUBS
Y71hUxaCebrmFkdAzJVQ0+olObo+6aK/oszpysHz+jGoRKafQX4oUnRbI2mrDKf9
JOow+uGhowAwNQJ924yzRk4j+7HxTruuglcikxrzHaN6CoJ9RgJWKsA1eWs3J4Al
pmHOAxQec/HVXtGJ30RmNCynJlZy3a3KiNyRWfqW0ezHSBcLUUti9OiD3zq1eaw7
LBgbbEXNrOsxPndO8j1FsKGQPvCj/fpHofNABzhh4eXd7E+yPC+hmgHlsk50uE0v
Mhp7ZeU1oRmCAoSBr61XdNLGyZwgWTneffZR4zWTH87zzTIqQs9xLxwjDF11kf26
3cj03zwtkfvcFKdCo6XD1u0zeMpNEftRXZMLBixgTPGH21/V/dSukrctD58YbME9
Ekbm9O5PU4Sp7PBNkZI3F9FEDAGcZTz1CEwT5x9l5pqHR50rBfpqdfaG0+v9xBXq
l7pZDsXfUUUaC9CYp91j0nJdNvIO8CMyhQcwYHRr/7tvhACSXC0PhthX1/JsRV4D
phxpsB91Q9xn01loZmrVYHsIsOAdiVfu3wkwtX+54p1zRt8BdO4=
=mB6F
-----END PGP SIGNATURE-----