Silently Fixed Unauthorized Command Injection in WAGO PLC Ethernet

It's been almost 4 years I didn't blogged anything on anywhere (shame).

Anyway, recently found Unauthorized Command Injection vulnerability in WAGO PLC's web-based management software. Affected device is here (WAGO 750-8202 PFC200 CS 2ETH RS).

P.S: This is not related with CVE-2016-9362.

You would need following tools if you would like to analyze vulnerability by yourself;

• Burp Suite 
• A Web Browser 
• Binwalk 
• Code Editor (My fav is Sublime Text, it's so lightweight and have good themes) 

If you fire up your MITM proxy (Burp Suite is my choice) and visit web application, eventually you will notice that application do lots of XML HTTP Requests and one of requested URL is /wbm/configtools.php. That endpoint executes some OS commands and shares output with the web application (I know 90's wants it's vulnerabilities back).

While playing with JSON payload sent to configtools.php endpoint, find out that it's possible to inject OS commands into "parameter" JSON value. Injected commands such as uname -a and id.

Results of executed commands.


Bingo! Easy and quick win against a dummy device web-based management software.

To confirm that critical vulnerability in latest version of firmware, simply downloaded the latest firmware from WAGO's web site, extracted it with binwalk (thanks authors of binwalk) and start to review source code.




In the source code, CallConfigtoolByJson function called to JSON request from browser which later call CallConfigtool function to process "parameter" value in JSON payload.



OK, commments and code fixes show that they found it internally (maybe?) and fixed it silently. Requested old firmwares but they didn't send me yet :)

MS12-076 Excel SerAuxErrBar Heap Overflow Vulnerability

There was a Heap Overflow vulnerability (CVE-2012-1885) in Excel while parsing SerAuxErrBar structure from xls (Excel's old binary format) files. So I decided to took on it (a little bit analysis). But I faced with reality that there is no public debugging symbols for Excel :( When I read advisory [1] I don't understand anything as always 'cause Microsoft only says "A remote code execution vulnerability exists in the way that Microsoft Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take..". That's shit description :( Then I look for SerAuxErrBar structure and found something on MSDN that describes this structure [2]. But there was another question. "How one could create SerAuxErrBar structure?".

Metasploit Framework ile Exploit Gelistirme Sunumu

Uzun bir sure sonra blog yaziyorum sanirim:) Gecenlerde Fatih Ozavci ile Ozgur Yazilim Gunleri 2013'te Metasploit Framework ile Exploit Gelistirme baslikli bir sunum gerceklestirdik. Metasploit Framework yapisi, exploiting (cok yuzeysel) ve ornek moduller uzerinden modul gelistirme konusunda bilgi aktarmaya calistik. Merak edenler icin sunum asagida.

 Ayrica umuyorum tekrar bir seyler yazarim buraya yakin zamanda.

 

Metasploit Framework ile Exploit Gelistirme 2013 1.5 from Canberk Bolat

WebKit cssText NULL Ptr Deref

Just tested with Chrome 21.0.1180.89 m (latest version)

Crash moment:

0:000> r
eax=00000000 ebx=015ccfb0 ecx=00000000 edx=0014ea24 esi=01e00440 edi=01e44630
eip=58fcd2a8 esp=0014e8b0 ebp=0014e8b4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
chrome_58bf0000!WebCore::CSSValue::cssText+0x8:
58fcd2a8 8b4804          mov     ecx,dword ptr [eax+4] ds:002b:00000004=????????

PoC:


Same bug in old release (19.0.1084.52) http://pastebin.com/Z0pu9jbE

CVE-2012-2760 Session Stealing in mod_auth_openid

As advisory describing, mod_auth_openid is vulnerable to session stealing. Because "Session ids are stored insecurely in /tmp/mod_auth_openid.db (default filename). The db is world readable and the session ids are stored unencrypted." [1]

Yes, this is important issue and file is accessible by local attackers. But more important issue is database file also accessible by remote attackers in some cases (For example, if application have some kind of arbitrary file download/access vulnerability like LFI) because file is located in tmp folder (apache can access tmp directory) and sqlite db is not encrypted.

SQLite is not supporting database file encryption but there are some external libraries that "provides transparent 256-bit AES encryption of database files". [2]

Dear mod_auth_openid developers, you should use database file encryption. :(

[1] http://seclists.org/fulldisclosure/2012/May/238
[2] http://sqlcipher.net/