CERTAINITY Research
Multiple Vulnerabilities in Web Level Control (WLC) Application
Vulnerability Summary

CERTAINITY identified multiple vulnerabilities in the Web Level Control application during a penetration testing assessment. The following issues were uncovered:

Default passwords for administrative accounts: Using a weak default password that is easily guessed, attackers can take over the WLC web application.

Cleartext retrieval of passwords: The application sends the passwords of backend services and the password hashes of users to the client in cleartext.

Unauthenticated PostgreSQL superuser access: The PostgreSQL service is exposed to the network and the superuser postgres requires no password. This leads to remote command execution.

Insecure file permissions: The WLC application binary is writable by anyone on the system and is loaded by systemd as the sysadm user. This can lead to a privilege escalation from the previously compromised user postgres.

Product Description

Web Level Control (WLC) by KSW Elektro- und Industrieanlagenbau GmbH (KSW) is a web application used for remote monitoring of petrol station tanks. It provides an overview of important parameters for the existing fuel tanks, including fluid levels, temperature and capacity. The application requests the data via the MQTT protocol from the remote sources and stores it locally in a PostgreSQL database. Furthermore, the application can send notifications via e-mail. KSW sells the WLC application in combination with their ICE (Intelligent Control Extension) platform.
Security Advisory: Clock Fault Injection on Mocor OS – Password Bypass
Introduction

This security advisory addresses a vulnerability discovered during a recent forensics engagement. Our investigation together with ONEKEY revealed that Mocor OS, running on UNISOC SC6531E devices, is susceptible to a clock fault injection attack, which poses a significant threat to user data security and privacy. Through this attack vector, an unauthorized user with physical access to a device can bypass the device's user lock, gaining unrestricted access to the main screen and compromising the integrity of the system. Notably, this vulnerability arises from a flaw in the soft reset routine performed by the OS kernel, which lacks proper permission checks for user passwords, making feature/burner phones vulnerable to exploitation.
Security Advisory: Unauthenticated Remote Command Execution in Multiple WAGO Products
May 17, 2023

Introduction

As we already demonstrated through our recent advisories (Asus M25 NAS, Phoenix Contact, NetModule, Festo), ONEKEY's "zero-day identification" module is quite versatile when it comes to finding bugs in PHP, Lua, or Python code we find in firmware uploaded to ONEKEY's platform. However, we recently discovered that we were missing an interesting source for PHP taint analysis: PHP wrappers. PHP comes with many built-in wrappers for various URL-style protocols for use with the filesystem functions such as fopen(), copy(), file_exists() and filesize(). They are sometimes used to read the content of HTTP requests or command line arguments via php://input, php://stdin, or php://fd/0 (ok, the last one is a bit far-fetched and came up when we discussed potential sources for the taint analysis, but you get the point :) ).
Security Advisory: Multiple Vulnerabilities in Phoenix Contact Routers
Introduction

This is the fourth security advisory we release together with ONEKEY that is related to the introduction of a "zero-day identification" module that performs static code analysis on proprietary applications found within firmware uploaded to ONEKEY's platform. You can find the first three here: Asus M25 NAS Vulnerability, Multiple Vulnerabilities in NetModule Routers, and Unauthenticated Configuration Export in Multiple WAGO Products. Phoenix Contact is a manufacturer of industrial-grade routers. The vulnerabilities identified within the web management interface allow authenticated users to execute arbitrary commands with elevated privileges or to access any file on the system.
Security Advisory: Multiple Vulnerabilities in NetModule Routers
Introduction

This is the third security advisory we release in cooperation with ONEKEY that is related to the introduction of a "zero-day identification" module that performs static code analysis on proprietary applications found within firmware uploaded to ONEKEY's platform. NetModule is an Original Equipment Manufacturer of industrial-grade routers. The vulnerabilities identified within the web management interface allow authenticated users to execute arbitrary commands with elevated privileges or to access any file on the system.
Security Advisory: Unauthenticated Configuration Export in Multiple WAGO Products
As shown in our previous security advisory for the Asus M25 NAS from our research cooperation with ONEKEY, we recently introduced a "zero-day identification" module that performs static code analysis on proprietary applications found within firmware uploaded to ONEKEY's platform. This module reported two potential issues within a WAGO Series PFC100 configuration API: a path traversal and a command injection vulnerability. The command injection turned out to be a false positive (we have strengthened our analysis capabilities since then), but it led us to investigate a specific PHP file in which we identified that the authentication and authorization code blocks had been commented out.
Security Advisory: Asus M25 NAS Vulnerability
In October we announced our joint research cooperation, and we can now present our first results. We recently put into operation the first component of our "zero-day identification" module, which aims to identify vulnerability patterns in scripting languages. It has been a long time coming, and we would like to share a few technical details about it with you. Our goal is to support the identification of vulnerability patterns both in scripting languages and in compiled binaries. We started with scripting languages, as this seemed to be the quickest way to obtain results. Our first task was to determine the distribution of scripting languages within our corpus based on our file categorization. These statistics guided us in choosing which languages to support first.