Latest updates from our blog

Multiple Vulnerabilities in Web Level Control (WLC) Application

Vulnerability Summary

CERTAINITY identified multiple vulnerabilities in the Web Level Control application during a penetration testing assessment. The following issues have been uncovered:

  • Default passwords for administrative accounts: Because the administrative accounts ship with a weak, easily guessed default password, attackers can take over the WLC web application.
  • Cleartext retrieval of passwords: The application transmits the passwords of backend services and the hashes of user accounts in cleartext.
  • Unauthenticated PostgreSQL superuser access: The PostgreSQL service is exposed to the network and the superuser postgres requires no password. This leads to remote command execution.
  • Insecure file permissions: The WLC application binary is writable by anyone on the system and is loaded by systemd as the sysadm user. This can lead to privilege escalation from the previously compromised user postgres.

Product Description

Web Level Control (WLC) by KSW Elektro- und Industrieanlagenbau GmbH (KSW) is a web application for remote monitoring of petrol station tanks. It provides an overview of important parameters for the existing fuel tanks, including fluid levels, temperature and capacity. The application requests the data from the remote sources via the MQTT protocol and stores it locally in a PostgreSQL database. Furthermore, the application can send notifications via e-mail. KSW sells the WLC application in combination with its ICE (Intelligent Control Extension) platform.



Security Advisory: Clock Fault Injection on Mocor OS – Password Bypass

Introduction

This security advisory addresses a vulnerability discovered during a recent forensics engagement. Our investigation together with ONEKEY revealed that Mocor OS, running on UNISOC SC6531E devices, is susceptible to a clock fault injection attack, which poses a significant threat to user data security and privacy. Through this attack vector, an unauthorized user with physical access to a device can bypass the device's user lock, gaining unrestricted access to the main screen and compromising the integrity of the system. Notably, this vulnerability arises from a flaw in the soft reset routine performed by the OS kernel, which lacks proper permission checks for user passwords, leaving feature/burner phones vulnerable to exploitation.



Security Advisory: Unauthenticated Remote Command Execution in Multiple WAGO Products

Introduction

As we already demonstrated through our recent advisories (Asus M25 NAS, Phoenix Contact, NetModule, Festo), ONEKEY's "zero-day identification" module is quite versatile when it comes to finding bugs in the PHP, Lua, or Python code we find in firmware uploaded to ONEKEY's platform. However, we recently discovered that we were missing an interesting source for PHP taint analysis: PHP wrappers.



Security Advisory: Multiple Vulnerabilities in Phoenix Contact Routers

Introduction

This is the fourth security advisory we release together with ONEKEY that is related to the introduction of a "zero-day identification" module that performs static code analysis on proprietary applications found within firmware uploaded to ONEKEY's platform. You can find the first three here: Asus M25 NAS Vulnerability, Multiple Vulnerabilities in NetModule Routers, and Unauthenticated Configuration Export in Multiple WAGO Products.



Security Advisory: Multiple Vulnerabilities in NetModule Routers

Introduction

This is the third security advisory we release in cooperation with ONEKEY that is related to the introduction of a “zero-day identification” module that performs static code analysis on proprietary applications found within firmware uploaded to ONEKEY’s platform.