AK-Nord USB-Server-LXL Privilege Escalation

30 Jul 2025 00:00:00 | Reported by Marcus Krüppel | Type: packetstorm | Source: packetstorm.news

USB-Server-LXL admin SSH can modify /etc/init.d/lighttpd to run root commands.

Related (Reporter: Title, Published)
Circl: CVE-2025-52361, 30 Jul 2025 03:19
CNNVD: AK-Nord USB-Server-LXL Firmware Security Vulnerability, 1 Aug 2025 00:00
CVE: CVE-2025-52361, 1 Aug 2025 00:00
Cvelist: CVE-2025-52361, 1 Aug 2025 00:00
EUVD: EUVD-2025-23368, 3 Oct 2025 20:07
NVD: CVE-2025-52361, 1 Aug 2025 16:15
Positive Technologies: PT-2025-31647 · Unknown +1 · Ak-Nord Usb-Server-Lxl +1, 1 Aug 2025 00:00
RedhatCVE: CVE-2025-52361, 3 Aug 2025 14:14
Vulnrichment: CVE-2025-52361, 1 Aug 2025 00:00

================== Overview ==================
    TL;DR: Using the low-privilege "admin" user account via SSH on the IoT device "USB-Server-LXL" [1], it is possible to modify the script /etc/init.d/lighttpd which is executed by root upon restart, leading to arbitrary code execution with root privileges.
    
    CVE: CVE-2025-52361
    Suggested CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    Suggested CVSS score: 7.0 (High)
    Author: Marcus Krüppel, msg systems ag [3]
    Product: USB-Server-LXL [1]
    Manufacturer: AK-Nord GmbH [2]
    Affected versions: up to firmware "v0.0.16 Build 2023-03-13"
    
    ================== Vulnerability ==================
    1. The device [1] is designed to support SSH logins with two users: "root" with high privileges and "admin" with low privileges. You need the password for the "admin" user to log in; the factory default is "ak-nord".
    
    2. All scripts in /etc/init.d/ are generally owned by root, except "lighttpd" which controls a webserver. This file is owned by "admin", therefore it is possible to edit this file using "vi".
    
    3. You can add arbitrary commands to the script, preferably after line 7, which will always be executed regardless of which parameters are provided.
    
    4. These commands will be executed as root whenever root starts the script manually and at every reboot.
    
    5. This finally leads to arbitrary code execution.
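
A defensive check for the root cause in step 2 (a boot script owned by a non-root account), given as an added example that is not part of the original advisory. The function name `audit_init_dir` and its arguments are assumptions made for illustration; it flags any entry in a root-executed script directory that is not owned by the expected uid or is group- or world-writable.

```shell
#!/bin/sh
# Added example (not from the advisory): flag boot scripts that a non-root
# account could modify. audit_init_dir and its arguments are hypothetical names.
#
# Usage: audit_init_dir [DIR] [EXPECTED_UID]
#   DIR           directory of scripts run by root (default /etc/init.d)
#   EXPECTED_UID  numeric uid that should own every entry (default 0 = root)
# Prints one "ls -ldn" line per finding; returns 1 if anything was flagged,
# 0 if the directory is clean, 2 if DIR does not exist.
audit_init_dir() {
    dir=${1:-/etc/init.d}
    uid=${2:-0}

    if [ ! -d "$dir" ]; then
        echo "audit_init_dir: $dir is not a directory" >&2
        return 2
    fi

    # Check the directory itself and everything below it. Symlinks are
    # skipped because their own mode bits carry no meaning. An entry is
    # flagged when it is
    #   - owned by someone other than EXPECTED_UID, or
    #   - writable by its group (-perm -0020) or by others (-perm -0002).
    findings=$(find "$dir" ! -type l \
        \( ! -user "$uid" -o -perm -0020 -o -perm -0002 \) \
        -exec ls -ldn {} \;)

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

On an affected device, running `audit_init_dir /etc/init.d` would list the lighttpd script with the uid of "admin" in the owner column.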
    
    ================== Background ==================
    This vulnerability was found by msg systems during a pentest for a third party which uses the device in its logistics hubs.
    
    #### AK-Nord GmbH ####
    AK-Nord [2] is a German SME and offers a wide range of IT-related electronics and systems for use in an industrial environment with a focus on network-enabled adapters.
    
    #### USB-Server-LXL ####
    The device [1] is designed to host a hardware USB device and integrate it into a standard IP-network via Ethernet.
    
    #### msg systems ag ####
    Apart from software development and consulting, msg systems [3] provides a wide range of security services, both technical (pentests, red teaming, SOC, forensics etc.) and organizational (ISO27001, BSI Grundschutz, security consulting, TISAX etc.). It employs over 100 dedicated security experts covering all aspects of modern IT security.
    
    ================== Timeline ==================
    02.06.2025 Detection of vulnerability during pentest
    04.06.2025 Full pentest report sent to third party client
    12.06.2025 Excerpt of pentest report with this vulnerability sent to manufacturer
    13.06.2025 Manufacturer responded and provided a patch [4]
    13.06.2025 Process for a new CVE initiated at Mitre
    08.07.2025 Mitre responded with reserved CVE-ID
    
    ================== References ==================
    [1] https://www.ak-nord.de/usbserver-usb--usb-converter--usb-auf-ethernet--usb-to-ethernet--usb-auf-lan--usb-server--usb-konverter--print-server-80.html?language=en
    [2] https://www.ak-nord.de/?language=en
    [3] https://www.msg.group/en/solutions/security  |  Contact: mailto:[email protected]
    [4] https://www.ak-nord.de/download/daten/kirkstone/atto/Bugfix_CVE-2025-52361.swu

Scores as of 30 Jul 2025 00:00 (current):
Vulners AI Score: 6.6 (Medium risk)
CVSS 3.1: 7.8
EPSS: 0.00084