CVE-2020-8809 and CVE-2020-8810


seqred-s-a/gxdlmsdirector-cve


Gurux GXDLMS Director is an open-source Windows program for interacting with energy meters through the use of DLMS/COSEM protocol.

The software has a remote update functionality for add-in DLLs as well as for files containing OBIS codes (device-specific definitions needed to interact with the smart meters).

| CVE ID | Name of the affected product(s) and version(s) | Problem type |
| --- | --- | --- |
| CVE-2020-8809 | Gurux GXDLMS Director (all versions prior to 8.5.1905.1301) | CWE-494: Download of Code Without Integrity Check |
| CVE-2020-8810 | Gurux GXDLMS Director (all versions) | CWE-23: Relative Path Traversal |

Summary

All versions of Gurux GXDLMS Director prior to 8.5.1905.1301 contain an update mechanism for add-ins and OBIS codes which works over an unencrypted HTTP connection. Additionally, all versions contain a path traversal bug which is triggered when downloading OBIS codes. These vulnerabilities can be used by an attacker to achieve code execution.

Description

A man-in-the-middle attacker (e.g. a malicious Wi-Fi network operator) can prompt the user to download updates by modifying the contents of gurux.fi/obis/files.xml and gurux.fi/updates/updates.xml. Then, the attacker can modify the contents of downloaded files. In the case of add-ins (if the user is using those), this will lead to code execution. In case of OBIS codes (which the user is always using as they are needed to communicate with the energy meters), the attacker can achieve code execution by exploiting a path traversal vulnerability.

When downloading OBIS codes, the program does not verify that the downloaded files are actual OBIS codes and doesn’t check for path traversal. This allows the attacker to send executable files and place them in an autorun directory (run after reboot), or to place DLLs inside the existing GXDLMS Director installation (run on next execution of GXDLMS Director). This can be used to achieve code execution even if the user doesn’t have any add-ins installed.

Reproduction

  1. Start an HTTP server.
  2. Inside its root directory, create a directory called obis.
  3. Create a file obis/files.xml with the following contents:

         <files>
           <file modified="28-09-2099" name="Iskraemeco">../../../../../../../../../../Users/Public/Documents/test.txt</file>
         </files>

  4. Create a directory Users/Public/Documents.
  5. Create a file Users/Public/Documents/test.txt.
  6. On a Windows machine, edit the file C:\Windows\system32\drivers\etc\hosts and add the following line to it: 127.0.0.1 gurux.fi (if your HTTP server is not the same as your Windows machine, replace 127.0.0.1 with the server’s IP).
  7. Start Gurux GXDLMS Director. When prompted to download an update, accept.
  8. Verify that C:\Users\Public\Documents\ now contains file test.txt.

Remedy

Update Gurux GXDLMS Director to the newest version.
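
The path traversal (CVE-2020-8810) arises because the file entry from files.xml is used as a destination path without validation. The Python code below is an added example, not code from Gurux or from this repository: it shows the missing check under Windows path rules, accepting a manifest entry only when it is a plain file name. The OBIS_DIR folder, the function names and the second and third manifest entries are assumptions made for illustration, and the check does not address the missing integrity verification of CVE-2020-8809.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample manifest. The first entry is the one from the reproduction
# steps; the other two are made up for comparison.
SAMPLE_MANIFEST = """<files>
  <file modified="28-09-2099" name="Iskraemeco">../../../../../../../../../../Users/Public/Documents/test.txt</file>
  <file modified="28-09-2099" name="Example">example_meter.obx</file>
  <file modified="28-09-2099" name="Absolute">C:/Windows/Temp/x.dll</file>
</files>"""

# Hypothetical download folder, assumed for this example only.
OBIS_DIR = PureWindowsPath(r"C:\ProgramData\Example\OBIS")


def safe_destination(entry, base=OBIS_DIR):
    """Return base/entry, or raise ValueError unless entry is a plain file name."""
    name = entry.strip()
    path = PureWindowsPath(name)  # Windows rules: both / and \ are separators
    # Reject empty names, drive letters, UNC/rooted paths, and anything with
    # more than one component (which covers every "dir/.." combination).
    if not name or path.anchor or len(path.parts) != 1 or name == "..":
        raise ValueError(f"not a plain file name: {entry!r}")
    # Reject stream/device syntax and names Windows would silently rewrite.
    if any(c in name for c in ':*?"<>|') or name.endswith("."):
        raise ValueError(f"illegal file name: {entry!r}")
    return base / name


def audit_manifest(xml_text):
    """Split <file> entries into (accepted destinations, rejected raw entries)."""
    accepted, rejected = [], []
    # The manifest is untrusted input; a hardened XML parser is advisable.
    for element in ET.fromstring(xml_text).iter("file"):
        entry = element.text or ""
        try:
            accepted.append(str(safe_destination(entry)))
        except ValueError:
            rejected.append(entry)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = audit_manifest(SAMPLE_MANIFEST)
    print("accepted:", ok)
    print("rejected:", bad)
```

Validating the name before any file is written keeps every download inside the intended folder regardless of what the server, or anyone on the network path, puts in the manifest.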
