CVE-2020-14031: Ozeki SMS Gateway Arbitrary File Delete in the "TXT" Module

In Ozeki SMS Gateway software, versions 4.17.6 and below, the "outbox" functionality of the TXT module can be used to delete all/most files in a folder.
Because Ozeki runs as "NT Authority\System", the only files that will not be deleted are files that are currently being run by the system and/or files that have specific "security attributes" (e.g., Windows Defender files).

This delete functionality can be used to remove important files from different folders, the most notable of which are:

| Folder | Impact |
| --- | --- |
| "C:\Windows\" and subfolders | Can be used to delete important system resources, EXEs, DLLs, config files, etc., which may result in an OS-level Denial of Service. |
| The "Ozeki" folder | Can be used to delete: user config files, which will result in users not being able to log in when Ozeki restarts; DLLs necessary for Ozeki to start or run services/modules. |
| User files | Can be used to delete important user files such as "Desktop", "Documents", etc., which may result in a decrease in productivity and the loss of sensitive personal and/or business materials. |

Requirements:

This vulnerability requires:

  • Access to an Ozeki Web Application administration interface with rights to create/modify the "outbox" location of a "TXT" Module

Proof Of Concept:

First, we point the TXT "outbox" to a folder from which we want to delete files (Ex. "C:\Windows"):

We can notice 2 things almost immediately as this happens:

  • Unusual ".sending" files appear as files are getting deleted:

  • A spike in resource and memory consumption occurs on the victim:

By comparing the "Before" and "After" files, we can see the damage that has been done. In this case:

  • Executables and DLLs that were not active at runtime ("py.exe", "pyshellext.amd64.dll", etc.) have been deleted.
  • Logfiles ("WindowsUpdate.log", "iis.log", etc.) have been deleted.
  • Configuration files ("win.ini", "system.ini", "ServerStandard.xml", etc.) have been deleted.
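
The ".sending" files noted above give defenders something to watch for. The following is an added example, not part of the original disclosure: it flags ".sending" files created outside an approved outbox folder. It assumes file-creation events have already been exported from an audit source into dictionaries; the approved path, the event fields and the sample file names are hypothetical.

```python
import ntpath  # Windows path rules on any OS, so the sample runs offline

# Assumption: folders an administrator has approved as TXT "outbox" locations.
APPROVED_OUTBOXES = [r"D:\SmsSpool\outbox"]  # hypothetical path

def _norm(path):
    """Collapse '..' segments and fold case, as Windows path matching does."""
    return ntpath.normcase(ntpath.normpath(path))

def is_under(folder, base):
    """True if folder is base itself or a subfolder (not a sibling like 'outbox2')."""
    folder, base = _norm(folder), _norm(base).rstrip("\\")
    return folder == base or folder.startswith(base + "\\")

def suspicious_sending_files(events, approved=APPROVED_OUTBOXES):
    """Return created '.sending' files located outside every approved outbox."""
    hits = []
    for ev in events:
        target = ev["target"]
        if ev["action"] != "create" or not target.lower().endswith(".sending"):
            continue
        folder = ntpath.dirname(ntpath.normpath(target))
        if not any(is_under(folder, base) for base in approved):
            hits.append(_norm(target))
    return hits

def folders_hit(hits):
    """Count flagged files per folder to show where deletion is under way."""
    counts = {}
    for path in hits:
        folder = ntpath.dirname(path)
        counts[folder] = counts.get(folder, 0) + 1
    return counts

# Constructed sample events (file names are illustrative, not from the advisory).
SAMPLE_EVENTS = [
    {"action": "create", "target": r"C:\Windows\win.ini.sending"},
    {"action": "create", "target": r"C:\Windows\system.ini.sending"},
    {"action": "create", "target": r"D:\SmsSpool\outbox\msg001.sending"},
    {"action": "create", "target": r"C:\Windows\System32\notes.txt"},
    {"action": "delete", "target": r"C:\Windows\py.exe"},
    {"action": "create", "target": r"D:\SmsSpool\outbox2\a.SENDING"},
    {"action": "create", "target": r"D:\SmsSpool\outbox\..\..\Users\alice\Desktop\plan.docx.sending"},
]

if __name__ == "__main__":
    for folder, n in folders_hit(suspicious_sending_files(SAMPLE_EVENTS)).items():
        print(f"{n} unexpected .sending file(s) in {folder}")
```

Paths are normalized before comparison, so an event path that climbs out of the approved folder with ".." segments, or that sits in a sibling folder sharing the same prefix, is still flagged.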