
B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution

Severity: Critical
Advisory ID: ZSL-2020-5590
Release Date: 19 September 2020
Vendor: B-Swiss SARL, b-tween Sarl - https://www.b-swiss.com
Affected Version: 3.6.5, 3.6.2, 3.6.1, 3.6.0, 3.5.80, 3.5.40, 3.5.20, 3.5.00, 3.2.00, 3.1.00
Tested On: Linux 5.3.0-46-generic x86_64, Linux 4.15.0-20-generic x86_64, Linux 4.9.78-xxxx-std-ipv6-64, Linux 4.7.0-040700-generic x86_64, Linux 4.2.0-27-generic x86_64, Linux 3.19.0-47-generic x86_64, Linux 2.6.32-5-amd64 x86_64, Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64, macOS 10.13.5, Microsoft Windows 7 Business Edition SP1 i586, Apache/2.4.29 (Ubuntu), Apache/2.4.18 (Ubuntu), Apache/2.4.7 (Ubuntu), Apache/2.2.22 (Win64), Apache/2.4.18 (Ubuntu), Apache/2.2.16 (Debian), PHP/7.2.24-0ubuntu0.18.04.6, PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1, PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1, PHP/5.6.31, PHP/5.6.30-10+deb.sury.org~xenial+2, PHP/5.5.9-1ubuntu4.17, PHP/5.5.9-1ubuntu4.14, PHP/5.3.10, PHP/5.3.13, PHP/5.3.3-7+squeeze16, PHP/5.3.3-7+squeeze17, MySQL/5.5.49, MySQL/5.5.47, MySQL/5.5.40, MySQL/5.5.30, MySQL/5.1.66, MySQL/5.1.49, MySQL/5.0.77, MySQL/5.0.12-dev, MySQL/5.0.11-dev, MySQL/5.0.8-dev, phpMyAdmin/3.5.7, phpMyAdmin/3.4.10.1deb1, phpMyAdmin/3.4.7, phpMyAdmin/3.3.7deb7, WampServer 3.2.0, Acore Framework 2.0
Summary

Intelligent digital signage made easy. To go beyond the possibilities offered, b-swiss allows you to create the communication solution for your specific needs and your graphic charter. You benefit from our experience and know-how in the realization of your digital signage project.

Description

The application suffers from an authenticated arbitrary PHP code execution vulnerability. It is caused by improper verification of files uploaded through the 'rec_poza' POST parameter of the 'index.php' script. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script, which is stored in the web-accessible '/usr/users' directory. Because the application ships with an undocumented, hidden "maintenance" account 'admin_m' that holds the highest privileges, an attacker can use these hard-coded credentials to authenticate and then abuse the vulnerable image upload functionality to execute code on the server.
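
As an added illustration for defenders (this is not part of the advisory and not the vendor's code), the following Python script scans Apache combined-format access log lines for the footprint the description implies: a PHP script being served out of the '/usr/users' upload directory, correlated with earlier POST requests to 'index.php' from the same client address. The directory and endpoint names come from the advisory; the log lines, client addresses and file names are constructed samples.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Minimal parser for the Apache combined log format. Referer and
# user-agent fields may follow the size field; they are not required.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

UPLOAD_DIR = "/usr/users/"       # storage directory named in the advisory
UPLOAD_ENDPOINT = "/index.php"   # upload handler named in the advisory

# Server-side script extensions that must never be served from an upload
# directory. \b also catches double extensions such as "x.php.jpg", which
# some mod_php handler configurations still execute.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)\b", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(lines: List[str]) -> List[Dict[str, object]]:
    """Flag every request for a script file under UPLOAD_DIR and count how many
    POSTs to the upload endpoint the same client sent before it."""
    posts_by_ip: Dict[str, List[str]] = defaultdict(list)
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path_no_query = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path_no_query.endswith(UPLOAD_ENDPOINT):
            posts_by_ip[rec["ip"]].append(rec["ts"])
        if path_no_query.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path_no_query):
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": path_no_query,
                "status": rec["status"],
                "prior_uploads": len(posts_by_ip[rec["ip"]]),
            })
    return findings


# Constructed sample log lines (not real traffic, not from the advisory).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Sep/2020:10:00:01 +0000] "POST /index.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [18/Sep/2020:10:00:09 +0000] "POST /index.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [18/Sep/2020:10:00:15 +0000] "GET /usr/users/avatar.php HTTP/1.1" 200 87',
    '198.51.100.7 - - [18/Sep/2020:10:02:00 +0000] "GET /usr/users/logo.png HTTP/1.1" 200 4096',
    '198.51.100.7 - - [18/Sep/2020:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 2048',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} status={f['status']} "
              f"prior POSTs to index.php={f['prior_uploads']}")
```

Run against a real access log with `find_suspicious(open(path).read().splitlines())`. A hit with status 200 means the web server executed (or at least served) a script from the upload directory; the matching mitigation is to disable script execution for that directory (for example a `php_flag engine off` or a handler removal scoped to '/usr/users') and to enforce an image-only allowlist at upload time, independently of removing the hard-coded account.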

Proof of Concept
Disclosure Timeline
[13.06.2020] Vulnerability discovered.
[15.07.2020] Vendor contacted. (webform)
[17.07.2020] No response from the vendor.
[18.07.2020] Vendor contacted. (email)
[21.07.2020] Vendor responds asking for more details.
[21.07.2020] Sent overview to the vendor asking for a secure channel.
[23.07.2020] No response from the vendor.
[24.07.2020] Asked vendor for comment/update/status.
[27.07.2020] Vendor asks for more details.
[27.07.2020] Sent details to the vendor.
[29.07.2020] Asked vendor for status update.
[30.07.2020] Vendor responds with questions.
[30.07.2020] Replied to the vendor.
[31.07.2020] Vendor looking into roadmap for the problems identified.
[03.08.2020] Replied to the vendor.
[05.08.2020] Vendor responds: if the reported vulnerabilities are applicable, they will create a patch for customers.
[06.08.2020] Asked vendor for patch milestone.
[06.08.2020] Vendor doesn't know.
[18.08.2020] Asked vendor for status update.
[18.09.2020] No response from the vendor.
[18.09.2020] Asked vendor for status update.
[18.09.2020] Vendor refuses to provide any further information.
[18.09.2020] Replied to the vendor, advisory release scheduled for 19.09.2020.
[18.09.2020] Vendor working on fix, will inform us when issues have been solved.
[18.09.2020] Replied to the vendor.
[19.09.2020] Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
[19.09.2020] Initial release
[30.09.2020] Added reference [1], [2], [3] and [4]
[19.06.2021] Added reference [5] and [6]