B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution

Title: B-swiss 3 Digital Signage System 3.6.5 Backdoor Remote Code Execution
Advisory ID: ZSL-2020-5590
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 19.09.2020
Summary
Intelligent digital signage made easy. To go beyond the possibilities offered, b-swiss allows you to create the communication solution for your specific needs and your graphic charter. You benefit from our experience and know-how in the realization of your digital signage project.
Description
The application suffers from an "authenticated" arbitrary PHP code execution vulnerability. The issue is caused by improper verification of uploaded files in the 'index.php' script through the 'rec_poza' POST parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file, which is stored in the '/usr/users' directory and executed from there. Authentication is not a real barrier: the application ships with an undocumented, hidden "maintenance" account, 'admin_m', which has the highest privileges in the application. An attacker can use these hard-coded credentials to authenticate and then abuse the vulnerable image upload functionality to execute code on the server.
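As an added example, not part of this advisory and not the vendor's code: the verification that the 'rec_poza' upload handling in 'index.php' is missing, written in Python, followed by a scan over constructed Apache access-log lines for script files requested under the upload directory, which is the trace an exploited install leaves. The web path '/usr/users/' (assumed to mirror the storage directory named above), the accepted image types and the log lines are assumptions; the hidden account's credentials are deliberately not part of the example.

```python
import os
import re
import secrets
from typing import List, Tuple

# Image types the signage upload is expected to accept (assumption: the form
# is meant for images only). Signatures are the standard file magic bytes.
ALLOWED_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Web path under which stored uploads are served; assumed to mirror the
# '/usr/users' storage directory named in the advisory.
UPLOAD_WEB_DIR = "/usr/users/"


class UploadRejected(ValueError):
    """Raised when an upload fails verification."""


def safe_upload_name(client_filename: str, content: bytes) -> str:
    """Verify an image upload and return a server-chosen filename.

    This is the verification missing from the 'rec_poza' handling: the
    extension must be on the allow-list, the content must carry that type's
    signature, no PHP open tag may be embedded, and the stored name is
    generated rather than taken from the client, so neither 'shell.php' nor
    'shell.php.png' can be stored and executed under /usr/users.
    """
    base = os.path.basename(client_filename.replace("\\", "/"))
    m = re.fullmatch(r"[A-Za-z0-9_.-]+\.([A-Za-z0-9]{1,5})", base)
    if not m:
        raise UploadRejected("filename has no usable extension")
    ext = m.group(1).lower()
    signature = ALLOWED_SIGNATURES.get(ext)
    if signature is None:
        raise UploadRejected(f"extension .{ext} is not an allowed image type")
    if not content.startswith(signature):
        raise UploadRejected("file content does not match the declared type")
    if b"<?php" in content or b"<?=" in content:
        raise UploadRejected("image carries an embedded PHP tag")
    return f"{secrets.token_hex(16)}.{ext}"


def upload_allowed(client_filename: str, content: bytes) -> bool:
    """True if safe_upload_name() would accept the upload."""
    try:
        safe_upload_name(client_filename, content)
    except UploadRejected:
        return False
    return True


# Apache common/combined log prefix: client, ident, user, [timestamp],
# "METHOD path protocol", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

SCRIPT_SUFFIX = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)


def find_upload_dir_script_hits(log_lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return (client, timestamp, path, status) for requests of script files
    under the upload directory. That directory should only serve images, so
    any such request, above all one answered with 200, points at a web shell
    dropped through the upload form."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path.startswith(UPLOAD_WEB_DIR) and SCRIPT_SUFFIX.search(path):
            hits.append((m.group("ip"), m.group("ts"), path, int(m.group("status"))))
    return hits


# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Sep/2020:10:01:12 +0200] "POST /index.php HTTP/1.1" 200 5123
203.0.113.7 - - [19/Sep/2020:10:01:15 +0200] "GET /usr/users/logo.png HTTP/1.1" 200 18422
203.0.113.7 - - [19/Sep/2020:10:01:40 +0200] "GET /usr/users/cmd.php?cmd=id HTTP/1.1" 200 233
198.51.100.9 - - [19/Sep/2020:10:02:03 +0200] "GET /usr/users/shell.phtml HTTP/1.1" 404 196
""".splitlines()


if __name__ == "__main__":
    print(safe_upload_name("logo.png", ALLOWED_SIGNATURES["png"] + b"\x00" * 16))
    print(upload_allowed("shell.php", b"<?php system($_GET['cmd']); ?>"))
    print(upload_allowed("shell.php.png", b"<?php system($_GET['cmd']); ?>"))
    for hit in find_upload_dir_script_hits(SAMPLE_LOG):
        print(hit)
```

Even with this check in place, the upload directory should be served with script execution disabled (for Apache, a directory-level `php_flag engine off` or removing the PHP handler for that path), so that a file which slips through is served as bytes rather than run; the log scan is the compensating control for installs that cannot be patched yet.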
Vendor
B-Swiss SARL | b-tween Sarl - https://www.b-swiss.com
Affected Version
3.6.5
3.6.2
3.6.1
3.6.0
3.5.80
3.5.40
3.5.20
3.5.00
3.2.00
3.1.00
Tested On
Linux 5.3.0-46-generic x86_64
Linux 4.15.0-20-generic x86_64
Linux 4.9.78-xxxx-std-ipv6-64
Linux 4.7.0-040700-generic x86_64
Linux 4.2.0-27-generic x86_64
Linux 3.19.0-47-generic x86_64
Linux 2.6.32-5-amd64 x86_64
Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64
macOS 10.13.5
Microsoft Windows 7 Business Edition SP1 i586
Apache/2.4.29 (Ubuntu)
Apache/2.4.18 (Ubuntu)
Apache/2.4.7 (Ubuntu)
Apache/2.2.22 (Win64)
Apache/2.2.16 (Debian)
PHP/7.2.24-0ubuntu0.18.04.6
PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1
PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1
PHP/5.6.31
PHP/5.6.30-10+deb.sury.org~xenial+2
PHP/5.5.9-1ubuntu4.17
PHP/5.5.9-1ubuntu4.14
PHP/5.3.10
PHP/5.3.13
PHP/5.3.3-7+squeeze16
PHP/5.3.3-7+squeeze17
MySQL/5.5.49
MySQL/5.5.47
MySQL/5.5.40
MySQL/5.5.30
MySQL/5.1.66
MySQL/5.1.49
MySQL/5.0.77
MySQL/5.0.12-dev
MySQL/5.0.11-dev
MySQL/5.0.8-dev
phpMyAdmin/3.5.7
phpMyAdmin/3.4.10.1deb1
phpMyAdmin/3.4.7
phpMyAdmin/3.3.7deb7
WampServer 3.2.0
Acore Framework 2.0
Vendor Status
[13.06.2020] Vulnerability discovered.
[15.07.2020] Vendor contacted. (webform)
[17.07.2020] No response from the vendor.
[18.07.2020] Vendor contacted. (email)
[21.07.2020] Vendor responds asking more details.
[21.07.2020] Sent overview to the vendor asking for secure channel.
[23.07.2020] No response from the vendor.
[24.07.2020] Asked vendor for comment/update/status.
[27.07.2020] Vendor asks more details.
[27.07.2020] Sent details to the vendor.
[29.07.2020] Asked vendor for status update.
[30.07.2020] Vendor responds with questions.
[30.07.2020] Replied to the vendor.
[31.07.2020] Vendor looking into roadmap for the problems identified.
[03.08.2020] Replied to the vendor.
[05.08.2020] Vendor responds, if the reported vulnerabilities are applicable they will create patch for customers.
[06.08.2020] Asked vendor for patch milestone.
[06.08.2020] Vendor doesn't know.
[18.08.2020] Asked vendor for status update.
[18.09.2020] No response from the vendor.
[18.09.2020] Asked vendor for status update.
[18.09.2020] Vendor refuses to provide any further information.
[18.09.2020] Replied to the vendor, advisory release scheduled 19.09.2020.
[18.09.2020] Vendor working on fix, will inform us when issues have been solved.
[18.09.2020] Replied to the vendor.
[19.09.2020] Public security advisory released.
PoC
bswiss3.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/48824
[2] https://packetstormsecurity.com/files/159232
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/188577
[4] https://cxsecurity.com/issue/WLB-2020090110
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22004
[6] https://nvd.nist.gov/vuln/detail/CVE-2020-22004
Changelog
[19.09.2020] - Initial release
[30.09.2020] - Added reference [1], [2], [3] and [4]
[19.06.2021] - Added reference [5] and [6]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk