CERTAINITY Research

Multiple Vulnerabilities in Web Level Control (WLC) Application

by: Yuri Gbur, Senior Security Consultant
Tuesday, January 7, 2025

Vulnerability Summary

CERTAINITY identified multiple vulnerabilities in the Web Level Control application during a penetration testing assessment. The following issues have been uncovered:

Security Advisory: Clock Fault Injection on Mocor OS – Password Bypass

Introduction

This security advisory addresses a vulnerability discovered during a recent forensics engagement. Our investigation together with ONEKEY revealed that the Mocor OS, running on UNISOC SC6531E devices, is susceptible to a clock fault injection attack, which poses a significant threat to user data security and privacy. Through this attack vector, an unauthorized user with physical access to a device can bypass the device’s user lock, gaining unrestricted access to the main screen and compromising the integrity of the system. Notably, this vulnerability arises from a flaw in the soft reset routine performed by the OS kernel, which lacks proper permission checks for user passwords, making feature/burner phones vulnerable to exploitation.

Security Advisory: Unauthenticated Remote Command Execution in Multiple WAGO Products

Introduction

As we already demonstrated through our recent advisories (Asus M25 NAS, Phoenix Contact, NetModule, Festo), ONEKEY's "zero day identification" module is quite versatile when it comes to finding bugs in PHP, Lua, or Python code we find in firmware uploaded to ONEKEY's platform. However, we recently discovered that we were missing an interesting source for PHP taint analysis: PHP wrappers. PHP comes with many built-in wrappers for various URL-style protocols for use with the filesystem functions such as fopen(), copy(), file_exists() and filesize(). They are sometimes used to read the content of HTTP requests or command line arguments by using php://input, php://stdin, or php://fd/0 (ok, the last one is a bit far-fetched and came up when we discussed potential sources for the taint analysis, but you get the point :) ).

Security Advisory: Multiple Vulnerabilities in Phoenix Contact Routers

Introduction

This is the fourth security advisory we release together with ONEKEY that is related to the introduction of a “zero-day identification” module that performs static code analysis on proprietary applications found within firmware uploaded to ONEKEY's platform. You can find the first three here: Asus M25 NAS Vulnerability, Multiple Vulnerabilities in NetModule Routers, and Unauthenticated Configuration Export in Multiple WAGO Products. Phoenix Contact is a manufacturer of industrial grade routers. The vulnerabilities identified within the web management interface allow authenticated users to execute arbitrary commands with elevated privileges or to access any file on the system.

Security Advisory: Multiple Vulnerabilities in NetModule Routers

Introduction

This is the third security advisory we release in cooperation with ONEKEY that is related to the introduction of a “zero-day identification” module that performs static code analysis on proprietary applications found within firmware uploaded to ONEKEY’s platform. NetModule is an Original Equipment Manufacturer of industrial grade routers. The vulnerabilities identified within the web management interface allow authenticated users to execute arbitrary commands with elevated privileges or to access any file on the system.

Security Advisory: Unauthenticated Configuration Export in Multiple WAGO Products

As shown in our previous security advisory for the Asus M25 NAS from our research cooperation with ONEKEY, we recently introduced a “zero-day identification” module that performs static code analysis on proprietary applications found within firmware uploaded to ONEKEY’s platform. This module reported two potential issues within a WAGO Series PFC100 configuration API: a path traversal and a command injection vulnerability. The command injection turned out to be a false positive (we have strengthened our analysis capabilities since then), but it got us to investigate a specific PHP file where we identified that the authentication and authorization code blocks were commented out.

Security Advisory: Asus M25 NAS Vulnerability

by: ONEKEY and CERTAINITY joint research team
Thursday, December 1, 2022

ONEKEY and CERTAINITY - together for more cybersecurity

In October we announced our joint research cooperation, and we are now able to present our first findings. We recently deployed the first component of our “zero-day identification” module, which is aimed at identifying vulnerability patterns in scripting languages. It’s been a long time coming and we want to share a few technical details about it with you. Our objective is to support identification of vulnerability patterns in both scripting languages and compiled binaries. We started off with scripting languages as it seemed to be the easiest path to get results fast. Our first order of business was to identify the distribution of scripting languages within our corpus based on our file categorization. These statistics guided us in choosing which languages to support first.