Full Disclosure mailing list archives

AK-Nord USB-Server-LXL privilege escalation and code execution (CVE-2025-52361)


From: Marcus Krueppel <Marcus.Krueppel@msg.group>
Date: Fri, 25 Jul 2025 08:58:32 +0000

================== Overview ==================
TL;DR: Using the low-privilege "admin" SSH account on the IoT device "USB-Server-LXL" [1], it is possible to modify the 
script /etc/init.d/lighttpd, which root executes at every restart, leading to arbitrary code execution with root 
privileges.

CVE: CVE-2025-52361
Suggested CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Suggested CVSS score: 7.0 (High)
Author: Marcus Krüppel, msg systems ag [3]
Product: USB-Server-LXL [1]
Manufacturer: AK-Nord GmbH [2]
Affected versions: up to firmware "v0.0.16 Build 2023-03-13"

================== Vulnerability ==================
1. The device [1] supports SSH logins for two users: "root" with high privileges and "admin" with low privileges. The 
password of the "admin" user is required to log in; the factory default is "ak-nord".

2. All scripts in /etc/init.d/ are owned by root, except "lighttpd", which controls the web server. Because this file is 
owned by "admin", the "admin" user can edit it, e.g. with "vi".

3. Arbitrary commands can be added to the script, preferably after line 7, where they are always executed regardless of 
which parameters are passed to the script.

4. These commands are executed as root whenever root starts the script manually, and at every reboot.

5. This finally leads to arbitrary code execution.
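As an added defensive example (not part of this advisory and not the manufacturer's code): a small POSIX shell audit 
that lists the files in an init directory which a non-root user could modify, i.e. the ownership/permission condition 
that makes step 2 above possible. It assumes a "stat" that accepts "-c" (GNU coreutils or busybox, as found on 
Linux-based IoT devices); the directory path and the expected owner uid are parameters, the defaults being 
/etc/init.d and 0 (root).

```shell
#!/bin/sh
# Audit an init directory for scripts that a non-root user could modify.
# A file is reported when it is not owned by the expected uid (default 0 = root)
# or when its group or world write bit is set. Returns 0 if nothing was found,
# 1 otherwise. Assumes a stat(1) that understands -c (GNU coreutils / busybox).
#
# Usage:  sh audit_init.sh [DIR]         (audits DIR, default /etc/init.d)
#         . ./audit_init.sh; audit_init_dir /etc/init.d [EXPECTED_UID]
audit_init_dir() {
    dir="${1:-/etc/init.d}"
    want_uid="${2:-0}"
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        uid=$(stat -c '%u' "$f")     # numeric owner uid
        sym=$(stat -c '%A' "$f")     # symbolic mode, e.g. -rwxr-xr-x
        reasons=""
        # Ownership: any file not owned by root can be rewritten by its owner.
        [ "$uid" = "$want_uid" ] || reasons="owner uid $uid (expected $want_uid)"
        # Group write bit is character 6, world write bit is character 9.
        case "$sym" in ?????w*)    reasons="${reasons:+$reasons, }group-writable" ;; esac
        case "$sym" in ????????w*) reasons="${reasons:+$reasons, }world-writable" ;; esac
        if [ -n "$reasons" ]; then
            echo "$f: $reasons"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Run directly with a directory argument; when sourced, only the function is defined.
if [ -n "${1:-}" ]; then
    audit_init_dir "$1"
fi
```

The script only reports and changes nothing. The natural remediation for a reported file is to reassign it to root and 
remove the group/world write bits, so that the "admin" account can no longer alter code that root later executes.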

================== Background ==================
This vulnerability was found by msg systems during a pentest for a third party that uses the device in its logistics 
hubs.

#### AK-Nord GmbH ####
AK-Nord [2] is a German SME that offers a wide range of IT-related electronics and systems for use in industrial 
environments, with a focus on network-enabled adapters.

#### USB-Server-LXL ####
The device [1] is designed to host a USB hardware device and integrate it into a standard IP network via Ethernet.

#### msg systems ag ####
Apart from software development and consulting, msg systems [3] provides a wide range of security services, both 
technical (pentests, red teaming, SOC, forensics etc.) and organizational (ISO27001, BSI Grundschutz, security 
consulting, TISAX etc.). It employs over 100 dedicated security experts covering all aspects of modern IT security.

================== Timeline ==================
02.06.2025 Detection of vulnerability during pentest
04.06.2025 Full pentest report sent to third party client
12.06.2025 Excerpt of pentest report with this vulnerability sent to manufacturer
13.06.2025 Manufacturer responded and provided a patch [4]
13.06.2025 Process for a new CVE initiated at Mitre
08.07.2025 Mitre responded with reserved CVE-ID

================== References ==================
[1] https://www.ak-nord.de/usbserver-usb--usb-converter--usb-auf-ethernet--usb-to-ethernet--usb-auf-lan--usb-server--usb-konverter--print-server-80.html?language=en
[2] https://www.ak-nord.de/?language=en
[3] https://www.msg.group/en/solutions/security  |  Contact: mailto:pentest@msg.group
[4] https://www.ak-nord.de/download/daten/kirkstone/atto/Bugfix_CVE-2025-52361.swu
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/