CVE-2020-14028
📋 TL;DR
CVE-2020-14028 is a path traversal vulnerability in Ozeki NG SMS Gateway's Autoreply module that allows attackers to write or overwrite arbitrary files with SYSTEM privileges. This affects Ozeki NG SMS Gateway installations through version 4.17.6. Attackers can potentially compromise the entire system by writing malicious files.
💻 Affected Systems
- Ozeki NG SMS Gateway
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via arbitrary file write leading to remote code execution, data destruction, or persistent backdoor installation with SYSTEM privileges.
Likely Case
File system manipulation allowing data exfiltration, service disruption, or privilege escalation through malicious file writes.
If Mitigated
Limited impact with proper file system permissions, network segmentation, and monitoring in place.
🎯 Exploit Status
Exploitation requires access to the Autoreply module interface but doesn't require authentication beyond that. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.17.7 or later
Vendor Advisory: http://www.ozeki.hu/index.php?owpn=231
Restart Required: Yes
Instructions:
1. Download Ozeki NG SMS Gateway version 4.17.7 or later from the official website.
2. Back up your configuration and data.
3. Install the updated version.
4. Restart the SMS Gateway service.
🔧 Temporary Workarounds
Disable Autoreply Module
Windows: Temporarily disable the vulnerable Autoreply module until patching is possible.
Navigate to Ozeki SMS Gateway configuration > Modules > Autoreply > Disable
Restrict File System Permissions
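Windows: Apply strict file system permissions to limit where the SMS Gateway can write files. The command below denies SYSTEM write access to the installation directory tree only; it does not restrict writes elsewhere on the disk.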
icacls "C:\Program Files\Ozeki\NG SMS Gateway" /deny SYSTEM:(OI)(CI)W
🧯 If You Can't Patch
- Implement network segmentation to isolate the SMS Gateway from critical systems
- Enable detailed file system auditing and monitor for unauthorized file writes
🔍 How to Verify
Check if Vulnerable:
Check the Ozeki NG SMS Gateway version in the administration interface. If the version is 4.17.6 or earlier, the system is vulnerable.
Check Version:
Check the version displayed in the Ozeki NG SMS Gateway web interface or examine the installation directory properties.
Verify Fix Applied:
Verify the version is 4.17.7 or later in the administration interface and test that the Autoreply module functions without allowing path traversal.
📡 Detection & Monitoring
Log Indicators:
- Unusual file write operations in Windows Event Logs
- Autoreply module access attempts with suspicious file paths
Network Indicators:
- HTTP requests to Autoreply endpoint with path traversal sequences (../)
SIEM Query:
source="windows" AND (event_id="4656" OR event_id="4663") AND process_name="ozeki*" AND object_name="*../*"
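The two indicators above can be checked more robustly than by a literal `../` match, as in this added example (not code from the vendor or the advisory). It decodes request targets before looking for `..` segments and flags file writes that resolve outside the install directory, since an audit event may record an already-resolved path. The `/autoreply` endpoint name, the log values and the use of the install path from the icacls line as the root are assumptions.

```python
import ntpath
import re
from urllib.parse import unquote

# Assumption: install directory as written in the icacls workaround on this page.
INSTALL_ROOT = r"C:\Program Files\Ozeki\NG SMS Gateway"

# ".." as a whole path segment, delimited by / or \ (Windows accepts both)
# or by a query-string separator.
_DOTDOT = re.compile(r"(^|[\\/=&?])\.\.([\\/]|$)")


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded forms surface."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(request_target):
    """True if the request path or query holds a '..' segment after decoding."""
    return bool(_DOTDOT.search(fully_decode(request_target)))


def write_outside_root(object_name, root=INSTALL_ROOT):
    """True if a file path from a 4663-style event resolves outside root."""
    path = ntpath.normcase(ntpath.normpath(object_name))
    base = ntpath.normcase(ntpath.normpath(root))
    return not (path == base or path.startswith(base + "\\"))


# Constructed sample data; "/autoreply" is a hypothetical endpoint name.
SAMPLE_REQUESTS = [
    "/autoreply?file=replies.txt",              # benign
    "/autoreply?file=../../out.txt",            # plain sequence
    "/autoreply?file=..%5c..%5cout.txt",        # encoded backslash
    "/autoreply?file=%252e%252e%252fout.txt",   # double-encoded
    "/autoreply?file=notes..txt",               # dots inside a name, benign
]
SAMPLE_WRITES = [
    r"C:\Program Files\Ozeki\NG SMS Gateway\config\autoreply.txt",
    r"C:\Program Files\Ozeki\NG SMS Gateway\config\..\..\..\..\Windows\Temp\x.txt",
    r"C:\Windows\Temp\x.txt",
]
```

Run `has_traversal` over web or proxy log request targets and `write_outside_root` over the object names of file-write events attributed to the gateway process.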
🔗 References
- http://www.ozeki.hu/index.php?owpn=231
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-14028-Arbitary%20File%20Write-Ozeki%20SMS%20Gateway