Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Advantech EKI-6340 Command Injection

1. *Advisory Information*

Title: Advantech EKI-6340 Command Injection
Advisory ID: CORE-2014-0009
Advisory URL: http://www.coresecurity.com/advisories/advantech-eki-6340-command-injection
Date published: 2014-11-19
Date of last update: 2014-11-19
Vendors contacted: Advantech
Release mode: User release

2. *Vulnerability Information*

Class: OS Command Injection [CWE-78]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-8387

3. *Vulnerability Description*

The Advantech EKI-6340 [1] series are wireless Mesh APs for outdoor
deployment. With self-healing and self-forming capabilities, the
wireless network is free from interruption even when part of the Mesh
nodes fail. This is especially critical for infrastructures where wired
solutions are hard to deploy. The Mesh network covers growing data-rich
demands such as video security, surveillance and entertainment.

Advantech EKI-6340 series devices are vulnerable to OS command
injection, which remote attackers can exploit to execute arbitrary
commands (and therefore arbitrary code) on the device by using a
non-privileged user account against a vulnerable CGI file.

4. *Vulnerable packages*

. Advantech EKI-6340 V2.05
. Other versions may probably be affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

Considering that the vendor is not going to fix or update this device,
the following recommendations should be taken into consideration when
using a vulnerable device:

- Change the 'guest' user password (or delete the user if it is not
  used).
- Edit the fshttpd.conf file and remove the line
  'guest_allow=/cgi/ping.cgi'.
- Check that the 'admin' user does not have the default password
  either.

6. *Credits*

This vulnerability was discovered and researched by Facundo Pantaleo
and Flavio Cangini from Core Security Engineering Team. The publication
of this advisory was coordinated by Joaquín Rodríguez Varela from Core
Advisories Team.

7. *Technical Description / Proof of Concept Code*

This vulnerability is caused by incorrect sanitization of the input
parameters of the file "ping.cgi", which is a symbolic link to
"utility.cgi". Additional commands can be concatenated after the IP
address parameter, enabling a user to inject OS commands. The
"call_ping" function inside the file "/usr/webui/webroot/cgi/utility.cgi"
is where the vulnerability lies.

The CGI file requires authentication, but the "admin" user is not the
only one allowed to execute it. Based on the webserver's default
configuration file, the "guest" user has permission over it as well.
This user is rarely disabled and its password tends to remain
unchanged. Its default credentials are username "user" and password
"user". Below is an example of the webserver's (based on the Mongoose
webserver [2]) default configuration file "fshttpd.conf":

/-----
listening_ports=80,443s
user_admin=admin
pass_admin=admin
user_guest=user
pass_guest=user
document_root=/usr/webui/webroot
authorize_uri=/authorize
unauthorize_uri=/unauthorize
login_uri=/login.html
logout_uri=/logout.html
login_fail_uri=/err/login_fail.html
sessions_full_uri=/err/nosessions.html
no_redirect_uri=/cgi/fwupstatus.cgi
guest_allow=/admin/FWUPStatus.html
guest_allow=/status/*
guest_allow=/utility/Ping.html
guest_allow=/utility/RssiCalc.html
guest_allow=/utility/FresnelZone.html
guest_allow=/cgi/ping.cgi
guest_allow=/cgi/status_query.cgi
guest_allow=/cgi/nodeinfo_query_MAC.cgi
guest_allow=/cgi/nodeinfo_query.cgi
guest_allow=/cgi/nodeinfo_query_AP.cgi
guest_allow=/cgi/fwupstatus.cgi
nologin_allow=/
nologin_allow=/index.*
nologin_allow=/css/*
nologin_allow=/template/*
nologin_allow=/images/*
nologin_allow=/images/dhtmlxcalendar_dhx_skyblue/*
nologin_allow=/js/*
nologin_allow=/favicon.ico
nologin_allow=/err/*
-----/

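As an added example that is not part of the advisory, the following Python audit applies the recommendations of section 5 to a file in the fshttpd.conf format shown above: it flags accounts whose password is a known default or equals the username, flags every guest_allow entry that exposes a CGI script to the low-privilege guest account, and can drop the 'guest_allow=/cgi/ping.cgi' line as the advisory's workaround does. The sample configuration is a constructed subset of the file quoted above; the weak-password list and the rule that any /cgi/ path reachable by guest deserves a finding are this example's own assumptions.

```python
"""Audit an fshttpd.conf-style file for the weaknesses in this advisory.

Added example, not Advantech's or Core Security's code. The rules
(which passwords count as weak, which guest_allow paths to flag) are
this example's own assumptions.
"""

from typing import Dict, List, Tuple

# Constructed sample: a subset of the default fshttpd.conf quoted in the
# advisory, kept in the same key=value format.
SAMPLE_CONF = """\
listening_ports=80,443s
user_admin=admin
pass_admin=admin
user_guest=user
pass_guest=user
document_root=/usr/webui/webroot
guest_allow=/utility/Ping.html
guest_allow=/cgi/ping.cgi
guest_allow=/cgi/status_query.cgi
nologin_allow=/css/*
"""

# Assumed list of passwords that should never survive an audit.
WEAK_PASSWORDS = {"", "admin", "user", "guest", "password"}


def parse_conf(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs in file order. Keys such as guest_allow
    repeat, so a list of pairs is used instead of a dict."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # tolerate a malformed line rather than abort the audit
        pairs.append((key.strip(), value.strip()))
    return pairs


def audit_conf(text: str) -> List[str]:
    """Return one finding per weakness; an empty list means nothing flagged."""
    pairs = parse_conf(text)
    users: Dict[str, str] = {}
    passwords: Dict[str, str] = {}
    for key, value in pairs:
        if key.startswith("user_"):
            users[key[len("user_"):]] = value
        elif key.startswith("pass_"):
            passwords[key[len("pass_"):]] = value

    findings: List[str] = []
    # Default or username-equal passwords (the advisory's first and third points).
    for role, password in passwords.items():
        username = users.get(role, "")
        if password in WEAK_PASSWORDS or password == username:
            findings.append(f"weak/default password for '{role}' account '{username}'")
    # Any CGI reachable by the guest role is server-side code exposed to a
    # low-privilege account (the advisory's second point).
    for key, value in pairs:
        if key == "guest_allow" and value.startswith("/cgi/"):
            findings.append(f"guest_allow exposes a CGI script: {value}")
    return findings


def remove_guest_allow(text: str, path: str) -> str:
    """Return the config with every 'guest_allow=<path>' line removed, which
    is the advisory's workaround for /cgi/ping.cgi. Other lines are kept."""
    kept = []
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "guest_allow" and value.strip() == path:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for finding in audit_conf(SAMPLE_CONF):
        print("FINDING:", finding)
    fixed = remove_guest_allow(SAMPLE_CONF, "/cgi/ping.cgi")
    print("after workaround:", len(audit_conf(fixed)), "finding(s) remain")
```

Run against the real file, the audit still reports the other guest-reachable CGI scripts after the ping.cgi line is removed; whether those need the same treatment is a question the advisory does not answer, so the script only reports them.
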
7.1. *Proof of Concept*

/-----
http://localhost:80/cgi/ping.cgi?pinghost=127.0.0.1;sleep%2010&pingsize=3

When requested for credentials use the following:

User: user
Password: user
-----/

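The following Python is an added example, not code from the advisory or from the EKI-6340 firmware (the call_ping routine in utility.cgi is not published). It shows how a ping CGI can handle the pinghost and pingsize parameters so that a request like the one above is rejected before anything runs: each value must match a strict allow-list grammar (an IP literal or a plain DNS name, and a bounded decimal number), and the command is launched as an argument vector with no shell, so the parameter can never be reinterpreted as a second command. The parameter names come from the PoC URL; the size bounds, the hostname grammar and the ping flags are this example's assumptions.

```python
"""Hardened handling of a ping CGI's parameters.

Added example, not the EKI-6340 firmware's code (the call_ping routine
in utility.cgi is not published). Parameter names follow the PoC URL;
the size bounds, the hostname grammar and the ping flags are assumptions.
"""

import ipaddress
import re
import subprocess
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

MIN_SIZE, MAX_SIZE = 1, 1472          # assumed bounds for pingsize
PACKET_COUNT = "3"                    # assumed fixed packet count

# Plain DNS name: dot-separated labels of letters, digits and hyphens.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def parse_query(query: str) -> Dict[str, str]:
    """Minimal query-string parser: '&' separated, percent-decoded, first
    occurrence of a key wins. Done by hand so ';' is never a separator."""
    params: Dict[str, str] = {}
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        params.setdefault(unquote_plus(key), unquote_plus(value))
    return params


def valid_host(value: str) -> bool:
    """Accept only an IP literal or a plain DNS name. Anything else, such
    as '127.0.0.1;sleep 10', fails closed; no blacklist of metacharacters
    is needed because the allowed grammar cannot contain them."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(_HOSTNAME_RE.match(value))


def valid_size(value: str) -> bool:
    """pingsize must be a plain decimal number inside the assumed bounds."""
    return value.isdigit() and MIN_SIZE <= int(value) <= MAX_SIZE


def build_ping_argv(query: str) -> Optional[List[str]]:
    """Return an argv list for the ping command, or None if any parameter
    fails validation. The list is handed to the OS directly (no shell), so
    the values are data, never commands. valid_host() guarantees the host
    cannot start with '-', so it cannot be parsed as an option either."""
    params = parse_query(query)
    host = params.get("pinghost", "")
    size = params.get("pingsize", "56")
    if not valid_host(host) or not valid_size(size):
        return None
    return ["ping", "-c", PACKET_COUNT, "-s", size, host]


def handle_ping_request(query: str) -> str:
    """CGI-style entry point: validate, then run ping without a shell."""
    argv = build_ping_argv(query)
    if argv is None:
        return "400 Bad Request: invalid pinghost or pingsize"
    try:
        result = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return f"500 Internal Server Error: {exc}"
    return result.stdout or result.stderr


if __name__ == "__main__":
    # The advisory's PoC query string is rejected before any command runs.
    print(handle_ping_request("pinghost=127.0.0.1;sleep%2010&pingsize=3"))
```

The design point is that validation is an allow-list, not a search for ';' or '|': the check states what a host may look like, so every encoding trick that a metacharacter blacklist would miss is rejected for free, and the argv form removes the shell from the path entirely.
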
8. *Report Timeline*

. 2014-10-01:
Initial notification sent to ICS-CERT informing of the vulnerability
and requesting the vendor's contact information.

. 2014-10-01:
ICS-CERT informs that they will ask the vendor if they want to
coordinate directly with us or if they prefer to have ICS-CERT mediate.
They request the vulnerability report.

. 2014-10-01:
ICS-CERT informs that the vendor answered that they would like
ICS-CERT to mediate the coordination of the advisory. They request the
vulnerability report again.

. 2014-10-01:
We send the vulnerability details, including a technical description
and a PoC.

. 2014-10-09:
We request a status update on the reported vulnerability.

. 2014-10-20:
ICS-CERT informs that the vendor plans to discontinue the EKI-6340 early
next year and therefore will not fix it.

. 2014-11-13:
We inform them that we will publish this advisory as a user release on
Wednesday, 19th of November.

. 2014-11-19:
Advisory CORE-2014-0009 published.

9. *References*

[1] http://www.advantech.com.tw/products/56bfcf50-1ada-4ac6-aaf5-4e726ebad002/EKI-6340/mod_04f43dee-f991-44f1-aa1b-bbb1b30f2a72.aspx
[2] https://code.google.com/p/mongoose/

10. *About CoreLabs*

CoreLabs, the research center of Core Security, is charged with
anticipating the future needs and requirements for information security
technologies. We conduct our research in several important areas of
computer security including system vulnerabilities, cyber attack
planning and simulation, source code auditing, and cryptography. Our
results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com

11. *About Core Security*

Core Security enables organizations to get ahead of threats with
security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security can
be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com

12. *Disclaimer*

The contents of this advisory are copyright (c) 2014 Core Security
and (c) 2014 CoreLabs, and are licensed under a Creative Commons
Attribution Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc