Thursday, December 24, 2015

[ICS] XZERES 442SR Wind Turbine XSS Vulnerability

[ICS] XZERES 442SR Wind Turbine Cross-site Scripting Vulnerability


AFFECTED PRODUCTS
XZERES is a US-based energy company that maintains offices in several countries around the world, including the UK, Italy, Japan, Vietnam, Philippines, and Myanmar.

The affected product, 442SR Wind Turbine, has a web-based interface system. According to XZERES, the 442SR is deployed across the Energy sector. XZERES estimates that this product is used worldwide.

Reference

Vulnerable parameter
id

PoC
http://<IP>/details?object=Inverter&id=2<script>alert(xss-id-parameter") </script>


[ICS] eWON sa Industrial router - Multiple Vulnerabilities

[ICS] Exploitation details for eWON sa Industrial router vulnerabilities

eWON connects the machine across the Internet

Breaking the barrier between industrial applications and IT standards, the mission of eWON is to connect industrial machines securely to the Internet, enabling easy remote access and gathering all types of technical data originating from industrial machines. 

Typical applications within the scope of our mission include remote maintenance, predictive maintenance, remote services, asset management, remote metering, multi-site building management, M2M, and more.

AFFECTED PRODUCTS
The following eWON router firmware versions are affected:
All eWON firmware versions prior to 10.1s0

Reference

Vulnerabilities

WEAK SESSION MANAGEMENT - FIXED by eWON
CVE-2015-7924

Session remains active even after user performs log off. This vulnerability is by design. Session is destroyed only after browser is exited.

CROSS-SITE REQUEST FORGERY ATTACKS - NOT FIXED by eWON
CVE-2015-7925

There is no CSRF token set by the application in any of the forms / pages. Any & all functions can be executed silently without getting validated from authorized user, if / when this issue is exploited.

…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..
eWON says

Verified but won't fix. The current implementation is done by design (the user must be able to submit forms using GET only).

As CSRF attack suggests, the user must be already logged on the eWON using its internet browser and the session must thus be valid on user's browser. However eWON IP must also be known by the attacker knowing that the VPN will set another IP each time the victim connects to eWON.

The connection to an eWON device is only possible by a secured VPN, a point- to-point LAN or a secured LAN. 

On their website, eWON describes this issue as following:

Mitigating factors: 
Many requirements have to be met for a successful attack:
The attacker needs a valid login to the eWON.
The attacker needs HTTP access to the eWON (e.g. eWON web server exposed to the public Internet).
Also connections to eWON devices should in standard use cases only occur through:
- a point-to-point LAN, a secured LAN (sniffing the victim IP is not really achievable in these two cases) 
- or a secured VPN (VPN allocated IP address is then defined by the VPN server).
—> eWON team just doesn't understand how CSRF works. And continue to assume the device mgmt portal is accessible ONLY over the VPN, P2P LAN or secured LAN. They clearly have not looked at Shodan and / or publicly accessible portals.
…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..

WEAK RBAC CONTROLS - FIXED by eWON
CVE-2015-7926

The software allows an unauthenticated user to gather information and status of I/O servers through the use of a forged URL.

NOTE: An unauthorized / low-privileged user can perform several unauthorized actions such as reading, updating, & deleting I/O servers, configurations, enabling/disabling I/O servers, & accessing, deleting valid users.

Scenario

Two users

1. adm - Default privileged user - can perform all administrative functions - full rights - [ v o a c f e h j ]
2. test - newly created user - no rights - no [ v o a c f e h j ]

Issue 1

It is possible to enumerate valid I/O servers

I/O Server list is a set defined list:
MEM cbIOSrvList=0 
EWON cbIOSrvList=1 
MODBUS cbIOSrvList=2 
NETMPI ...
SNMP cbIOSrvList=4
DF1 ...
FINS ...
so on
...
...
& others

An unauthorized / unprivileged user can gather information and status of these IO servers in the following manner:

Logged in as ‘test'

Access - http://<IP>/rcgi.bin/Edit1IOSrvForm?cbIOSrvList=0&Ac2on=edit

If Response says
-> Not Configurable.
-> Not a valid I/O

If Response says
-> Access Denied
-> Implies a valid I/O
-> Window Title reveals the I/O server type - example, Modbus IO Server Config, DF1 1O Server Config, n so on

Issue 2
It is possible to modify parameter values of I/O servers directly

Updating the values when logged in as 'test'

Change POST request to GET Modify param values

http://<IP>/rcgi.bin/EditUsrIOSrvForm?edCfgData=MinInterval%3A10%0D %0AMaxInterval%3A268435459%0D%0AReverseCount %3A0&B1=Update&AST_IOSrvNdx=1

Response
-> IO Server config updated.

Similarly, other I/O server configuration can be updated. In case an I/O server is not Enabled, it can be enabled and configured with custom values.

Following poc for SNMP I/O Server settings (This IO server communicates with any SNMP device)

Enabling and configuring SNMP I/O server (logged in as test)

http://<IP>/rcgi.bin/EditAdvUsrIOSrvForm? edEnabledA=1&edGlobAddrA=&edPeriodA=&edGlobAddrB=&edPeriodB=&edGlo bAddrC=&edPeriodC=&B1=Update+Config&IOServer=SNMP
-> IO Server config updated.

Issue 3

Deleting All Users

It is possible for a user with no rights to:
1. Enumerate configured users
2. Delete any & all users.

HTTP GET request to delete a user (when logged in as 'test') (unauthorized request)

http://<IP>/rcgi.bin/EditForm?CB2=3&NbCB=4&Opera2onType=DeleteUser

This brings up a confirmation prompt validating if we really want to delete the user.

It presents the username and offers two options - 
Option 1 - Cancel and Confirm/Delete 
Option 2 - Select Confirm/Delete
.....
Users List test
Please confirm you want to delete these items Select Confirm/Delete
.....
Next, the url redirects to DeleteForm which then shows Access denied twice
..... http://<IP>/rcgi.bin/DeleteForm 
Access denied
Access denied
.....
-> But the user gets deleted anyway. :) Verify by Refreshing User List

Enumerating Users

In order to enumerate valid users, we only need to submit the first DeleteUser request
  • http://<IP>/rcgi.bin/EditForm?CB2=4&NbCB=3&Opera2onType=DeleteUser
It will show the username.
This process can of course be automated to view all valid application usernames.
…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..
eWON considered WEAK RBAC issue a minor one. They do not seem to understand the difference between authentication vs authorization, and therefore AuthZ flaw impact at all.

eWON says:
It's a minor issue as these informations are already available through eWON User Manual. We will however completely block the page in a future eWON firmware release when user credentials don't meet the requirements to avoid any ambiguity regarding eWON security.
—> Regardless, the new firmware says this issue has been fixed..
…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..

STORED CROSS-SITE SCRIPTING - NOT FIXED by eWON
CVE-2015-7927

Vulnerable functions / parameters
Create / Edit User
User First Name 
User Last Name 
User information
Create / Edit Tag
Tag Description

…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..
eWON says

Verified.
Won't fix: We left the possibility to include HTML tags or javascript in form fields and form url parameters to meet some specific final user needs. Note that this kind of injection is achievable through FTP upload as everything is saved in the eWON config files. Furthermore all theses XSS exploit also require valid user authentication and rights.

—> Yeah, it’s a feature..and input validation is a useless practice - /mock_rant.
…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..

Reflected XSS - NOT FIXED by eWON

Vulnerable parameter - AST_ErrorMsg

http://<IP>/rcgi.bin/wsdForm?sys_Csave=1&AST_ErrorMsg=Success<script>alert("xss-AST_ErrorMsg")</ script>&sys_IpMbsSrvPort=502&sys_IpEipSrvPort=44818&sys_IpIsoSrvPort=102& sys_IpFinsSrvPort=9600&sys_TagPollMode=0&sys_IOTcpDefTO=1000&btUpdate= Update

PASSWORDS NOT SECURED - PARTIAL FIX by eWON
CVE-2015-7928

Passwords are passed in plain text allowing a malicious party to retrieve them from network traffic. The autocomplete setting of some eWON forms also allows these passwords to be retrieved from the browser. Compromise of the credentials would allow unauthenticated access.
…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..
eWON says

2. Won't fix as the final user is supposed to configure eWON through VPN.
—> Yeah, supposed to..
…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..

POST/GET ISSUES - NOT FIXED by eWON
CVE-2015-7929

eWON firmware web server allows the use of the HTML command GET in place of POST. GET is less secure because data that are sent are part of the URL.

…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..
eWON says

Won't fix. This could be a problem regarding CRSF (issue B) but the final user is supposed to configure eWON through VPN (and thus https).

—> Again, they don't seem to understand why GET/POST interchange can be a problem, and instead bring CSRF into its reference.

…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..…..

+++++

Cheers!

Monday, December 21, 2015

LG-Nortel ADSL modem Multiple Vulnerabilities

LG-Nortel ADSL modem - Multiple Vulnerabilities

These vulnerabilities were found during April - May 2015. This device is heavily deployed by Optus in Australia (Sydney) for its SOHO broadband customers. 
(Potential) Estimated deployment size is 20-30% of customer base.
Optus, CERT-US, CERT-AU, are aware of these issues.

Ownership of this model by LG Nortel could not be identified.

This device may very well be used by other Service Providers and / or in other locations.

I am not sure if & how this device might connect back to Optus network. If it does connect / talk back, it'd be interesting what impact it can create.


Device Info
Board ID: DV2020
Product Version: S1.064B2.3H0-0
Software Version: 3.04L.02V.sip._LE9500.dspApp3341A2pB022f.d19e
Bootloader (CFE) Version: 1.0.37-4.3
Wireless Driver Version: 3.131.35.0.cpe0.0


1. Weak Authorization controls (HTTP)

1.1 Non-admin users can access restricted, Administrative functionality (accessible to Admin only)

LG-Nortel ADSL modem allows three (3) users with different privilege levels for administering the device. Administrative ‘admin’ user has complete privileges to access and perform all functions on the modem. Other non-admin users – ‘support’ and ‘user’ – have restricted functional access and can perform limited functions.

Figure 1 - 'admin' home page

 

Figure 2 - 'user' home page




As seen above in Figure 2, a non-admin ‘user’ does not have access to administrative functions via GUI menu, i.e. there are no administrative function links seen/visible in the home page.

However, the application lacks sufficient Authorization controls and a ‘user’ can still access the administrative functionality via direct url access.

For example, a non-admin ‘user’ does not have a menu option to access the device configuration file. However, it can still access the file - backupsettings.conf - by directly accessing the url – http://<modem_ip>/backupsettings.conf

With access to this configuration file, a low-privileged ‘user’ can easily access login passwords for ‘admin’ and any other valid users of the modem. The login passwords were found to be stored in base64-encoded format, which is a weak scheme to secure passwords, and can easily be de-obfuscated to reveal the clear-text password.

Figure 3 - 'user' access to device config + 'admin' password


In a similar manner, low-privileged ‘user’ and ‘support’ logins can also access other administrative functions.


1.2 Application does not secure sensitive configuration details from non-admin ‘user’ (HTTP)

Tthe application allows read-only access to ‘user’ login. But, as seen above, the application does not restrict or hide sensitive configuration information such as passwords, keys etc. All configuration details are readily accessible and readable to ‘user’ login.

The application / system should censure / encrypt the passwords, keys and any other crucial pieces of configuration, when a ‘user’ (read-only, non-admin) accesses the device configuration.

This is a design flaw in the LG-Nortel ADSL modem. On one hand, ‘admin’ and ‘user’ have different privileges, ‘user’ can only read the configuration details, and since ‘user’ can access all the configured passwords, ‘admin’ access is practically unrestricted. A ‘user’ can get ‘admin’ password from the configuration file, and simply login as ‘admin’. The current design does not enforce securing sensitive information and strict privilege separation correctly.


1.3 Password Change - Clear-text Password Disclosure

The application does not secure the new changed password either. Once the password is changed, the application simply reveals the new password in address bar, as:

http://<modem_ip>/password.cgi?sptPassword=<new_password>

Figure 5 - clear-text password after password change


As seen above, this HTTP request contains new, valid password in clear-text.

A suitably placed attacker / a malicious user can capture this clear-text password via sniffing.

2. Application does not secure configured passwords (HTTP)

Accounts, passwords, keys etc, shown in the application mgmt portal are masked and only ***** are shown in the corresponding fields. 

This client-side restriction can easily be bypassed though - via intercepting proxy and / or Inspect element. Since values are stored / passed in clear, they can be retrieved easily.

The following HTTP GET request shows capture of SIP / voip password(s):
GET /voicesipset.cmd?proxyAddr=XXX.yesphone.optus.com.au&proxyPort=5060&regAddr=XXX.yesphone.optus.com.au&regPort=5060&extension1=<phone-num-removed>&extension2=&password1=<password-removed>&password2=&ifName=ppp_8_32_1&servermode=proxy&telurl=sip&regexpiry=1800&hostname=XXX.yesphone.optus.com.au&localport=5060&display1=<phone-num-removed>&display2=&authuser1=<phone-num-removed>&authuser2= HTTP/1.1Host: 10.1.1.1User-Agent: iTunes/11.1.3 (Macintosh; Intel Mac OS X 10.7) AppleWebKit/534.20.8Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-USAccept-Encoding: gzip,deflateReferer: http://10.1.1.1/voicesipview.cmdAuthorization: Basic YWRtaW46YWRtaW4=X-Forwarded-For: X.X.X.XVia: 1.1 A.B.C.DIf-None-Match: r9nejkpl2DNT: 1Connection: keep-alive


3. Lack of strict Authorization controls (Telnet)

3.1 Allows non-admin ‘user’ to access password hashes

Connecting to the modem over Telnet provides a CLI-based device administration console.

After logging in over Telnet as ‘user’, the system permits running system level commands and to read sensitive files from the file-system.

Figure 6 - 'user' login - 23t - access password hashes
 

As seen above, ‘user’ login can read the /etc/passwd file from the file-system. This file contained password hashes for all the users, including ‘admin’. At this point, it is easy for an attacker to capture the password hashes and crack them offline, using password-cracking tools. Once the hashes are cracked, they can provide direct, legitimate access to the device.

Looking at /etc/passwd file, we also find that all accounts – admin, support, user, nobody – have a UID and GID of 0. This implies that all these users have superuser (root) privileges, i.e. all of the users have full, unrestricted, administrative access to the system.!

This is a design flaw in the LG-Nortel ADSL modem. Regular users must have restricted privileges, just enough to perform respective tasks. Superuser/root privileges to all the users on the system are a recipe for security issues.

3.2 Allows non-admin user to change Admin password + create Denial of Service

After logging in to the modem as non-admin ‘user’ login, a password change functionality is available to ‘user’ login.
> passwd
Usage: passwd <admin|support|user> <password>       passwd –help

As seen above, the passwd command can be used to change passwords for all three users – ‘admin’, ‘support’, and ‘user’. Since the current login is a non-admin ‘user’ account, any attempts to change password for administrative user ‘admin’ are expected to fail and / or restricted by the system.

Ist attempt - Failed
> passwd admin admin1Connection closed by foreign host.

The first attempt to change ‘admin’ login password failed and the telnet connection drops. 

Telnet daemon / service running on LG-Nortel ADSL modem, can be easily crashed by logging in as a low-privileged user and attempting to perform an unauthorized action, such as trying to change password for ‘admin’ user.

In the second attempt, the command executed and password for ‘admin’ was changed successfully.

2nd attempt - Successful
> passwd
Usage: passwd <admin|support|user> <password>       passwd --help> passwd admin admin1>

Following this password change, Telnet service again turned non-responsive within 10-15 seconds and the connection dropped.

The underlying system lacks sufficient authorization measures to ensure that a non-admin / low-privileged application user is restricted and cannot perform unauthorized, sensitive functions, especially the ones targeting administrative accounts.

Additionally, considering the consistent Telnet service crash after each unauthorized action attempt, it is evident that the underlying system also lacks sufficient measures to ensure service’s continued availability in the event of any unauthorized action(s).

3.3 Application does not secure sensitive configuration details from ‘user’ 

This issue is same as one described in section 1.2. The only difference is the method of exploitation (over Telnet).

The application permits ‘user’ login to view sensitive information in modem’s configuration. To view configuration, Telnet administrative console provides a command - dumpcfg - to the ‘user’. Running this command as ‘user’ login dumps the device configuration information. This information includes sensitive information such as passwords and keys.

The application / system should encrypt the passwords, keys and any other crucial pieces of configuration, when a ‘user’ (read-only, non-admin) accesses the device configuration.

Figure 7 - 'user' login - 23t - dumpcfg

This is a design flaw in the LG-Nortel ADSL modem. On one hand, ‘admin’ and ‘user’ have different privileges, ‘user’ can only read the configuration details, and since ‘user’ can access all the configured passwords, ‘admin’ access is practically unrestricted. A ‘user’ can potentially get ‘admin’ password from the configuration file, and simply login as ‘admin’. The current design does not enforce strict privilege separation correctly

3.4 Allows ‘user’ to access busybox shell + create Denial of Service


‘user’ login is allowed to access the base underlying BusyBox shell and also access certain set of commands.

Figure 8 - 'user' login - 23t - access busybox shell


As seen above, ‘user’ can access the BusyBox shell. Once certain command(s) are run, such as ‘vconfig’, it results in Telnet daemon / service crash, and the connection drops.


Tuesday, December 1, 2015

Brocade Fabric OS v6.3.1b Multiple Vulnerabilities

# Title: [Brocade Fabric OS v6.3.1b - Multiple vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [www.brocade.com]
# Versions Reported: Kernel 2.6.14.2 + FabOS v6.3.1b + BootProm 1.0.9


version
Kernel:     2.6.14.2
Fabric OS:  v6.3.1b
BootProm:   1.0.9

Default diagnostic accounts
root and factory with default passwords documented in respective admin guides. By default, both these users are not restricted and can SSH / telnet in to the box.

unix-passwd-in-etc-passwd
Password hashes found in /etc/passwd files (All user hashes)

unix-uid-0-accounts
Multiple users have UID 0 privs

unix-world-writable-files
Multiple world writable files are present:
/etc/fabos/hil_wwn
/etc/fabos/cfgsave/factory/etc/hosts
/etc/raslog.ext
/etc/ipadmd_log.txt
/etc/hosts.0

unix-user-home-dir-mode - weak access permissions
The permissions for home directory of user basicswitchadmin was found to be 755 instead of 750.

generic-passwd-shadow-group-file-permissions - weak access permissions
The permission of file '/etc/shadow' is not 400.

unix-partition-mounting-weakness

/tmp partition does not have 'nosuid' option set. 
/tmp partition does not have 'noexec' option set. 
/tmp partition does not have 'nodev' option set. 
/mnt partition does not have 'nodev' option set.

unix-suid-writable
Following world-writable suid files were found on the system:
/etc/fabos/hil_wwn(-r-xrw-rw-)

unix-suid-script
Multiple scripts with suid set were found on the system:

, wwn /fabos/sbin/coreshow /fabos/sbin/timeLineGet /fabos/bin/getIpAddr.sh /fabos/ , , bin/userConfig /fabos/cliexec/authCmds /fabos/cliexec/config /fabos/cliexec/conf , , igCmd /fabos/cliexec/configure /fabos/cliexec/fcping /fabos/cliexec/fpcmd /fabos , , /cliexec/haadm /fabos/cliexec/helpcmds /fabos/cliexec/ipAddr /fabos/cliexec/kill , , telnet /fabos/cliexec/ms /fabos/cliexec/savecore /fabos/cliexec/secCmds /fabos/c , , /fabos/sbin/coreshow, /fabos/sbin/timeLineGet, /fabos/cliexec/killtelnet, /fabos/cliexec/savecore, /fabos/cliexec/ssave.sh, , supportsave /fabos/cliexec/supportsavestatus /fabos/cliexec/switchcmd /fabos/cli , , exec/syscmd /fabos/cliexec/trace_cli /fabos/standby_sbin/coreshow /fabos/libexec , , /coreffdc.sh /fabos/libexec/ethmode /fabos/libexec/getDefaultFID /fabos/libexec/ , , ipc_showAll /fabos/libexec/secRoleCheck /fabos/etc/swInst /fabos/webtools/htdocs , , /weblinker.fcg /var/log/rcslog.old /var/log/fdmilog.txt /var/log/ficulog.txt /va , , r/log/nslog.txt /var/log/rcslog.txt /var/log/seclog.txt /var/log/zonelog.txt && , , /fabos/cliexec/supportsavestatus, /fabos/standby_sbin/coreshow, /fabos/libexec/coreffdc.sh, /fabos/libexec/ipc_showAll, , g.txt /var/log/esslog.old /var/log/ficulog.old /var/log/fdmilog.old /var/log/ess , , log.txt /var/log/nslog.old /var/log/seclog.old /var/log/zonelog.old /var/log/snm , , plog.old /bin/passwd /bin/login /bin/login.nopam /bin/ping /sbin/fuser /sbin/boo , , tenv /usr/bin/du /usr/bin/ppname /usr/bin/rcp /usr/bin/rlogin /usr/bin/rsh, sr/sbin/sendmail 

Disclaimer

The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.