Thursday, September 15, 2016

[ICS] BINOM3 Electric Power Quality Meter - Multiple Vulnerabilities

[ICS] Universal multifunctional Electric Power Quality Meter BINOM3 - Multiple Vulnerabilities

About

The meters are designed for autonomous operation in automated systems:
• SCADA systems
• Data acquisition and transmission systems
• Automated data and measurement systems for revenue and technical power metering
• Power quality monitoring and control systems
• Automated process control systems, management information systems

http://www.binom3.ru/files/binom3_technical_description_en.pdf
http://www.binom3.ru/files/binom3_manual_operator.pdf

+++++
Submitted to ICS-CERT - May 25, 2016
ICS-CERT Advisory published Jan 2017
https://ics-cert.us-cert.gov/advisories/ICSA-17-031-01A
+++++
Vulnerability Information

Web Management Portal

1. Reflected XSS – multiple URLs, parameters
Successful exploitation of this vulnerability could allow an unauthenticated or authenticated attacker to inject arbitrary JavaScript via a specially crafted URL request, where the response containing user-supplied data is returned to the web browser without being made safe to display.

2. Stored XSS – multiple URLs, parameters
Successful exploitation of this vulnerability could allow an authenticated attacker to inject arbitrary JavaScript into specific input fields. The input is stored in the underlying database, and once the stored data (including the malicious script) is accessed, it is returned to the web browser, leading to script execution.

3. Weak Credentials Management 
The device comes configured with four (4) login accounts:
- admin / 1 
- user / 1 
- alg / 1 
- telem / 1

- These passwords do not meet even basic security criteria.
- To make it even easier for attackers, the application design does not give users any option to change their own passwords in the device management portal. Only 'root' can change passwords for all other accounts (AFAIK).

4. Undocumented root account 
In addition to the above four documented login accounts, there is a 'root' superuser account:
- root / root
- The root account details are not documented in the device administration guide or manuals
- The root account has additional functions accessible, such as user management

5. Sensitive Information Stored in Clear Text
Sensitive information, specifically the account passwords, is stored and displayed in clear text.

Additionally, specific non-root, non-privileged users can access the complete device configuration file, which contains clear-text passwords and other configuration information. This flaw can be used to gain privileged access to the device.

6. Vulnerable to Cross-Site Request Forgery

No CSRF token is generated per page and/or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device, such as configuration parameter changes and saving the modified configuration.

7. Sensitive Information Leakage

Every time 'root' logs in, a GET request is made to a specific URL to retrieve the password configuration file.

The response comes back as XML data and contains all accounts and their passwords. Since, by default, the management portal is configured for HTTP, a suitably positioned attacker can sniff all login credentials and gain privileged access.

Telnet 

1. Access Control Flaws
By default, password authentication is not enabled on Telnet access (AFAIK).
- This access gives superuser-level access to the device
- Access to the device provides detailed information on the application, configuration, device file system, databases (including energy & billing), consumption, statistics and network information, as well as clear-text credentials (FTP)
- Easy vector to device & data compromise
+++++
