The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
High
PR
The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
SICUNET Access Controller 0.32-05z Code Execution / File DisclosureSICUNET Physical Access Controller - Multiple Vulnerabilities
-------------------------------------------------------------
Introduction
============
Multiple vulnerabilities were identified in the SICUNET Access Controller
Products. The vulnerabilities were discovered during a black box security
assessment and therefore the vulnerability list should not be considered
exhaustive.
Affected Software and Versions
==============================
Known vulnerable version is 0.32-05z. This version string was taken from
Spider.db.
CVE
===
No CVEs have been assigned.
Vulnerability Overview
======================
0. SN-01: HIGH: Outdated software
1. SN-02: HIGH: PHP include()
2. SN-03: CRITICAL: Unauthenticated remote code execution
3. SN-04: CRITICAL: Hardcoded root credentials
4. SN-05: High: Passwords stored in plaintext
Vulnerability Details
=====================
------------------------
SN-01: Outdated software
------------------------
Severity: High
A variety of software running on the device is outdated, making
exploitation of certain bugs far easier than it would be had they been
patched, or running up to date software.
/usr/local/php_b2/bin # ./php -v
PHP 5.2.14 (cli) (built: Jul 8 2012 22:45:11)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies
http://php.net/eol.php has more information about PHP 5.2 being End Of
Life, and associated security issues.
/usr/local/lighttpd/sbin # ./arm-linux-lighttpd -v
lighttpd/1.4.30 (ssl) - a light and fast webserver
Build-Date: Dec 26 2013 15:13:53
https://www.lighttpd.net/download/ has more information about security
changes in lighttpd.
# uname -a
Linux SICUNET 2.6.32.9 #72 PREEMPT Tue Feb 28 15:25:12 KST 2012 armv7l
GNU/Linux
It is recommended that software is kept up to date, and that configurations
are reviewed to ensure that theyare secure. For example, there may have
been configuration options for PHP which may have made exploitation harder.
--------------------
SN-02: PHP include()
--------------------
Severity: High
When sending a request to /, the 'c' parameter is used as part of an
include() statement.
Excerpt from /spider/web/webroot/index.php:
$class = Input::get('c', 'layout');
$method = Input::get('m', 'index');
include APP_DIR.'/controllers/'.$class.EXT;
(where EXT is defined as '.phpa).
By crafting the c parameter, itas possible to access arbitrary files on the
device:
wget 'http://victim.ip.address/?c=../../../../../etc/passwd%00'
The %00 trick is a known issue, and is addressed in a later PHP update. For
more information, please see SN-01.
It is recommended that the code be refactored to not require passing user
supplied input to the include() function. Alternatively, a strict whitelist
approach of known modules may be used instead.
--------------------------------------------
SN-03: Unauthenticated remote code execution
--------------------------------------------
Severity: Critical
A variety of functionality is implemented via insecure string concatenation
then passed to underlying exec() functions:
For example, in card_scan_decoder.php
16 $No = $_GET['No'];
17 $door = $_GET['door'];
18
19 $result = array();
20
21 $db = new PDO('sqlite:/tmp/SpiderDB/Spider.db');
<snip>
27
28 if ($No < 1)
29 {
30 $DelTemp = $db->prepare("DELETE FROM CardRawData");
31 $DelTemp->execute();
32
33 exec("/spider/sicu/spider-cgi getrawdata ".$door." on");
34 }
This vulnerability can be exploited by:
wget 'http://victim.ip.address/card_scan_decoder.php?No=0&door=$(sleep 3)a
This is just an example of the pattern of insecurely creating strings to be
executed, and not an exhaustive listing.
It is recommended that injection-proof API's are used instead of
error-prone string concatenation, or whitelist / blacklist being used (for
example, escapeshellcmd). However, it appears as if the closest option in
PHP is http://php.net/manual/en/function.pcntl-exec.php which requires the
user to perform a lot more work to avoid shooting themselves in the foot
(such as forking the process first).
---------------------------------
SN-04: Hardcoded root credentials
---------------------------------
Severity: Critical
There are 3 password fingerprints in /etc/passwd
root:$1$VVtYRWvv$gyIQsOnvSv53KQwzEfZpJ0:0:100:root:/root:/bin/sh
e3user:$1$vR6H2PUd$52r03jiYrM6m5Bff03yT0/:1000:1000:Linux
User,,,:/home/e3user:/bin/sh
lighttpd:$1$vqbixaUx$id5O6Pnoi5/fXQzE484CP1:1001:1000:Linux
User,,,:/home/lighttpd:/bin/sh
The plaintext root password can be found in /spider/sicu binaries. The root
password may be used for the ftp or telnet service on the device. From our
observation, it appears as if FTP is running by default, along with the
ability to login as root via FTP.
The hardcoded root credentials are used by binaries on the system to run
commands as root. It is currently unknown what the purpose of the e3user
and lighttpd hardcoded passwords are.
For example, the root password is used in a variety of ways in the
following format:
echo %s | su -c 'mkdir -p %s >& /tmp/message'
echo %s | su -c 'chown %s %s >& /tmp/message'
Where %s is replaced at run time with the cleartext root password before
being passed to the system() function.
It is recommended that hardcoded credentials be removed, and instead
replaced with a more suitable mechanism. For example; sudo may be suitable,
combined with the NOPASSWD directive.
FTP access should be replaced with a more secure transfer mechanism (such
as SSH FTP, or SCP), and authentication should be managed by a user
(preferably via SSH public keys).
------------------------------------------
SN-05: Passwords stored in plaintext
------------------------------------------
Severity: High
A variety of credentials (for example, used for accessing the web front
end, or other devices part of the installation) are stored unencrypted on
the device in /tmp/SpiderDB/Spider.db:
sqlite> SELECT Name,Password FROM WebUser;
admin|ExamplePlaintextPassword
sqlite> SELECT Name,ID,Password FROM Controller;
Server|username|AnotherPlaintextPassword
It is recommended that where passwords must be stored, that they are
suitably cryptographically hashed using an appropriate standard (for more
information, please see https://password-hashing.net).
Author
======
The vulnerabilities were discovered by Andrew Griffiths from Google
Security Team.
Timeline
========
2016/12/06 - Contacted sicunet.com domain registrar, and [email protected]
for a point of contact to report security issues.
2016/12/08 - Pinged earlier email for a point of contact, additionally
included [email protected] on an email.
2016/12/08 - Report sent to Ike Huh, CEO.
2016/12/12 - Mentioned that reviewing spider-api would be worthwhile as it
listens on port 7000, and strings suggests that there may be
command injection / other vulnerabilities. No reply.
2017/01/17 - Asked point of contact if they had any questions about the
advisory sent earlier. No reply.
2017/01/24 - Pinged vendor again, asked about resellers who may be able to
make recommendations about restricting network access to the
devices from the internet.
2017/01/30 - No contact from vendor.
2017/02/24 - Asked vendor if the affected users can expect patches. No reply.
2017/03/01 - Sent an email to the vendor, reminding them disclosure is
coming up soon.
2017/03/08 - 90 day disclosure deadline.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum