9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.038 Low
EPSS
Percentile
90.9%
**Title:**Advantech EKI-6340 Command Injection
**Advisory ID:**CORE-2014-0009
**Advisory URL:**http://www.coresecurity.com/advisories/advantech-eki-6340-command-injection
**Date published:**2014-11-19
**Date of last update:**2014-11-19
**Vendors contacted:**Advantech
**Release mode:**User release
**Class:**OS Command Injection [CWE-78]
**Impact:**Code execution
**Remotely Exploitable:**Yes
**Locally Exploitable:**No
CVE Name:CVE-2014-8387
The Advantech EKI-6340 [1] series are wireless Mesh AP for outdoor deployment. With self-healing and self-forming capabilities, the wireless network is free from interruption even part of Mesh nodes failed. Itβs especially critical to infrastructures where wired solutions are hard to deploy. This Mesh network covers growing rich data demands such as video security, surveillance and entertainment.
Advantech EKI-6340 series is vulnerable to a OS Command Injection, which can be exploited by remote attackers to execute arbitrary code and commands, by using a non privileged user against a vulnerable CGI file.
Considering that the vendor is not going to fix or update this device the following recommendations should be taken into consideration in case of using a vulnerable device:
This vulnerability was discovered and researched by Facundo Pantaleo and Flavio Cangini from Core Security Engineering Team. The publication of this advisory was coordinated by JoaquΓn RodrΓguez Varela from Core Advisories Team.
This vulnerability is caused by an incorrect sanitization of the input parameters of the file βping.cgiβ that is a symbolic link of βutility.cgiβ. It allows to concatenate commands after the IP address parameter, therefore enabling a user to inject OS commands. The βcall_pingβ function inside the file β/usr/webui/webroot/cgi/utility.cgiβ is where the vulnerability lays.
The CGI file requieres authentication, but the βadminβ user is not the only one allowed to execute it. Based on the webservers default configuration file, the βguestβ has permissons over it as well. This user is rarely disbled and its password tends to remain unchanged. This default credentials are username βuserβ and password βuserβ as well. Below is an example of the webserver (based on Mongoose webserver [2]) default configuration file βfshttpd.confβ:
listening_ports=80,443s user_admin=admin pass_admin=admin user_guest=user pass_guest=user document_root=/usr/webui/webroot authorize_uri=/authorize unauthorize_uri=/unauthorize login_uri=/login.html logout_uri=/logout.html login_fail_uri=/err/login_fail.html sessions_full_uri=/err/nosessions.html no_redirect_uri=/cgi/fwupstatus.cgi guest_allow=/admin/FWUPStatus.html guest_allow=/status/* guest_allow=/utility/Ping.html guest_allow=/utility/RssiCalc.html guest_allow=/utility/FresnelZone.html guest_allow=/cgi/ping.cgi guest_allow=/cgi/status_query.cgi guest_allow=/cgi/nodeinfo_query_MAC.cgi guest_allow=/cgi/nodeinfo_query.cgi guest_allow=/cgi/nodeinfo_query_AP.cgi guest_allow=/cgi/fwupstatus.cgi nologin_allow=/ nologin_allow=/index.* nologin_allow=/css/* nologin_allow=/template/* nologin_allow=/images/* nologin_allow=/images/dhtmlxcalendar_dhx_skyblue/* nologin_allow=/js/* nologin_allow=/favicon.ico nologin_allow=/err/*
http://localhost:80/cgi/ping.cgi?pinghost=127.0.0.1;sleep%2010&pingsize=3 When requested for credentials use the following: User: user Password: user
[1] <http://www.advantech.com.tw/products/56bfcf50-1ada-4ac6-aaf5-4e726ebad002/EKI-6340/mod_04f43dee-f991-44f1-aa1b-bbb1b30f2a72.aspx>.
[2] <https://code.google.com/p/mongoose/>.
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Securityβs software solutions build on over a decade of trusted research and leading-edge threat expertise from the companyβs Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
The contents of this advisory are copyright Β© 2014 Core Security and Β© 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>
This advisory has been signed with the GPG key of Core Security advisories team.