Schrack MICROCONTROL XSS / Disclosure / Weak Default Password

Published 11 Jul 2014, reported by Christian Kudera. Source: packetstorm (packetstormsecurity.com).

Schrack MICROCONTROL emergency light system: critical vulnerabilities (access data disclosure, weak default password, persistent XSS, clear text authentication).

SEC Consult Vulnerability Lab Security Advisory < 20140710-2 >  
=======================================================================  
title: Multiple critical vulnerabilities  
product: Schrack MICROCONTROL emergency light system  
vulnerable version: before 1.7.0 (937)  
fixed version: 1.7.0 (937)  
impact: critical  
homepage: http://www.schrack.at/shop/sicherheitsbeleuchtung.html  
found: 2014-02-05  
by: C. Kudera  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com  
=======================================================================  
  
Vendor description:  
-------------------  
"The microControl is a decentralized power supply system with limited power  
(LowPower system) for 1-, 3- or 8-hour operation. This system combines the high  
reliability of a decentralized single-battery system with the ease and comfort  
of a central battery system."  
  
Source: http://image.schrack.com/datenblaetter/h_nlmi102_de.pdf  
  
  
Business recommendation:  
------------------------  
The Microcontrol emergency light system, distributed by Schrack Technik GmbH,  
is a self-contained emergency light system that is configured over a web  
interface.  
Through the vulnerabilities described in this advisory, an attacker can  
reconfigure the whole emergency light system without authentication.  
  
Furthermore, an attacker can perform attacks against the users of the web  
application to deploy Cross-Site-Scripting Trojan Horses or steal sensitive data.  
  
It is highly recommended by SEC Consult not to use this product until a  
thorough security review has been performed by security professionals and all  
identified issues have been resolved.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Access data disclosure  
The access data (credentials) for the FTP and telnet services is accessible  
without authentication. This information enables an attacker to access the file  
system of the emergency light system and reconfigure the whole system.  
  
2) Weak default password  
The password for the web interface can't be changed. The emergency light system  
is always delivered with the same weak password to every customer. An attacker  
can reverse engineer the firmware of the emergency light system or request the  
password from Schrack Technik GmbH.  
  
3) Permanent Cross Site Scripting (XSS)  
The emergency light system doesn't encode user input properly. This leads to  
Cross-Site Scripting vulnerabilities. The vulnerability can be used to  
persistently inject HTML or JavaScript code into the affected web page. The code  
is executed in the browser of users when they visit the manipulated site. The  
vulnerability can be used to change the contents of the displayed site, redirect  
to other sites or steal user credentials. Additionally, users are potential  
victims of browser exploits and JavaScript Trojan Horses.  
  
4) Clear text authentication  
Login data of users is transmitted in clear text. By intercepting network  
traffic, an attacker can eavesdrop on authentication data and take over the  
victim's account.  
  
  
Proof of concept:  
-----------------  
1) Access data disclosure  
The ZTPUsrDtls.txt can be accessed via http://<system_ip>/ZTPUsrDtls.txt  
  
2) Weak default password  
The credentials are user:not  
  
3) Permanent Cross Site Scripting (XSS)  
Several Permanent Cross Site Scripting vulnerabilities were noticed in the  
product during the audit (e.g. the position textbox in the configuration menu).  
  
4) Clear text authentication  
The web page is only accessible via the HTTP protocol. Login data can be  
recorded with a network sniffer.  
Furthermore a telnet service is running (plain text protocol).  
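As an added example (not part of the advisory and not vendor code), the following Python scans web access-log lines recorded by a proxy or monitor in front of the device for the two network-visible symptoms above: reads of /ZTPUsrDtls.txt (issue 1, a 200 meaning the credential file was actually served) and form submissions over plain HTTP (issue 4). The log lines are constructed, and the assumption that the login form is submitted with POST is labelled in the code.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (combined log format). The client IPs,
# timestamps and login path are made up for this example.
SAMPLE_LOG = """\
10.0.5.20 - - [11/Jul/2014:09:15:02 +0200] "GET /index.html HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
10.0.5.77 - - [11/Jul/2014:09:15:40 +0200] "GET /ZTPUsrDtls.txt HTTP/1.1" 200 118 "-" "curl/7.35.0"
10.0.5.20 - - [11/Jul/2014:09:16:11 +0200] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.5.77 - - [11/Jul/2014:09:17:03 +0200] "GET /ztpusrdtls.txt HTTP/1.1" 404 210 "-" "curl/7.35.0"
garbage line that does not parse
"""

# client ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

DISCLOSURE_PATH = "/ztpusrdtls.txt"  # file named in issue 1 of the advisory


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request; unparseable lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0].lower()
        status = int(m["status"])
        if path == DISCLOSURE_PATH:
            # 200: the FTP/telnet credential file was served (device unpatched).
            # Any other status (404/401 after firmware 1.7.0) is still a probe.
            findings.append({"issue": "access-data-disclosure",
                             "severity": "critical" if status == 200 else "info",
                             "src": m["src"], "ts": m["ts"], "status": str(status)})
        elif m["method"] == "POST":
            # The web UI is HTTP only (issue 4). Assumption: the login form is
            # submitted with POST, so any POST may carry credentials in clear text.
            findings.append({"issue": "cleartext-http-post", "severity": "medium",
                             "src": m["src"], "ts": m["ts"], "status": str(status)})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["issue"], f["src"], f["ts"], f["status"])
```

Run against the real proxy log of the segment the device sits in; a recurring "critical" finding means the firmware 1.7.0 (937) update has not been applied.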
  
  
Vulnerable / tested versions:  
-----------------------------  
The system tested was the MICROCONTROL 4 emergency light system.  
  
  
Vendor contact timeline:  
------------------------  
2014-05-13: Contacted vendor through [email protected], requesting encryption  
keys and attaching responsible disclosure policy  
2014-05-13: Reply from vendor, no encryption keys  
2014-05-13: Phone call to clarify the transmission of the advisory (encryption)  
2014-05-13: Sending the advisory encrypted to Schrack Technik GmbH  
2014-06-03: Asking for status update  
2014-06-03: Receiving information regarding patch / firmware update  
2014-06-11: Asking for more details about the patch / firmware update  
2014-07-09: Phone call to clarify details about the patch / firmware update  
2014-07-10: SEC Consult releases security advisory  
  
  
Solution:  
---------  
In order to solve issues 1) and 2), install firmware 1.7.0 (937), available by  
sending a mail to [email protected]  
  
3) Schrack Technik GmbH is working on a patch for this vulnerability  
  
4) SSL is not available for the embedded system used by the product.  
Schrack Technik GmbH recommends placing the emergency light system in a  
dedicated network segment.  
  
Devices delivered after 2014-07-01 already contain firmware 1.7.0 (937)  
  
  
Workaround:  
-----------  
No workaround available.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius  
  
Headquarter:  
Mooslackengasse 17, 1190 Vienna, Austria  
Phone: +43 1 8903043 0  
Fax: +43 1 8903043 15  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF C. Kudera / @2014  
  
