Advantech EKI-6340 2.05 Command Injection

`Core Security - Corelabs Advisory  
http://corelabs.coresecurity.com/  
  
Advantech EKI-6340 Command Injection  
  
  
1. *Advisory Information*  
  
Title: Advantech EKI-6340 Command Injection  
Advisory ID: CORE-2014-0009  
Advisory URL:  
http://www.coresecurity.com/advisories/advantech-eki-6340-command-injection  
Date published: 2014-11-19  
Date of last update: 2014-11-19  
Vendors contacted: Advantech  
Release mode: User release  
  
  
2. *Vulnerability Information*  
  
Class: OS Command Injection [CWE-78]  
Impact: Code execution  
Remotely Exploitable: Yes  
Locally Exploitable: No  
CVE Name: CVE-2014-8387  
  
  
3. *Vulnerability Description*  
  
  
The Advantech EKI-6340 [1] series are wireless Mesh AP for outdoor  
deployment. With self-healing and self-forming capabilities, the  
wireless network is free from interruption even part of Mesh nodes  
failed. It's especially critical to infrastructures where wired  
solutions are hard to deploy. This Mesh network covers growing rich data  
demands such as video security, surveillance and entertainment.  
  
Advantech EKI-6340 series is vulnerable to a OS Command Injection,  
which can be exploited by remote attackers to execute arbitrary code and  
commands, by using a non privileged user against a vulnerable CGI file.  
  
  
4. *Vulnerable packages*  
  
  
. Advantech EKI-6340 V2.05  
. Other versions may probably be affected too, but they were not checked.  
  
  
5. *Vendor Information, Solutions and Workarounds*  
  
  
Considering that the vendor is not going to fix or update this  
device the following recommendations should be taken into consideration  
in case of using a vulnerable device:  
  
- Change the 'guest' user password (or delete the user in case  
is not used)  
- Edit the fshttpd.conf and remove the line  
'guest_allow=/cgi/ping.cgi'.  
- Check that the 'admin' user doesn't has the default password  
as well.  
  
  
6. *Credits*  
  
  
This vulnerability was discovered and researched by Facundo Pantaleo  
and Flavio Cangini from Core Security Engineering Team. The publication  
of this advisory was coordinated by Joaquín Rodríguez Varela from Core  
Advisories Team.  
  
  
7. *Technical Description / Proof of Concept Code*  
  
  
This vulnerability is caused by an incorrect sanitization of the  
input parameters of the file "ping.cgi" that is a symbolic link of  
"utility.cgi".  
It allows to concatenate commands after the IP direction parameter,  
therefore enabling a user to inject OS commands. The "call_ping"  
function inside the file "/usr/webui/webroot/cgi/utility.cgi" is where  
the vulnerability lays.  
  
The CGI file requieres authentication, but the "admin" user is not  
the only one allowed to execute it. Based on the webservers default  
configuration file, the "guest" has permissons over it as well. This  
user is rarely disbled and its password tends to remain unchanged. This  
default credentials are username "user" and password "user" as well.  
Below is an example of the webserver (based on Mongoose webserver [2])  
default configuration file "fshttpd.conf":  
  
  
/-----  
  
listening_ports=80,443s  
user_admin=admin  
pass_admin=admin  
user_guest=user  
pass_guest=user  
document_root=/usr/webui/webroot  
authorize_uri=/authorize  
unauthorize_uri=/unauthorize  
login_uri=/login.html  
logout_uri=/logout.html  
login_fail_uri=/err/login_fail.html  
sessions_full_uri=/err/nosessions.html  
no_redirect_uri=/cgi/fwupstatus.cgi  
guest_allow=/admin/FWUPStatus.html  
guest_allow=/status/*  
guest_allow=/utility/Ping.html  
guest_allow=/utility/RssiCalc.html  
guest_allow=/utility/FresnelZone.html  
guest_allow=/cgi/ping.cgi  
guest_allow=/cgi/status_query.cgi  
guest_allow=/cgi/nodeinfo_query_MAC.cgi  
guest_allow=/cgi/nodeinfo_query.cgi  
guest_allow=/cgi/nodeinfo_query_AP.cgi  
guest_allow=/cgi/fwupstatus.cgi  
nologin_allow=/  
nologin_allow=/index.*  
nologin_allow=/css/*  
nologin_allow=/template/*  
nologin_allow=/images/*  
nologin_allow=/images/dhtmlxcalendar_dhx_skyblue/*  
nologin_allow=/js/*  
nologin_allow=/favicon.ico  
nologin_allow=/err/*  
  
-----/  
  
  
7.1. *Proof of Concept*  
  
  
/-----  
  
  
  
http://localhost:80/cgi/ping.cgi?pinghost=127.0.0.1;sleep%2010&pingsize=3  
  
When requested for credentials use the following:  
  
User: user  
Password: user  
  
  
-----/  
  
  
8. *Report Timeline*  
  
. 2014-10-01:  
  
Initial notification sent to ICS-CERT informing of the vulnerability  
and requesting the vendor's contact information.  
  
. 2014-10-01:  
  
ICS-CERT informs that they will ask the vendor if they want to  
coordinate directly with us or if they prefer to have ICS-CERT mediate.  
They request the vulnerability report.  
  
. 2014-10-01:  
  
ICS-CERT informs that the vendor answered that they would like the  
ICS-CERT to mediate the coordination of the advisory. They requested  
again the vulnerability report.  
  
. 2014-10-01:  
  
We send the vulnerability detail, including technical description  
and a PoC.  
  
. 2014-10-09:  
  
We request a status update on the reported vulnerability.  
  
. 2014-10-20:  
  
ICS-CERT informs that the vendor plans to discontinue EKI-6340 early  
next year and therefore they will not fix it.  
  
. 2014-11-13:  
  
We inform them that we will publish this advisory as user release on  
Wednesday 19th of November.  
  
. 2014-11-19:  
  
Advisory CORE-2014-0009 published.  
  
  
9. *References*  
  
[1]  
http://www.advantech.com.tw/products/56bfcf50-1ada-4ac6-aaf5-4e726ebad002/EKI-6340/mod_04f43dee-f991-44f1-aa1b-bbb1b30f2a72.aspx.  
  
[2] https://code.google.com/p/mongoose/.  
  
  
10. *About CoreLabs*  
  
CoreLabs, the research center of Core Security, is charged with  
anticipating the future needs and requirements for information security  
technologies. We conduct our research in several important areas of  
computer security including system vulnerabilities, cyber attack  
planning and simulation, source code auditing, and cryptography. Our  
results include problem formalization, identification of  
vulnerabilities, novel solutions and prototypes for new technologies.  
CoreLabs regularly publishes security advisories, technical papers,  
project information and shared software tools for public use at:  
http://corelabs.coresecurity.com.  
  
  
11. *About Core Security*  
  
  
Core Security enables organizations to get ahead of threats with  
security test and measurement solutions that continuously identify  
and demonstrate real-world exposures to their most critical assets. Our  
customers can gain real visibility into their security standing, real  
validation of their security controls, and real metrics to more  
effectively secure their organizations.  
  
Core Security's software solutions build on over a decade of trusted  
research and leading-edge threat expertise from the company's Security  
Consulting Services, CoreLabs and Engineering groups. Core Security can  
be reached at +1 (617) 399-6980 or on the Web at:  
http://www.coresecurity.com.  
  
  
12. *Disclaimer*  
  
The contents of this advisory are copyright (c) 2014 Core Security  
and (c) 2014 CoreLabs, and are licensed under a Creative Commons  
Attribution Non-Commercial Share-Alike 3.0 (United States) License:  
http://creativecommons.org/licenses/by-nc-sa/3.0/us/  
  
  
13. *PGP/GPG Keys*  
  
  
This advisory has been signed with the GPG key of Core Security  
advisories team, which is available for download at  
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.  
  
`