Eisbar SCADA (All Versions - iOS, Android & W8) - Persistent UI Vulnerability
Polar Bear KNX is a modern EIB or KNX visualization for all types of buildings. Applications: lighting, shading, heating, air conditioning, Ventilation and security integration and integrated control reduce capital and operating costs of buildings and systems, Flexibility in use and their adaptation, comfort, safety and optimization of running processes.
(Copy of the Vendor Homepage: https://itunes.apple.com/en/app/eisbaer/id777598405 & http://www.busbaer.de/newbb_plus,viewtopic,topic_id,971,forum,81.html )
The Vulnerability Laboratory Research Team discovered an application-side input validation vulnerability in the Eisbar SCADA v2.1.454.814 & v2.1.11 (iOS, Android & W8) application.
2015-05-19: Public Disclosure (Vulnerability Laboratory)
Alexander Maier GmbH Product: Eisbar SCADA - Mobile (Google Android, Windows Phone & Apple iOS) 2.1.11
Alexander Maier GmbH Product: Eisbar SCADA - Software 2.1.454.814
An application-side input validation web vulnerability has been discovered in the officialEisbar SCADA v2.1.454.814 & v2.1.11 (iOS, Android & W8) application. The security vulnerability allows an attacker to inject own script code to the application-side of the affected mobile software to compromise connected scada services.
We setup a secure environment that was able to execute scada controlled functions in our company by an android, ios and windows mobile device. Due to the implementation we discovered that the server configuration input impacts a common security risk.
The vulnerability is located in the `server name` value of the main network server settings module. Local attackers with physical device access are able to manipulate the `netzwerk server name` input to compromise the mobile application or connected eisbar scada services. The attacker includes a own script code payload to the servername and is able to execute the function in the server index listing and edit mode.
The attacker can prepare a qr code with a final configuration that impact a malicious injected server name. The execution of the payload occurs after the scan or on review of the server listing. The servername value is also in use by the Eisbar Solutions section with the DoorPhone-Knoten service. We verified that the main server name component can be used to unauthorized execute a function in the connected scada service. The servername can be changed by the app or in the node directly to manipulate the communication permanently.
The connection to the Polar Bear SCADA server is multi-client capable and configuration data required for the network settings of the app can be automatically transferred via QR code. In polar bears v2.1 there are also refer to a QR code component.
The security risk of the application-side web vulnerabilities are estimated as medium with a cvss (common vulnerability scoring system) count of 5.2. Exploitation of the persistent input validation web vulnerability requires a low privilege application user account and low user interaction (click). Successful exploitation of the persistent web vulnerability results in mobile application/device compromise or connected service component manipulation.
Request Method(s): [+] [Sync]
Vulnerable Module(s): [+] Home > Server (Netzwerk)
Vulnerable Parameter(s): [+] servername (name)
Affected Module(s): [+] Home Index Server Listing [+] Edit Server Entries
The application-side input validation web vulnerability can be exploited by local attackers with low privileged application user account and low user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ... 1. Install the mobile application to your windows phone, ios or android mobile device 2. Start the application 3. Configure a service that is successful connected with functions 4. Surf to the existing server home index listing 5. Change the internal or external server with existing address and payload 6. Save the input 7. The execution occurs in the main index server listing 8. Click the arrow next to the injected code 9. The second execution occurs in the header section were the servername description becomes visible 10. Successful reproduce of the security vulnerability!
Note: Include as payload a server that exists and attach your payload for a successful execution! The connection to the Polar Bear SCADA server is multi-client capable and configuration data required for the network settings of the app can be automatically transferred via QR code. In polar bears v2.1 there are also refer to a QR code component.
The vulnerability can be patched by a secure parse and encode of the netzwerk - servername value. Restrict the input field and disallow the usage of script code tags and special chars. Filter the server name output in the edit mode and parse also the index listing output with the servername.
The security risk of the application-side input validation vulnerability in the server configuration is estimated as medium. (CVSS 5.2)
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (firstname.lastname@example.org) [www.vulnerability-lab.com]
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: email@example.com - firstname.lastname@example.org - email@example.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (firstname.lastname@example.org or email@example.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
-- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: firstname.lastname@example.org PGP KEY: http://email@example.com%280x198E9928%29.txt