Advantech EKI-6340 series is vulnerable to an OS command injection, which can be exploited by remote attackers to execute arbitrary code and commands, by using a non privileged user against a vulnerable CGI file.
Advantech EKI-6340 Command Injection 1. *Advisory Information* Title: Advantech EKI-6340 Command Injection Advisory ID: CORE-2014-0009 Advisory URL: http://www.coresecurity.com/advisories/advantech-eki-6340-command-injection Date published: 2014-11-19 Date of last update: 2014-11-19 Vendors contacted: Advantech Release mode: User release 2. *Vulnerability Information* Class: OS Command Injection [CWE-78] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2014-8387 3. *Vulnerability Description* The Advantech EKI-6340  series are wireless Mesh AP for outdoor deployment. With self-healing and self-forming capabilities, the wireless network is free from interruption even part of Mesh nodes failed. It's especially critical to infrastructures where wired solutions are hard to deploy. This Mesh network covers growing rich data demands such as video security, surveillance and entertainment. Advantech EKI-6340 series is vulnerable to a OS Command Injection, which can be exploited by remote attackers to execute arbitrary code and commands, by using a non privileged user against a vulnerable CGI file. 4. *Vulnerable packages* . Advantech EKI-6340 V2.05 . Other versions may probably be affected too, but they were not checked. 5. *Vendor Information, Solutions and Workarounds* Considering that the vendor is not going to fix or update this device the following recommendations should be taken into consideration in case of using a vulnerable device: - Change the 'guest' user password (or delete the user in case is not used) - Edit the fshttpd.conf and remove the line 'guest_allow=/cgi/ping.cgi'. - Check that the 'admin' user doesn't has the default password as well. 6. *Credits* This vulnerability was discovered and researched by Facundo Pantaleo and Flavio Cangini from Core Security Engineering Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Advisories Team. 7. *Technical Description / Proof of Concept Code* This vulnerability is caused by an incorrect sanitization of the input parameters of the file "ping.cgi" that is a symbolic link of "utility.cgi". It allows to concatenate commands after the IP direction parameter, therefore enabling a user to inject OS commands. The "call_ping" function inside the file "/usr/webui/webroot/cgi/utility.cgi" is where the vulnerability lays. The CGI file requieres authentication, but the "admin" user is not the only one allowed to execute it. Based on the webservers default configuration file, the "guest" has permissons over it as well. This user is rarely disbled and its password tends to remain unchanged. This default credentials are username "user" and password "user" as well. Below is an example of the webserver (based on Mongoose webserver ) default configuration file "fshttpd.conf": /----- listening_ports=80,443s user_admin=admin pass_admin=admin user_guest=user pass_guest=user document_root=/usr/webui/webroot authorize_uri=/authorize unauthorize_uri=/unauthorize login_uri=/login.html logout_uri=/logout.html login_fail_uri=/err/login_fail.html sessions_full_uri=/err/nosessions.html no_redirect_uri=/cgi/fwupstatus.cgi guest_allow=/admin/FWUPStatus.html guest_allow=/status/* guest_allow=/utility/Ping.html guest_allow=/utility/RssiCalc.html guest_allow=/utility/FresnelZone.html guest_allow=/cgi/ping.cgi guest_allow=/cgi/status_query.cgi guest_allow=/cgi/nodeinfo_query_MAC.cgi guest_allow=/cgi/nodeinfo_query.cgi guest_allow=/cgi/nodeinfo_query_AP.cgi guest_allow=/cgi/fwupstatus.cgi nologin_allow=/ nologin_allow=/index.* nologin_allow=/css/* nologin_allow=/template/* nologin_allow=/images/* nologin_allow=/images/dhtmlxcalendar_dhx_skyblue/* nologin_allow=/js/* nologin_allow=/favicon.ico nologin_allow=/err/* -----/ 7.1. *Proof of Concept* /----- http://localhost:80/cgi/ping.cgi?pinghost=127.0.0.1;sleep%2010&pingsize=3 When requested for credentials use the following: User: user Password: user -----/ # 0day.today [2016-04-20] #