SEC Consult Vulnerability Lab Security Advisory < 20160121-0 > ======================================================================= title: Deliberately hidden backdoor account product: Several AMX (HARMAN Professional) devices, see section "Vulnerable / tested versions" vulnerable version: v1.2.322, v1.3.100 for AMX NX-1200, multiple other products fixed version: untested hotfix and firmware updates available CVE number: CVE-2015-8362 impact: critical homepage: http://www.amx.com found: 2015-03-10 by: Matthias Klinski, Manuel Hofer (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Berlin - Frankfurt/Main - Montreal - Moscow Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "AMX® (www.amx.com) is part of the HARMAN Professional Division, and the leading brand for the business, education, and government markets for the company. As such, AMX is dedicated to integrating AV solutions for an IT World. AMX solves the complexity of managing technology with reliable, consistent and scalable systems comprising control and automation, system-wide switching and AV signal distribution, digital signage and technology management. AMX systems are deployed worldwide in conference rooms, homes, classrooms, network operation/command centers, hotels, entertainment venues and broadcast facilities, among others." Source: http://www.amx.com/automate/aboutamx.aspx Business recommendation: ------------------------ Attackers are able to completely compromise the affected devices as they can gain higher privileges than even administrative access to the system via the backdoor. It is highly recommended by SEC Consult not to use these products until a thorough security review has been performed by security professionals and all identified issues have been resolved. Vulnerability overview/description: ----------------------------------- 1) Deliberately hidden backdoor account While analysing the application binary /bin/bw, SEC Consult discovered a function called "setUpSubtleUserAccount" which adds an administrative account to the internal user database. This account can be used to log on to the web interface as well as SSH. Functions to retrieve a list of all users in the database were found to deliberately hide this user. Further, using this backdoor account grants additional features on the remote-cli, such as a facility to capture packets on the network interface which not even an administrator account can perform. Proof of concept: ----------------- The binary /bin/bw which provides core functionality as well as user management for the AMX NX-1200 implements a function called "setUpSubtleUserAccount", which is called on system boot. This function adds an administrative account with hardcoded credentials to the user database: STMFD SP!, {R4-R7,LR} LDR R4, =aMu1cqhrnyu4 ; "QmxhY2tXaWRvdw" SUB SP, SP, #0x44 ADD R12, R4, #0x38 ADD LR, SP, #0x58+cSubtleUserPassword MOV R5, this LDMIA R12!, {this-R3} ; "<removed from PoC>" STMIA LR!, {R0-R3} ADD R3, R4, #0x54 LDMIA R12, {R0,R1} MOV R4, #0 ADD R12, SP, #0x58+cSubtleUserUserName+0x10 STR R0, [LR],#4 STRB R4, [R12],#1 STRH R1, [LR],#2 ADD R6, SP, #0x58+cSubtleUserUserName By decoding the strings which are loaded from memory and passed as arguments to cSubtleUserPassword and cSubtleUserUserName, the following user and password can be recovered: user: BlackWidow password: <removed from PoC> Using these credentials a successful login has been performed to the web based management interface, as well as the command line interface. Using this backdoor account grants additional features on the command line interface, such as capturing packets on the network interface. Parts of the application which display a list of users are designed to deliberately hide the backdoor account. The backdoor did not get removed by AMX in their first patch, but the backdoor username has only been changed to a DC superhero name. The new username now was: 1MB@tMaN The hotfix from 2016-01-15 is untested by SEC Consult and it is unknown whether the backdoor has been removed properly now. Hence the password will not be published. Vulnerable / tested versions: ----------------------------- The following software versions of the AMX NX-1200 have been tested / verified to be vulnerable: v1.2.322 v1.3.100 Apart from the NX-1200, we have found at least the following products to be affected by this vulnerability as well: * AMX DGX16-ENC (Digital Media Switchers) * AMX DGX32-ENC-A (Digital Media Switchers) * AMX DGX64-ENC (Digital Media Switchers) * AMX DGX8-ENC (Digital Media Switchers) * AMX DVX-2100HD (All-In-One Presentation Switchers) * AMX DVX-2210HD (All-In-One Presentation Switchers) * AMX DVX-2250HD (All-In-One Presentation Switchers) * AMX DVX-2255HD (All-In-One Presentation Switchers) * AMX DVX-3250HD (All-In-One Presentation Switchers) * AMX DVX-3255HD (All-In-One Presentation Switchers) * AMX DVX-3256HD (All-In-One Presentation Switchers) * AMX ENOVADGX64-ENC (Digital Media Switchers) * AMX MCP-106 (ControlPads) * AMX MCP-108 (ControlPads) * AMX NI-2000 (Central Controllers) * AMX NI-2100 (Central Controllers) * AMX NI-3000 (Central Controllers) * AMX NI-3100 (Central Controllers) * AMX NI-3101-SIG (Central Controllers) * AMX NI-4000 (Central Controllers) * AMX NI-4100 (Central Controllers) * AMX NI-700 (Central Controllers) * AMX NI-900 (Central Controllers) * AMX NX-1200 (Central Controllers) * AMX NX-2200 (Central Controllers) * AMX NX-3200 (Central Controllers) * AMX NX-4200 (Central Controllers) * AMX NXC-ME260-64 (Central Controllers) * AMX NXC-MPE (Central Controllers) * AMX NetLinx NX Integrated Controller (Media) Vendor contact timeline: ------------------------ 2015-03-10: SEC Consult provides PoC to AMX through European sales. 2015-10-12: Vendor provides "fixed" version 2015-10-12: SEC Consult verifies the new version. Backdoor username has only been changed to a leet-speak DC superhero name 2015-11-04: Contacting vendor amxservice () harman com again, setting responsible disclosure deadline to 2015-12-24 2015-11-16: No response. Contacting vendor with extended recipient list: - amxservice () harman com - Kevin.Morrison () harman com - Debbie.Franklin () harman com - Mark.Stoldt () harman com - Mike.Ramoz () harman com 2015-11-24: No response. Again extending the recipient list with emails found on the web (Paul.Zielie () harman com), asking for encryption keys and security contact 2015-11-24: AMX responds, requests advisory to be sent unencrypted. 2015-11-24: Providing advisory and proof of concept through insecure channel as requested. 2015-12-02: Asking for status update. 2015-12-16: No response, offered postponing of advisory release to 2016-01-20 due to Christmas holidays and asked for status update again. 2016-01-14: No response, informed vendor again about upcoming advisory release 2016-01-15: Vendor releases hotfix without notification of SEC Consult, hotfix is untested and unconfirmed, unsure whether all products are properly fixed. 2016-01-16: Informed local CERT teams. 2016-01-17: Informed US CERT/CC. 2016-01-20: AMX informs SEC Consult about released hotfix & firmware versions 2016-01-20: Informing AMX that the advisory will be released on 2016-01-21. The update and hotfixes are untested, hence the advisory will be released without the password. 2016-01-21: Release of security advisory & blog post. Solution: --------- Immediately apply the hotfix for the corresponding device. Covered products and firmware versions: * NX Series (X200) Master, NX Series DVX-325x/225x Master, Massio ControlPads Master v.1.4.65 Information on this firmware update and a link for authorized users to download the update are at: http://www.amx.com/techcenter/NXSecurityBrief/ NI Series Controllers * Hotfix For NI Series (NI-700 and NI-900) 64 MB Duet v.4 Master Firmware v.4.1.419 available from AMX Technical Support * Hotfix For NI Series (X100) Duet v.4 Master Firmware v. 4.1.419 available from AMX Technical Support Workaround: ----------- No workaround available. Advisory URL: ------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Berlin - Frankfurt/Main - Montreal - Moscow Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/Career.htm Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/About/Contact.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Manuel Hofer, Matthias Klinski / @2016