SICUNET Physical Access Controller - Multiple Vulnerabilities
-------------------------------------------------------------
Introduction
============
Multiple vulnerabilities were identified in the SICUNET Access Controller
Products. The vulnerabilities were discovered during a black box security
assessment and therefore the vulnerability list should not be considered
exhaustive.
Affected Software and Versions
==============================
Known vulnerable version is 0.32-05z. This version string was taken from
Spider.db.
CVE
===
No CVEs have been assigned.
Vulnerability Overview
======================
0. SN-01: HIGH: Outdated software
1. SN-02: HIGH: PHP include()
2. SN-03: CRITICAL: Unauthenticated remote code execution
3. SN-04: CRITICAL: Hardcoded root credentials
4. SN-05: High: Passwords stored in plaintext
Vulnerability Details
=====================
------------------------
SN-01: Outdated software
------------------------
Severity: High
A variety of software running on the device is outdated, making
exploitation of certain bugs far easier than it would be had they been
patched, or running up to date software.
/usr/local/php_b2/bin # ./php -v
PHP 5.2.14 (cli) (built: Jul 8 2012 22:45:11)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies
http://php.net/eol.php has more information about PHP 5.2 being End Of
Life, and associated security issues.
/usr/local/lighttpd/sbin # ./arm-linux-lighttpd -v
lighttpd/1.4.30 (ssl) - a light and fast webserver
Build-Date: Dec 26 2013 15:13:53
https://www.lighttpd.net/download/ has more information about security
changes in lighttpd.
# uname -a
Linux SICUNET 2.6.32.9 #72 PREEMPT Tue Feb 28 15:25:12 KST 2012 armv7l
GNU/Linux
It is recommended that software is kept up to date, and that configurations
are reviewed to ensure that theyare secure. For example, there may have
been configuration options for PHP which may have made exploitation harder.
--------------------
SN-02: PHP include()
--------------------
Severity: High
When sending a request to /, the 'c' parameter is used as part of an
include() statement.
Excerpt from /spider/web/webroot/index.php:
$class = Input::get('c', 'layout');
$method = Input::get('m', 'index');
include APP_DIR.'/controllers/'.$class.EXT;
(where EXT is defined as '.phpa).
By crafting the c parameter, itas possible to access arbitrary files on the
device:
wget 'http://victim.ip.address/?c=../../../../../etc/passwd%00'
The %00 trick is a known issue, and is addressed in a later PHP update. For
more information, please see SN-01.
It is recommended that the code be refactored to not require passing user
supplied input to the include() function. Alternatively, a strict whitelist
approach of known modules may be used instead.
--------------------------------------------
SN-03: Unauthenticated remote code execution
--------------------------------------------
Severity: Critical
A variety of functionality is implemented via insecure string concatenation
then passed to underlying exec() functions:
For example, in card_scan_decoder.php
16 $No = $_GET['No'];
17 $door = $_GET['door'];
18
19 $result = array();
20
21 $db = new PDO('sqlite:/tmp/SpiderDB/Spider.db');
<snip>
27
28 if ($No < 1)
29 {
30 $DelTemp = $db->prepare("DELETE FROM CardRawData");
31 $DelTemp->execute();
32
33 exec("/spider/sicu/spider-cgi getrawdata ".$door." on");
34 }
This vulnerability can be exploited by:
wget 'http://victim.ip.address/card_scan_decoder.php?No=0&door=$(sleep 3)a
This is just an example of the pattern of insecurely creating strings to be
executed, and not an exhaustive listing.
It is recommended that injection-proof API's are used instead of
error-prone string concatenation, or whitelist / blacklist being used (for
example, escapeshellcmd). However, it appears as if the closest option in
PHP is http://php.net/manual/en/function.pcntl-exec.php which requires the
user to perform a lot more work to avoid shooting themselves in the foot
(such as forking the process first).
---------------------------------
SN-04: Hardcoded root credentials
---------------------------------
Severity: Critical
There are 3 password fingerprints in /etc/passwd
root:$1$VVtYRWvv$gyIQsOnvSv53KQwzEfZpJ0:0:100:root:/root:/bin/sh
e3user:$1$vR6H2PUd$52r03jiYrM6m5Bff03yT0/:1000:1000:Linux
User,,,:/home/e3user:/bin/sh
lighttpd:$1$vqbixaUx$id5O6Pnoi5/fXQzE484CP1:1001:1000:Linux
User,,,:/home/lighttpd:/bin/sh
The plaintext root password can be found in /spider/sicu binaries. The root
password may be used for the ftp or telnet service on the device. From our
observation, it appears as if FTP is running by default, along with the
ability to login as root via FTP.
The hardcoded root credentials are used by binaries on the system to run
commands as root. It is currently unknown what the purpose of the e3user
and lighttpd hardcoded passwords are.
For example, the root password is used in a variety of ways in the
following format:
echo %s | su -c 'mkdir -p %s >& /tmp/message'
echo %s | su -c 'chown %s %s >& /tmp/message'
Where %s is replaced at run time with the cleartext root password before
being passed to the system() function.
It is recommended that hardcoded credentials be removed, and instead
replaced with a more suitable mechanism. For example; sudo may be suitable,
combined with the NOPASSWD directive.
FTP access should be replaced with a more secure transfer mechanism (such
as SSH FTP, or SCP), and authentication should be managed by a user
(preferably via SSH public keys).
------------------------------------------
SN-05: Passwords stored in plaintext
------------------------------------------
Severity: High
A variety of credentials (for example, used for accessing the web front
end, or other devices part of the installation) are stored unencrypted on
the device in /tmp/SpiderDB/Spider.db:
sqlite> SELECT Name,Password FROM WebUser;
admin|ExamplePlaintextPassword
sqlite> SELECT Name,ID,Password FROM Controller;
Server|username|AnotherPlaintextPassword
It is recommended that where passwords must be stored, that they are
suitably cryptographically hashed using an appropriate standard (for more
information, please see https://password-hashing.net).
Author
======
The vulnerabilities were discovered by Andrew Griffiths from Google
Security Team.
Timeline
========
2016/12/06 - Contacted sicunet.com domain registrar, and sales@sicunet.com
for a point of contact to report security issues.
2016/12/08 - Pinged earlier email for a point of contact, additionally
included tech@sicunet.com on an email.
2016/12/08 - Report sent to Ike Huh, CEO.
2016/12/12 - Mentioned that reviewing spider-api would be worthwhile as it
listens on port 7000, and strings suggests that there may be
command injection / other vulnerabilities. No reply.
2017/01/17 - Asked point of contact if they had any questions about the
advisory sent earlier. No reply.
2017/01/24 - Pinged vendor again, asked about resellers who may be able to
make recommendations about restricting network access to the
devices from the internet.
2017/01/30 - No contact from vendor.
2017/02/24 - Asked vendor if the affected users can expect patches. No reply.
2017/03/01 - Sent an email to the vendor, reminding them disclosure is
coming up soon.
2017/03/08 - 90 day disclosure deadline.