Calamp.com Incorrect Privilege Assignment

2018.05.15
Risk: Low
Local: No
Remote: No
CVE: N/A
CWE: CWE-266

There is also a full write up on https://medium.com/@evstykas/remote-smart-car-hacking-with-just-a-phone-2fe7ca682162 Vulnerability Security Advisory < 20180501 > ======================================================================= title: Incorrect Privilege Assignment product: lenderoutlook on colt.calamp-ts.com vulnerable version: latest fixed version: - CVE number: - impact: critical found: 2018-04-31 by: Vangelis Stykas & George Lavdanis ======================================================================= Vendor description: ------------------- Calamp is a telematics pioneer on M2M that manages more than 1.5M IoT devices. Vulnerability overview/description: ----------------------------------- 1) Incorrect Privilege Assignment When a user is logged in https://colt.calamp-ts.com/dashboard/login , a service that is being used by many vendors (such as viper smartstart and directed smartstart) it makes a request to https://reporting.calamp.com/jasperserver-pro/ to login with the same user.This server is used to generate reports regarding users vehicles using TIBCO jaspersoft server. When the reports are run from the dashboard they are limited to user owned vehicles but this is not the case when accessing the jaspersoft server directly. Any report on any user vehicle can run, making location / past whereabouts of vehicles and users available.A lot of financial data reports are also available. Data sources are also viewable / editable / exportable .After exporting clear text passwords of data sources are available. As data sources are editable a ddos can be caused just by editing them. As data sources are correctly firewalled no direct access is possible. We can manipulate by editing existing reports , adhoc views and queries to access all the data on the underlying data sources and using it to lead to a full compromise of the platform. Exploiting this also gives access to connect.calamp.com database. Proof of concept: ----------------- 1) Incorrect Privilege Assignment: ### Details * Attack Vector: HTTP GET * Prerequisites: None * CWE: CWE-266: Incorrect Privilege Assignment * Technical Impact: View reports of any user / vehicle / iot device, query about any user / vehicle / iot device, access underlying data sources. * Vulnerable query URL: / Vulnerable / tested versions: ----------------------------- https://colt.calamp-ts.com/ https://connect.calamp.com/ Vendor contact timeline: ------------------------ 2018a05a01: Sent support request requesting proper disclosure steps 2018a05a01: Asked via twitter dm on @calamp for an email to sent report 2018a05a02: Reached out via linkedin to a cybersecurity employee at calamp for direction on proper disclosure 2018a05a02: Reached out to CERT which guided us to the proper communication channel 2018a05a02: Calamp answered and acknowledged issue 2018a05a03: Calamp updated us that their are working on a fix 2018a05a12: Calamp notified us that is is patched and after verification we are releasing this.

References:

https://medium.com/@evstykas/remote-smart-car-hacking-with-just-a-phone-2fe7ca682162


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top