[CORE-2014-0009] - Advantech EKI-6340 Command Injection

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Advantech EKI-6340 Command Injection

1. Advisory Information

Title: Advantech EKI-6340 Command Injection
Advisory ID: CORE-2014-0009
Advisory URL:
http://www.coresecurity.com/advisories/advantech-eki-6340-command-injection
Date published: 2014-11-19
Date of last update: 2014-11-19
Vendors contacted: Advantech
Release mode: User release

2. Vulnerability Information

Class: OS Command Injection [CWE-78]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-8387

3. Vulnerability Description

   The Advantech EKI-6340 [1] series are wireless Mesh AP for outdoor
   deployment. With self-healing and self-forming capabilities, the
   wireless network is free from interruption even part of Mesh nodes
   failed. It's especially critical to infrastructures where wired
   solutions are hard to deploy. This Mesh network covers growing rich data
   demands such as video security, surveillance and entertainment.

   Advantech EKI-6340 series is vulnerable to a OS Command Injection,
   which can be exploited by remote attackers to execute arbitrary code and
   commands, by using a non privileged user against a vulnerable CGI file.

4. Vulnerable packages

   . Advantech EKI-6340 V2.05
   . Other versions may probably be affected too, but they were not checked.

5. Vendor Information, Solutions and Workarounds

   Considering that the vendor is not going to fix or update this
   device the following recommendations should be taken into consideration
   in case of using a vulnerable device:

    - Change the 'guest' user password (or delete the user in case
   

is not used)
- Edit the fshttpd.conf and remove the line
'guest_allow=/cgi/ping.cgi'.
- Check that the 'admin' user doesn't has the default password
as well.

6. Credits

   This vulnerability was discovered and researched by Facundo Pantaleo
   and Flavio Cangini from Core Security Engineering Team. The publication
   of this advisory was coordinated by Joaquin Rodriguez Varela from Core
   Advisories Team.

7. Technical Description / Proof of Concept Code

   This vulnerability is caused by an incorrect sanitization of the
   input parameters of the file "ping.cgi" that is a symbolic link of
   "utility.cgi".
   It allows to concatenate commands after the IP direction parameter,
   therefore enabling a user to inject OS commands. The "call_ping"
   function inside the file "/usr/webui/webroot/cgi/utility.cgi" is where
   the vulnerability lays.

   The CGI file requieres authentication, but the "admin" user is not
   the only one allowed to execute it. Based on the webservers default
   configuration file, the "guest" has permissons over it as well. This
   user is rarely disbled and its password tends to remain unchanged. This
   default credentials are username "user" and password "user" as well.
   Below is an example of the webserver (based on Mongoose webserver [2])
   default configuration file "fshttpd.conf":

/-----

listening_ports=80,443s
user_admin=admin
pass_admin=admin
user_guest=user
pass_guest=user
document_root=/usr/webui/webroot
authorize_uri=/authorize
unauthorize_uri=/unauthorize
login_uri=/login.html
logout_uri=/logout.html
login_fail_uri=/err/login_fail.html
sessions_full_uri=/err/nosessions.html
no_redirect_uri=/cgi/fwupstatus.cgi
guest_allow=/admin/FWUPStatus.html
guest_allow=/status/*
guest_allow=/utility/Ping.html
guest_allow=/utility/RssiCalc.html
guest_allow=/utility/FresnelZone.html
guest_allow=/cgi/ping.cgi
guest_allow=/cgi/status_query.cgi
guest_allow=/cgi/nodeinfo_query_MAC.cgi
guest_allow=/cgi/nodeinfo_query.cgi
guest_allow=/cgi/nodeinfo_query_AP.cgi
guest_allow=/cgi/fwupstatus.cgi
nologin_allow=/
nologin_allow=/index.*
nologin_allow=/css/*
nologin_allow=/template/*
nologin_allow=/images/*
nologin_allow=/images/dhtmlxcalendar_dhx_skyblue/*
nologin_allow=/js/*
nologin_allow=/favicon.ico
nologin_allow=/err/*

-----/

7.1. Proof of Concept

/-----

http://localhost:80/cgi/ping.cgi?pinghost=127.0.0.1;sleep%2010&pingsize=3

When requested for credentials use the following:
 
User: user
Password: user

-----/

8. Report Timeline

. 2014-10-01:

Initial notification sent to ICS-CERT informing of the vulnerability

and requesting the vendor's contact information.

. 2014-10-01:

ICS-CERT informs that they will ask the vendor if they want to

coordinate directly with us or if they prefer to have ICS-CERT mediate.
They request the vulnerability report.

. 2014-10-01:

ICS-CERT informs that the vendor answered that they would like the

ICS-CERT to mediate the coordination of the advisory. They requested
again the vulnerability report.

. 2014-10-01:

We send the vulnerability detail, including technical description

and a PoC.

. 2014-10-09:

We request a status update on the reported vulnerability.

. 2014-10-20:

ICS-CERT informs that the vendor plans to discontinue EKI-6340 early

next year and therefore they will not fix it.

. 2014-11-13:

We inform them that we will publish this advisory as user release on

Wednesday 19th of November.

. 2014-11-19:

Advisory CORE-2014-0009 published.

9. References

[1]
http://www.advantech.com.tw/products/56bfcf50-1ada-4ac6-aaf5-4e726ebad002/EKI-6340/mod_04f43dee-f991-44f1-aa1b-bbb1b30f2a72.aspx.

[2] https://code.google.com/p/mongoose/.

10. About CoreLabs

    CoreLabs, the research center of Core Security, is charged with
    anticipating the future needs and requirements for information security
    technologies. We conduct our research in several important areas of
    computer security including system vulnerabilities, cyber attack
    planning and simulation, source code auditing, and cryptography. Our
    results include problem formalization, identification of
    vulnerabilities, novel solutions and prototypes for new technologies.
    CoreLabs regularly publishes security advisories, technical papers,
    project information and shared software tools for public use at:
    http://corelabs.coresecurity.com.

11. About Core Security

    Core Security enables organizations to get ahead of threats with
    security test and measurement solutions that continuously identify
    and demonstrate real-world exposures to their most critical assets. Our
    customers can gain real visibility into their security standing, real
    validation of their security controls, and real metrics to more
    effectively secure their organizations.

    Core Security's software solutions build on over a decade of trusted
    research and leading-edge threat expertise from the company's Security
    Consulting Services, CoreLabs and Engineering groups. Core Security can
    be reached at +1 (617) 399-6980 or on the Web at:
    http://www.coresecurity.com.

12. Disclaimer

    The contents of this advisory are copyright (c) 2014 Core Security
    and (c) 2014 CoreLabs, and are licensed under a Creative Commons
    Attribution Non-Commercial Share-Alike 3.0 (United States) License:
    http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. PGP/GPG Keys

    This advisory has been signed with the GPG key of Core Security
    advisories team, which is available for download at
    http://www.coresecurity.com/files/attachments/core_security_advisories.asc.