Advantech EKI-6340 Command Injection

Advantech EKI-6340 Command Injection

1. Advisory Information

Title: Advantech EKI-6340 Command Injection
Advisory ID: CORE-2014-0009
Advisory URL: http://www.coresecurity.com/advisories/advantech-eki-6340-command-injection
Date published: 2014-11-19
Date of last update: 2014-11-19
Vendors contacted: Advantech
Release mode: User release

2. Vulnerability Information

Class: OS Command Injection [CWE-78]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-8387

 

3. Vulnerability Description

The Advantech EKI-6340 [1] series are wireless Mesh AP for outdoor deployment. With self-healing and self-forming capabilities, the wireless network is free from interruption even part of Mesh nodes failed. It's especially critical to infrastructures where wired solutions are hard to deploy. This Mesh network covers growing rich data demands such as video security, surveillance and entertainment.

Advantech EKI-6340 series is vulnerable to a OS Command Injection, which can be exploited by remote attackers to execute arbitrary code and commands, by using a non privileged user against a vulnerable CGI file.

4. Vulnerable packages

  • Advantech EKI-6340 V2.05
  • Other versions may probably be affected too, but they were not checked.

5. Vendor Information, Solutions and Workarounds

Considering that the vendor is not going to fix or update this device the following recommendations should be taken into consideration in case of using a vulnerable device:

  • Change the 'guest' user password (or delete the user in case is not used)
  • Edit the fshttpd.conf and remove the line 'guest_allow=/cgi/ping.cgi'.
  • Check that the 'admin' user doesn't have the default password as well.

6. Credits

This vulnerability was discovered and researched by Facundo Pantaleo and Flavio Cangini from Core Security Engineering Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Advisories Team.

 

7. Technical Description / Proof of Concept Code

This vulnerability is caused by an incorrect sanitization of the input parameters of the file "ping.cgi" that is a symbolic link of "utility.cgi". It allows to concatenate commands after the IP address parameter, therefore enabling a user to inject OS commands. The "call_ping" function inside the file "/usr/webui/webroot/cgi/utility.cgi" is where the vulnerability lays.

The CGI file requieres authentication, but the "admin" user is not the only one allowed to execute it. Based on the webservers default configuration file, the "guest" has permissons over it as well. This user is rarely disbled and its password tends to remain unchanged. This default credentials are username "user" and password "user" as well. Below is an example of the webserver (based on Mongoose webserver [2]) default configuration file "fshttpd.conf":

 
    listening_ports=80,443s
    user_admin=admin
    pass_admin=admin
    user_guest=user
    pass_guest=user
    document_root=/usr/webui/webroot
    authorize_uri=/authorize
    unauthorize_uri=/unauthorize
    login_uri=/login.html
    logout_uri=/logout.html
    login_fail_uri=/err/login_fail.html
    sessions_full_uri=/err/nosessions.html
    no_redirect_uri=/cgi/fwupstatus.cgi
    guest_allow=/admin/FWUPStatus.html
    guest_allow=/status/*
    guest_allow=/utility/Ping.html
    guest_allow=/utility/RssiCalc.html
    guest_allow=/utility/FresnelZone.html
    guest_allow=/cgi/ping.cgi
    guest_allow=/cgi/status_query.cgi
    guest_allow=/cgi/nodeinfo_query_MAC.cgi
    guest_allow=/cgi/nodeinfo_query.cgi
    guest_allow=/cgi/nodeinfo_query_AP.cgi
    guest_allow=/cgi/fwupstatus.cgi
    nologin_allow=/
    nologin_allow=/index.*
    nologin_allow=/css/*
    nologin_allow=/template/*
    nologin_allow=/images/*
    nologin_allow=/images/dhtmlxcalendar_dhx_skyblue/*
    nologin_allow=/js/*
    nologin_allow=/favicon.ico
    nologin_allow=/err/*

7.1. Proof of Concept

 
      
      http://localhost:80/cgi/ping.cgi?pinghost=127.0.0.1;sleep%2010&pingsize=3
      
      When requested for credentials use the following:
      
      User: user
      Password: user
      
    

8. Report Timeline

  • 2014-10-01: Initial notification sent to ICS-CERT informing of the vulnerability and requesting the vendor's contact information.
  • 2014-10-01: ICS-CERT informs that they will ask the vendor if they want to coordinate directly with us or if they prefer to have ICS-CERT mediate. They request the vulnerability report.
  • 2014-10-01: ICS-CERT informs that the vendor answered that they would like the ICS-CERT to mediate the coordination of the advisory. They requested again the vulnerability report.
  • 2014-10-01: We send the vulnerability detail, including technical description and a PoC.
  • 2014-10-09: We request a status update on the reported vulnerability.
  • 2014-10-20: ICS-CERT informs that the vendor plans to discontinue EKI-6340 early next year and therefore they will not fix it.
  • 2014-11-13: We inform them that we will publish this advisory as user release on Wednesday 19th of November.
  • 2014-11-19: Advisory CORE-2014-0009 published.

9. References

[1] http://www.advantech.com.tw/products/56bfcf50-1ada-4ac6-aaf5-4e726ebad002/EKI-6340/mod_04f43dee-f991-44f1-aa1b-bbb1b30f2a72.aspx.
[2] https://code.google.com/p/mongoose/.

10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. About Core Security

Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

12. Disclaimer

The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.