[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] [FOXMOLE SA 2016-07-20] Lupusec XT1 Alarm System - Multiple Issues

Hash: SHA256

=== FOXMOLE - Security Advisory 2016-07-20 ===

Lupusec XT1 Alarm System - Multiple Issues

Affected Versions
Lupusec XT1 fw 1.0.80

Issue Overview
Vulnerability Type: Cross Site Scripting, Cross Site Request Forgery, Unencrypted Connection, Remote Administrative Access, Denial of Service
Technical Risk: critical
Likelihood of Exploitation: medium
Vendor: Lupus-Electronics
Vendor URL: https://www.lupus-electronics.de/
Credits: FOXMOLE employees Niklas Abel, Daniel Dilger, Tim Herres, Sascha Kettler
Advisory URL: https://www.foxmole.com/advisories/foxmole-2016-07-20.txt
Advisory Status: Private
CVE-Number: NA
OVE-ID: OVE-20160808-0001
CVSS 2.0: 7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)

The system uses an unencrypted connection. This means all information including username and password are transmitted in cleartext.
Furthermore there is no protection against Cross Site Request Forgery attacks.
This can be used by an attacker to change the admin credentials by tricking an administrative user to activate a malicious form.
Also the application misses input validation and output encoding. This can be used to store JavaScript Code inside an input field.
Moreover the system contains a non-documented root backdoor via telnet using a fixed password which can be abused within the
local network to compromise the entire system. Addionally the system contains an outdated version of the DHCP client
which is suspectible to shell injection via the DHCP server.

Issue Description
The following findings are only examples there are quite more. The whole application should be reviewed.

All items tested using FF42.

1.) Stored Cross Site Scripting:
Authentication Required: Yes
PoC: Network --> Cameras --> URL Camera X --> Payload "foo://<script>alert('bar')</script>"
The payload gets executed on the main page : http://<IP>/setting/index.htm

2.) No protection against Cross Site Request Forgery Attacks:
PoC: Changing the admin user credentials.

POST /action/adminUserPost HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://<IP>/setting/index.htm
Content-Length: 61
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Parameter: admin_new_name=evil123&admin_new_pwd=topsecret&admin_new_pwd1=topsecret

If a privileged user activates the request the admin username is set to "evil123" and the password is set to "topsecret".

3.) Unencrypted connection:
The application only uses HTTP, that means all traffic including the basic authentication (base64 encoded username:password) is transmitted in cleartext.
There is no way for an user to set SSL/TLS in the web panel.

4.) Remote Administrative Access:
The system contains a telnet server listening on port 55023 which allows remote administrative access within the local network with root privileges.
The password for user 'root' can be obtained by cracking its 8-digit single DES encrypted password from the /etc/shadow of the system firmware image
which can be downloaded from the vendor's website. (http://www.lupus-electronics.de/documents/lupusec_xt1_firmware_update_1.0.80.zip)
This leads to full access to the entire system.

5.) Denial of Service:
The MiniUPnP Server is prone to a Denial of Service attack (CVE-2013-0229) which can lead to an inaccessible UPnP service.
A suitable MSF-Module (miniupnpd_dos) is available and leads to a successful attack against the service.

Temporary Workaround and Fix
FOXMOLE advises to deactivate the Lupusec XT1 alarm system until the vendor
publishes a complete fix. The vendor is working on an update.

2016-07-20  Issue discovered
2016-08-19  Vendor contacted
2016-08-26  Vendor requested for new information, without reply.
2016-09-19  Vendor requested for new information, without reply.
2016-09-29  Vendor informed about release on the 30th of september. Vendor response: Working on update.
2016-10-24  Vendor contacted about firmware update. Vendor response: firmware update will be released until 2016-10-26
2016-10-28  Advisory released

GPG Signature
This advisory is signed with the GPG key of the FOXMOLE advisories team.
The key can be downloaded here: https://www.foxmole.com/advisories-key-3812092199E3277C.asc


Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/