[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] SICUNET Physical Access Controller - Multiple Vulnerabilities

SICUNET Physical Access Controller - Multiple Vulnerabilities




Multiple vulnerabilities were identified in the SICUNET Access Controller
Products. The vulnerabilities were discovered during a black box security
assessment and therefore the vulnerability list should not be considered

Affected Software and Versions


Known vulnerable version is 0.32-05z. This version string was taken from



No CVEs have been assigned.

Vulnerability Overview


0. SN-01: HIGH: Outdated software

1. SN-02: HIGH: PHP include()

2. SN-03: CRITICAL: Unauthenticated remote code execution

3. SN-04: CRITICAL: Hardcoded root credentials

4. SN-05: High: Passwords stored in plaintext

Vulnerability Details



SN-01: Outdated software


Severity: High

A variety of software running on the device is outdated, making
exploitation of certain bugs far easier than it would be had they been
patched, or running up to date software.

 /usr/local/php_b2/bin # ./php -v

 PHP 5.2.14 (cli) (built: Jul  8 2012 22:45:11)

 Copyright (c) 1997-2010 The PHP Group

 Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies

http://php.net/eol.php has more information about PHP 5.2 being End Of
Life, and associated security issues.

 /usr/local/lighttpd/sbin # ./arm-linux-lighttpd -v

 lighttpd/1.4.30 (ssl) - a light and fast webserver

 Build-Date: Dec 26 2013 15:13:53

https://www.lighttpd.net/download/ has more information about security
changes in lighttpd.

 # uname -a
 Linux SICUNET #72 PREEMPT Tue Feb 28 15:25:12 KST 2012 armv7l

It is recommended that software is kept up to date, and that configurations
are reviewed to ensure that they’re secure. For example, there may have
been configuration options for PHP which may have made exploitation harder.


SN-02: PHP include()


Severity: High

When sending a request to /, the 'c' parameter is used as part of an
include() statement.

Excerpt from /spider/web/webroot/index.php:

 $class  = Input::get('c', 'layout');
 $method = Input::get('m', 'index');

 include APP_DIR.'/controllers/'.$class.EXT;

(where EXT is defined as '.php’).

By crafting the c parameter, it’s possible to access arbitrary files on the

 wget 'http://victim.ip.address/?c=../../../../../etc/passwd%00'

The %00 trick is a known issue, and is addressed in a later PHP update. For
more information, please see SN-01.

It is recommended that the code be refactored to not require passing user
supplied input to the include() function. Alternatively, a strict whitelist
approach of known modules may be used instead.


SN-03: Unauthenticated remote code execution


Severity: Critical

A variety of functionality is implemented via insecure string concatenation
then passed to underlying exec() functions:

For example, in card_scan_decoder.php

16     $No = $_GET['No'];
17     $door = $_GET['door'];
19     $result = array();
21     $db   = new PDO('sqlite:/tmp/SpiderDB/Spider.db');

28     if ($No < 1)
29     {
30         $DelTemp = $db->prepare("DELETE FROM CardRawData");
31         $DelTemp->execute();
33         exec("/spider/sicu/spider-cgi getrawdata ".$door." on");
34     }

This vulnerability can be exploited by:

 wget 'http://victim.ip.address/card_scan_decoder.php?No=0&door=$(sleep 3)’

This is just an example of the pattern of insecurely creating strings to be
executed, and not an exhaustive listing.

It is recommended that injection-proof API's are used instead of
error-prone string concatenation, or whitelist / blacklist being used (for
example, escapeshellcmd). However, it appears as if the closest option in
PHP is http://php.net/manual/en/function.pcntl-exec.php which requires the
user to perform a lot more work to avoid shooting themselves in the foot
(such as forking the process first).


SN-04: Hardcoded root credentials


Severity: Critical

There are 3 password fingerprints in /etc/passwd


The plaintext root password can be found in /spider/sicu binaries. The root
password may be used for the ftp or telnet service on the device. From our
observation, it appears as if FTP is running by default, along with the
ability to login as root via FTP.

The hardcoded root credentials are used by binaries on the system to run
commands as root. It is currently unknown what the purpose of the e3user
and lighttpd hardcoded passwords are.

For example, the root password is used in a variety of ways in the
following format:

 echo %s | su -c 'mkdir -p %s >& /tmp/message'
 echo %s | su -c 'chown %s %s >& /tmp/message'

Where %s is replaced at run time with the cleartext root password before
being passed to the system() function.

It is recommended that hardcoded credentials be removed, and instead
replaced with a more suitable mechanism. For example; sudo may be suitable,
combined with the NOPASSWD directive.

FTP access should be replaced with a more secure transfer mechanism (such
as SSH FTP, or SCP), and authentication should be managed by a user
(preferably via SSH public keys).


SN-05: Passwords stored in plaintext


Severity: High

A variety of credentials (for example, used for accessing the web front
end, or other devices part of the installation) are stored unencrypted on
the device in /tmp/SpiderDB/Spider.db:

sqlite> SELECT Name,Password FROM WebUser;
sqlite> SELECT Name,ID,Password FROM Controller;

It is recommended that where passwords must be stored, that they are
suitably cryptographically hashed using an appropriate standard (for more
information, please see https://password-hashing.net).



The vulnerabilities were discovered by Andrew Griffiths from Google
Security Team.



2016/12/06 - Contacted sicunet.com domain registrar, and sales AT sicunet.com
            for a point of contact to report security issues.

2016/12/08 - Pinged earlier email for a point of contact, additionally
            included tech AT sicunet.com on an email.

2016/12/08 - Report sent to Ike Huh, CEO.

2016/12/12 - Mentioned that reviewing spider-api would be worthwhile as it
            listens on port 7000, and strings suggests that there may be
            command injection / other vulnerabilities. No reply.

2017/01/17 - Asked point of contact if they had any questions about the
            advisory sent earlier. No reply.

2017/01/24 - Pinged vendor again, asked about resellers who may be able to
            make recommendations about restricting network access to the
            devices from the internet.

2017/01/30 - No contact from vendor.

2017/02/24 - Asked vendor if the affected users can expect patches. No

2017/03/01 - Sent an email to the vendor, reminding them disclosure is
            up soon.

2017/03/08 - 90 day disclosure deadline.

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/