[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] [FOXMOLE SA 2016-07-20] Lupusec XT1 Alarm System - Multiple Issues
From: FOXMOLE Advisories <advisories () foxmole ! com>
Date: 2016-10-28 14:03:46
Message-ID: 9c4c1a39-1c34-8688-afc4-90be9de5acf3 () foxmole ! com
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=== FOXMOLE - Security Advisory 2016-07-20 ===
Lupusec XT1 Alarm System - Multiple Issues
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Affected Versions
=================
Lupusec XT1 fw 1.0.80
Issue Overview
==============
Vulnerability Type: Cross Site Scripting, Cross Site Request Forgery, Unencrypted Connection, \
Remote Administrative Access, Denial of Service Technical Risk: critical
Likelihood of Exploitation: medium
Vendor: Lupus-Electronics
Vendor URL: https://www.lupus-electronics.de/
Credits: FOXMOLE employees Niklas Abel, Daniel Dilger, Tim Herres, Sascha Kettler
Advisory URL: https://www.foxmole.com/advisories/foxmole-2016-07-20.txt
Advisory Status: Private
CVE-Number: NA
CVE URL: NA
OVE-ID: OVE-20160808-0001
OVI-ID: NA
CWE-ID: CWE-671
CVSS 2.0: 7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)
Impact
======
The system uses an unencrypted connection. This means all information including username and \
password are transmitted in cleartext. Furthermore there is no protection against Cross Site \
Request Forgery attacks. This can be used by an attacker to change the admin credentials by \
tricking an administrative user to activate a malicious form. Also the application misses input \
validation and output encoding. This can be used to store JavaScript Code inside an input \
field. Moreover the system contains a non-documented root backdoor via telnet using a fixed \
password which can be abused within the local network to compromise the entire system. \
Addionally the system contains an outdated version of the DHCP client which is suspectible to \
shell injection via the DHCP server.
Issue Description
=================
The following findings are only examples there are quite more. The whole application should be \
reviewed.
All items tested using FF42.
1.) Stored Cross Site Scripting:
Authentication Required: Yes
PoC: Network --> Cameras --> URL Camera X --> Payload "foo://<script>alert('bar')</script>"
The payload gets executed on the main page : http://<IP>/setting/index.htm
2.) No protection against Cross Site Request Forgery Attacks:
PoC: Changing the admin user credentials.
POST /action/adminUserPost HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://<IP>/setting/index.htm
Content-Length: 61
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Parameter: admin_new_name=evil123&admin_new_pwd=topsecret&admin_new_pwd1=topsecret
If a privileged user activates the request the admin username is set to "evil123" and the \
password is set to "topsecret".
3.) Unencrypted connection:
The application only uses HTTP, that means all traffic including the basic authentication \
(base64 encoded username:password) is transmitted in cleartext. There is no way for an user to \
set SSL/TLS in the web panel.
4.) Remote Administrative Access:
The system contains a telnet server listening on port 55023 which allows remote administrative \
access within the local network with root privileges. The password for user 'root' can be \
obtained by cracking its 8-digit single DES encrypted password from the /etc/shadow of the \
system firmware image which can be downloaded from the vendor's website. \
(http://www.lupus-electronics.de/documents/lupusec_xt1_firmware_update_1.0.80.zip) This leads \
to full access to the entire system.
5.) Denial of Service:
The MiniUPnP Server is prone to a Denial of Service attack (CVE-2013-0229) which can lead to an \
inaccessible UPnP service. A suitable MSF-Module (miniupnpd_dos) is available and leads to a \
successful attack against the service.
Temporary Workaround and Fix
============================
FOXMOLE advises to deactivate the Lupusec XT1 alarm system until the vendor
publishes a complete fix. The vendor is working on an update.
History
=======
2016-07-20 Issue discovered
2016-08-19 Vendor contacted
2016-08-26 Vendor requested for new information, without reply.
2016-09-19 Vendor requested for new information, without reply.
2016-09-29 Vendor informed about release on the 30th of september. Vendor response: Working on \
update. 2016-10-24 Vendor contacted about firmware update. Vendor response: firmware update \
will be released until 2016-10-26 2016-10-28 Advisory released
GPG Signature
=============
This advisory is signed with the GPG key of the FOXMOLE advisories team.
The key can be downloaded here: https://www.foxmole.com/advisories-key-3812092199E3277C.asc
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCAAGBQJYE1q/AAoJEDgSCSGZ4yd8kroP/27eyowMLcfIxDQYQsPdwyl9
A23iXLMKPzC7/nO8X8d8OFfJ7WA/8L7VHPc/9RdII4RqN9W6x90o6Mb1LZYXL8lj
bbZwi9nAyM6J7mvILfsrj345ZQ72tnCh+yMo2m/PlRW5Y7r14K2Cnrd/7AIMln8q
8fK5ou/4rEwb5XjWyDGHu8xaYMYtlWNnFmNdOfWPWWFGrh5TXP9cep/UomSVgcC/
cV4xd8hMK+0LQxubgdZheLyMQajAWm9AbWjbewW3kQYJZzO60nlQi2k90Ty6rIYf
ERrjphimiGM3AIyfnDX8tzOgsM78kOfdLGo0gYYsMsYO9fAU5uCrLJ+qQUt87sv6
9WX0+EgUdLPImYdNEYtQZ9wxrBUMq2G35/gdS4EOyjfiyYTRGp3SkzNyBPTjDn/6
/iaAbmZKE7u4cAnHFxKnYxcTlfkrKHWhvuzkYJk4kRCgwi8N6k8MPwQcwpCNnCAx
Lo8agV/N1WA1zN+4EpebAtghRXVWvm3F2GH0gcyUzmAg/Y7Vq4qJuCV9XRoDLxGq
EiGEDEi1PXhZqlv3a1DeVPoRdxpyHgPbXkVWHIg7qQURbx5fHPfGiiHc6epgcOuP
h+Fv+sCKwHv7CTWd08k8oEgXb5IwS0bGgzwQGFFt7AnMR5W+i+lhQDLE/v+BO44z
gAqHnyyjrNtXgFvOOOQL
=M7kq
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic