SEC Consult SA-20140710-2 :: Multiple critical vulnerabilities in

Board: Bugtraq, posted 2014/07/12 03:01
SEC Consult Vulnerability Lab Security Advisory < 20140710-2 >
=======================================================================
              title: Multiple critical vulnerabilities
            product: Schrack MICROCONTROL emergency light system
 vulnerable version: before 1.7.0 (937)
      fixed version: 1.7.0 (937)
             impact: critical
           homepage: http://www.schrack.at/shop/sicherheitsbeleuchtung.html
              found: 2014-02-05
                 by: C. Kudera
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"The microControl is a decentralized power supply system with limited power
(LowPower system) for 1-, 3- or 8-hour operation. This system combines the
high reliability of a decentralized single-battery system with the ease and
comfort of a central battery system."

Source: http://image.schrack.com/datenblaetter/h_nlmi102_de.pdf

Business recommendation:
------------------------
The Microcontrol emergency light system, distributed by Schrack Technik GmbH,
is an autarchic emergency light system which is configurable over a web
interface. Through the vulnerabilities described in this advisory an attacker
can reconfigure the whole emergency light system without authentication.
Furthermore, he can perform attacks against the users of the web application
to deploy Cross-Site-Scripting Trojan Horses or steal sensitive data.
It is highly recommended by SEC Consult not to use this product until a
thorough security review has been performed by security professionals and
all identified issues have been resolved.

Vulnerability overview/description:
-----------------------------------
1) Access data disclosure
The access data for the ftp and telnet services is accessible without
authentication. This information enables an attacker to access the file
system of the emergency light system, where he can reconfigure the whole
system.

2) Weak default password
The password for the web interface can't be changed. The emergency light
system is always delivered with the same weak password to every customer. An
attacker can reverse engineer the firmware of the emergency light system or
request the password from Schrack Technik GmbH.

3) Permanent Cross Site Scripting (XSS)
The emergency light system doesn't encode user input properly. This leads to
Cross-Site Scripting vulnerabilities. The vulnerability can be used to
persistently include HTML or JavaScript code into the affected web page. The
code is executed in the browser of users when they visit the manipulated
site. The vulnerability can be used to change the contents of the displayed
site, redirect to other sites or steal user credentials. Additionally, users
are potential victims of browser exploits and JavaScript Trojan Horses.

4) Clear text authentication
Login data of users is transmitted in clear text. By intercepting network
traffic, an attacker can eavesdrop on authentication data and take over the
victim's account.
Proof of concept:
-----------------
1) Access data disclosure
The file ZTPUsrDtls.txt can be accessed via http://<system_ip>/ZTPUsrDtls.txt

2) Weak default password
The credentials are user:not

3) Permanent Cross Site Scripting (XSS)
Several Permanent Cross Site Scripting vulnerabilities were noticed in the
product during the audit (e.g. the position textbox in the configuration
menu).

4) Clear text authentication
The web page is only accessible via the HTTP protocol. Login data can be
recorded with a network sniffer. Furthermore, a telnet service is running
(plain text protocol).

Vulnerable / tested versions:
-----------------------------
The system tested was the MICROCONTROL 4 emergency light system.

Vendor contact timeline:
------------------------
2014-05-13: Contacted vendor through info@schrack.com, requesting encryption
            keys and attaching responsible disclosure policy
2014-05-13: Reply from vendor, no encryption keys
2014-05-13: Phone call to clarify the transmission of the advisory
            (encryption)
2014-05-13: Sending the advisory encrypted to Schrack Technik GmbH
2014-06-03: Asking for status update
2014-06-03: Receiving information regarding patch / firmware update
2014-06-11: Asking for more details about the patch / firmware update
2014-07-09: Phone call to clarify details about the patch / firmware update
2014-07-10: SEC Consult releases security advisory

Solution:
---------
1) and 2) To solve these issues, install firmware 1.7.0 (937), available by
sending a mail to info@schrack.com
3) Schrack Technik GmbH is working on a patch for this vulnerability
4) SSL is not available for the embedded system used by the product.
Schrack Technik GmbH recommends using a dedicated network segment for the
emergency light system.

Devices delivered after 2014-07-01 already contain firmware 1.7.0 (937).

Workaround:
-----------
No workaround available.
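A small detection check, added here as an example and not part of the SEC Consult advisory: it reads constructed flow-log lines and flags reads of ZTPUsrDtls.txt (issue 1) as well as any ftp, telnet or HTTP access to the light system from outside the dedicated network segment the vendor recommends (issue 4). The device address, the segment and the log format are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed values (not from the advisory): the emergency light system is
# placed in its own segment, as the vendor recommends for issue 4.
LIGHT_SYSTEM_IP = "192.0.2.10"
LIGHT_SEGMENT = ipaddress.ip_network("192.0.2.0/24")
# Plain-text services the advisory names: the HTTP web interface, ftp, telnet.
CLEAR_TEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}
# File that discloses the ftp/telnet access data without authentication (issue 1).
DISCLOSURE_PATH = "/ZTPUsrDtls.txt"

# Constructed flow-log format: <ts> <src_ip> <dst_ip> <dst_port> ["<request line>"]
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\d+)(?: "([^"]*)")?$')

@dataclass
class Finding:
    ts: str
    src: str
    reason: str

def analyse(lines):
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line, skip it
        ts, src, dst, port, request = m.groups()
        if dst != LIGHT_SYSTEM_IP:
            continue  # only traffic towards the light system is of interest
        inside = ipaddress.ip_address(src) in LIGHT_SEGMENT
        if request and DISCLOSURE_PATH in request:
            findings.append(Finding(ts, src, "read of ftp/telnet access data file"))
        if int(port) in CLEAR_TEXT_PORTS and not inside:
            findings.append(Finding(ts, src, f"{CLEAR_TEXT_PORTS[int(port)]} access from outside the light-system segment"))
    return findings

# Constructed sample log: one admin host inside the segment, one outside host.
SAMPLE_LOG = """
2014-07-10T10:00:01Z 192.0.2.20 192.0.2.10 80 "GET /index.html HTTP/1.1"
2014-07-10T10:00:05Z 198.51.100.7 192.0.2.10 80 "GET /ZTPUsrDtls.txt HTTP/1.1"
2014-07-10T10:00:09Z 198.51.100.7 192.0.2.10 23
2014-07-10T10:00:12Z 192.0.2.20 192.0.2.10 21
""".strip().splitlines()

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.ts} {f.src}: {f.reason}")
```

The ftp login from inside the segment is not reported, because the segment itself is the compensating control; only the outside host produces findings.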
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF C. Kudera / @2014