exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Advantech EKI-6340 2.05 Command Injection

Advantech EKI-6340 2.05 Command Injection
Posted Nov 20, 2014
Authored by Core Security Technologies, Anibal Sacco, Facundo Pantaleo, Joaquin Rodriguez Varela, Flavio Cangini | Site coresecurity.com

Core Security Technologies Advisory - Advantech EKI-6340 series is vulnerable to an OS command injection, which can be exploited by remote attackers to execute arbitrary code and commands, by using a non privileged user against a vulnerable CGI file.

tags | exploit, remote, arbitrary, cgi
advisories | CVE-2014-8387
SHA-256 | a64726d244d547419fa3a47c114cb81761f6e477ec05f980a3199ab9e0a55aca

Advantech EKI-6340 2.05 Command Injection

Change Mirror Download
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Advantech EKI-6340 Command Injection


1. *Advisory Information*

Title: Advantech EKI-6340 Command Injection
Advisory ID: CORE-2014-0009
Advisory URL:
http://www.coresecurity.com/advisories/advantech-eki-6340-command-injection
Date published: 2014-11-19
Date of last update: 2014-11-19
Vendors contacted: Advantech
Release mode: User release


2. *Vulnerability Information*

Class: OS Command Injection [CWE-78]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-8387


3. *Vulnerability Description*


The Advantech EKI-6340 [1] series are wireless Mesh AP for outdoor
deployment. With self-healing and self-forming capabilities, the
wireless network is free from interruption even part of Mesh nodes
failed. It's especially critical to infrastructures where wired
solutions are hard to deploy. This Mesh network covers growing rich data
demands such as video security, surveillance and entertainment.

Advantech EKI-6340 series is vulnerable to a OS Command Injection,
which can be exploited by remote attackers to execute arbitrary code and
commands, by using a non privileged user against a vulnerable CGI file.


4. *Vulnerable packages*


. Advantech EKI-6340 V2.05
. Other versions may probably be affected too, but they were not checked.


5. *Vendor Information, Solutions and Workarounds*


Considering that the vendor is not going to fix or update this
device the following recommendations should be taken into consideration
in case of using a vulnerable device:

- Change the 'guest' user password (or delete the user in case
is not used)
- Edit the fshttpd.conf and remove the line
'guest_allow=/cgi/ping.cgi'.
- Check that the 'admin' user doesn't has the default password
as well.


6. *Credits*


This vulnerability was discovered and researched by Facundo Pantaleo
and Flavio Cangini from Core Security Engineering Team. The publication
of this advisory was coordinated by Joaquín Rodríguez Varela from Core
Advisories Team.


7. *Technical Description / Proof of Concept Code*


This vulnerability is caused by an incorrect sanitization of the
input parameters of the file "ping.cgi" that is a symbolic link of
"utility.cgi".
It allows to concatenate commands after the IP direction parameter,
therefore enabling a user to inject OS commands. The "call_ping"
function inside the file "/usr/webui/webroot/cgi/utility.cgi" is where
the vulnerability lays.

The CGI file requieres authentication, but the "admin" user is not
the only one allowed to execute it. Based on the webservers default
configuration file, the "guest" has permissons over it as well. This
user is rarely disbled and its password tends to remain unchanged. This
default credentials are username "user" and password "user" as well.
Below is an example of the webserver (based on Mongoose webserver [2])
default configuration file "fshttpd.conf":


/-----

listening_ports=80,443s
user_admin=admin
pass_admin=admin
user_guest=user
pass_guest=user
document_root=/usr/webui/webroot
authorize_uri=/authorize
unauthorize_uri=/unauthorize
login_uri=/login.html
logout_uri=/logout.html
login_fail_uri=/err/login_fail.html
sessions_full_uri=/err/nosessions.html
no_redirect_uri=/cgi/fwupstatus.cgi
guest_allow=/admin/FWUPStatus.html
guest_allow=/status/*
guest_allow=/utility/Ping.html
guest_allow=/utility/RssiCalc.html
guest_allow=/utility/FresnelZone.html
guest_allow=/cgi/ping.cgi
guest_allow=/cgi/status_query.cgi
guest_allow=/cgi/nodeinfo_query_MAC.cgi
guest_allow=/cgi/nodeinfo_query.cgi
guest_allow=/cgi/nodeinfo_query_AP.cgi
guest_allow=/cgi/fwupstatus.cgi
nologin_allow=/
nologin_allow=/index.*
nologin_allow=/css/*
nologin_allow=/template/*
nologin_allow=/images/*
nologin_allow=/images/dhtmlxcalendar_dhx_skyblue/*
nologin_allow=/js/*
nologin_allow=/favicon.ico
nologin_allow=/err/*

-----/


7.1. *Proof of Concept*


/-----



http://localhost:80/cgi/ping.cgi?pinghost=127.0.0.1;sleep%2010&pingsize=3

When requested for credentials use the following:

User: user
Password: user


-----/


8. *Report Timeline*

. 2014-10-01:

Initial notification sent to ICS-CERT informing of the vulnerability
and requesting the vendor's contact information.

. 2014-10-01:

ICS-CERT informs that they will ask the vendor if they want to
coordinate directly with us or if they prefer to have ICS-CERT mediate.
They request the vulnerability report.

. 2014-10-01:

ICS-CERT informs that the vendor answered that they would like the
ICS-CERT to mediate the coordination of the advisory. They requested
again the vulnerability report.

. 2014-10-01:

We send the vulnerability detail, including technical description
and a PoC.

. 2014-10-09:

We request a status update on the reported vulnerability.

. 2014-10-20:

ICS-CERT informs that the vendor plans to discontinue EKI-6340 early
next year and therefore they will not fix it.

. 2014-11-13:

We inform them that we will publish this advisory as user release on
Wednesday 19th of November.

. 2014-11-19:

Advisory CORE-2014-0009 published.


9. *References*

[1]
http://www.advantech.com.tw/products/56bfcf50-1ada-4ac6-aaf5-4e726ebad002/EKI-6340/mod_04f43dee-f991-44f1-aa1b-bbb1b30f2a72.aspx.

[2] https://code.google.com/p/mongoose/.


10. *About CoreLabs*

CoreLabs, the research center of Core Security, is charged with
anticipating the future needs and requirements for information security
technologies. We conduct our research in several important areas of
computer security including system vulnerabilities, cyber attack
planning and simulation, source code auditing, and cryptography. Our
results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.


11. *About Core Security*


Core Security enables organizations to get ahead of threats with
security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security can
be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.


12. *Disclaimer*

The contents of this advisory are copyright (c) 2014 Core Security
and (c) 2014 CoreLabs, and are licensed under a Creative Commons
Attribution Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/


13. *PGP/GPG Keys*


This advisory has been signed with the GPG key of Core Security
advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close