what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Paradox IP150 Internet Module 1.40.00 Cross Site Request Forgery

Paradox IP150 Internet Module 1.40.00 Cross Site Request Forgery
Posted Jun 24, 2024
Authored by Jakob Pachmann, Fabian Funder | Site sba-research.org

Paradox IP150 Internet Module version 1.40.00 suffers from a cross site request forgery vulnerability.

tags | exploit, csrf
advisories | CVE-2024-5676
SHA-256 | 9e102cbe93f6192c8caedc9ff1e998a3150ce7386317dc22ddbf5e4b3f736fbf

Paradox IP150 Internet Module 1.40.00 Cross Site Request Forgery

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# Paradox IP150 Internet Module Cross-Site Request Forgery #

Link: https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240321-01_Paradox_Cross_Site_Request_Forgery

## Vulnerability Overview ##

The Paradox IP150 Internet Module in version 1.40.00 is vulnerable to
Cross-Site Request Forgery (CSRF) attacks due to
a lack of countermeasures and the use of the HTTP method `GET` to introduce
changes in the system.

* **Identifier** : SBA-ADV-20240321-01
* **Type of Vulnerability** : Cross-Site Request Forgery (CSRF)
* **Software/Product Name** : [IP150 Internet Module](https://www.paradox.com/Products/default.asp?CATID=3&SUBCATID=38&PRD=563)
* **Vendor** : [Paradox Security Systems (Bahamas) Ltd.](https://www.paradox.com/)
* **Affected Versions** : 1.40.00 (possibly others too)
* **Fixed in Version** : Not yet
* **CVE ID** : CVE-2024-5676
* **CVSS Vector** : CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H
* **CVSS Base Score** : 6.8 (Medium)

## Vendor Description ##

> IP150
> Internet Module
> Supports SWAN Server
>
> Features
>
> * Controls and monitors a control panel through an IP network (LAN / WAN / Internet)
> * Reports control panel events via IP to the Paradox IPR512 GPRS / IP Monitoring Receiver and / or IPRS-7 GPRS / IP PC Receiver Software
> * Two I/Os on board; controlled via the web interface, triggering an email
> * Sends notification and alarm system events via email
> * Arm / Disarm individual partitions via Insite GOLD app
> * Connects to Swan for easy installation (no port forwarding)
> * Enables Insite GOLD, or BabyWare to access your system through the Internet
> * Push notification to Insite GOLD app
> * HTTPS support for improving security (HyperText Transfer Protocol Secure; a widely used communications protocol for secure communication over a computer network)
> * Very low bandwidth consumption
> * Easy installation; built-in clip for mounting in a metal box
> * Supported language: English
> * Compatible with EVO Series, Spectra SP Series, MG5000, MG5050 and MG5075

Source: <https://www.paradox.com/Products/default.asp?PID=404>

## Impact ##

An attacker can coerce an administrator into clicking a link, which issues
a HTTP request that changes the state of the system.
Depending on the configuration, meaning which downstream component is
controlled by the affected component, the impact will be different.
As an example the *IP150 Internet Module* might control an alarm unit.
Thus an attacker can deactivate the alarm by performing a CSRF attack.

## Vulnerability Description ##

The server cannot verify whether a request was sent intentionally. This
makes it possible for an attacker to trick a client into making
unintentional requests to the web server which will be treated as an
authentic request. In combination with a social engineering attack,
this allows an attacker to perform server-side actions as the victim.

In addition, the functionality of activation and deactivation of the alarm
systems, is accessed via a HTTP `GET` request.
Changing the state of the server with `GET` is discouraged in the HTTP
standard, since it is defined to be a *safe* method [1].
This makes the exploitation of the vulnerability easier, as an attacker
can craft an URL.
If the victim opens this URL, the CSRF attack is carried out and an action
is performed.

## Proof of Concept ##

For example, the following HTTP request disables the alarm in area `00`:

```http
GET /statuslive.html?area=00&value=d HTTP/1.1
Host: 192.0.2.1
```

It is vulnerable to CSRF, since it does not apply any CSRF countermeasures.
Therefore, it is possible to craft an URL that performs this action:

```text
http://192.0.2.1/statuslive.html?area=00&value=d
```

## Recommended Countermeasures ##

We are not aware of a vendor fix yet. Please contact the vendor.

A generally valid solution against CSRF, which however requires a server-side
state, is the implementation of an unpredictable token that is unique for
each session.
The OWASP project gives further recommendations [2] [3].

## Timeline ##

* `2024-02-09` Identified the vulnerability in version 1.40.00
* `2024-02-12` First contact to the system owner to acquire more information about the system configuration and version
* `2024-03-08` System owner provided all details on the affected system
* `2024-03-21` First attempt to contact vendor via support email
* `2024-04-03` Second attempt to contact vendor via web form and support email
* `2024-06-19` No reaction from vendor to all previous contact attempts
* `2024-06-19` SBA Research assigned CVE-2024-5676
* `2024-06-19` Public disclosure

## References ##

1. RFC 7231. HTTP/1.1 Semantics and Content. Safe Methods: <https://datatracker.ietf.org/doc/html/rfc7231#section-4.2.1>
2. OWASP Cheat Sheet Series. Cross-Site Request Forgery Prevention Cheat Sheet: <https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html>
3. OWASP Web Security Testing Guide (WSTG) v4.2. Testing for Cross Site Request Forgery: <https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/05-Testing_for_Cross_Site_Request_Forgery.html>

## Credits ##

* Jakob Pachmann ([SBA Research](https://www.sba-research.org/))
* Fabian Funder ([SBA Research](https://www.sba-research.org/))
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmZyq50ACgkQ+7iGL1j3
dbIISw/8CO95qAHA1sNw43g7j202gLt4zyIRHAjowX1btaOb5SwEPKgZCMa+Trnz
fF/Ck5opN/Y8QvKE4C75TJVXVZBja4cTWeNa0bqXXNlvGsUB/9y5N2d7NTAN+CLc
ew61aTFrudgjHL1hHyhzj74vt0rb44vrBlhQ562jwmHDgkixrek7m5FqLAa4nVVf
yglBLbUlvi5MVCL1v3b1P5TTTBJfThRps5xhHpMpflyxsBWAdQZ+dZb000K+P5gf
jnmMYAcDhe1Peun/ui4dYfsNapha16gpZ9vjjq0gBh+Si8t+Ri6Gup3d6AJuWVCV
zcqjrYN+kwK0/I8e25MCpPNV3rIw16Gb+8HCeSKhVXEQalF1Gw+GVUsVua65hsoa
JMF2gGN9p89Wcn5HD7Az3pv0HmdjrTghXhyf6JzP+k1NJscPbLQ9Lo7ea7Y4CBTG
zkPoPEX3Ida05YxMgMesq60fXx9/Eq7vxIJtdnJSwjJVAhbEA+phkuX201ykK7WN
iWIJVBY2EEZUOt2xBy/PLu6Eh5Bm11vCWqi8KeCyZj7OUYVNIPFbh52W+PJ9B13B
1j0gf3TZF4nIO+ncvdKw3LQINkdj3G74VwKMFqLxSJQdzxDA0kDjWvZxst45n23J
6HUGL0ur4KDQCMpeyqqgB46qF1GGl+iqAGJW4lTITUJO62EqRlo=
=HcOX
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close