-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 === FOXMOLE - Security Advisory 2016-07-20 === Lupusec XT1 Alarm System - Multiple Issues ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Affected Versions ================= Lupusec XT1 fw 1.0.80 Issue Overview ============== Vulnerability Type: Cross Site Scripting, Cross Site Request Forgery, Unencrypted Connection, Remote Administrative Access, Denial of Service Technical Risk: critical Likelihood of Exploitation: medium Vendor: Lupus-Electronics Vendor URL: https://www.lupus-electronics.de/ Credits: FOXMOLE employees Niklas Abel, Daniel Dilger, Tim Herres, Sascha Kettler Advisory URL: https://www.foxmole.com/advisories/foxmole-2016-07-20.txt Advisory Status: Private CVE-Number: NA CVE URL: NA OVE-ID: OVE-20160808-0001 OVI-ID: NA CWE-ID: CWE-671 CVSS 2.0: 7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C) Impact ====== The system uses an unencrypted connection. This means all information including username and password are transmitted in cleartext. Furthermore there is no protection against Cross Site Request Forgery attacks. This can be used by an attacker to change the admin credentials by tricking an administrative user to activate a malicious form. Also the application misses input validation and output encoding. This can be used to store JavaScript Code inside an input field. Moreover the system contains a non-documented root backdoor via telnet using a fixed password which can be abused within the local network to compromise the entire system. Addionally the system contains an outdated version of the DHCP client which is suspectible to shell injection via the DHCP server. Issue Description ================= The following findings are only examples there are quite more. The whole application should be reviewed. All items tested using FF42. 1.) Stored Cross Site Scripting: Authentication Required: Yes PoC: Network --> Cameras --> URL Camera X --> Payload "foo://" The payload gets executed on the main page : http:///setting/index.htm 2.) No protection against Cross Site Request Forgery Attacks: PoC: Changing the admin user credentials. POST /action/adminUserPost HTTP/1.1 Host: User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0 Accept: text/javascript, text/html, application/xml, text/xml, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest X-Prototype-Version: 1.6.1 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Referer: http:///setting/index.htm Content-Length: 61 Authorization: Basic YWRtaW46YWRtaW4= Connection: close Parameter: admin_new_name=evil123&admin_new_pwd=topsecret&admin_new_pwd1=topsecret If a privileged user activates the request the admin username is set to "evil123" and the password is set to "topsecret". 3.) Unencrypted connection: The application only uses HTTP, that means all traffic including the basic authentication (base64 encoded username:password) is transmitted in cleartext. There is no way for an user to set SSL/TLS in the web panel. 4.) Remote Administrative Access: The system contains a telnet server listening on port 55023 which allows remote administrative access within the local network with root privileges. The password for user 'root' can be obtained by cracking its 8-digit single DES encrypted password from the /etc/shadow of the system firmware image which can be downloaded from the vendor's website. (http://www.lupus-electronics.de/documents/lupusec_xt1_firmware_update_1.0.80.zip) This leads to full access to the entire system. 5.) Denial of Service: The MiniUPnP Server is prone to a Denial of Service attack (CVE-2013-0229) which can lead to an inaccessible UPnP service. A suitable MSF-Module (miniupnpd_dos) is available and leads to a successful attack against the service. Temporary Workaround and Fix ============================ FOXMOLE advises to deactivate the Lupusec XT1 alarm system until the vendor publishes a complete fix. The vendor is working on an update. History ======= 2016-07-20 Issue discovered 2016-08-19 Vendor contacted 2016-08-26 Vendor requested for new information, without reply. 2016-09-19 Vendor requested for new information, without reply. 2016-09-29 Vendor informed about release on the 30th of september. Vendor response: Working on update. 2016-10-24 Vendor contacted about firmware update. Vendor response: firmware update will be released until 2016-10-26 2016-10-28 Advisory released GPG Signature ============= This advisory is signed with the GPG key of the FOXMOLE advisories team. The key can be downloaded here: https://www.foxmole.com/advisories-key-3812092199E3277C.asc -----BEGIN PGP SIGNATURE----- iQIcBAEBCAAGBQJYE1q/AAoJEDgSCSGZ4yd8kroP/27eyowMLcfIxDQYQsPdwyl9 A23iXLMKPzC7/nO8X8d8OFfJ7WA/8L7VHPc/9RdII4RqN9W6x90o6Mb1LZYXL8lj bbZwi9nAyM6J7mvILfsrj345ZQ72tnCh+yMo2m/PlRW5Y7r14K2Cnrd/7AIMln8q 8fK5ou/4rEwb5XjWyDGHu8xaYMYtlWNnFmNdOfWPWWFGrh5TXP9cep/UomSVgcC/ cV4xd8hMK+0LQxubgdZheLyMQajAWm9AbWjbewW3kQYJZzO60nlQi2k90Ty6rIYf ERrjphimiGM3AIyfnDX8tzOgsM78kOfdLGo0gYYsMsYO9fAU5uCrLJ+qQUt87sv6 9WX0+EgUdLPImYdNEYtQZ9wxrBUMq2G35/gdS4EOyjfiyYTRGp3SkzNyBPTjDn/6 /iaAbmZKE7u4cAnHFxKnYxcTlfkrKHWhvuzkYJk4kRCgwi8N6k8MPwQcwpCNnCAx Lo8agV/N1WA1zN+4EpebAtghRXVWvm3F2GH0gcyUzmAg/Y7Vq4qJuCV9XRoDLxGq EiGEDEi1PXhZqlv3a1DeVPoRdxpyHgPbXkVWHIg7qQURbx5fHPfGiiHc6epgcOuP h+Fv+sCKwHv7CTWd08k8oEgXb5IwS0bGgzwQGFFt7AnMR5W+i+lhQDLE/v+BO44z gAqHnyyjrNtXgFvOOOQL =M7kq -----END PGP SIGNATURE-----