1. Advisory Information
Title: Advantech EKI-6340 Command Injection
Advisory ID: CORE-2014-0009
Advisory URL: http://www.coresecurity.com/advisories/advantech-eki-6340-command-injection
Date published: 2014-11-19
Date of last update: 2014-11-19
Vendors contacted: Advantech
Release mode: User release
2. Vulnerability Information
3. Vulnerability Description
The Advantech EKI-6340  series are wireless Mesh AP for outdoor deployment. With self-healing and self-forming capabilities, the wireless network is free from interruption even part of Mesh nodes failed. It's especially critical to infrastructures where wired solutions are hard to deploy. This Mesh network covers growing rich data demands such as video security, surveillance and entertainment.
Advantech EKI-6340 series is vulnerable to a OS Command Injection, which can be exploited by remote attackers to execute arbitrary code and commands, by using a non privileged user against a vulnerable CGI file.
4. Vulnerable packages
- Advantech EKI-6340 V2.05
- Other versions may probably be affected too, but they were not checked.
5. Vendor Information, Solutions and Workarounds
Considering that the vendor is not going to fix or update this device the following recommendations should be taken into consideration in case of using a vulnerable device:
- Change the 'guest' user password (or delete the user in case is not used)
- Edit the fshttpd.conf and remove the line 'guest_allow=/cgi/ping.cgi'.
- Check that the 'admin' user doesn't have the default password as well.
This vulnerability was discovered and researched by Facundo Pantaleo and Flavio Cangini from Core Security Engineering Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Advisories Team.
7. Technical Description / Proof of Concept Code
This vulnerability is caused by an incorrect sanitization of the input parameters of the file "ping.cgi" that is a symbolic link of "utility.cgi". It allows to concatenate commands after the IP address parameter, therefore enabling a user to inject OS commands. The "call_ping" function inside the file "/usr/webui/webroot/cgi/utility.cgi" is where the vulnerability lays.
The CGI file requieres authentication, but the "admin" user is not the only one allowed to execute it. Based on the webservers default configuration file, the "guest" has permissons over it as well. This user is rarely disbled and its password tends to remain unchanged. This default credentials are username "user" and password "user" as well. Below is an example of the webserver (based on Mongoose webserver ) default configuration file "fshttpd.conf":
listening_ports=80,443s user_admin=admin pass_admin=admin user_guest=user pass_guest=user document_root=/usr/webui/webroot authorize_uri=/authorize unauthorize_uri=/unauthorize login_uri=/login.html logout_uri=/logout.html login_fail_uri=/err/login_fail.html sessions_full_uri=/err/nosessions.html no_redirect_uri=/cgi/fwupstatus.cgi guest_allow=/admin/FWUPStatus.html guest_allow=/status/* guest_allow=/utility/Ping.html guest_allow=/utility/RssiCalc.html guest_allow=/utility/FresnelZone.html guest_allow=/cgi/ping.cgi guest_allow=/cgi/status_query.cgi guest_allow=/cgi/nodeinfo_query_MAC.cgi guest_allow=/cgi/nodeinfo_query.cgi guest_allow=/cgi/nodeinfo_query_AP.cgi guest_allow=/cgi/fwupstatus.cgi nologin_allow=/ nologin_allow=/index.* nologin_allow=/css/* nologin_allow=/template/* nologin_allow=/images/* nologin_allow=/images/dhtmlxcalendar_dhx_skyblue/* nologin_allow=/js/* nologin_allow=/favicon.ico nologin_allow=/err/*
7.1. Proof of Concept
http://localhost:80/cgi/ping.cgi?pinghost=127.0.0.1;sleep%2010&pingsize=3 When requested for credentials use the following: User: user Password: user
8. Report Timeline
- 2014-10-01: Initial notification sent to ICS-CERT informing of the vulnerability and requesting the vendor's contact information.
- 2014-10-01: ICS-CERT informs that they will ask the vendor if they want to coordinate directly with us or if they prefer to have ICS-CERT mediate. They request the vulnerability report.
- 2014-10-01: ICS-CERT informs that the vendor answered that they would like the ICS-CERT to mediate the coordination of the advisory. They requested again the vulnerability report.
- 2014-10-01: We send the vulnerability detail, including technical description and a PoC.
- 2014-10-09: We request a status update on the reported vulnerability.
- 2014-10-20: ICS-CERT informs that the vendor plans to discontinue EKI-6340 early next year and therefore they will not fix it.
- 2014-11-13: We inform them that we will publish this advisory as user release on Wednesday 19th of November.
- 2014-11-19: Advisory CORE-2014-0009 published.
10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
11. About Core Security
Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.