(0-days) ENTTEC Lighting Controllers Vulnerabilities

In March 2019 I discovered a number of vulnerabilities across several of ENTTEC’s Lighting Controller products. The vulnerabilities were identified in the current firmware versions publicly available from the product pages on ENTTEC’s website.

According to the company’s website, ENTTEC are “Leaders in the expert design and manufacture of LED lights and controls, ENTTEC are an Australian company operating on a global scale. We are proud that our products have played a role in projects for a range of international clientele, including:”

Researchers wishing to replicate, verify, or remediate these issues, or to discover further vulnerabilities in the product firmware, can take the following steps.

Obtain the product firmware from ENTTEC’s product pages.

Extract the contents of the firmware image using binwalk:

Unpack the POSIX tar archive that binwalk extracts:

Change directory into the unpacked filesystem and search it for backdoors, weaknesses, and other interesting data. For example, to find backdoor SSH keys, issue the following command:
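The three steps above as one script, added here as an example and not part of the original post or of ENTTEC’s firmware. It wraps the binwalk and tar steps in a function (binwalk 2.x options are assumed, and the function is skipped when binwalk is not installed), then greps the unpacked tree for public-key strings, private-key headers and any reference to authorized_keys. The directory layout, the file names in the constructed sample tree and the placeholder key are assumptions; the real key is not reproduced here.

```shell
#!/bin/sh
# Added example (not part of the original post or of ENTTEC's firmware):
# extract a firmware image with binwalk, unpack the tar archive it contains,
# and grep the unpacked tree for SSH key material. Script and file names in
# the sample tree and the placeholder key are assumptions.
set -u

# Steps 1 and 2: binwalk extraction into OUT, then unpack every tar archive
# binwalk carved out (assumed to be named *.tar). Returns 1 if binwalk is
# missing, so the search functions can still be used on an existing tree.
extract_firmware() {
    fw="$1"; out="$2"
    command -v binwalk >/dev/null 2>&1 || { echo "binwalk not installed" >&2; return 1; }
    binwalk -e -C "$out" "$fw"
    mkdir -p "$out/rootfs"
    find "$out" -type f -name '*.tar' | while read -r t; do
        tar -xf "$t" -C "$out/rootfs"
    done
}

# Step 3: public-key strings, private-key headers and any reference to
# authorized_keys, with file and line number. grep's exit status is
# discarded so "no findings" is not treated as an error.
find_key_material() {
    grep -rnE \
        -e 'ssh-(rsa|ed25519|dss) AAAA' \
        -e 'ecdsa-sha2-nistp[0-9]+ AAAA' \
        -e 'BEGIN (RSA |OPENSSH |EC |DSA )?PRIVATE KEY' \
        -e 'authorized_keys' \
        "$1" 2>/dev/null || true
}

count_key_material() {
    find_key_material "$1" | wc -l | tr -d ' '
}

# Constructed sample tree with the shape of the finding: a script that appends
# an embedded public key to root's authorized_keys. Not the real key or script.
build_sample_tree() {
    d="$(mktemp -d)"
    mkdir -p "$d/usr/local/bin" "$d/etc/init.d"
    echo 'ssh-rsa AAAAB3EXAMPLEPLACEHOLDERKEY== backdoor-placeholder' \
        > "$d/usr/local/bin/backdoor.pub"
    cat > "$d/usr/local/bin/relocate" <<'EOF'
#!/bin/sh
mkdir -p /root/.ssh
cat /usr/local/bin/backdoor.pub >> /root/.ssh/authorized_keys
EOF
    echo '#!/bin/sh' > "$d/etc/init.d/lighting"   # benign file, no findings
    echo "$d"
}

# Usage on a real image:
#   extract_firmware firmware.bin ./out && find_key_material ./out/rootfs
# Run with "demo" as the first argument to exercise the constructed tree.
if [ "${1:-}" = "demo" ]; then
    tree="$(build_sample_tree)"
    find_key_material "$tree"
    echo "findings: $(count_key_material "$tree")"
fi
```

The search deliberately reports every line that mentions authorized_keys, not only key strings, because the firmware finding here is a script that writes the key rather than a key sitting in a file on its own; a hit on a shell script line is the lead to follow.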

 
 
#### Hard-coded Backdoor SSH Keys ####

Products: Datagate Mk2, Storm 24, Pixelator, E-Streamer Mk2
Versions: Latest product firmware revA, revB, and potentially previous firmware versions
Vendor: ENTTEC Pty Ltd
CVE-ID: Released as 0-day. CVE not assigned

The latest firmware provided by ENTTEC for its lighting controller products installs a hard-coded SSH key that grants remote SSH and SCP access as the root user. The command on line 145 of the relocate script and line 126 of the relocate_revB script copies the hard-coded public key into the root user’s authorized_keys file, so anyone holding the corresponding private key can gain remote root access to every affected product. The firmware executes the following command to copy the key into the root user’s authorized_keys file.

The following hard-coded backdoor SSH key exists in the latest revA and revB firmware versions for Datagate Mk2, Storm 24, and Pixelator products.

The following hard-coded backdoor SSH key exists in the latest revB firmware version for the E-Streamer Mk2 product.

Customers using affected ENTTEC lighting controller products should remove the hard-coded backdoor keys from /root/.ssh/authorized_keys, verify that the keys are not re-added when the relocate script is run again, and ensure appropriate controls are in place to limit remote access to the device from unauthorised systems. Devices should be located behind appropriate firewalls and network controls, and not accessible from the Internet.
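The removal step, as an added example that is not part of the original post or of ENTTEC’s firmware: it strips specific public keys from an authorized_keys file by matching the base64 key blob rather than the whole line, so a key that has been given an options prefix or a different comment is still caught, and it keeps a backup and logs each removed entry. Every key below is a constructed placeholder; the real backdoor keys are not reproduced here.

```shell
#!/bin/sh
# Added example (not part of the original post or of ENTTEC's firmware):
# remove known backdoor public keys from an authorized_keys file by matching
# the base64 key blob, keeping a backup and logging each removed entry.
# All key material below is a constructed placeholder, not the real key.
set -u

# Print the key blob of every key line, skipping comments and handling the
# optional options prefix (e.g. command="...",no-pty) before the key type.
list_key_blobs() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 1; i < NF; i++)
              if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { print $(i+1); break } }
    ' "$1"
}

count_keys() { list_key_blobs "$1" | wc -l | tr -d ' '; }

# remove_keys AUTHORIZED_KEYS BADLIST: BADLIST holds one key blob per line.
# Lines whose blob is in BADLIST are dropped and reported on stderr; all other
# lines (comments and unrelated keys included) are preserved unchanged.
remove_keys() {
    authkeys="$1"; badlist="$2"
    cp -p "$authkeys" "$authkeys.bak"
    awk -v badfile="$badlist" '
        BEGIN { while ((getline b < badfile) > 0) if (b != "") bad[b] = 1 }
        {
            keep = 1
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/ && ($(i+1) in bad)) keep = 0
            if (keep) print; else print "removed: " $0 > "/dev/stderr"
        }' "$authkeys" > "$authkeys.tmp" && mv "$authkeys.tmp" "$authkeys"
    chmod 600 "$authkeys"
}

# Constructed sample: one legitimate administrator key plus two placeholder
# backdoor keys, one of them carrying an options prefix.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample authorized_keys
ssh-ed25519 AAAAC3EXAMPLEADMINKEY admin@workstation
ssh-rsa AAAAB3EXAMPLEBACKDOOR1== placeholder-revA
command="/bin/sh",no-pty ssh-rsa AAAAB3EXAMPLEBACKDOOR2== placeholder-revB
EOF
    printf '%s\n' AAAAB3EXAMPLEBACKDOOR1== AAAAB3EXAMPLEBACKDOOR2== > "$2"
}

# On a device, as root:
#   remove_keys /root/.ssh/authorized_keys /tmp/bad-blobs.txt
```

Matching on the blob is the important design choice: a line match on the key comment or on the key type would miss a copy of the same key added with a different comment, and a line match on the full string would miss one that has been given an options prefix. After running it on a device, re-check the file after the next reboot, since the advisory shows the key being written by a firmware script rather than by hand.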
 
 
#### Unauthenticated Stored Cross-site Scripting (XSS) ####

Products: Datagate Mk2
Versions: Latest product firmware version
Vendor: ENTTEC Pty Ltd
CVE-ID: Released as 0-day. CVE not assigned

A number of stored XSS vulnerabilities have been identified in the Datagate Mk2 web configuration application. They could allow an unauthenticated threat actor to store script in the application’s data, which is then executed in the browser of any user who views the affected page.

The following screenshot shows the malicious code being stored in the Profile Description field in the Datagate Mk2 Profile Editor.

The following screenshot shows the injected script executing when a user visits the Profiles page of the Datagate Mk2 web application, and reading that user’s PHP session ID.

Until a firmware fix is available that requires authentication for the Profile Editor and encodes user-supplied fields such as the Profile Description on output, customers using the affected ENTTEC Datagate Mk2 product should ensure appropriate controls are in place to limit remote unauthenticated access to the Datagate Mk2’s web application from unauthorised systems. Devices should be located behind appropriate firewalls and network controls, and not accessible from the Internet.
 
 
#### Weak Privileged Access Control ####

Products: Datagate Mk2, Storm 24, Pixelator, E-Streamer Mk2
Versions: Latest product firmware revA, revB, and potentially previous firmware versions
Vendor: ENTTEC Pty Ltd
CVE-ID: Released as 0-day. CVE not assigned

The latest firmware provided by ENTTEC for its lighting controller products configures sudo so that root privileges can be obtained without appropriate access control. In particular, the user account under which the web application service runs is permitted to run any system command as root without password authentication. Should a vulnerability in the web application be identified and exploited, a threat actor could use this account to create or run binaries or executables with root privileges on the device.

The following is a subset of the weak sudo privilege configuration applied to all devices running the latest revision A and/or revision B firmware.

Both the relocate and the relocate_revB shell scripts copy the weak sudoers configuration file to the device when executed.

Customers using the affected ENTTEC products should ensure appropriate controls are taken to limit access to the product and/or associated web application. Devices should be located behind appropriate firewalls and network controls, and not accessible from the Internet.
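An audit for this class of sudoers misconfiguration, added here as an example and not part of the original post or of ENTTEC’s firmware. It flags any rule that grants a non-root user or group the ALL command list, lists NOPASSWD rules separately, and shows a narrowed replacement beside the weak file. The account name www-data, the program paths in the hardened rule and every line of both files are constructed; the page does not print the real sudoers file.

```shell
#!/bin/sh
# Added example (not part of the original post or of ENTTEC's firmware):
# flag sudoers rules that let a non-root user or group run any command, list
# NOPASSWD rules, and show a narrowed replacement. The account name www-data
# and every rule below are constructed; the page does not print the real file.
set -u

# Rules whose command list is ALL, ignoring comments, Defaults, and root's own
# entry. Catches "user ALL=(ALL) ALL" and "user ALL=(ALL) NOPASSWD: ALL".
weak_sudo_rules() {
    awk '
        /^[[:space:]]*(#|Defaults)/ { next }
        $1 == "root" { next }
        NF >= 3 && $NF == "ALL" { print }
    ' "$1"
}

# Every rule that skips password authentication, weak or not.
nopasswd_rules() {
    awk '!/^[[:space:]]*#/ && /NOPASSWD:/' "$1"
}

count_weak_sudo_rules() { weak_sudo_rules "$1" | wc -l | tr -d ' '; }

# Constructed weak configuration with the shape the advisory describes:
# the web service account gets every command as root with no password.
write_weak_sudoers() {
    cat > "$1" <<'EOF'
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
www-data        ALL=(ALL) NOPASSWD: ALL
%adm            ALL=(ALL) ALL
EOF
}

# Narrowed replacement: the service account may run only the specific,
# root-owned, non-writable programs it needs (hypothetical paths).
write_hardened_sudoers() {
    cat > "$1" <<'EOF'
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
www-data        ALL=(root) NOPASSWD: /sbin/reboot, /usr/local/bin/apply-config
EOF
}

# Syntax-check a candidate file before installing it, when visudo exists.
check_sudoers_syntax() {
    command -v visudo >/dev/null 2>&1 || { echo "visudo not available, skipping check" >&2; return 0; }
    visudo -cf "$1"
}

# On a device: weak_sudo_rules /etc/sudoers; nopasswd_rules /etc/sudoers
```

Two caveats when applying the narrowed rule on a real device. First, visudo -c also checks the file’s owner and mode, so run the check as root on a file owned by root with mode 0440. Second, a NOPASSWD rule is only as strong as the programs it names: if /usr/local/bin is world-writable, as the next finding on this page describes, any local user can replace the allowed program and the narrowed rule is still a root shell. Fix the directory permissions first.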
 
 
#### Weak Directory Permissions ####

Products: Datagate Mk2, Storm 24, Pixelator, E-Streamer Mk2
Versions: Latest product firmware revA, revB, and potentially previous firmware versions
Vendor: ENTTEC Pty Ltd
CVE-ID: Released as 0-day. CVE not assigned

The latest firmware provided by ENTTEC for its lighting controller products replaces the restrictive directory permissions set by default by the underlying operating system with read, write, and execute permissions for all users. By default, /usr/local and its subdirectories allow non-privileged users only to read and execute from the tree, and deny them from creating or editing files there. ENTTEC’s firmware startup script grants all users read, write, and execute permission (rwxrwxrwx, mode 0777) on the /usr, /usr/local, /usr/local/dmxis, and /usr/local/bin/ directories, so any local user can create, delete, or replace the binaries and scripts that run from them.

The following is a subset of the startup script showing the weak directory permissions being set.

Customers using the affected ENTTEC products should ensure appropriate controls are taken to limit access to the product and/or associated web application. Devices should be located behind appropriate firewalls and network controls, and not accessible from the Internet.
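An audit and fix for the permission problem, added here as an example and not part of the original post or of ENTTEC’s firmware. It lists every directory under a tree that is writable by everyone without the sticky bit, then strips the group and other write bits, turning the 0777 the advisory describes back into 0755. It can be run against an unpacked firmware tree or, as root on a device, against /usr; the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not part of the original post or of ENTTEC's firmware):
# list directories under a tree that are writable by everyone without the
# sticky bit (the rwxrwxrwx the advisory describes), then strip the group and
# other write bits. Run it against an unpacked firmware tree or, on a device,
# against /usr. The demo tree is constructed.
set -u

# World-writable directories. Sticky-bit directories such as /tmp are
# excluded because their write bit is intentional (users can only remove
# their own entries there).
world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

count_world_writable_dirs() { world_writable_dirs "$1" | wc -l | tr -d ' '; }

# Remove write permission for group and other (0777 -> 0755), reporting each
# directory changed. Ownership is left alone.
harden_dirs() {
    world_writable_dirs "$1" | while read -r d; do
        chmod go-w "$d" && echo "fixed: $d"
    done
}

# Constructed tree mimicking chmod 777 from a startup script on the
# directories the advisory names, plus one directory left at 0755.
build_sample_tree() {
    d="$(mktemp -d)"
    mkdir -p "$d/usr/local/dmxis" "$d/usr/local/bin" "$d/usr/share"
    chmod 0777 "$d/usr" "$d/usr/local" "$d/usr/local/dmxis" "$d/usr/local/bin"
    chmod 0755 "$d/usr/share"
    echo "$d"
}

# On a device, as root:
#   world_writable_dirs /usr      # review first
#   harden_dirs /usr              # then fix
```

Because the advisory says the startup script sets these permissions, a one-off chmod on the device will be undone at the next boot; the audit function is worth re-running after a reboot, and the durable fix is for the firmware to stop setting 0777 in the first place.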