(CVE-2019-12774 –> CVE-2019-12777) ENTTEC Lighting Controllers Vulnerabilities
In March 2019 I discovered numerous vulnerabilities in a number of ENTTEC’s Lighting Controller products. These vulnerabilities were identified in the current firmware versions publicly available from ENTTEC’s website product pages.
According to the company’s website, ENTTEC are “Leaders in the expert design and manufacture of LED lights and controls, ENTTEC are an Australian company operating on a global scale. We are proud that our products have played a role in projects for a range of international clientele, including:”
In order to replicate, verify, remediate, or discover further vulnerabilities in the product firmware, the following steps can be taken by researchers.
Obtain the product firmware from ENTTEC’s product pages.
```shell
wget http://dol2kh495zr52.cloudfront.net/download/dg_mk2/70044_update_05032019-482.bin
```
Extract the contents of firmware using binwalk:
```shell
binwalk -e 70044_update_05032019-482.bin
```
Uncompress the POSIX tar archive:
```shell
tar xvf _70044_update_05032019-482.bin.extracted/0
```
Change into the extracted firmware directory and search it for backdoors, weaknesses, and other interesting data. For example, to find hard-coded SSH keys, issue the following command:
```shell
cd dg_update && find ./ -name authorized_keys
./revB/system/authorized_keys
./system/authorized_keys
```
#### (CVE-2019-12776) Hard-coded SSH Keys ####
Products: Datagate Mk2, Storm 24, Pixelator, E-Streamer Mk2
Versions: Latest product firmware revA, revB, and potentially previous firmware versions
Vendor: ENTTEC Pty Ltd
CVE-ID: CVE-2019-12776
CWE: CWE-321 Use of Hard-coded Cryptographic Key
The latest firmware provided by ENTTEC for their lighting controller products includes hard-coded SSH keys for remote SSH and SCP access as the root user. The command located on line 145 of the relocate script and line 126 of the relocate_revB script copies the hard-coded key to the root user’s authorized_keys file, enabling anyone with the associated private key to gain remote root access to all affected products. The following command is executed by the firmware to copy the hard-coded key to the root user’s authorized_keys file.
```shell
cp -f $SYSTEM_DIR/authorized_keys /root/.ssh/authorized_keys
```
The following hard-coded SSH key exists in the latest revA and revB firmware versions for Datagate Mk2, Storm 24, and Pixelator products.
```
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAmPWrQGUkItC/YilJ/HcupVU41MKpu5AsysKLLOuiSOvMOLiEh50dausAO+njQRya5Oxb22BktEsSFn4zOsQdsG0SwBxr8T7lm12ltN7Y60KL2O2ZVfpUTgMWRA3qXUXhs7XkIDQpaLmJfFvthGgPAtyBJgLWZV/7btJSEX4e5oiD7/PNDXq6fJhRIk9pNH2YpjT75DG9YFY/kQqhX0/uYpJEB5pZIC0ZrgBpSCGwc5ojiKNY8THj43gQLWiDCHuRhza38T2BHS/Vd+IVJvy7pHO/M3raNsLVyDJogTthoPX4Y24XCXLMq2sYJgxInENXsQaWLNsiFSnGCDFn03owBw== root@web01
```
The following hard-coded SSH key exists in the latest revB firmware version for the E-Streamer Mk2 product.
```
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA3AOykf0hXvHmyL3lCmyOLucU1EYmXgZkIsnkV8n0JrdhgQgCXxnqpbyJOxOxUlV2KVMfgQtb3ybddjFQvs23IAK44/a1CTsjye8o+5ZLsv8/uPFwjdAfMCKRVdJTIC/0aA36WPkrX+lIaq2n1Ha5GueH2Hfu9b0KD8ukVeIDAEtugF0cdDAwRDeduyGBLNM3p74pFlN9hva+VzsnWYPRsvRbC04sxjZOM/woaf/3HUbLUprMAyW2qrRTEIX4rmNyEHNxcKX9vvQZ8rjmWKtADXu6f9hV8g65ePIkHzE29m90UDHvO8U66LJ4uSemE+OCKdWaM/m9LKmZisIODC9hPQ== root@web01
```
Customers using affected ENTTEC lighting controller products should consider removing the hard-coded SSH keys from /root/.ssh/authorized_keys and ensure appropriate controls are taken to limit remote access to the device from unauthorised systems. Devices should be located behind appropriate firewalls and network controls, and not accessible from the Internet.
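Once the find command in the steps above has located the authorized_keys files, a defender wants a fingerprint for each key so that devices in the field can be checked against the keys published here and the matching entries removed. The following Python is an added example, not ENTTEC’s code or part of the original advisory: it parses authorized_keys content, reports key type, RSA modulus size and comment, and computes the same SHA256 fingerprint that ssh-keygen -lf prints, using the two keys quoted above as sample input.

```python
import base64
import hashlib
import struct

# Sample input: the two public keys quoted in this advisory, laid out as the
# entries of an authorized_keys file (one entry per line).
AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAmPWrQGUkItC/YilJ/HcupVU41MKpu5AsysKLLOuiSOvMOLiEh50dausAO+njQRya5Oxb22BktEsSFn4zOsQdsG0SwBxr8T7lm12ltN7Y60KL2O2ZVfpUTgMWRA3qXUXhs7XkIDQpaLmJfFvthGgPAtyBJgLWZV/7btJSEX4e5oiD7/PNDXq6fJhRIk9pNH2YpjT75DG9YFY/kQqhX0/uYpJEB5pZIC0ZrgBpSCGwc5ojiKNY8THj43gQLWiDCHuRhza38T2BHS/Vd+IVJvy7pHO/M3raNsLVyDJogTthoPX4Y24XCXLMq2sYJgxInENXsQaWLNsiFSnGCDFn03owBw== root@web01
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA3AOykf0hXvHmyL3lCmyOLucU1EYmXgZkIsnkV8n0JrdhgQgCXxnqpbyJOxOxUlV2KVMfgQtb3ybddjFQvs23IAK44/a1CTsjye8o+5ZLsv8/uPFwjdAfMCKRVdJTIC/0aA36WPkrX+lIaq2n1Ha5GueH2Hfu9b0KD8ukVeIDAEtugF0cdDAwRDeduyGBLNM3p74pFlN9hva+VzsnWYPRsvRbC04sxjZOM/woaf/3HUbLUprMAyW2qrRTEIX4rmNyEHNxcKX9vvQZ8rjmWKtADXu6f9hV8g65ePIkHzE29m90UDHvO8U66LJ4uSemE+OCKdWaM/m9LKmZisIODC9hPQ== root@web01
"""

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def _read_string(blob, off):
    """Read one SSH wire-format string: 4-byte big-endian length, then bytes."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_authorized_key(line):
    """Parse one entry into key type, RSA modulus bits, comment and fingerprint."""
    parts = line.split()
    # options such as from="..." may precede the key type; skip to it
    idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPES)), None)
    if idx is None or idx + 1 >= len(parts):
        raise ValueError("not an authorized_keys entry: %r" % line)
    ktype, comment = parts[idx], " ".join(parts[idx + 2:])
    blob = base64.b64decode(parts[idx + 1], validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type != ktype.encode():
        raise ValueError("key type %s does not match wire format" % ktype)
    bits = None
    if ktype == "ssh-rsa":  # wire format: type, exponent e, modulus n
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
    # OpenSSH fingerprint: SHA256 of the raw blob, base64 without '=' padding
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": ktype, "bits": bits, "comment": comment, "fingerprint": "SHA256:" + digest}

def audit_authorized_keys(text):
    """Return one record per key entry, skipping blank lines and comments."""
    return [parse_authorized_key(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

if __name__ == "__main__":
    for rec in audit_authorized_keys(AUTHORIZED_KEYS):
        print("%(type)s %(bits)s %(fingerprint)s %(comment)s" % rec)
```

Run it against /root/.ssh/authorized_keys pulled from a device and compare the printed fingerprints with those computed from the keys above; any match is an entry to delete.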
#### (CVE-2019-12774) Unauthenticated Stored Cross-site Scripting (XSS) ####
Products: Datagate Mk2
Versions: Latest product firmware version
Vendor: ENTTEC Pty Ltd
CVE-ID: CVE-2019-12774
CWE: CWE-79 Improper neutralization of user supplied input
A number of stored XSS vulnerabilities have been identified in ENTTEC’s Datagate Mk2 web configuration software which could allow an unauthenticated threat actor to inject malicious code directly into the application.
The following screenshot shows the malicious code being stored in the Profile Description field in the Datagate Mk2 Profile Editor.
The following screenshot shows the execution of the injected malicious code to obtain a user’s PHP session ID when visiting the Profiles page on the Datagate Mk2 web application.
Customers using the affected ENTTEC Datagate Mk2 product should ensure appropriate controls are taken to limit remote unauthenticated access to the Datagate Mk2’s web application from unauthorised systems. Devices should be located behind appropriate firewalls and network controls, and not accessible from the Internet.
#### (CVE-2019-12775) Weak Privileged Access Control ####
Products: Datagate Mk2, Storm 24, Pixelator, E-Streamer Mk2
Versions: Latest product firmware revA, revB, and potentially previous firmware versions
Vendor: ENTTEC Pty Ltd
CVE-ID: CVE-2019-12775
CWE: CWE-284 Improper Access Control
The latest firmware provided by ENTTEC for their lighting controller products enables high privileged root access via sudo capability without requiring appropriate access control. Furthermore, the user account which controls the web application service is granted full access to run any system commands from an elevated privilege without the need for password authentication. Should vulnerabilities be identified and exploited within the web application it may be possible for a threat actor to create or run high privileged binaries or executables which are available within the operating system of the device.
The following shows a subset of the weak privilege access controls applied to all devices running the latest revision A and/or revision B firmware.
```
# User privilege specification
Root ALL=(ALL) ALL
#No passwd
www-data ALL=(ALL) NOPASSWD: ALL
root ALL=(ALL) NOPASSWD: ALL
```
Both the relocate and the relocate_revB shell scripts copy the weak sudoers configuration file to the device when executed.
```shell
cp -f $CONFIG_DIR/sudoers /etc/sudoers
```
Customers using the affected ENTTEC products should ensure appropriate controls are taken to limit access to the product and/or associated web application. Devices should be located behind appropriate firewalls and network controls, and not accessible from the Internet.
#### (CVE-2019-12777) Weak Directory Permissions ####
Products: Datagate Mk2, Storm 24, Pixelator, E-Streamer Mk2
Versions: Latest product firmware revA, revB, and potentially previous firmware versions
Vendor: ENTTEC Pty Ltd
CVE-ID: CVE-2019-12777
CWE: CWE-732 Incorrect Permission Assignment for Critical Resource
The latest firmware provided by ENTTEC for their lighting controller products replaces secure and protected directory permissions set as default by the underlying operating system with highly insecure read, write, and execute directory permissions for all users. By default, /usr/local and all of its subdirectories should have permissions set to only allow non-privileged users to read and execute from the tree structure, and to deny users from creating or editing files in this location. ENTTEC’s firmware startup script permits all users to read, write, and execute (rwxrwxrwx) from the /usr, /usr/local, /usr/local/dmxis, and /usr/local/bin/ directories.
The following is a subset of the startup script showing the weak directory permissions being set.
```shell
chmod 777 /usr
chmod 777 /usr/local/
chmod 777 /usr/local/bin/
## change permissions on dmxis folder
if [ -d /usr/local/dmxis ]; then
  chmod 777 /usr/local/dmxis
else
  cd /usr/local; mkdir dmxis
fi
# only if dir is not empty
if [ "$(ls -A $DMXIS_DIR)" ]; then
  cd $DMXIS_DIR; chmod 666 *
  chmod 777 $DMXIS_DIR
fi
```
Customers using the affected ENTTEC products should ensure appropriate controls are taken to limit access to the product and/or associated web application. Devices should be located behind appropriate firewalls and network controls, and not accessible from the Internet.
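The sudoers rules quoted under CVE-2019-12775 and the chmod lines quoted under CVE-2019-12777 are both findings a reviewer can check mechanically across an extracted firmware tree rather than by eye. The Python below is an added example, not ENTTEC’s code or part of the original advisory: audit_sudoers flags rules that grant ALL commands either without a password or to a user other than root, and audit_chmod flags chmod calls whose octal mode sets the other-write bit. The sample inputs are constructed from the subsets quoted above (the sudoers Root entry lowercased, one non-flagged 755 line added with a hypothetical path).

```python
import re

# Constructed sample: the sudoers subset quoted under CVE-2019-12775 (Root lowercased).
SUDOERS = """\
# User privilege specification
root ALL=(ALL) ALL
#No passwd
www-data ALL=(ALL) NOPASSWD: ALL
root ALL=(ALL) NOPASSWD: ALL
"""

# Constructed sample: chmod lines from the startup script quoted under CVE-2019-12777.
STARTUP_SCRIPT = """\
chmod 777 /usr
chmod 777 /usr/local/
chmod 777 /usr/local/bin/
if [ -d /usr/local/dmxis ]; then chmod 777 /usr/local/dmxis; fi
chmod 755 /usr/local/bin/dmxis-launcher   # hypothetical path, not flagged
cd $DMXIS_DIR; chmod 666 *
"""

# user host=(runas) [TAG: ...] commands; Defaults and alias lines are skipped below
SUDO_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?"
    r"\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def audit_sudoers(text):
    """Return (line, user, tag, commands) for rules that grant ALL commands
    without a password or to a user other than root."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = SUDO_RULE.match(line) if line else None
        if not m or m["user"] == "Defaults" or m["user"].endswith("_Alias"):
            continue
        cmds, nopasswd = m["cmds"].strip(), "NOPASSWD:" in m["tags"]
        if cmds == "ALL" and (nopasswd or m["user"] != "root"):
            findings.append((lineno, m["user"], "NOPASSWD" if nopasswd else "password", cmds))
    return findings

CHMOD = re.compile(r"\bchmod\s+(?:-\w+\s+)*([0-7]{3,4})\s+([^\s;]+)")

def audit_chmod(script):
    """Return (line, target, mode) for chmod calls whose octal mode sets the other-write bit."""
    findings = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        for mode, target in CHMOD.findall(raw.split("#", 1)[0]):
            if int(mode, 8) & 0o002:  # any local user could modify the target
                findings.append((lineno, target, mode))
    return findings
```

Targets that are shell variables (such as $DMXIS_DIR) or globs are reported with the raw argument so the reviewer can resolve them against the rest of the script.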