May 24, 2018

My first Exploit-DB Post!!

(Last Updated On: 31st January 2017)

Recently I’ve started to get interested in bug hunting to further my understanding of all sorts of programming languages and I highly recommend it!

Today I decided to turn my attention to the Netman 204 card by Riello, a small network management card that lets you monitor Riello UPS products and sends alerts when there are power-related issues (outages, battery temperature alerts, etc.). The firmware is readily available for download on the Riello website, so you don’t even need a product to test it against.

You’d be amazed at what the humble 7-Zip can extract, and this firmware is no different. After opening some nested archives, we land upon a directory structure for the device. It is not the generic layout of a Linux file system, but after jumping in and out of the directories we soon come across some recognisable files.

The html folder has a cgi-bin directory with a load of bash scripts that can be called from a web browser.  There are plenty of scripts in here and the first I will draw attention to is the login script as it is an interesting implementation.

# Pull the value for key $1 out of the raw query string and decode %20 back to a space.
get_parameter ()
{
echo "$query" | sed -n "s/^.*$1=\([^&]*\).*$/\1/p" | sed "s/%20/ /g"
}

# Read the parameters from the POST body or, failing that, from the GET query string.
if [ "$REQUEST_METHOD" = POST ]; then
query=$( head -c "$CONTENT_LENGTH" )
else
query="$QUERY_STRING"
fi

VAL0=$( get_parameter username )
VAL1=$( get_parameter password )

# Note the unquoted expansion: a decoded space splits a value into extra arguments.
if ./wrongpass $VAL0 $VAL1 ; then
... SNIPPED

If you can follow that then great; if not, I’ll do a quick run-through. The first function parses what the browser sends and pulls out the value associated with the key it’s given. We see it used further down with VAL0 and VAL1 to grab the username and password. These values are then passed to the custom application ‘wrongpass’, a Python wrapper for the login utility that tests credentials. What makes this interesting is that it is actually not exploitable (I couldn’t, anyway), but it does do two rather unusual things.

  1. It translates %20 back to ” ” and, because the variables are passed unquoted straight to the wrongpass command, we can actually put both values in the username parameter, like so: username%20password. Not necessarily a problem here, but quite unusual.
  2. It doesn’t care whether the input comes from GET or POST parameters, so we can log in just by browsing to http://[ip]/cgi-bin/login.cgi?username=username%20password.
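To make the word-splitting quirk concrete, here is an added example (not the Netman 204 firmware's own code) that reimplements the get_parameter() logic from the script against a constructed query string, shows the unquoted call splitting a decoded space into an extra argument, and puts a quoted call and an allow-list check beside it. The function fake_wrongpass is an assumed stub standing in for the vendor's ./wrongpass binary; it only reports how many arguments it received.

```shell
#!/bin/sh
# Constructed input: the password smuggled into the username via %20.
query='username=admin%20secret&password=x'

# Same sed pipeline as the firmware script: pick the value for key $1 and
# decode %20 back to a space.
get_parameter() {
  echo "$query" | sed -n "s/^.*$1=\([^&]*\).*$/\1/p" | sed "s/%20/ /g"
}

# Stub for ./wrongpass (assumed, not the vendor's): prints its argv count.
fake_wrongpass() { echo "$#"; }

# Original style: unquoted expansion. The decoded space inside the username
# splits it, so the stub sees three arguments instead of two.
argc_unquoted() {
  VAL0=$( get_parameter username )
  VAL1=$( get_parameter password )
  fake_wrongpass $VAL0 $VAL1
}

# Hardened: quoted expansion keeps each parameter as exactly one argument.
argc_quoted() {
  VAL0=$( get_parameter username )
  VAL1=$( get_parameter password )
  fake_wrongpass "$VAL0" "$VAL1"
}

# Hardened further: reject empty values and anything outside a conservative
# character allow-list before it reaches the credential checker at all.
valid_param() {
  case "$1" in
    ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    *) return 0 ;;
  esac
}
```

Running the unquoted variant prints 3 and the quoted one prints 2, which is the whole difference between "username%20password" working and not.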

Very odd indeed, but not necessarily a security problem. The fact that wrongpass uses the login command, though, shows us that the OS is managing the credentials. A quick look reveals that a shadow file is included in the firmware image too. As it happens, this file is used to reset all the system passwords, but we will come back to that later. There are a number of accounts listed in the shadow file, but oddly one of them doesn’t have an associated password reset script in the cgi folder. I guess that makes it a vendor backdoor account! Unfortunately, when I Googled the account name it transpired that this was in fact discovered last September, so it has been “public” knowledge for quite some time.

Okay, so we have an account with a simple password (I won’t record it here) that cannot be changed through conventional administrative means. The Exploit-DB article from September does, however, provide a method for gaining shell access through SSH, so a diligent admin could go in and change it through less conventional means.

My final discovery of the day was the recover2.cgi script, which allows someone to reset all of the account passwords after providing their MAC address to Riello support. Unfortunately the process by which it does this is rather simple and should probably be restricted to console access.

The process is documented in my Exploit-DB article, but in short you take the MAC address, prefix it with “204:” and generate an MD5 hash of the result. A substring of this hash becomes the secret key, which is passed in by browsing to the URL:

http://[ip]/recover2.cgi?password=[SecretKey]

If only you could find out the MAC address remotely… Well, if you are on the same subnet you could just ping it and view your ARP table.

Note: As I said, the ship has sailed on this one since it was made public last September, but at least I had some fun finding this stuff! Unfortunately the interaction between this card and the underlying UPS is beyond my skillset (for now?), so this bug could only be used to deny the UPS monitoring functionality or perhaps as a SOCKS proxy pivot once SSH is enabled through the web UI.


Simon is a sysadmin for Local Government in North Yorkshire with a real passion for security and coding.


