Lupusec XT1 alarm system version 1.0.80 suffers from cross site request forgery, cross site scripting, insecure transit, and denial of service vulnerabilities.
=== FOXMOLE - Security Advisory 2016-07-20 ===
Lupusec XT1 Alarm System - Multiple Issues
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Affected Versions
=================
Lupusec XT1 fw 1.0.80
Issue Overview
==============
Vulnerability Type: Cross Site Scripting, Cross Site Request Forgery, Unencrypted Connection, Remote Administrative Access, Denial of Service
Technical Risk: critical
Likelihood of Exploitation: medium
Vendor: Lupus-Electronics
Vendor URL: https://www.lupus-electronics.de/
Credits: FOXMOLE employees Niklas Abel, Daniel Dilger, Tim Herres, Sascha Kettler
Advisory URL: https://www.foxmole.com/advisories/foxmole-2016-07-20.txt
Advisory Status: Private
CVE-Number: NA
CVE URL: NA
OVE-ID: OVE-20160808-0001
OVI-ID: NA
CWE-ID: CWE-671
CVSS 2.0: 7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)
Impact
======
The system uses an unencrypted connection, so all information, including the username and password, is transmitted in cleartext.
Furthermore, there is no protection against Cross Site Request Forgery attacks.
An attacker can use this to change the admin credentials by tricking an administrative user into activating a malicious form.
The application also lacks input validation and output encoding, which allows JavaScript code to be stored inside an input field.
Moreover, the system contains an undocumented root backdoor via telnet using a fixed password, which can be abused within the
local network to compromise the entire system. Additionally, the system contains an outdated version of the DHCP client
which is susceptible to shell injection via the DHCP server.
Issue Description
=================
The following findings are only examples; there are more. The whole application should be reviewed.
All items were tested using FF42.
1.) Stored Cross Site Scripting:
Authentication Required: Yes
PoC: Network --> Cameras --> URL Camera X --> Payload "foo://<script>alert('bar')</script>"
The payload gets executed on the main page: http://<IP>/setting/index.htm
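The two controls whose absence makes item 1 possible, input validation on the camera URL field and output encoding when the stored value is rendered, are sketched below. This is an added example, not vendor or FOXMOLE code; the allowed scheme list, the function names and the 192.0.2.20 address are assumptions.

```python
import html
from urllib.parse import urlsplit

# Assumption: schemes a camera stream URL may legitimately use on this panel.
ALLOWED_SCHEMES = {"http", "https", "rtsp"}
FORBIDDEN_CHARS = set("<>\"'`\\")

def validate_camera_url(value: str) -> str:
    """Input validation: return the URL unchanged, or raise ValueError."""
    if not value or len(value) > 2048:
        raise ValueError("empty or over-long URL")
    if any(ord(c) <= 0x20 or ord(c) >= 0x7F for c in value):
        raise ValueError("whitespace, control or non-ASCII character")
    if FORBIDDEN_CHARS & set(value):
        raise ValueError("character that must be percent-encoded in a URL")
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} is not allowed")
    if not parts.hostname:
        raise ValueError("URL has no host")
    return value

def render_camera_url(stored: str) -> str:
    """Output encoding: escape every stored value, link only valid ones."""
    text = html.escape(stored, quote=True)
    try:
        validate_camera_url(stored)
    except ValueError:
        return f"<span>{text}</span>"  # legacy or rejected value: inert text
    return f'<a href="{text}">{text}</a>'

# Constructed sample values; the second is the PoC string from the advisory.
GOOD_URL = "rtsp://192.0.2.20:554/stream1"
POC_VALUE = "foo://<script>alert('bar')</script>"

if __name__ == "__main__":
    print(render_camera_url(GOOD_URL))
    print(render_camera_url(POC_VALUE))
```

Encoding on output is applied even to values that fail validation, so entries stored before the check existed are rendered as inert text.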
2.) No protection against Cross Site Request Forgery Attacks:
PoC: Changing the admin user credentials.
POST /action/adminUserPost HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://<IP>/setting/index.htm
Content-Length: 61
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Parameter: admin_new_name=evil123&admin_new_pwd=topsecret&admin_new_pwd1=topsecret
If a privileged user activates the request, the admin username is set to "evil123" and the password is set to "topsecret".
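The server-side check that item 2 finds missing can be sketched as an origin comparison plus a per-session token on every state-changing request. This is an added example, not vendor or FOXMOLE code; the csrf_token field name, the function names and the 192.0.2.10 address are assumptions, and header names are assumed to arrive in canonical case.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def new_csrf_token() -> str:
    """Per-session random token, embedded in every form the panel serves."""
    return secrets.token_urlsafe(32)

def same_origin(headers: dict, panel_origin: str) -> bool:
    """Compare Origin (or, failing that, Referer) with the panel's origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when the browser sent neither header
    s = urlsplit(source)
    return f"{s.scheme}://{s.netloc}".lower() == panel_origin.lower()

def check_state_change(method, headers, form, session_token, panel_origin):
    """Return (allowed, reason) for a request to e.g. /action/adminUserPost."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if not same_origin(headers, panel_origin):
        return False, "cross-origin or missing Origin/Referer"
    sent = form.get("csrf_token", "")  # hypothetical field name
    if not sent or not hmac.compare_digest(sent.encode(), session_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"

# Constructed sample data; 192.0.2.10 stands in for the panel's <IP>.
PANEL = "http://192.0.2.10"
FORM = {"admin_new_name": "evil123", "admin_new_pwd": "topsecret",
        "admin_new_pwd1": "topsecret"}
AS_PUBLISHED = {"Referer": PANEL + "/setting/index.htm"}  # no token field
CROSS_SITE = {"Origin": "http://other-site.example"}

if __name__ == "__main__":
    token = new_csrf_token()
    print(check_state_change("POST", AS_PUBLISHED, FORM, token, PANEL))
    print(check_state_change("POST", CROSS_SITE, FORM, token, PANEL))
    print(check_state_change("POST", AS_PUBLISHED,
                             dict(FORM, csrf_token=token), token, PANEL))
```

A token of this kind is only as strong as the transport: over the plain HTTP described in item 3 it can be read off the wire, so the check belongs together with TLS.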
3.) Unencrypted connection:
The application only uses HTTP, which means all traffic, including the basic authentication (base64 encoded username:password), is transmitted in cleartext.
There is no way for a user to enable SSL/TLS in the web panel.
4.) Remote Administrative Access:
The system contains a telnet server listening on port 55023 which allows remote administrative access within the local network with root privileges.
The password for user 'root' can be obtained by cracking its 8-digit single DES encrypted password from the /etc/shadow of the system firmware image
which can be downloaded from the vendor's website. (http://www.lupus-electronics.de/documents/lupusec_xt1_firmware_update_1.0.80.zip)
This leads to full access to the entire system.
5.) Denial of Service:
The MiniUPnP Server is prone to a Denial of Service attack (CVE-2013-0229) which can lead to an inaccessible UPnP service.
A suitable MSF-Module (miniupnpd_dos) is available and leads to a successful attack against the service.
Temporary Workaround and Fix
============================
FOXMOLE advises to deactivate the Lupusec XT1 alarm system until the vendor
publishes a complete fix. The vendor is working on an update.
History
=======
2016-07-20 Issue discovered
2016-08-19 Vendor contacted
2016-08-26 Vendor requested for new information, without reply.
2016-09-19 Vendor requested for new information, without reply.
2016-09-29 Vendor informed about release on the 30th of September. Vendor response: Working on update.
2016-10-24 Vendor contacted about firmware update. Vendor response: firmware update will be released by 2016-10-26
2016-10-28 Advisory released
GPG Signature
=============
This advisory is signed with the GPG key of the FOXMOLE advisories team.
The key can be downloaded here: https://www.foxmole.com/advisories-key-3812092199E3277C.asc