Access Control Flaws

07 Apr 2017

[ICS] Cambium ePMP SNMP Security Vulnerabilities

Cambium SNMP Security Vulnerabilities

Late last year, in 2016, I decided to take a look at the SNMP implementation in Cambium ePMP appliances. After a few hours of checking out supported OIDs and the corresponding device operations, the security issues stood out glaringly. The vendor, for the most part, attributed these (read: passed the ball) to SNMP v1/2c, which is inherently insecure; and IMO, still hasn't actually fixed the core issues. Why is this significant? Because, simply put, anyone can easily exploit these flaws to take over ePMP devices and gather sensitive information.

AFFECTED PRODUCTS

  1. Cambium ePMP 1000
  2. Cambium ePMP 2000
  3. Cambium PMP XXX
  4. Cambium ForceXXX models
  5. Potentially all other models


IMPACT
These vulnerabilities can allow an attacker to access the device configuration as well as make unauthorized changes to it.

Read on for details & poc.


07 Apr 2017

[ICS] SenNet Data Logger appliances and Electricity Meters Multiple Vulnerabilities

SenNet Data Logger appliances and Electricity Meters Multiple Vulnerabilities

About
SenNet is a trademark of Satel Spain that offers monitoring and remote-control solutions for businesses. Our engineers develop, integrate and test the products of SenNet in our facilities in Madrid (Spain).
http://www.sennetmonitoring.com/wp-content/uploads/2016/05/Datasheet_owa31I-.pdf

VULNERABILITY DETAILS
1. No access control on the remote shell
2. Shell services running with excessive privileges (superuser)
3. OS Command Injection
4. Insecure Transport

Read on for poc.


20 Mar 2017

[ICS] LAquis SCADA Advisory Access Control Vulnerability

ICS-CERT published an advisory on one of my reports recently -
https://ics-cert.us-cert.gov/advisories/ICSA-17-075-01

CVE-ID
CVE-2017-6016

Vendor: LCDS - Leão Consultoria e Desenvolvimento de Sistemas LTDA ME
Equipment: LAquis SCADA
Vulnerability: Improper Access Control

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-075-01

AFFECTED PRODUCTS

The following versions of LAquis SCADA, an industrial automation software, are affected:
LAquis SCADA software, Versions 4.1 and prior versions released before January 20, 2017.

Read on for details and poc.


05 Sep 2016

[ICS] Multiple vulnerabilities – Powerlogic/Schneider Electric IONXXXX series Smart Meters

Reported multiple security issues in Powerlogic/Schneider Electric IONXXXX series power meters.

Affected Devices
The following IONXXXX series power meter versions are affected:

  • ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series.

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-16-308-03

CVE-IDs
CVE-2016-5809
CVE-2016-5815

Read on for details and poc.


05 Jul 2016

[ICS] RS232-NET Converter (model JTC-200) – Multiple vulnerabilities

Found multiple vulnerabilities in RS232-NET Converter (model JTC-200), and have been coordinating with ICS-CERT for quite a while now. IMHO it is time for a public disclosure.

Product details -> http://www.jantek.com.tw/en/product/73

Seen deployed in:
  • CHTD, Chunghwa Telecom Co., Ltd. (Taiwan)
  • HiNet (Taiwan & China)
  • PT Comunicacoes (Portugal)
  • Sony Network Taiwan Limited (Taiwan)
  • Vodafone Portugal (Portugal)

This hardware seems to be in use on several large corporate networks, and has a backdoor shell quietly listening in offering unauthenticated access!

Read on for details and poc.


05 Jul 2016

CIMA DocuClass Enterprise Content Management – Multiple Vulnerabilities

On a recent pentest, I came across the CIMA DocuClass Enterprise Content Management application. I found multiple security vulnerabilities which can lead to unauthorized access to stored documents, access to the underlying database, and code execution on the server via SQL Injection.

There has been no response from the vendor, as expected.

Read on for poc.
