Eisbar SCADA Script Insertion
Posted on 22 May 2015
Document Title: =============== Eisbär SCADA (All Versions - iOS, Android & W8) - Persistent UI Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1456 Release Date: ============= 2015-05-19 Vulnerability Laboratory ID (VL-ID): ==================================== 1456 Common Vulnerability Scoring System: ==================================== 5.2 Product & Service Introduction: =============================== Polar Bear KNX is a modern EIB or KNX visualization for all types of buildings. Applications: lighting, shading, heating, air conditioning, Ventilation and security integration and integrated control reduce capital and operating costs of buildings and systems, Flexibility in use and their adaptation, comfort, safety and optimization of running processes. (Copy of the Vendor Homepage: https://itunes.apple.com/en/app/eisbaer/id777598405 & http://www.busbaer.de/newbb_plus,viewtopic,topic_id,971,forum,81.html ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered an application-side input validation vulnerability in the Eisbär SCADA v2.1.454.814 & v2.1.11 (iOS, Android & W8) application. Vulnerability Disclosure Timeline: ================================== 2015-05-19: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Alexander Maier GmbH Product: Eisbär SCADA - Mobile (Google Android, Windows Phone & Apple iOS) 2.1.11 Alexander Maier GmbH Product: Eisbär SCADA - Software 2.1.454.814 Exploitation Technique: ======================= Local Severity Level: =============== Medium Technical Details & Description: ================================ An application-side input validation web vulnerability has been discovered in the officialEisbär SCADA v2.1.454.814 & v2.1.11 (iOS, Android & W8) application. The security vulnerability allows an attacker to inject own script code to the application-side of the affected mobile software to compromise connected scada services. We setup a secure environment that was able to execute scada controlled functions in our company by an android, ios and windows mobile device. Due to the implementation we discovered that the server configuration input impacts a common security risk. The vulnerability is located in the `server name` value of the main network server settings module. Local attackers with physical device access are able to manipulate the `netzwerk server name` input to compromise the mobile application or connected eisbär scada services. The attacker includes a own script code payload to the servername and is able to execute the function in the server index listing and edit mode. The attacker can prepare a qr code with a final configuration that impact a malicious injected server name. The execution of the payload occurs after the scan or on review of the server listing. The servername value is also in use by the Eisbär Solutions section with the DoorPhone-Knoten service. We verified that the main server name component can be used to unauthorized execute a function in the connected scada service. The servername can be changed by the app or in the node directly to manipulate the communication permanently. The connection to the Polar Bear SCADA server is multi-client capable and configuration data required for the network settings of the app can be automatically transferred via QR code. In polar bears v2.1 there are also refer to a QR code component. The security risk of the application-side web vulnerabilities are estimated as medium with a cvss (common vulnerability scoring system) count of 5.2. Exploitation of the persistent input validation web vulnerability requires a low privilege application user account and low user interaction (click). Successful exploitation of the persistent web vulnerability results in mobile application/device compromise or connected service component manipulation. Request Method(s): [+] [Sync] Vulnerable Module(s): [+] Home > Server (Netzwerk) Vulnerable Parameter(s): [+] servername (name) Affected Module(s): [+] Home Index Server Listing [+] Edit Server Entries Proof of Concept (PoC): ======================= The application-side input validation web vulnerability can be exploited by local attackers with low privileged application user account and low user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Install the mobile application to your windows phone, ios or android mobile device 2. Start the application 3. Configure a service that is successful connected with functions 4. Surf to the existing server home index listing 5. Change the internal or external server with existing address and payload 6. Save the input 7. The execution occurs in the main index server listing 8. Click the arrow next to the injected code 9. The second execution occurs in the header section were the servername description becomes visible 10. Successful reproduce of the security vulnerability! Note: Include as payload a server that exists and attach your payload for a successful execution! The connection to the Polar Bear SCADA server is multi-client capable and configuration data required for the network settings of the app can be automatically transferred via QR code. In polar bears v2.1 there are also refer to a QR code component. Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure parse and encode of the netzwerk - servername value. Restrict the input field and disallow the usage of script code tags and special chars. Filter the server name output in the edit mode and parse also the index listing output with the servername. Security Risk: ============== The security risk of the application-side input validation vulnerability in the server configuration is estimated as medium. (CVSS 5.2) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
