[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Eisbär SCADA (All Versions - iOS, Android & W8) - Persistent UI Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx
Subject: Eisbär SCADA (All Versions - iOS, Android & W8) - Persistent UI Vulnerability
From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 20 May 2015 11:16:33 +0200
Document Title:
===============
Eisbär SCADA (All Versions - iOS, Android & W8) - Persistent UI Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1456


Release Date:
=============
2015-05-19


Vulnerability Laboratory ID (VL-ID):
====================================
1456


Common Vulnerability Scoring System:
====================================
5.2


Product & Service Introduction:
===============================
Polar Bear KNX is a modern EIB or KNX visualization for all types of buildings. 
Applications: lighting, shading, heating, air conditioning,
Ventilation and security integration and integrated control reduce capital and 
operating costs of buildings and systems, Flexibility in use and 
their adaptation, comfort, safety and optimization of running processes.

(Copy of the Vendor Homepage: 
https://itunes.apple.com/en/app/eisbaer/id777598405 & 
http://www.busbaer.de/newbb_plus,viewtopic,topic_id,971,forum,81.html )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side input 
validation vulnerability in the Eisbär SCADA v2.1.454.814 & v2.1.11 (iOS, 
Android & W8) application.


Vulnerability Disclosure Timeline:
==================================
2015-05-19: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Alexander Maier GmbH
Product: Eisbär SCADA - Mobile (Google Android, Windows Phone & Apple iOS) 
2.1.11

Alexander Maier GmbH
Product: Eisbär SCADA - Software 2.1.454.814


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in 
the officialEisbär SCADA v2.1.454.814 & v2.1.11 (iOS, Android & W8) application.
The security vulnerability allows an attacker to inject own script code to the 
application-side of the affected mobile software to compromise connected scada 
services.

We setup a secure environment that was able to execute scada controlled 
functions in our company by an android, ios and windows mobile device. Due to 
the implementation 
we discovered that the server configuration input impacts a common security 
risk.

The vulnerability is located in the `server name` value of the main network 
server settings module. Local attackers with physical device access are able to 
manipulate the 
`netzwerk server name` input to compromise the mobile application or connected 
eisbär scada services. The attacker includes a own script code payload to the 
servername 
and is able to execute the function in the server index listing and edit mode.

The attacker can prepare a qr code with a final configuration that impact a 
malicious injected server name. The execution of the payload occurs after the 
scan or on review of 
the server listing. The servername value is also in use by the Eisbär Solutions 
section with the DoorPhone-Knoten service. We verified that the main server 
name component can be 
used to unauthorized execute a function in the connected scada service. The 
servername can be changed by the app or in the node directly to manipulate the 
communication permanently.

The connection to the Polar Bear SCADA server is multi-client capable and 
configuration data required for the network settings of the app can be 
automatically 
transferred via QR code. In polar bears v2.1 there are also refer to a QR code 
component.

The security risk of the application-side web vulnerabilities are estimated as 
medium with a cvss (common vulnerability scoring system) count of 5.2. 
Exploitation of the persistent input validation web vulnerability requires a 
low privilege application user account and low user interaction (click). 
Successful exploitation of the persistent web vulnerability results in mobile 
application/device compromise or connected service component manipulation.

Request Method(s):
                                [+] [Sync]

Vulnerable Module(s):
                                [+] Home > Server (Netzwerk)

Vulnerable Parameter(s):
                                [+] servername (name)

Affected Module(s):
                                [+] Home Index Server Listing
                                [+] Edit Server Entries


Proof of Concept (PoC):
=======================
The application-side input validation web vulnerability can be exploited by 
local attackers with low privileged application user account and low user 
interaction.
For security demonstration or to reproduce the security vulnerability follow 
the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install the mobile application to your windows phone, ios or android mobile 
device
2. Start the application
3. Configure a service that is successful connected with functions
4. Surf to the existing server home index listing
5. Change the internal or external server with existing address and payload
6. Save the input
7. The execution occurs in the main index server listing
8. Click the arrow next to the injected code
9. The second execution occurs in the header section were the servername 
description becomes visible
10. Successful reproduce of the security vulnerability!

Note: Include as payload a server that exists and attach your payload for a 
successful execution! The connection to the Polar Bear SCADA server is 
multi-client capable and configuration data required for the network settings 
of the app can be automatically transferred via QR code. 
In polar bears v2.1 there are also refer to a QR code component.


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the netzwerk - 
servername value. 
Restrict the input field and disallow the usage of script code tags and  
special chars.
Filter the server name output in the edit mode and parse also the index listing 
output with the servername.


Security Risk:
==============
The security risk of the application-side input validation vulnerability in the 
server configuration is estimated as medium. (CVSS 5.2)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a 
particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential 
loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen 
material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
                        - www.evolution-sec.com
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx         - 
research@xxxxxxxxxxxxxxxxxxxxx                        - admin@xxxxxxxxxxxxxxxxx
Section:    magazine.vulnerability-db.com       - 
vulnerability-lab.com/contact.php                     - 
evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab 
                        - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php            - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - 
vulnerability-lab.com/list-of-bug-bounty-programs.php - 
vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All 
other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, 
advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To 
record, list (feed), modify, use or edit our material contact 
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a 
permission.

                                Copyright © 2015 | Vulnerability Laboratory - 
[Evolution Security GmbH]™

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
PGP KEY: 
http://www.vulnerability-lab.com/keys/admin@xxxxxxxxxxxxxxxxxxxxx%280x198E9928%29.txt
Prev by Date: Stored XSS in WP Photo Album Plus WordPress Plugin
Next by Date: [security bulletin] HPSBUX03334 SSRT102000 rev.1 - HP-UX Running OpenSSL, Remote Denial of Service (DoS) and Other Vulnerabilities
Previous by thread: Stored XSS in WP Photo Album Plus WordPress Plugin
Next by thread: [security bulletin] HPSBUX03334 SSRT102000 rev.1 - HP-UX Running OpenSSL, Remote Denial of Service (DoS) and Other Vulnerabilities
Index(es):
- Date
- Thread