Message-Id: <02F5CA2A-F6B8-4421-80B7-AA47BAA83669@dataix.net>
Date: Sun, 25 Aug 2024 06:31:26 -0500
From: "J. Hellenthal via Fulldisclosure" <fulldisclosure@...lists.org>
To: noloader@...il.com
Cc: fulldisclosure@...lists.org, Sebastian Hamann <sebastian.hamann@...s.de>
Subject: Re: [FD] [SYSS-2024-038] DiCal-RED - Use of Password Hash Instead of Password for Authentication
Correct me if I'm wrong, but I believe he is trying to relay that "on the backend", where the password hashes are stored, if accessed by those with admin access, or a bad actor if you will, gives them the immediate ability to access every account without needing to decrypt the passwords.
This is a very bad practice.
--
J. Hellenthal
The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
> On Aug 24, 2024, at 22:25, Jeffrey Walton <noloader@...il.com> wrote:
>
> There's no difference between sending the password or Hash(password)
> at the client. It is similar to (but weaker than) HTTP digest
> authentication.
>
> There's nothing to see here.
>
> Jeff
>
>> On Thu, Aug 22, 2024 at 5:13 PM Sebastian Hamann via Fulldisclosure
>> <fulldisclosure@...lists.org> wrote:
>>
>>
>> Advisory ID: SYSS-2024-038
>> Product: DiCal-RED
>> Manufacturer: Swissphone Wireless AG
>> Affected Version(s): Unknown
>> Tested Version(s): 4009
>> Vulnerability Type: Use of Password Hash Instead of Password for Authentication (CWE-836)
>> Risk Level: Medium
>> Solution Status: Open
>> Manufacturer Notification: 2024-04-16
>> Solution Date: None
>> Public Disclosure: 2024-08-20
>> CVE Reference: CVE-2024-36439
>> Author of Advisory: Sebastian Hamann, SySS GmbH
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Overview:
>>
>> DiCal-RED is a radio module for communication between emergency vehicles and
>> control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity
>> and runs a Linux- and BusyBox-based operating system.
>>
>> The manufacturer describes the product as follows (see [1]):
>>
>> "The DiCal-Red radio data module reliably guides you to your destination. This
>> is ensured by the linking of navigation (also for the transmission of position
>> data) and various radio modules."
>>
>> Due to the use of a password hash instead of a password for authentication,
>> the device is vulnerable to unauthorized access to administrative
>> functionality.
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Vulnerability Details:
>>
>> The device provides an administrative web interface that requests the
>> administrative system password before it can be used. Instead of submitting
>> the user-supplied password, its MD5 hash is calculated on the client side
>> and submitted.
>> An attacker who knows the hash of the correct password but not the password
>> itself can simply replace the value of the password URL parameter with the
>> correct hash and subsequently gain full access to the administrative web
>> interface.
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Proof of Concept (PoC):
>>
>> 1. Access the device's web interface and log in with an arbitrary password.
>> 2. Use a local proxy or browser plug-in to intercept the HTTP requests.
>> One of them looks like this:
>> http://192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=validatepassword&password=2ab96390c7dbe3439de74d0c9b0b1767
>> 3. Replace the value of the password parameter with the hash of the correct
>> device password.
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Solution:
>>
>> The manufacturer recommends not running the device in an untrusted network.
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Disclosure Timeline:
>>
>> 2024-02-29: Vulnerability discovered
>> 2024-04-16: Vulnerability reported to manufacturer
>> 2024-05-10: Manufacturer states that the vulnerability will not be fixed
>> 2024-05-14: Vulnerability reported to CERT-Bund
>> 2024-08-13: CERT-Bund informs us that the vendor declared the product EOL
>> 2024-08-20: Public disclosure of vulnerability
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> References:
>>
>> [1] Product website for DiCal-RED
>> https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/
>> [2] SySS Security Advisory SYSS-2024-038
>> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-038.txt
>> [3] SySS Responsible Disclosure Policy
>> https://www.syss.de/en/responsible-disclosure-policy
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Credits:
>>
>> This security vulnerability was found by Sebastian Hamann of SySS GmbH.
>>
>> E-Mail: sebastian.hamann@...s.de
>> Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc
>> Key ID: 0x9CE0E440429D8B96
>> Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Disclaimer:
>>
>> The information provided in this security advisory is provided "as is"
>> and without warranty of any kind. Details of this security advisory may
>> be updated in order to provide as accurate information as possible. The
>> latest version of this security advisory is available on the SySS website.
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Copyright:
>>
>> Creative Commons - Attribution (by) - Version 3.0
>> URL: http://creativecommons.org/licenses/by/3.0/deed.en
>>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
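An added example, not code from the advisory, the list discussion or the DiCal-RED product: it contrasts the pattern the advisory describes (the client submits MD5(password) and the device compares it to the stored MD5, so the stored value is itself a login credential) with a salted, iterated server-side verifier for which possession of the stored record is not enough to pass the check. The function names, the sample password and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

# Added example, not code from the advisory or the product firmware.
# PASSWORD is a constructed sample value; the handler names are hypothetical.
PASSWORD = "correct-horse-battery"
SALT_LEN = 16
PBKDF2_ROUNDS = 100_000  # kept low for a quick demo; raise in production


def client_md5(password: str) -> str:
    """Hash computed on the client, as the advisory's web interface does."""
    return hashlib.md5(password.encode()).hexdigest()


def validatepassword_weak(submitted: str, stored_md5: str) -> bool:
    """Hypothetical device-side check for the scheme in the advisory: the
    client must send exactly the stored value, so the stored MD5 is a
    password equivalent (CWE-836)."""
    return hmac.compare_digest(submitted, stored_md5)


def make_verifier(password: str) -> bytes:
    """Salted, iterated verifier to store instead of MD5(password)."""
    salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + dk


def validatepassword_strong(submitted_password: str, verifier: bytes) -> bool:
    """Server receives the password itself (over TLS) and recomputes the
    verifier; knowing the stored verifier does not satisfy this check."""
    salt, dk = verifier[:SALT_LEN], verifier[SALT_LEN:]
    cand = hashlib.pbkdf2_hmac("sha256", submitted_password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, dk)


def compare_schemes(password: str = PASSWORD) -> dict:
    """For each scheme: does a genuine login succeed, and does replaying the
    stored credential record (without the password) succeed?"""
    stored_md5 = client_md5(password)
    verifier = make_verifier(password)
    return {
        "weak_genuine_login": validatepassword_weak(client_md5(password), stored_md5),
        "weak_stored_value_logs_in": validatepassword_weak(stored_md5, stored_md5),
        "strong_genuine_login": validatepassword_strong(password, verifier),
        "strong_stored_value_logs_in": validatepassword_strong(verifier.hex(), verifier),
    }
```

Run `compare_schemes()`: only the weak scheme accepts the stored record as a credential, which is the exposure the advisory describes.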