Exploit for WAGO 852 Industrial Managed Switch Series Code Execution / Hardcoded Credentials CVE-2016-6301 CVE-2015-0235 CVE-2014-9984 CVE-2014-4043 CVE-2010-0296 CVE-2013-1813 CVE-2014-9402 CVE-2019-12550 CVE-2015-9261 CVE-2012-4412 CVE-2016-2147 CVE-2019-12549 CVE-2017-16544 CVE-2010-3856 CVE-2016-2148 CVE-2011-5325 CVE-2011-2716 CVE-2014-9761 CVE-2015-1472

## https://sploitus.com/exploit?id=PACKETSTORM:153278
SEC Consult Vulnerability Lab Security Advisory < 20190612-0 >  
=======================================================================  
title: Multiple vulnerabilities  
product: WAGO 852 Industrial Managed Switch Series  
vulnerable version: 852-303: <v1.2.2.S0  
852-1305: <v1.1.6.S0  
852-1505: <v1.1.5.S0  
fixed version: 852-303: v1.2.2.S0  
852-1305: v1.1.6.S0  
852-1505: v1.1.5.S0  
CVE number: CVE-2019-12550, CVE-2019-12549  
impact: high  
homepage: https://www.wago.com  
found: 2019-03-08  
by: T. Weber (Office Vienna)  
IoT Inspector  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Europe | Asia | North America  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"New ideas are the driving force behind our success WAGO is a family-owned  
company headquartered in Minden, Germany. Independently operating for three  
generations, WAGO is the global leader of spring pressure electrical  
interconnect and automation solutions. For more than 60 years, WAGO has  
developed and produced innovative products for packaging, transportation,  
process, industrial and building automation markets amongst others. Aside from  
its innovations in spring pressure connection technology, WAGO has introduced  
numerous innovations that have revolutionized industry. Further ground-breaking  
inventions include: the WAGO-I/O-SYSTEM®, TOPJOB S® and WALL-NUTS®."  
  
Source: http://www.wago.us/wago/  
  
  
  
Business recommendation:  
------------------------  
SEC Consult recommends to immediately apply the available patches  
from the vendor. A thorough security review should be performed by  
security professionals to identify further potential security issues.  
  
  
Vulnerability overview/description:  
-----------------------------------  
The industrial managed switch series 852 from WAGO is affected by multiple  
vulnerabilities such as old software components embedded in the firmware.  
Furthermore, hardcoded password hashes and credentials were also found by doing  
an automated scan with IoT Inspector. Two vulnerabilities (CVE-2017-16544 and  
CVE-2015-0235) were verified by emulating the device with the MEDUSA scaleable  
firmware runtime. The validity of the password hashes and the embedded keys were  
also verified by emulating the device.  
  
  
1) Known BusyBox Vulnerabilities  
The used BusyBox toolkit in version 1.12.0 is outdated and contains multiple  
known vulnerabilities. The outdated version was found by IoT Inspector.  
One of the discovered vulnerabilities (CVE-2017-16544) was verified by using  
the MEDUSA scaleable firmware runtime.  
  
2) Known GNU glibc Vulnerabilities  
The used GNU glibc in version 2.8 is outdated and contains multiple known  
vulnerabilities. The outdated version was found by IoT Inspector. One of  
the discovered vulnerabilities (CVE-2015-0235, "GHOST") was verified by  
using the MEDUSA scaleable firmware runtime.  
  
3) Hardcoded Credentials (CVE-2019-12550)  
The device contains hardcoded users and passwords which can be used to login  
via SSH and Telnet.  
  
4) Embedded Private Keys (CVE-2019-12549)  
The device contains hardcoded private keys for the SSH daemon. The fingerprint  
of the SSH host key from the corresponding SSH daemon matches to the embedded  
private key.  
  
  
Proof of concept:  
-----------------  
1) Known BusyBox Vulnerabilities  
BusyBox version 1.12.0 contains multiple CVEs like:  
CVE-2013-1813, CVE-2016-2148, CVE-2016-6301, CVE-2011-2716, CVE-2011-5325,  
CVE-2015-9261, CVE-2016-2147 and more.  
  
The BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on  
an emulated device. A file with the name "\ectest\n\e]55;test.txt\a" was created  
to trigger the vulnerability.  
  
-------------------------------------------------------------------------------  
# ls "pressing <TAB>"  
test  
]55;test.txt  
#  
-------------------------------------------------------------------------------  
  
  
2) Known GNU glibc Vulnerabilities  
GNU glibc version 2.8 contains multiple CVEs like:  
CVE-2010-0296, CVE-2010-3856, CVE-2012-4412, CVE-2014-4043, CVE-2014-9402,  
CVE-2014-9761, CVE-2014-9984, CVE-2015-1472 and more.  
  
The gethostbyname buffer overflow vulnerability (GHOST) was checked with the help  
of the exploit code from https://seclists.org/oss-sec/2015/q1/274. It was compiled  
and executed on the emulated device to test the system.  
  
  
3) Hardcoded Credentials (CVE-2019-12550)  
The following credentials were found in the 'passwd' file of the firmware:  
<Password Hash> <Plaintext> <User>  
<removed> <removed> root  
No password is set for the account [EMPTY PASSWORD] admin  
  
By using these credentials, it's possible to connect via Telnet and SSH on the  
emulated device. Example for Telnet:  
-------------------------------------------------------------------------------  
[root@localhost ~]# telnet 192.168.0.133  
Trying 192.168.0.133...  
Connected to 192.168.0.133.  
Escape character is '^]'.  
  
L2SWITCH login: root  
Password:  
~ #  
-------------------------------------------------------------------------------  
Example for SSH:  
-------------------------------------------------------------------------------  
[root@localhost ~]# ssh 192.168.0.133  
root@192.168.0.133's password:  
~ #  
-------------------------------------------------------------------------------  
  
  
4) Embedded Private Keys (CVE-2019-12549)  
The following host key fingerprint is shown by accessing the SSH daemon on  
the emulated device:  
  
[root@localhost ~]# ssh 192.168.0.133  
The authenticity of host '192.168.0.133 (192.168.0.133)' can't be established.  
RSA key fingerprint is SHA256:X5Vr0/x0/j62N/aqZmHz96ojwl8x/I8mfzuT8o6uZso.  
RSA key fingerprint is MD5:2e:65:85:fc:45:04:bd:68:30:74:51:45:7d:2f:95:e2.  
  
This matches the embedded private key (which has been removed from this advisory):  
SSH Fingerprint: 2e:65:85:fc:45:04:bd:68:30:74:51:45:7d:2f:95:e2  
  
  
Vulnerable / tested versions:  
-----------------------------  
According to the vendor, the following versions are affected:  
* 852-303: <v1.2.2.S0  
* 852-1305: <v1.1.6.S0  
* 852-1505: <v1.1.5.S0  
  
  
Vendor contact timeline:  
------------------------  
2019-03-12: Contacting VDE CERT through info@cert.vde.com, received confirmation  
2019-03-26: Asking for a status update, VDE CERT is still waiting for details  
2019-03-28: VDE CERT requests information from WAGO again  
2019-04-09: Asking for a status update  
2019-04-11: VDE CERT: patched firmware release planned for end of May, requested  
postponement of advisory release  
2019-04-16: VDE CERT: update regarding affected firmware versions  
2019-04-24: Confirming advisory release for beginning of June  
2019-05-20: Asking for a status update  
2019-05-22: VDE CERT: no news from WAGO yet, 5th June release date  
2019-05-29: Asking for a status update  
2019-05-29: VDE CERT: detailed answer from WAGO, patches will be published  
on 7th June, SEC Consult proposes new advisory release date for  
12th June  
2019-06-07: VDE CERT provides security advisory information from WAGO;  
WAGO releases security patches  
2019-06-12: Coordinated release of security advisory  
  
  
Solution:  
---------  
The vendor provides patches to their customers at their download page. The  
following versions fix the issues:  
* 852-303: v1.2.2.S0  
* 852-1305: v1.1.6.S0  
* 852-1505: v1.1.5.S0  
  
According to the vendor, busybox and glibc have been updated and the embedded  
private keys are being newly generated upon first boot and after a factory reset.  
The root login via Telnet and SSH has been disabled and the admin account is  
documented and can be changed by the customer.  
  
  
  
Workaround:  
-----------  
Restrict network access to the device & SSH server.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Europe | Asia | North America  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/career/index.html  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/contact/index.html  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF T. Weber / @2019