This write-up is about the discovery of two vulnerabilities (CVE-2019-11326, CVE-2019-11327) in the Net-G5 GNSS Receiver from Topcon Positioning.
Those who are interested in the vulnerabilities themselves can skip this section. Everyone else is invited to keep reading.
Every now and then friends of mine ask me to take a look at products they use during their private or business life. So this time… In order not to damage the device with any malicious and extensive automated scans, I took a manual approach to this black-box assessment.
Quickly I discovered two critical vulnerabilities which allowed an external attacker to take full control of the device.
There may be more vulnerabilities; these two may be just the tip of the iceberg.
The next step was contacting the vendor. My goal was of course a coordinated disclosure. The vendor and I could have worked hand in hand to solve the issue and then agree on a disclosure date. I tried contacting the vendor several times on some of its active Twitter accounts and several public e-mail addresses. I was not able to get a security contact at all…
For example, the following messages were sent on Twitter.
Since this approach was not successful, I had to go one step further. I contacted a Swiss retailer for Topcon Positioning products. They forwarded me to a German representative. Finally I had a call with this guy, and we agreed on transferring the details about the vulnerabilities in a password-protected ZIP file by e-mail. He convinced me that none of these devices is present on the internet. All of them are protected behind a strong VPN. Nevertheless, an attacker with adjacent network access can take advantage of these issues. So I sent him the password-protected file with all the details necessary to address the vulnerabilities. From this moment the radio was silent again…
Fortunately we agreed on a disclosure date.
Since I have not received any feedback, I assume that the vulnerabilities have been addressed.
I will disclose the vulnerability details to the public on 21st, June 2019.
Please let me know if you need more time to address the vulnerabilities.
Translation of the e-mail from the 14th, June 2019 to the German representative
If you’re a vendor and a security researcher reaches out to you with serious concerns, I recommend taking this contact seriously as well. Usually the researcher spends his time off working on stuff like this. Furthermore, you would pay huge amounts of money for a researcher doing this kind of assessment during business hours. But who am I to judge?
Enough of these fancy words, so let’s dig into the action 😈.
CVE-2019-11326 Privilege Escalation NET-G5 GNSS Receiver.
We’ll start off with something I would classify as a privilege escalation. The device’s web interface is of course well protected with a login mask like the following.
The attentive observer may have realized that there is a so-called Guest Login. Believe it or not, this feature is present in reality.
So when you press Guest Login, the form is filled automatically with some high security credentials and the login action is performed. Now you’re presented with the web interface, which allows you to observe the actual state of the device as well as some metadata.
To be honest I have no idea what all of this stuff means, anyway that’s not what we’re here for. So let’s move on.
Wait… What if the file called adminpasswd is reachable from the web server? 🤭
Guess what? Yes, of course it is… and it holds the currently set admin password.
CVSS 3 Score.
8.8 (High) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Password Administrator: http(s)://xxx.xxx.xxx.xxx/receiver/settings/users/roles/adminpasswd
Password User: http(s)://xxx.xxx.xxx.xxx/receiver/settings/users/roles/userpasswd
So that’s all of the magic 🙄. Since I had administrative privileges from now on, I was able to get a closer look at the other features of the device’s web interface. Some firmware update functionality and other funny stuff.
CVE-2019-11327 Path Traversal NET-G5 GNSS Receiver.
As mentioned before, additional functionality is available once you successfully log in as the administrator. For example, the following File Explorer.
It’s in human nature to trust each other. So did the developers of the File Explorer feature. They fully trusted the user-supplied input. That of course leads to the next vulnerability, a path traversal.
This vulnerability allows an external attacker to browse the file system with the rights of the root user. Furthermore, all files present on the device and attached external media can be downloaded.
CVSS 3 Score.
4.9 (Medium) CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Unfortunately this is another example of how a vendor should not handle a case related to information security issues. My friend has not yet received a firmware update which addresses the vulnerabilities. Anyway, since all devices are protected by VPN, the vendor seems to accept the risks.
I’m happy to pop one item from my stack of undisclosed vulnerabilities. 🎉
I highly recommend an in-depth security analysis of the device. Furthermore, all identified vulnerabilities should be addressed in a reasonable time-frame. All owners of the devices should be informed that they should treat their admin and user passwords as no longer secret, so they must be changed asap.
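For owners still waiting on a firmware update, one way to check whether either issue has been exercised is to scan web access logs for requests to the two role-password URLs and for ".." path segments. The following is an added example, not code from the original write-up or from the vendor; it assumes requests are logged in Common Log Format by a reverse proxy or gateway in front of the receiver, and the "/files" endpoint in the constructed sample lines is hypothetical.

```python
import re
from urllib.parse import unquote

# Paths named in the write-up (CVE-2019-11326).
ROLE_SECRET_RE = re.compile(
    r"/receiver/settings/users/roles/(adminpasswd|userpasswd)\b", re.I)
# Common Log Format; the log source and format are assumptions of this example.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_fully(target, rounds=3):
    """Percent-decode repeatedly so double-encoded separators are normalised."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")

def classify(line):
    """Return (source, finding, status) for a suspicious line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = decode_fully(m["target"])
    if ROLE_SECRET_RE.search(target):
        return (m["src"], "role-password-read", m["status"])
    # Flag a ".." segment in the path or in any query value (CVE-2019-11327).
    if ".." in re.split(r"[/?&=]", target):
        return (m["src"], "path-traversal", m["status"])
    return None

def scan(lines):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines; "/files" is a hypothetical endpoint name.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jun/2019:10:00:01 +0200] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.44 - - [14/Jun/2019:10:00:07 +0200] "GET /receiver/settings/users/roles/adminpasswd HTTP/1.1" 200 12',
    '192.0.2.44 - - [14/Jun/2019:10:01:30 +0200] "GET /files?dir=%2e%2e%2f%2e%2e%2fetc HTTP/1.1" 200 2048',
    '192.0.2.10 - - [14/Jun/2019:10:02:00 +0200] "GET /receiver/status..json HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for src, finding, status in scan(SAMPLE_LOG):
        print(src, finding, status)
```

A 200 status on a role-password hit means the file content was served, so the corresponding password should be treated as disclosed.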