Deliberately hidden backdoor account in several AMX devices

Disclaimer:
Although the backdoor vulnerability is quite a serious matter, we have published an accompanying blog post to this technical advisory which sheds a more funny light on this topic. Visit our blog at www.sec-consult.com/blog/detail/deliberately-hidden-backdoor-account-in/ for more information.


SEC Consult Vulnerability Lab Security Advisory < 20160121-0 >
=======================================================================
title: Deliberately hidden backdoor account
product: Several AMX (HARMAN Professional) devices, see section "Vulnerable / tested versions"

vulnerable version: v1.2.322, v1.3.100 for AMX NX-1200, multiple other products
fixed version: untested hotfix and firmware updates available
CVE number: CVE-2015-8362
impact: critical
homepage: www.amx.com
found: 2015-03-10
by: Matthias Klinski, Manuel Hofer (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Berlin - Frankfurt/Main - Montreal - Moscow 
Singapore - Vienna (HQ) - Vilnius - Zurich

www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"AMX® (www.amx.com) is part of the HARMAN Professional Division, and the
leading brand for the business, education, and government markets for the
company. As such, AMX is dedicated to integrating AV solutions for an IT World.
AMX solves the complexity of managing technology with reliable, consistent and
scalable systems comprising control and automation, system-wide switching and
AV signal distribution, digital signage and technology management. AMX systems
are deployed worldwide in conference rooms, homes, classrooms, network
operation/command centers, hotels, entertainment venues and broadcast
facilities, among others."

Source: www.amx.com/automate/aboutamx.aspx


Business recommendation:
------------------------
Attackers are able to completely compromise the affected devices as they can gain
higher privileges than even administrative access to the system via the backdoor.

It is highly recommended by SEC Consult not to use these products until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) Deliberately hidden backdoor account
While analysing the application binary /bin/bw, SEC Consult discovered a
function called "setUpSubtleUserAccount" which adds an administrative 
account to the internal user database. This account can be used to log on to
the web interface as well as SSH.
Functions to retrieve a list of all users in the database were found to
deliberately hide this user. Further, using this backdoor account grants
additional features on the remote-cli, such as a facility to capture packets
on the network interface which not even an administrator account can perform.


Proof of concept:
-----------------
The binary /bin/bw which provides core functionality as well as user management 
for the AMX NX-1200 implements a function called "setUpSubtleUserAccount",
which is called on system boot. This function adds an administrative account
with hardcoded credentials to the user database:

STMFD   SP!, {R4-R7,LR}
LDR     R4, =aMu1cqhrnyu4 ; "QmxhY2tXaWRvdw"
SUB     SP, SP, #0x44
ADD     R12, R4, #0x38
ADD     LR, SP, #0x58+cSubtleUserPassword
MOV     R5, this
LDMIA   R12!, {this-R3} ; "<removed from PoC>"
STMIA   LR!, {R0-R3}
ADD     R3, R4, #0x54
LDMIA   R12, {R0,R1}
MOV     R4, #0
ADD     R12, SP, #0x58+cSubtleUserUserName+0x10
STR     R0, [LR],#4
STRB    R4, [R12],#1
STRH    R1, [LR],#2
ADD     R6, SP, #0x58+cSubtleUserUserName

By decoding the strings which are loaded from memory and passed as arguments to 
cSubtleUserPassword and cSubtleUserUserName, the following user and password
can be recovered:
user: BlackWidow
password: <removed from PoC>

Using these credentials a successful login has been performed to the web based
management interface, as well as the command line interface. Using this
backdoor account grants additional features on the command line interface, such 
as capturing packets on the network interface.

Parts of the application which display a list of users are designed to
deliberately hide the backdoor account.

The backdoor did not get removed by AMX in their first patch, but the backdoor 
username has only been changed to a DC superhero name.
The new username now was: 1MB@tMaN

The hotfix from 2016-01-15 is untested by SEC Consult and it is unknown
whether the backdoor has been removed properly now. Hence the password will
not be published.


Vulnerable / tested versions:
-----------------------------
The following software versions of the AMX NX-1200 have been tested / verified
to be vulnerable:
v1.2.322
v1.3.100

Apart from the NX-1200, we have found at least the following products to be
affected by this vulnerability as well:
* AMX DGX16-ENC (Digital Media Switchers)
* AMX DGX32-ENC-A (Digital Media Switchers)
* AMX DGX64-ENC (Digital Media Switchers)
* AMX DGX8-ENC (Digital Media Switchers)
* AMX DVX-2100HD (All-In-One Presentation Switchers)
* AMX DVX-2210HD (All-In-One Presentation Switchers)
* AMX DVX-2250HD (All-In-One Presentation Switchers)
* AMX DVX-2255HD (All-In-One Presentation Switchers)
* AMX DVX-3250HD (All-In-One Presentation Switchers)
* AMX DVX-3255HD (All-In-One Presentation Switchers)
* AMX DVX-3256HD (All-In-One Presentation Switchers)
* AMX ENOVADGX64-ENC (Digital Media Switchers)
* AMX MCP-106 (ControlPads)
* AMX MCP-108 (ControlPads)
* AMX NI-2000 (Central Controllers)
* AMX NI-2100 (Central Controllers)
* AMX NI-3000 (Central Controllers)
* AMX NI-3100 (Central Controllers)
* AMX NI-3101-SIG (Central Controllers)
* AMX NI-4000 (Central Controllers)
* AMX NI-4100 (Central Controllers)
* AMX NI-700 (Central Controllers)
* AMX NI-900 (Central Controllers)
* AMX NX-1200 (Central Controllers)
* AMX NX-2200 (Central Controllers)
* AMX NX-3200 (Central Controllers)
* AMX NX-4200 (Central Controllers)
* AMX NXC-ME260-64 (Central Controllers)
* AMX NXC-MPE (Central Controllers)
* AMX NetLinx NX Integrated Controller (Media)


Vendor contact timeline:
------------------------
2015-03-10: SEC Consult provides PoC to AMX through European sales.
2015-10-12: Vendor provides "fixed" version
2015-10-12: SEC Consult verifies the new version. Backdoor username has only 
            been changed to a leet-speak DC superhero name
2015-11-04: Contacting vendor amxservice@harman.com again, setting responsible
            disclosure deadline to 2015-12-24 
2015-11-16: No response. Contacting vendor with extended recipient list:
             - amxservice@harman.com
             - Kevin.Morrison@harman.com
             - Debbie.Franklin@harman.com
             - Mark.Stoldt@harman.com
             - Mike.Ramoz@harman.com
2015-11-24: No response. Again extending the recipient list with emails found 
            on the web (Paul.Zielie@harman.com), asking for encryption keys
            and security contact
2015-11-24: AMX responds, requests advisory to be sent unencrypted.
2015-11-24: Providing advisory and proof of concept through insecure channel
            as requested.
2015-12-02: Asking for status update.
2015-12-16: No response, offered postponing of advisory release to 2016-01-20
            due to Christmas holidays and asked for status update again.
2016-01-14: No response, informed vendor again about upcoming advisory release
2016-01-15: Vendor releases hotfix without notification of SEC Consult, hotfix
            is untested and unconfirmed, unsure whether all products are
            properly fixed.
2016-01-16: Informed local CERT teams.
2016-01-17: Informed US CERT/CC.
2016-01-20: AMX informs SEC Consult about released hotfix & firmware versions
2016-01-20: Informing AMX that the advisory will be released on 2016-01-21. 
            The update and hotfixes are untested, hence the advisory will be
            released without the password.
2016-01-21: Release of security advisory & blog post.    


Solution:
---------
Immediately apply the hotfix for the corresponding device.

Covered products and firmware versions:
* NX Series (X200) Master, NX Series DVX-325x/225x Master, Massio ControlPads 
  Master v.1.4.65

Information on this firmware update and a link for authorized users to download
the update are at:
www.amx.com/techcenter/NXSecurityBrief/


NI Series Controllers
* Hotfix For NI Series (NI-700 and NI-900) 64 MB Duet v.4 Master Firmware 
  v.4.1.419 available from AMX Technical Support
* Hotfix For NI Series (X100) Duet v.4 Master Firmware v. 4.1.419 available 
  from AMX Technical Support


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?

Send us your application www.sec-consult.com/career/

 

Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices www.sec-consult.com/contact/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult

EOF Manuel Hofer, Matthias Klinski  / @2016