Deliberately hidden backdoor account in several AMX devices

Disclaimer:
Although the backdoor vulnerability is a serious matter, we have published an accompanying blog post to this technical advisory which sheds a more humorous light on the topic. Visit our blog at blog.sec-consult.com/2016/01/deliberately-hidden-backdoor-account-in.html for more information.


SEC Consult Vulnerability Lab Security Advisory < 20160121-0 >
=======================================================================
title: Deliberately hidden backdoor account
product: Several AMX (HARMAN Professional) devices, see section "Vulnerable / tested versions"

vulnerable version: v1.2.322, v1.3.100 for AMX NX-1200, multiple other products
fixed version: untested hotfix and firmware updates available
CVE number: CVE-2015-8362
impact: critical
homepage: www.amx.com
found: 2015-03-10
by: Matthias Klinski, Manuel Hofer (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Berlin - Frankfurt/Main - Montreal - Moscow 
Singapore - Vienna (HQ) - Vilnius - Zurich

www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"AMX® (www.amx.com) is part of the HARMAN Professional Division, and the
leading brand for the business, education, and government markets for the
company. As such, AMX is dedicated to integrating AV solutions for an IT World.
AMX solves the complexity of managing technology with reliable, consistent and
scalable systems comprising control and automation, system-wide switching and
AV signal distribution, digital signage and technology management. AMX systems
are deployed worldwide in conference rooms, homes, classrooms, network
operation/command centers, hotels, entertainment venues and broadcast
facilities, among others."

Source: www.amx.com/automate/aboutamx.aspx


Business recommendation:
------------------------
Attackers are able to completely compromise the affected devices as they can gain
higher privileges than even administrative access to the system via the backdoor.

It is highly recommended by SEC Consult not to use these products until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) Deliberately hidden backdoor account
While analysing the application binary /bin/bw, SEC Consult discovered a
function called "setUpSubtleUserAccount" which adds an administrative
account to the internal user database. This account can be used to log on to
the web interface as well as via SSH.
The functions that retrieve a list of all users in the database were found to
deliberately hide this user. Further, using this backdoor account grants
additional features on the remote CLI, such as a facility to capture packets
on the network interface, which not even an administrator account can use.


Proof of concept:
-----------------
The binary /bin/bw which provides core functionality as well as user management 
for the AMX NX-1200 implements a function called "setUpSubtleUserAccount",
which is called on system boot. This function adds an administrative account
with hardcoded credentials to the user database:

STMFD   SP!, {R4-R7,LR}
LDR     R4, =aMu1cqhrnyu4 ; "QmxhY2tXaWRvdw"
SUB     SP, SP, #0x44
ADD     R12, R4, #0x38
ADD     LR, SP, #0x58+cSubtleUserPassword
MOV     R5, this
LDMIA   R12!, {this-R3} ; "<removed from PoC>"
STMIA   LR!, {R0-R3}
ADD     R3, R4, #0x54
LDMIA   R12, {R0,R1}
MOV     R4, #0
ADD     R12, SP, #0x58+cSubtleUserUserName+0x10
STR     R0, [LR],#4
STRB    R4, [R12],#1
STRH    R1, [LR],#2
ADD     R6, SP, #0x58+cSubtleUserUserName

By decoding the strings which are loaded from memory and passed as arguments to 
cSubtleUserPassword and cSubtleUserUserName, the following user and password
can be recovered:
user: BlackWidow
password: <removed from PoC>
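The username above is recovered from an unpadded base64 fragment in the string table. The following is an added example (not code from the advisory or from AMX) of how an auditor can scan a firmware blob for such encoded constants; it assumes a constructed sample blob, handles the missing "=" padding seen here, and filters out binary false positives.

```python
import base64
import binascii
import re
import string

# Constructed sample bytes standing in for a firmware string table. They are
# NOT taken from /bin/bw; only the encoded username fragment is modelled on
# the one in the advisory's disassembly ("QmxhY2tXaWRvdw" -> "BlackWidow").
SAMPLE_BLOB = (
    b"\x00\x10\x20setUpSubtleUserAccount\x00"
    b"QmxhY2tXaWRvdw\x00"                 # unpadded base64 of "BlackWidow"
    b"\xff\xfe\x01AAAAAAAAAAAAAAAA\x00"   # decodes to NUL bytes: noise
    b"/usr/share/zoneinfo\x00"            # plain path, not base64
)

PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def decode_base64_lenient(token: bytes):
    """Decode base64 even when the '=' padding was stripped, as in the
    string shown in the advisory; return None if it is not valid base64."""
    padded = token + b"=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_text(data: bytes) -> bool:
    """Keep only decodings that are non-empty, fully printable and not a
    single repeated byte, which drops NUL runs and binary false positives."""
    if not data or any(b not in PRINTABLE for b in data):
        return False
    return len(set(data)) > 1


def find_encoded_strings(blob: bytes):
    """Return (encoded, decoded) pairs for every base64 run in blob that
    decodes to readable text; the analyst then reviews those by hand."""
    hits = []
    for match in B64_RUN.finditer(blob):
        token = match.group(0)
        decoded = decode_base64_lenient(token)
        if decoded is not None and looks_like_text(decoded):
            hits.append((token.decode("ascii"), decoded.decode("ascii")))
    return hits


if __name__ == "__main__":
    for encoded, decoded in find_encoded_strings(SAMPLE_BLOB):
        print(f"{encoded} -> {decoded}")
```

On a real firmware image the same scan produces many candidates; the hidden-account case is the one where a decoded string is used by account-setup code but never appears in the user-listing output.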

Using these credentials a successful login has been performed to the web based
management interface, as well as the command line interface. Using this
backdoor account grants additional features on the command line interface, such 
as capturing packets on the network interface.

Parts of the application which display a list of users are designed to
deliberately hide the backdoor account.

AMX did not remove the backdoor in their first patch; the backdoor username
was merely changed to a DC superhero name.
The new username was: 1MB@tMaN

The hotfix from 2016-01-15 is untested by SEC Consult and it is unknown
whether the backdoor has been removed properly now. Hence the password will
not be published.


Vulnerable / tested versions:
-----------------------------
The following software versions of the AMX NX-1200 have been tested / verified
to be vulnerable:
v1.2.322
v1.3.100

Apart from the NX-1200, we have found at least the following products to be
affected by this vulnerability as well:
* AMX DGX16-ENC (Digital Media Switchers)
* AMX DGX32-ENC-A (Digital Media Switchers)
* AMX DGX64-ENC (Digital Media Switchers)
* AMX DGX8-ENC (Digital Media Switchers)
* AMX DVX-2100HD (All-In-One Presentation Switchers)
* AMX DVX-2210HD (All-In-One Presentation Switchers)
* AMX DVX-2250HD (All-In-One Presentation Switchers)
* AMX DVX-2255HD (All-In-One Presentation Switchers)
* AMX DVX-3250HD (All-In-One Presentation Switchers)
* AMX DVX-3255HD (All-In-One Presentation Switchers)
* AMX DVX-3256HD (All-In-One Presentation Switchers)
* AMX ENOVADGX64-ENC (Digital Media Switchers)
* AMX MCP-106 (ControlPads)
* AMX MCP-108 (ControlPads)
* AMX NI-2000 (Central Controllers)
* AMX NI-2100 (Central Controllers)
* AMX NI-3000 (Central Controllers)
* AMX NI-3100 (Central Controllers)
* AMX NI-3101-SIG (Central Controllers)
* AMX NI-4000 (Central Controllers)
* AMX NI-4100 (Central Controllers)
* AMX NI-700 (Central Controllers)
* AMX NI-900 (Central Controllers)
* AMX NX-1200 (Central Controllers)
* AMX NX-2200 (Central Controllers)
* AMX NX-3200 (Central Controllers)
* AMX NX-4200 (Central Controllers)
* AMX NXC-ME260-64 (Central Controllers)
* AMX NXC-MPE (Central Controllers)
* AMX NetLinx NX Integrated Controller (Media)


Vendor contact timeline:
------------------------
2015-03-10: SEC Consult provides PoC to AMX through European sales.
2015-10-12: Vendor provides "fixed" version
2015-10-12: SEC Consult verifies the new version. Backdoor username has only 
            been changed to a leet-speak DC superhero name
2015-11-04: Contacting vendor amxservice@harman.com again, setting responsible
            disclosure deadline to 2015-12-24 
2015-11-16: No response. Contacting vendor with extended recipient list:
             - amxservice@harman.com
             - Kevin.Morrison@harman.com
             - Debbie.Franklin@harman.com
             - Mark.Stoldt@harman.com
             - Mike.Ramoz@harman.com
2015-11-24: No response. Again extending the recipient list with emails found 
            on the web (Paul.Zielie@harman.com), asking for encryption keys
            and security contact
2015-11-24: AMX responds, requests advisory to be sent unencrypted.
2015-11-24: Providing advisory and proof of concept through insecure channel
            as requested.
2015-12-02: Asking for status update.
2015-12-16: No response, offered postponing of advisory release to 2016-01-20
            due to Christmas holidays and asked for status update again.
2016-01-14: No response, informed vendor again about upcoming advisory release
2016-01-15: Vendor releases hotfix without notification of SEC Consult, hotfix
            is untested and unconfirmed, unsure whether all products are
            properly fixed.
2016-01-16: Informed local CERT teams.
2016-01-17: Informed US CERT/CC.
2016-01-20: AMX informs SEC Consult about released hotfix & firmware versions
2016-01-20: Informing AMX that the advisory will be released on 2016-01-21. 
            The update and hotfixes are untested, hence the advisory will be
            released without the password.
2016-01-21: Release of security advisory & blog post.    


Solution:
---------
Immediately apply the hotfix for the corresponding device.

Covered products and firmware versions:
* NX Series (X200) Master, NX Series DVX-325x/225x Master, Massio ControlPads 
  Master v.1.4.65

Information on this firmware update and a link for authorized users to download
the update are at:
www.amx.com/techcenter/NXSecurityBrief/


NI Series Controllers
* Hotfix For NI Series (NI-700 and NI-900) 64 MB Duet v.4 Master Firmware 
  v.4.1.419 available from AMX Technical Support
* Hotfix For NI Series (X100) Duet v.4 Master Firmware v. 4.1.419 available 
  from AMX Technical Support


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult

EOF Manuel Hofer, Matthias Klinski  / @2016