Introduction
Prior to the release of our binary zero-day identification feature, where we identify potentially critical vulnerabilities such as command injections, stack-based buffer overflows, or format string injections in compiled binaries, we tested and validated it on our firmware corpus to make sure we were providing meaningful analysis results. In the process, we identified numerous vulnerabilities that we reported to vendors. Over the course of 2024, we hope to make most of these vulnerabilities public, such as the ones identified in Cisco WAP321. We continue in this blog post with another EOL device (hence the early release) from Delta Electronics.
After conclusion of the automated analysis, we performed a quick manual validation to confirm findings. We validated 3 "dangerous service launch", 16 command injections, and 189 buffer overflows. All of these paths are valid and unique but corresponds to a variation of the same vulnerability repeated over and over again.
For device manufacturers, having such capabilities will not only empower their PSIRT team to quickly assess bug reports but also enhance their ability to identify variations of reported bugs, thereby maximizing the impact of vulnerability fixes. Consequently, this will reduce the risk of cybercriminals, state-sponsored attackers, and opportunistic security researchers exploiting variations of reported and resolved issues, and thus void reputational and brand damage. After all, nothing is more embarrassing than locking down one door, just to leave the door next to it wide open.
A quick word about "dangerous service launch" before we dive into the different vulnerabilities. Our binary static analysis capabilities will spot and report locations in binaries where remote management services are launched. This includes telnet, SSH, FTP, or even bind and reverse shells. While not a vulnerability per se - a web management could have a feature to enable/disable SSH - this feature usually highlights "interesting" capabilities of affected binaries. In our case: the ability to enable/disable SSH, telnet, and web management via SNMP or the web management interface.
Now onto the vulnerabilities !
Remote Command Execution
Affected vendor & product | Delta Electronics DVW W02W2 industrial Ethernet router |
Vendor Advisory | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2024-00005_Delta%20Electronics%20DVW-W02W2-E2%20Advisory%20for%20CVE-2024-3871_EN.pdf |
Vulnerable version | ALL |
Fixed version | N/A |
CVE IDs | CVE-2024-3871 |
Impact (CVSS) | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Credit | Q. Kaiser, ONEKEY Research Lab Research supported by Certainity |
Summary
The Delta Electronics DVW devices expose a web administration interface to users. This interface implements multiple features that are affected by command injection and stack overflow vulnerabilities.
Impact
Successful exploitation of these flaws would allow remote unauthenticated attackers to gain remote code execution with elevated privileges on the affected devices.
Description
Stack Buffer Overflow through Login
The net-cgi
binary defines an array containing structures for each request handler. A request handler defines a path, content-type, cache-control, and up to three different functions that I defined as preprocessor, processor, and postprocessor. Pre-processor and post-processor are optional.
In the authentication handler (checkauth.cgi
) preprocessor, request parameters login
and password
are read and saved as temporary configuration data tmp_http_username
and tmp_http_passwd
:
These values are then used in the authentication handler processor, where they are copied without bound checking using strcpy
into arrays stored on the stack. This is what the platform picked up:
Of course, this is not the only example as different binaries are riddled with config_get
-> strcpy
operations. In net-cgi
alone, more than 170 valid buffer overflows were identified.
Remote Code Execution through TFTP Settings Management
The tftp_server
and tftp_dfirm_name
parameters can be used to inject arbitrary commands in the TFTP command constructed by the web management interface:
Remote Code Execution through Admin Password Setting
When the administrator chooses a new password, this password is used unsanitized in a system call, leading to a command injection.
Remote Code Execution through Network Scan Feature
The remote_ip
request parameter is used unsanitized in a system call, allowing authenticated users to inject commands at will:
Remote Code Execution through ACLs Management
The /usr/sbin/net-cgi
file is responsible for handling all web requests. Authenticated users can provide a MAC address to filter or authorize through ACLs:
void FUN_1002e600(undefined4 param_1,undefined4 param_2) { char *acl_idx; long acl_idx_long; char* select_del; int acl_id; FILE *__stream; char acStack_178 [32]; char wlacl_id [64]; char wlacl_id_value [268]; acl_idx = get_request_parameter("select_del",param_1,param_2); acl_idx_long = strtol(acl_idx, 0, 10); if (0 < acl_idx_long) { sprintf(wlacl_id,"wlacl%d", acl_idx_long); acl_idx = config_get(wlacl_id); // NOTE: copy user controlled 'select_del' parameter to wlacl_id_value strcpy(wlacl_id_value, acl_idx); select_del = get_request_parameter("select_del",param_1,param_2); acl_id = config_update("wlacl", select_del); if (acl_id != -1) { sprintf(acStack_178,"%d", acl_id); config_set("wl_acl_num",acStack_178); } endis_wps_stuff(); __stream = fopen("/tmp/Aclmacaddr", "w"); if (__stream != (FILE *)0x0) { // NOTE: write user controlled 'select_del' to /tmp/Aclmacaddr fputs(wlacl_id_value, __stream); fclose(__stream); } } return; }
The content of this file is then used to kick the MAC address from the wireless network, and this is the command injection that was identified by our platform:
Remote Code Execution through WPS PIN Management
Another but similar injection flow exists. If the user sets WPS authentication they can provide a hidden_PIN value through the web interface. This will be saved in /tmp/wps_client_pin
:
void FUN_1002e1bc(undefined4 param_1,undefined4 param_2) { char* hidden_pin; config_set("WPS_type","PIN Number"); write_val_to_file("start","/tmp/wps_process_state"); hidden_pin = get_request_parameter("hidden_PIN", param_1, param_2); if (hidden_pin != 0) { write_val_to_file(hidden_pin,"/tmp/wps_client_pin"); } return; }
Then, this value is used unsanitized in a system call, as reported by the platform:
Some checks are performed on the client side, but this is not sufficient since an attacker can simply submit the request directly to the server.
Recommendation
This product being EOL, Delta Electronics will not patch the vulnerability. If replacement of the EOL device is not possible, ensure access to the administration interface is restricted to administration network zones only, to reduce likelihood of exploitation.
Key Takeaways
A year ago, CISA released an ICS advisory about this exact device due to the publication of CVE-2022-42139, an authenticated command injection identified by Cyber Danube. Since then, it's quite clear that the device did not receive any attention in the form of extended security testing or source code review. They simply patched that specific vulnerability and released an update.
ICS devices such as industrial ethernet routers are usually installed for long term deployments that, sadly, usually exceed the manufacturer device support lifespan (an issue that will be addressed by the upcoming EU Cyber Resilience Act). With our recently introduced binary static analysis feature, we not only demonstrate how manufacturers can maximize return of PSIRT efforts and run effective vulnerability discovery and management programs, but it also provides ICS device operators the tools required to perform meaningful supply-chain risk assessment.
Timeline
- 2024-01-24 –Report submitted to Delta Electronics PSIRT through email and webform.
- 2024-04-03 –Reminder email sent to Delta Electronics.
- 2024-04-11 –Delta Electronics indicates they did not receive our previous emails for unknown reasons. Ask for the report.
- 2024-04-11 –Report submitted to Delta Electronics.
- 2024-04-15 –Delta Electronics indicates that "since DVW-W02W2 is no longer in production and maintenance, Delta decided not to patch these vulnerabilities."
- 2024-04-24 –Release ONEKEY advisory in coordination with Delta Electronics.
About Onekey
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
CONTACT:
Sara Fortmann
Marketing Manager
sara.fortmann@onekey.com
euromarcom public relations GmbH
+49 611 973 150
team@euromarcom.de
RELATED RESEARCH ARTICLES
The X in XFTP Stands For eXecute
Find out how our platform enhances firmware security by identifying vulnerabilities & bugs in ICT products, ensuring compliance with DORA & NIS2 directive.
Ready to automate your Product Cybersecurity & Compliance?
Make cybersecurity and compliance efficient and effective with ONEKEY.