OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[STANKOINFORMZASCHITA-10-01] Netbiter® webSCADA multiple vulnerabilities

infoitdefence.ru
Date: Fri Oct 01 2010 - 05:19:15 CDT


[STANKOINFORMZASCHITA-10-01] Netbiter® webSCADA – multiple vulnerabilities

Authors: Eugene Salov (eugeneitdefence.ru), Andrej Komarov (komarovitdefence.ru)
Product: Netbiter® webSCADA
CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:R/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 8.0
Availability of exploit: Yes

Product description:
Netbiter® webSCADA (WS100/WS200) is one of polular products in industrial automation, allowing to organize remote access to field devices based on MODBUS TCP through Ethernet, GSM, GPRS channels. The Netbiter is equipped with both Ethernet and a built-in GSM/GPRS modem for communication to remote equipment. This means that it can both communicate over an Ethernet LAN and wireless using the built-in modem. In addition it also supports an external GPS receiver to keep track of its geographical position. Netbiter solution had embedded WEB-server and HMI, which provides management functions by operations on detection of alarms and emergencies with the subsequent notification by SMS, E-mail, SNMP protocol.
URL: Intellicom Innovation AB (http://www.intellicom.se)

Vulnerability description:
1. Local File Disclosure (WASC Web Application Threat Classification):
/cgi-bin/read.cgi?page=../../../../../../../../../../../etc/passwd%00

2. Users information disclosure:
/cgi-bin/read.cgi?file=/home/config/users.cfg

3. An opportunity of malware code uploading by injection of special crafted GIF-image on the logo page modifying:
/cgi-bin/read.cgi?page=config.html&file=/home/config/pages/2.conf&section=PAGE2
 
In the context of GIF-image can be hidden special malware code («Web-shell»), which will be used for SCADA server management and unauthorized OS commands execution.

Solution:
There is no available security update for now. It is highly recommended not to use default passwords for user authorization. Moreover, additionally you can use ACL lists for allowing access only from trusted hosts. Another additional mesaure of safety is using of Web Application Firewalls (WAF) and IPS/IDS systems in the area where SCADA system is located.

About STC «STANKOINFORMZACHITA»:
Science Technology Center (STC) «STANKOINFORMZACHITA» is the leading russian information security company in sphere of automation and industrial security, providing information security consulting services, information security audit, penetration tesing of SCADA and industrial control systems.

Contact: infoitdefence.ru
Russia, Moscow, Bolshaya Bochtovaya st., 26, Business Center
Tel.: +7 (495) 790-16-60
http://itdefence.ru