CVE-2022-38625: Patlite-NH-FB.md
Patlite NH-FB v1.46 and below was discovered to contain insufficient firmware validation during the upgrade firmware file upload process. This vulnerability allows authenticated attackers to create and upload their own custom-built firmware and inject malicious code.
**Patlite NH-FB series vulnerability.**

**Product Description:**
The NH-FB series devices from Patlite provide network monitoring and real-time notification of predesignated events and device failures via visual signals and email alerts.
**Affected Products:**
All Patlite NH-FB series (NHL-xFB1 / NHP-xFB2 / NHL-xFB2) devices running firmware version 1.46 and under.
**Vulnerability Summary:**
Vulnerability 1 [CVE-2022-35911] - Unauthenticated Remote Denial of Service.
The control binary (/etc/lighttpd/api/control) allocates a buffer for each read operation performed for a request. This could allow an unauthenticated, remote attacker to cause a denial of service (memory consumption) by omitting the expected GET parameter. The vulnerability is due to an insufficient logic condition: the binary does not check whether any GET parameters are present during the API call. An attacker could exploit this vulnerability by sending a high rate of TCP packets to the control API endpoint on a targeted device.
Vulnerability 2 [CVE-2022-38625] - Insufficient firmware validation.
Patlite NH-FB series (NHL-xFB1 / NHP-xFB2 / NHL-xFB2) devices are affected by insufficient firmware validation during the upgrade firmware file upload process. An authenticated, remote attacker can build a custom firmware image and inject malicious code into it. A successful exploit could give the attacker full control of the device. This issue affects all Patlite NH-FB series (NHL-xFB1 / NHP-xFB2 / NHL-xFB2) devices running version 1.46 and under.
**Reproduction Steps:**
1. Unauthenticated Remote Denial of Service
A simple request to the endpoint /api/control/AAAAAAAAAAAAAAAAAA confuses the program, which expects to receive the GET parameter alert (/api/control?alert=1). Because this case is not handled by the program, it causes a denial of service and, after some time spent loading, displays the contents of the control binary.
Payload:
```bash
for i in {0..1000}; do echo "[$i]: "; echo -ne "GET /api/control/AAAAAAAAAAAAAAAAAA HTTP/1.1\r\nHost: 172.31.42.235\r\n\r\n" | nc 172.31.42.235 80; done > /dev/null 2>&1
```
This loop will consume all the memory of the device and make it temporarily unusable.
Video PoC Patlite memory consumption (dos) - CVE-2022-35911
2. Insufficient firmware validation
This vulnerability makes it possible to craft a custom firmware image, as there is no firmware validation during the device upgrade process. In the following proof of concept we add a reverse shell payload to the /pns-b/install-web script file; it is triggered when the malicious firmware is uploaded to the target device.
Step 1 - Download the Patlite firmware from the official website and extract its contents.
Step 2 - Modify the content of the script /pns-b/install-web to add our reverse shell payload.
Step 3 - Repack the firmware.
Step 4 - Upload the backdoored firmware to the device, create a listener and wait for the Patlite device to connect back to us.
As you can see, the reverse shell was executed during the update process. We now have full control of the device with root privileges.
Video PoC Patlite ver1.43 - Insufficient firmware validation
**Recommended Fixes / Remediation:**
Vulnerability 1: Just before the function getShareMemoryAddr is called, a condition must check whether the current request really contains 2 GET parameters.
More info: https://cwe.mitre.org/data/definitions/703.html
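Two sides of the same fix, as an added example that is not part of the advisory or of Patlite's code: the predicate `suspiciousControlRequest` is the request check the remediation above describes (a request that carries a path segment instead of parameters, or no `alert` parameter at all, is rejected before any buffer is allocated), and `detect` applies the same predicate to web-server access logs so that operators of unpatched devices can spot the request pattern from the reproduction section. The log format, the `alert` parameter being the expected one, the per-minute threshold and the client addresses are assumptions; the log lines are constructed, not captured from a device.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Access-log line shape assumed here (constructed, modelled on the common
// "%h %V %u %t \"%r\" %>s %b" format; not a capture from a real device):
//   <client ip> <vhost> <user> [<timestamp>] "<method> <uri> <proto>" <status> <bytes>
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})`)

const tsLayout = "02/Jan/2006:15:04:05 -0700"

// suspiciousControlRequest reports whether a request URI targets the control
// endpoint without the query string the binary expects. A trailing path
// segment (/api/control/<junk>) and a missing "alert" parameter both qualify.
// Applied before getShareMemoryAddr, this is the server-side check: reject
// instead of allocating.
func suspiciousControlRequest(uri string) bool {
	path, query, _ := strings.Cut(uri, "?")
	if path != "/api/control" && !strings.HasPrefix(path, "/api/control/") {
		return false // some other endpoint; out of scope here
	}
	if path != "/api/control" {
		return true // path segment where parameters were expected
	}
	return !strings.Contains(query, "alert=") // expected parameter absent
}

// detect counts suspicious control requests per (client, minute) bucket and
// returns the buckets whose count reaches threshold, keyed "<ip> <minute>".
func detect(lines []string, threshold int) map[string]int {
	counts := map[string]int{}
	for _, l := range lines {
		m := lineRe.FindStringSubmatch(l)
		if m == nil {
			continue // not an access-log line; skip rather than guess
		}
		ts, err := time.Parse(tsLayout, m[2])
		if err != nil {
			continue
		}
		if !suspiciousControlRequest(m[4]) {
			continue
		}
		key := m[1] + " " + ts.UTC().Truncate(time.Minute).Format(time.RFC3339)
		counts[key]++
	}
	flagged := map[string]int{}
	for k, n := range counts {
		if n >= threshold {
			flagged[k] = n
		}
	}
	return flagged
}

// sampleLog builds constructed log lines: one client (172.31.42.250, assumed)
// hammering the endpoint with a junk path segment, and one client
// (172.31.42.10, assumed) using the API as designed plus one unrelated page.
func sampleLog() []string {
	var lines []string
	for i := 0; i < 30; i++ {
		lines = append(lines, fmt.Sprintf(
			`172.31.42.250 172.31.42.235 - [25/Jul/2022:10:00:%02d +0000] "GET /api/control/AAAAAAAAAAAAAAAAAA HTTP/1.1" 200 512`, i))
	}
	for i := 0; i < 3; i++ {
		lines = append(lines, fmt.Sprintf(
			`172.31.42.10 172.31.42.235 - [25/Jul/2022:10:00:%02d +0000] "GET /api/control?alert=1 HTTP/1.1" 200 128`, 10*i))
	}
	lines = append(lines, `172.31.42.10 172.31.42.235 - [25/Jul/2022:10:00:40 +0000] "GET /index.html HTTP/1.1" 200 2048`)
	return lines
}

func main() {
	for k, n := range detect(sampleLog(), 20) {
		fmt.Printf("ALERT possible CVE-2022-35911 probing: %s -> %d requests\n", k, n)
	}
}
```

The threshold of 20 per minute is a starting point; a single malformed request is also worth logging, since legitimate clients have no reason to call the endpoint without its parameter. On the device itself, the rejection should return an error response before any per-request allocation takes place, which is what turns the unbounded memory growth into a cheap early exit.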
Vulnerability 2: To accept an update, the Patlite device needs to verify the code signature of every software component included in the firmware update. This integrity protection ensures that no unauthorized entity can modify the firmware image.
More info: https://cwe.mitre.org/data/definitions/347.html
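What the recommended signature check looks like in code, as an added example that is not the advisory's or Patlite's own code: the device holds only an Ed25519 public key, and `verifyImage` refuses an image whose signature does not cover the whole payload, so the modified install script from the proof of concept above is rejected before anything is unpacked or executed. The container layout (magic, length, payload, signature), the key pair and the stand-in payload are assumptions constructed for the example; Patlite's real firmware format is not known from the page.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout assumed for this example (not Patlite's real format):
//   magic "NHFB" (4) | payload length, uint32 big-endian (4) | payload | Ed25519 signature (64)
// The signature covers magic, length and payload, so a modified install
// script, a swapped payload or a tampered length field all invalidate it.
var magic = []byte("NHFB")

var ErrBadImage = errors.New("firmware image rejected")

const hdrLen = 8

// packSigned builds a signed image. Only the vendor's build system would hold
// priv; the device carries just the matching public key.
func packSigned(priv ed25519.PrivateKey, payload []byte) []byte {
	var buf bytes.Buffer
	buf.Write(magic)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// verifyImage parses the container and returns the payload only if the
// signature verifies under pub. Every structural check happens before the
// payload is handed back, so an unsigned or altered image is never unpacked.
func verifyImage(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) < hdrLen+ed25519.SignatureSize {
		return nil, fmt.Errorf("%w: too short", ErrBadImage)
	}
	if !bytes.Equal(image[:4], magic) {
		return nil, fmt.Errorf("%w: bad magic", ErrBadImage)
	}
	n := int(binary.BigEndian.Uint32(image[4:8]))
	if n != len(image)-hdrLen-ed25519.SignatureSize {
		return nil, fmt.Errorf("%w: length field does not match image size", ErrBadImage)
	}
	signed, sig := image[:hdrLen+n], image[hdrLen+n:]
	if !ed25519.Verify(pub, signed, sig) {
		return nil, fmt.Errorf("%w: signature invalid", ErrBadImage)
	}
	return image[hdrLen : hdrLen+n], nil
}

// demo exercises the check with a fresh key pair and a constructed payload.
// It reports whether the genuine image is accepted and whether a one-byte
// modification of the install script and a truncated image are both rejected.
func demo() (genuineOK, tamperedRejected, truncatedRejected bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false
	}
	// Constructed stand-in for the pns-b/install-web script, not the real file.
	payload := []byte("#!/bin/sh\n# constructed stand-in for pns-b/install-web\nexit 0\n")
	img := packSigned(priv, payload)

	got, err := verifyImage(pub, img)
	genuineOK = err == nil && bytes.Equal(got, payload)

	tampered := append([]byte(nil), img...)
	tampered[hdrLen+len(payload)-2] ^= 0xff // flip a byte inside the script
	_, err = verifyImage(pub, tampered)
	tamperedRejected = errors.Is(err, ErrBadImage)

	_, err = verifyImage(pub, img[:hdrLen+len(payload)]) // signature cut off
	truncatedRejected = errors.Is(err, ErrBadImage)
	return
}

func main() {
	g, tm, tr := demo()
	fmt.Printf("genuine accepted: %v, tampered rejected: %v, truncated rejected: %v\n", g, tm, tr)
}
```

Two points decide whether such a check actually protects the device. The public key must live somewhere the update path cannot rewrite (a read-only partition or a hardware-backed store), otherwise an image can simply ship its own key; and the verification must complete before any component of the image is executed, because the proof of concept above relies precisely on a script that runs during installation.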
**Vulnerable Devices Found:**
As of 25 Jul 2022, 5 Patlite NH-FB series devices exposed to the internet were affected by the vulnerabilities discovered.
**References:**
https://www.patlite.co.jp/product/detail0000021462.html
https://www.patlite.com/network-products/lineup/nh-fb.html
**Security researchers:**
- Thomas Knudsen
- Samy Younsi