Eisbär SCADA (All Versions - iOS, Android & W8) - Persistent UI Vulnerability

[Vulnerability Lab <research () vulnerability-lab com>]

Document Title:
===============
Eisbär SCADA (All Versions - iOS, Android & W8) - Persistent UI Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1456


Release Date:
=============
2015-05-19


Vulnerability Laboratory ID (VL-ID):
====================================
1456


Common Vulnerability Scoring System:
====================================
5.2


Product & Service Introduction:
===============================
Polar Bear KNX is a modern EIB or KNX visualization for all types of buildings. Applications: lighting, shading, 
heating, air conditioning,
Ventilation and security integration and integrated control reduce capital and operating costs of buildings and 
systems, Flexibility in use and 
their adaptation, comfort, safety and optimization of running processes.

(Copy of the Vendor Homepage: https://itunes.apple.com/en/app/eisbaer/id777598405 & 
http://www.busbaer.de/newbb_plus,viewtopic,topic_id,971,forum,81.html )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side input validation vulnerability in the Eisbär 
SCADA v2.1.454.814 & v2.1.11 (iOS, Android & W8) application.


Vulnerability Disclosure Timeline:
==================================
2015-05-19: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Alexander Maier GmbH
Product: Eisbär SCADA - Mobile (Google Android, Windows Phone & Apple iOS) 2.1.11

Alexander Maier GmbH
Product: Eisbär SCADA - Software 2.1.454.814


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the officialEisbär SCADA v2.1.454.814 & 
v2.1.11 (iOS, Android & W8) application.
The security vulnerability allows an attacker to inject own script code to the application-side of the affected mobile 
software to compromise connected scada services.

We setup a secure environment that was able to execute scada controlled functions in our company by an android, ios and 
windows mobile device. Due to the implementation 
we discovered that the server configuration input impacts a common security risk.

The vulnerability is located in the `server name` value of the main network server settings module. Local attackers 
with physical device access are able to manipulate the 
`netzwerk server name` input to compromise the mobile application or connected eisbär scada services. The attacker 
includes a own script code payload to the servername 
and is able to execute the function in the server index listing and edit mode.

The attacker can prepare a qr code with a final configuration that impact a malicious injected server name. The 
execution of the payload occurs after the scan or on review of 
the server listing. The servername value is also in use by the Eisbär Solutions section with the DoorPhone-Knoten 
service. We verified that the main server name component can be 
used to unauthorized execute a function in the connected scada service. The servername can be changed by the app or in 
the node directly to manipulate the communication permanently.

The connection to the Polar Bear SCADA server is multi-client capable and configuration data required for the network 
settings of the app can be automatically 
transferred via QR code. In polar bears v2.1 there are also refer to a QR code component.

The security risk of the application-side web vulnerabilities are estimated as medium with a cvss (common vulnerability 
scoring system) count of 5.2. 
Exploitation of the persistent input validation web vulnerability requires a low privilege application user account and 
low user interaction (click). 
Successful exploitation of the persistent web vulnerability results in mobile application/device compromise or 
connected service component manipulation.

Request Method(s):
                                [+] [Sync]

Vulnerable Module(s):
                                [+] Home > Server (Netzwerk)

Vulnerable Parameter(s):
                                [+] servername (name)

Affected Module(s):
                                [+] Home Index Server Listing
                                [+] Edit Server Entries


Proof of Concept (PoC):
=======================
The application-side input validation web vulnerability can be exploited by local attackers with low privileged 
application user account and low user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below 
to continue.

Manual steps to reproduce the vulnerability ...
1. Install the mobile application to your windows phone, ios or android mobile device
2. Start the application
3. Configure a service that is successful connected with functions
4. Surf to the existing server home index listing
5. Change the internal or external server with existing address and payload
6. Save the input
7. The execution occurs in the main index server listing
8. Click the arrow next to the injected code
9. The second execution occurs in the header section were the servername description becomes visible
10. Successful reproduce of the security vulnerability!

Note: Include as payload a server that exists and attach your payload for a successful execution! The connection to the 
Polar Bear SCADA server is 
multi-client capable and configuration data required for the network settings of the app can be automatically 
transferred via QR code. 
In polar bears v2.1 there are also refer to a QR code component.


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the netzwerk - servername value. 
Restrict the input field and disallow the usage of script code tags and  special chars.
Filter the server name output in the edit mode and parse also the index listing output with the servername.


Security Risk:
==============
The security risk of the application-side input validation vulnerability in the server configuration is estimated as 
medium. (CVSS 5.2)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () evolution-sec com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or 
its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special 
damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody 
to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - 
www.evolution-sec.com
Contact:    admin () vulnerability-lab com      - research () vulnerability-lab com                     - admin () 
evolution-sec com
Section:    magazine.vulnerability-db.com       - vulnerability-lab.com/contact.php                     - 
evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - 
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - 
vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability 
Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other 
information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit 
our material contact 
(admin () vulnerability-lab com or research () vulnerability-lab com) to get a permission.

                                Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com
PGP KEY: http://www.vulnerability-lab.com/keys/admin () vulnerability-lab com%280x198E9928%29.txt



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/