Phoenix Sid Unpacker


Maryanna Vernia

Aug 19, 2024, 11:31:02 PM8/19/24
to tanoseakick

In response to the issues we found, Phoenix Contact produced a new firmware release (v4.0.10) that addresses all the reported vulnerabilities and asserted that these issues affect not only the 6121-WXPS device but the whole WP6000 product family.

Download File https://pimlm.com/2A3fuD

As described in the first blog, the WP 6121-WXPS is one of the newest web-based HMIs (i.e., Human Machine Interface) produced by Phoenix Contact. Traditionally, HMIs are installed inside industrial control facilities and act as the main visual connection to the monitoring system of an automation solution. After configuring the HMI, the device interacts with the designated monitoring system (i.e., a local or remote web service) leveraging its embedded web browser which then renders the output through the display.

As we can see from the location / ... block of the configuration file, as soon as an HTTP request reaches nginx, it forwards the request to another server running on the same machine on port TCP/8080 (i.e., :8080). We discovered that this application is the /opt/cockpit/cockpit binary.

We executed the pkg-unpacker tool on the cockpit NodeJS application (i.e., the application which implements the HTTPS server exposed by the Phoenix Contact device) and were able to extract the embedded JavaScript source code.

As we can see from its package.json file, since the cockpit application was compiled with the default "license" property set to "ISC", vercel/pkg has written both the JS bytecode and the raw JS code inside the virtual file system of the NodeJS application. As previously confirmed, this behavior allows automatic tools, such as pkg-unpacker, to extract the embedded JS code.

After extracting all JavaScript source code files embedded inside the cockpit application, we found that they were obfuscated to prevent an outsider from reading them and retrieving sensitive information.

As shown in the following evidence, the JavaScript function concatenates all parameters received into the HTTP body and uses them as arguments for "timedatectl". This command is then executed on the underlying Linux OS through the standard NodeJS child_process.execSync() function so that the date is finally set on the WP 6121-WXPS device.

The string passed to the execSync function is processed directly by the shell, and special characters (which vary based on the shell) need to be dealt with accordingly. Since the final command is computed at run-time and then passed to the underlying Linux shell to be executed, this condition allows an attacker to easily trigger an OS command injection.

Leveraging this knowledge, we were able to craft a malicious HTTP POST request where the "min" (i.e., minutes) value contains a Bash subshell command: because the cockpit process is executed with root privileges, as soon as it receives this HTTP POST request, our malicious payload is executed on the target Linux OS with root privileges.

In part 3, we'll drill down into the process we used to analyze and exploit all the vulnerabilities affecting the SNMP protocol, and specifically how an attacker could chain these issues to get an administrative shell without authentication. Stay tuned!

All sunxi devices use LiveSuit as the default flasher and updater for retail customers, and PhoenixCard or PhoenixUSB for flashing when devices are manufactured. The LiveSuit/Phoenix protocol and data are a closed-source standard used by many companies and devices. To decrypt/unpack firmware you need an unpacker and 3 keys. These keys are the same across all sunxi devices and can be different on other brands (SoChip, Rockchip and others). Keys are usually shipped with the firmware as a .key file.

With the introduction of the Protobuf transport, Avatica is moving towards backwards compatibility with the provided thin JDBC driver. There are no such backwards compatibility guarantees for the JSON API.

The primary client implementation is currently a JDBC driver with minimal dependencies. The default and primary transport mechanism since Phoenix 4.7 is Protobuf; the older JSON mechanism can still be enabled. The distribution includes the sqlline-thin.py CLI client that uses the JDBC thin client.

If using the standalone library, you will either need to rebuild it from source to include the client library (see BUILDING.md), or manually copy the Phoenix thick client library into the installation directory.

Phoenix provides two mechanisms for interacting with the query server. A JDBC driver is provided in the standalone phoenix-queryserver-client-.jar. The script bin/sqlline-thin.py is available for the command line.

As a word of warning: there is no end-to-end test coverage for the HBase 0.98 and 1.1 Phoenix releases because of missing test-related code in those HBase releases. While we expect no issues on these Phoenix release lines, we recommend additional testing by the user to verify that there are no issues.

PQS Metrics use Hadoop Metrics 2 internally for metrics publishing. Hence it publishes various JVM-related metrics. Metrics can be filtered based on certain tags, which can be configured by the property specified in hbase-site.xml on the classpath. Further details are provided in the Configuration section.

Server components are spread across a number of Java packages, so effective logging configuration requires updating multiple packages. The default server logging configuration sets the following log levels:

The ZooKeeper-based load balancer functions by automatically registering PQS instances in ZooKeeper and then allowing clients to query the list of available servers. This implementation, unlike the others mentioned above, requires that clients use the advertised information to make a routing decision. In this regard, this ZooKeeper-based approach is more akin to a service-discovery layer than a traditional load balancer. This load balancer implementation does not support SASL-based (Kerberos) ACLs in ZooKeeper (see PHOENIX-4085).
