EyeLock nano NXT 3.5 Remote Root Exploit

Title: EyeLock nano NXT 3.5 Remote Root Exploit
Advisory ID: ZSL-2016-5357
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 10.08.2016
Summary
EyeLock is an advanced iris authentication and recognition solutions company focused on developing next-generation systems for global access control and identity management.

nano NXT® - the next generation of EyeLock’s revolutionary access control solutions. nano NXT renders all other access control peripherals obsolete by revolutionizing how identities are protected, authenticated, and managed. With a sleek low profile and powerful capabilities, the nano NXT redefines the future of access control. An optional SDK is available to customers who want to customize their security solutions to integrate seamlessly with existing applications. The nano NXT authenticates up to 20 people per minute, in-motion and at-a-distance with unparalleled accuracy. nano NXT can be used in a variety of environments including commercial/enterprise, corrections, data centers, education, financial services, government, healthcare facilities and hospitality.

Nano NXT is the most advanced compact iris-based identity authentication device in Eyelock's comprehensive suite of end-to-end identity authentication solutions. Nano NXT is a miniaturized iris-based recognition system capable of providing real-time identification, both in-motion and at a distance. The Nano NXT is an ideal replacement for card-based systems, and seamlessly controls access to turnstiles, secured entrances, server rooms and any other physical space. Similarly the device is powerful and compact enough to secure high-value transactions, critical databases, network workstations or any other information system.
Description
EyeLock's nano NXT firmware latest version 3.5 (released 25.07.2016) suffers from multiple unauthenticated command injection vulnerabilities. The issue lies within the 'rpc.php' script located in the '/scripts' directory and can be triggered when user supplied input is not correctly sanitized while updating the local time for the device and/or get info from remote time server. The vulnerable script has two REQUEST parameters 'timeserver' and 'localtime' that are called within a shell_exec() function for setting the local time and the hardware clock of the device. An attacker can exploit these conditions gaining full system (root) access and execute OS commands on the affected device by injecting special characters to the affected parameters and further bypass the access control in place.

--------------------------------------------------------------------------------

/scripts/rpc.php:
------------------------

9: if (isset($_REQUEST['action']))
10: {
11: switch($_REQUEST['action'])
...
...
181: case 'updatetime':
182: {
183: // do something, the put our response in the response field...
184: $strDate = shell_exec("rdate -s {$_REQUEST['timeserver']} 2>&1");
185:
186: // set the hardware clock.
187: $strResult = shell_exec("/sbin/hwclock -w"); // Does no harm to call this even on failure...
188:
189: $strtheDate = shell_exec("date 2>&1");
190:
191: echo "updatetime|{$strDate}|{$strtheDate}";
192:
193: break;
194: }
195:
196: case 'updatelocaltime':
197: {
198: // do something, the put our response in the response field...
199: $strDate = shell_exec("date -s '{$_REQUEST['localtime']}' 2>&1");
200:
201: // set the hardware clock
202: $strResult = shell_exec("/sbin/hwclock -w"); // Does no harm to call this even on failure...
203:
204: $strtheDate = shell_exec("date 2>&1");
205:
206: echo "updatelocaltime|{$strDate}|{$strtheDate}";
207:
208: break;
209: }

--------------------------------------------------------------------------------

Vendor
EyeLock, LLC - http://www.eyelock.com
Affected Version
NXT Firmware: 3.05.1193 (ICM: 3.5.1)
NXT Firmware: 3.04.1108 (ICM: 3.4.13)
NXT Firmware: 3.03.944 (ICM: 3.3.2)
NXT Firmware: 3.01.646 (ICM: 3.1.13)
Tested On
GNU/Linux (armv7l)
lighttpd/1.4.35
SQLite/3.8.7.2
PHP/5.6.6
Vendor Status
[10.06.2016] Vulnerability discovered.
[27.06.2016] Contact with the vendor.
[09.07.2016] No response from the vendor.
[10.08.2016] Public security advisory released.
[11.08.2016] Vendor responds confirming the issues scheduling patch release.
[15.08.2016] Vendor releases NXT Firmware: 3.06.1260 (ICM: 3.5.1) to address these issues.
PoC
eyelock_root.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/40228/
[2] https://exchange.xforce.ibmcloud.com/vulnerabilities/115918
[3] https://packetstormsecurity.com/files/138275
[4] https://cxsecurity.com/issue/WLB-2016080102
[5] http://www.eyelock.com/index.php/nxt-downloads
Changelog
[10.08.2016] - Initial release
[13.08.2016] - Added reference [1], [2], [3] and [4]
[17.08.2016] - Added vendor status and reference [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk