Pierluigi Paganini
March 27, 2015
Recently the security firm Cylance has discovered a vulnerability (CVE-2015-0932) affecting the ANTLabs InnGate devices that are popular Internet gateway for visitor-based networks like the one we find in hotels and convention centers.
The exploitation of the flaw gives an attacker full access to the file system of an ANTLabs InnGate device, the experts explained that it is possible to obtain a remote access through an unauthenticated rsync daemon running on TCP 873. Rsync is Linux/UNIX OS utility that is used for file synchronization and file transfers.
The complete access allows an attacker to execute code remotely and enable a hacker to backdoor the ANTLabs InnGate devices, upload an executable or add a new authenticated root-level user.
“Once the attacker has connected to the rsync daemon, they are then able to read and write to the file system of the Linux based operating system without restriction.When an attacker gains full read and write access to a Linux file system, it’s trivial to then turn that into remote code execution. The attacker could upload a backdoored version of nearly any executable on the system and then gain execution control, or simply add an additional user with root level access and a password known to the attacker. Once full file system access is obtained, the endpoint is at the mercy of the attacke” states a blog post from Cylance.
The attack is very easy to run, bad actors just need to find available rsync shares and list files in the root. Unfortunately, the attacks against users connected to Hotel networks and to WiFi provided in convention centers is a common practice, typically conducted for espionage purpose.
In Novermber 2014, the experts at Kaspersky lab published a report on the DarkHotel APT group which was conducting an espionage campaign, which is ongoing for at least four years while targeting selected corporate executives traveling abroad. According to Kaspersky threat actors behind the Darkhotel campaign aim to steal sensitive data from executives while they are staying in luxury hotels, the worrying news is that the hacking crew is still active. The list of targets includes CEOs, senior vice presidents, top R&D engineers, sales and marketing directors from the USA and Asia traveling for business in the APAC region.
The Darkhotel hackers target their victims while accessing to the hotel networks, they wait until the victim connects to the internal Wi-Fi providing his room number and surname to login. Once logged in, the attackers trick the company executive into downloading and installing a malware that pretends to be an update for legitimate software, such as Adobe Flash, Google Toolbar and Windows Messenger.
The flaw discovered by Cylance could be exploited by such kind of APT and doesn’t require a particular effort for the exploitation.
“An attacker exploiting the vulnerability in CVE-2015-0932 would have the access to launch DarkHotel-esque attacks against guests on the affected hotel’s WiFi. Targets could be infected with malware using any method from modifying files being downloaded by the victim or by directly launching attacks against the now accessible systems,” Wallace said. “Given the level of access that this vulnerability offers to attackers, there is seemingly no limit to what they could do.” continues the report.
Cylance scanned the Internet’s IPv4 space for the ANTLabs devices and found 277 which could be exploited remotely, the majority of them was in North America, but some in Asia, the Middle East and Europe.
Users have to apply the patch released by ANTLabs, another mitigation strategy could be block unauthenticated rsync processes via a TCP-DENY command on port 873.
(Security Affairs – ANTLabs InnGate, hacking)
