
[R1] Kaa IoT Platform SdkServlet / RecordServlet Java Object Deserialization Remote Code Execution

High

Synopsis

Kaa? Yeah, it was kind of new to some of us too! From the vendor page:

Kaa is a production-ready, multi-purpose middleware platform for building complete end-to-end IoT solutions, connected applications, and smart products. The Kaa platform jump-starts the development of your IoT product and dramatically reduces associated costs, risks, and time-to-market. Kaa facilitates the data exchange among connected devices, the IoT cloud, data analytics and visualisation systems, and other IoT ecosystem components.

So this is all Internet of Things. All that talk about remotely owning your toaster, refrigerator, or toothbrush may be possible now! They currently advertise that Kaa is compatible with Intel, Android, Apple, Microsoft, and many other vendors. Given the wide variety of devices and platforms that may use, or come to use, Kaa, this has all the potential to be a virtual joyride.

Exploit Vector

Kaa offers an administrator interface over HTTP on TCP port 8080. This interface requires authentication, but if you are lucky, the default credentials will work (kaa / kaa123). Two of the admin servlets, SdkServlet and RecordServlet, convert base64-encoded request parameters to Java objects:


RecordServlet.java:
RecordKey key = (RecordKey) Base64.decodeToObject(recordKeyBase64, Base64.URL_SAFE, null);

SdkServlet.java:
SdkPropertiesDto key = (SdkPropertiesDto)Base64.decodeToObject(sdkKeyBase64, Base64.URL_SAFE, null);

decodeToObject calls into the package net.iharder.Base64, which strips away the base64 encoding and converts the raw bytes to a Java object via an ObjectInputStream using readObject().
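An added example, not code from Kaa or from this advisory: the decode described above places no restriction on which classes may appear in the stream handed to readObject(), and a look-ahead ObjectInputStream that checks every class descriptor against an allow-list is one way to constrain it. RecordKey here is a constructed stand-in for Kaa's class, java.util.Base64 is substituted for net.iharder.Base64, and the names AllowListDecode, AllowListStream, decode and encode are hypothetical.

```java
import java.io.*;
import java.util.*;

public class AllowListDecode {
    // Hypothetical stand-in for Kaa's RecordKey, constructed for this example.
    static class RecordKey implements Serializable {
        private static final long serialVersionUID = 1L;
        final String applicationId;
        RecordKey(String applicationId) { this.applicationId = applicationId; }
    }

    // Look-ahead stream: resolveClass() is called for each class descriptor in the
    // stream before an instance is created, so unexpected types are never instantiated.
    static class AllowListStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowListStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    // URL-safe base64 -> object, accepting only allow-listed classes.
    static <T> T decode(String b64, Class<T> type, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getUrlDecoder().decode(b64);
        try (ObjectInputStream in = new AllowListStream(new ByteArrayInputStream(raw), allowed)) {
            return type.cast(in.readObject());
        }
    }

    // Helper that builds constructed sample parameters for the demo below.
    static String encode(Serializable o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return Base64.getUrlEncoder().encodeToString(buf.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Collections.singleton(RecordKey.class.getName());
        RecordKey ok = decode(encode(new RecordKey("app-1")), RecordKey.class, allowed);
        System.out.println("accepted: " + ok.applicationId);
        try { // a benign but unexpected type is refused before it is instantiated
            decode(encode(new ArrayList<String>()), RecordKey.class, allowed);
        } catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The cast in the original servlet code runs only after readObject() has returned, which is why the check has to happen inside the stream rather than on the result.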

Apache Commons FileUpload Exploitation

Apache Commons FileUpload contains an object called DiskFileItem, which is normally harmless. However, the object can be modified after it is serialized to behave in ways that were not intended. Specifically we can modify DiskFileItem to:

  1. Create a new file anywhere the Java process has permission.
  2. Write anything we would like to that new file.
  3. We can also move (copy and delete) any file on the remote system that we have permission to.

There are two limitations though:

  1. We don’t control the filename. This is generated by DiskFileItem class as upload_$uuid_$counter.tmp.
  2. Files are created using the File.createTempFile() interface. That means the lifetime of the file is totally dependent on the usage of deleteOnExit(), how long the JVM runs, and if it is moved after creation (if the move is done by the exploit then it will still be deleted; however, if the move is done by the InvokerTransformer exploit then it will not be deleted). It is our observation that files do not appear to get deleted until the server is shut down.

Spring Framework

Kaa also has the Spring Framework on the classpath. Deserialization attacks using Spring allow the attacker to execute arbitrary commands in the context of Kaa.

Tenable has generated proofs-of-concept that allow creating files with custom content (FileUpload), moving files (FileUpload), and executing arbitrary OS commands (Spring). We shared them and the vendor still didn't opt to fix the issues.

Solution

We are not aware of a solution.

Disclosure Timeline

2016-02-01 - Issue discovered to affect Kaa
2016-02-08 - Submitted to ZDI for consideration, case bmartin008
2016-02-10 - ZDI declines, as they are "not interested in vulnerabilities affecting this product"
2016-02-10 - Use Kaa inquiry form to ask preferred way for vuln reporting, no response
2016-02-14 - Ask @KaaIoT on Twitter for preferred way of vuln reporting, no response
2016-02-17 - Opened KAA-866 via their JIRA to ask for preferred way of vuln reporting, no response
2016-03-01 - Sales mail from Vendor asking for feedback on platform
2016-03-01 - Replied to sales mail asking for security contact
2016-03-02 - CTO of CyberVision replies, asking for details
2016-03-02 - Tenable sends over writeup with PoCs
2016-04-20 - Ping vendor for update
2016-05-17 - Ping vendor for update
2016-06-22 - Ping vendor for update
2016-07-20 - Ping vendor for update
2016-08-18 - Ping vendor for update, remind them it's been 5 months since we heard from them.
2016-09-20 - Ping vendor, remind them that we can disclose at any time if we feel it is in the best interest of customers.
2016-10-19 - Left comment on KAA-866 with timeline and asking for some form of acknowledgement.
2016-11-20 - KAA JIRA Administrator deletes KAA-866 without comment.
2016-11-24 - Send timeline and vuln details to ICS-CERT via ics-cert@hq.dhs.gov, ask for help with vendor and put them on 45 day clock
2016-11-29 - Ping ICS-CERT to confirm receipt, ask for tracking ID assignment
2016-11-30 - ICS-CERT acks mail, assigns ICS-VU-021384
2017-02-27 - Ping ICS-CERT, ask them to follow 45 day disclosure policy and publish.
2017-02-28 - ICS-CERT wants to involve their leadership and continue to pursue coordination
2017-03-07 - ICS-CERT says their leadership has been on travel, escalating today
2017-03-07 - ICS-CERT confirms they have tried to contact vendor 12 times at this point, with a single response
2017-03-23 - ICS-CERT says they are almost ready to publish, has a couple questions.
2017-03-23 - Tenable provides answers and revised write-up.
2017-04-26 - ICS-CERT says draft advisory ready, sent to OPA (Office of Public Affairs), vendor, and us for review, tentative release date May 2.
2017-05-02 - ICS-CERT publishes ICSA-17-122-02

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

If you have questions or corrections about this advisory, please email advisories@tenable.com