Iris ID IrisAccess iCAM4000/iCAM7000 Hardcoded Credentials Remote Shell Access

Title: Iris ID IrisAccess iCAM4000/iCAM7000 Hardcoded Credentials Remote Shell Access
Advisory ID: ZSL-2016-5347
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 26.07.2016
Summary
The 4th generation IrisAccess™ 7000 series iris recognition solution offered by Iris ID provides fast, secure, and highly accurate, non-contact identification by the iris of the eye. The iCAM7000's versatility and flexibility allows for easy integration with many Wiegand and network based access control, time and attendance, visitor management and point of sale applications.

The iCAM4000 or 4010 with embedded smart card is the best-selling model in the IrisAccess 4000 range. Simultaneous two-eye capture, face-badging camera, motorized height adjust, iCAM4000 is easily configured for use in a kiosk as well as in applications where a traditional wall-mount is used.
Description
The Iris ID IrisAccess iCAM4000/7000 series suffers from the use of hard-coded credentials. When the device interface is visited with a browser on port 80, the application loads an applet JAR file 'ICAMClient.jar' into the user's browser, which serves additional admin features. In the JAR file there is an account 'rou' with the password 'iris4000' that has read and limited write privileges on the affected node. An attacker can access the device with these credentials by starting a simple telnet session on port 23, gaining access to sensitive information, and/or via FTP access on port 21 (with EVERYTHING allowed), uploading malicious content.

--------------------------------------------------------------------------------

/html/ICAMClient.jar (ICAMClient.java):
------------------------

97: param_host = getParameter("host");
98: param_user = "rou";//getParameter("user");
99: param_pass = "iris4000";//getParameter("pass"); // password
100: param_path = getParameter("path"); // path on the server


/etc/ftpd/ftpd.conf:
------------------------

69: # User list:
70: # Format: user=
71: # user name
72: # password or * for anonymous access
73: # (internally appended to serverroot)
74: # the user has access to the WHOLE SUBTREE,
75: # if the server has access to it
76: # maximal logins with this usertype
77: # D - download
78: # U - upload + making directories
79: # O - overwrite existing files
80: # M - allows multiple logins
81: # E - allows erase operations
82: # A - allows EVERYTHING(!)
101:
103: user=rou iris4000 / 5 A

--------------------------------------------------------------------------------
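The two excerpts above are the whole problem in miniature: a client-side applet carries the account, and the FTP daemon grants that account the 'A' flag on '/'. The following added audit script (not part of the advisory or of Iris ID's software) parses the quoted ftpd.conf 'user=' format as documented in its own comments, extracts string literals assigned to user/pass-like variables from the quoted Java source, and reports accounts that are over-privileged or whose credentials also appear in client-side code; the variable-name pattern and the second config entry are constructed for illustration.

```python
# Added example (not from the advisory or Iris ID): cross-check applet-embedded
# credentials against ftpd.conf accounts; format/flags follow the quoted config.
import re

# Constructed sample: the applet lines quoted in the advisory.
JAVA_SRC = '''
param_host = getParameter("host");
param_user = "rou";//getParameter("user");
param_pass = "iris4000";//getParameter("pass"); // password
'''
# Constructed sample: the quoted ftpd.conf entry plus a made-up read-only entry.
FTPD_CONF = """
# User list:
user=rou iris4000 / 5 A
user=pub * /pub 10 D
"""
RIGHTS = set("DUOME")        # individual rights documented in ftpd.conf
WRITE_RIGHTS = set("UOE")    # upload, overwrite, erase; 'A' allows everything

def find_hardcoded_credentials(src: str) -> dict:
    """String literals assigned to user/pass-like variables in Java source."""
    pat = re.compile(r'(\w*(?:user|pass|pwd)\w*)\s*=\s*"([^"]*)"\s*;', re.I)
    return dict(pat.findall(src))

def parse_ftpd_users(conf: str) -> list:
    """Parse 'user=<name> <password|*> <path> <max logins> <flags>' lines."""
    pat = re.compile(r"^user=(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*([A-Z]*)$")
    users = []
    for line in conf.splitlines():
        m = pat.match(line.strip())
        if m:
            name, pw, path, n, flags = m.groups()
            users.append((name, pw, path, int(n), flags))
    return users

def audit(conf: str, client_src: str) -> dict:
    """Findings per FTP account: over-broad rights and secrets leaked to clients."""
    leaked = set(find_hardcoded_credentials(client_src).values())
    report = {}
    for name, pw, path, _, flags in parse_ftpd_users(conf):
        rights = RIGHTS if "A" in flags else set(flags) & RIGHTS
        issues = []
        if "A" in flags:
            issues.append("A flag grants every right")
        if path == "/" and rights & WRITE_RIGHTS:
            issues.append("write access to the whole server root")
        if pw == "*" and rights & WRITE_RIGHTS:
            issues.append("anonymous account with write rights")
        if name in leaked or pw in leaked:
            issues.append("credentials also embedded in client-side code")
        report[name] = issues
    return report
```

Running `audit(FTPD_CONF, JAVA_SRC)` flags the 'rou' account three times (A flag, root-wide write access, credentials present in the applet) and reports nothing for the read-only anonymous entry.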

Vendor
Iris ID, Inc. - http://www.irisid.com
Affected Version
iCAM4000:
iCAM Software: 3.09.02
iCAM File system: 1.3
CMR Firmware: 5.5 and 3.8
EIF Firmware: 9.5 and 8.0
HID iClass Library: 2.01.05
ImageData Library: 1.153
Command Process: 1.02

iCAM7000:
iCAM Software: 8.01.07
iCAM File system: 1.4.0
EIF Firmware: 1.9
HID iClass Library: 1.00.00
ImageData Library: 01.01.32
EyeSeek Library: 5.00
Countermeasure Library: 3.00
LensFinder Library: 5.00
Tilt Assist Library: 4.00
Tested On
GNU/Linux 2.4.19 (armv5tel)
Vendor Status
[06.05.2016] Vulnerability discovered.
[09.05.2016] Vendor contacted.
[12.06.2016] Vendor contacted again.
[26.07.2016] No response from the vendor.
[27.07.2016] Public security advisory released.
PoC
irisid_hardcoded.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/40167/
[2] https://cxsecurity.com/issue/WLB-2016070201
[3] https://packetstormsecurity.com/files/138078
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/115506
Changelog
[26.07.2016] - Initial release
[27.07.2016] - Added reference [1], [2] and [3]
[29.07.2016] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk