
Iris ID IrisAccess ICU 7000-2 Remote Root Command Execution

Critical
Advisory ID
ZSL-2016-5346
Release Date
26 July 2016
Vendor
Iris ID, Inc. - http://www.irisid.com
Affected Version
ICU Software: 1.00.08, ICU OS: 1.3.8, ICU File system: 1.3.8, EIF Firmware [Channel 1]: 1.9, EIF Firmware [Channel 2]: 1.9, Iris TwoPi: 1.4.5
CVE
N/A
Tested On
GNU/Linux 3.0.51 (armv7l), mylighttpd v1.0, PHP/5.5.13
Summary

The ICU 7000-2 is an optional component used when the client requires iris template data to be matched on the secure side of the door. When using the ICU, no data is stored in the iCAM7 Iris Reader itself. The ICU also ensures that portal operation can continue if there is an interruption in communication with the host computer. In such circumstances, the ICU retains the records of portal activity, then automatically updates the host upon resumption of host communication. Every ICU in the iCAM4000 / 7 series runs on a Linux OS for added reliability. Independent and fault tolerant, ICUs connect to up to 2 iCAMs and handle up to 100,000 users.

Description

The Iris ID IrisAccess ICU 7000-2 device suffers from an unauthenticated remote command execution vulnerability. The vulnerability exists because several POST parameters in the '/html/SetSmarcardSettings.php' script are concatenated, without sanitization, into the command string passed to the exec() PHP function while updating the Smart Card Settings on the affected device. The resulting '$CommandForExe' string invokes the '/cgi-bin/setsmartcard' CGI binary with the affected parameters as its arguments, which allows an attacker to execute arbitrary system commands as the root user and bypass the biometric access control in place.

/html/SetSmarCardSettings.php:
------------------------
53: <?php
54: $ChNo = $_POST['HidChannelID'];
55: if(0 == $ChNo )
56: echo "1";
57: else
58: echo $ChNo;
59: ?>

61: <?php
62: echo "<input type = \"hidden\" name=\"HidChannelID\" value=\"$ChNo\">";
63: echo "<input type=\"hidden\" name=\"ssid\" value=\"1234\">"
64: ?>

81: <td class="menuMain">Smart Card Settings</td>

88: <!-- Content: BOF -->

97: <?php

99: $FileAvaToUpload = $_POST['HidIsFileSelect'];
100: //echo "<br>File availabe is: ";
101: //echo $FileAvaToUpload;
102: //echo "<br>";

104: $BookVal = $_POST['cmbBook'];
105: //echo "<br>BookVal is ";
106: //echo $BookVal;

108: //echo "<br>Channel value is ";
109: //echo $ChNo;

111: $OffSet = $_POST['txtOffSet'];
112: //echo "<br>Offset is ";
113: //echo $OffSet;

115: $DataFormat = $_POST['DataFormat'];

117: //echo "<br>DataFormat is ";
118: //echo $DataFormat;

120: $EncryptAlg = $_POST['EncryAlg'];

122: if(0 == $DataFormat )
123: $EncryptAlg = 4;

125: //echo "<br>Encryption Algarithm is ";
126: //echo $EncryptAlg;

128: $UseAsProxyCard = $_POST['chkUseAsProxCard'];
129: if( "" == $UseAsProxyCard )
130: $UseAsProxyCard = "0";

132: //echo "<br>Use as ProxyCard is ";
133: //echo $UseAsProxyCard;

135: $target_dir = "/tmp/temp_SmartCardKey";

137: //$target_dir = $target_dir . basename( $_FILES["file1"]["name"]);

139: if(1 == $FileAvaToUpload ) {
140: if (move_uploaded_file($_FILES["file1"]["tmp_name"], $target_dir)) {
141: //echo "The file ". basename( $_FILES["file1"]["name"]). " has been uploaded.";
142: } else {
143: //echo "Sorry, there was an error uploading your file.";
144: }
145: }

147: $out = null;
148: $rc= 0;
149: $CommandForExe = "../cgi-bin/setsmartcard $ChNo $BookVal $OffSet $DataFormat $EncryptAlg $UseAsProxyCard $FileAvaToUpload";
150: //$CommandForExe = "../cgi-bin/setsmartcard 1 0 10 1 1 0";
151: echo exec($CommandForExe, $out, $rc);

153: //print_r( $out);
154: //echo 'rc = '.$rc."\n";

156: //echo "After calling binary";

158: //echo "Return value is: ";
159: //echo $rc;
160: //echo $out;

162: $sICUVersion = $_POST['HidVerForPHP'];
163: ?>
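As an added example (not code from the advisory or from Iris ID), the PHP below shows a hardened form of the exec() call in the excerpt above: every POST value that ends up on the command line is validated as a bounded decimal integer first, the request is rejected with HTTP 400 if any value fails, and the arguments are additionally quoted with escapeshellarg(). The POST field names and the positional argument order come from the excerpt; the numeric ranges, the function names intParam() and buildSetSmartCardCommand(), and the assumption that authentication and CSRF protection are enforced by the surrounding application are assumptions of this example. The code is written to run on PHP 5.5, matching the tested device.

```php
<?php
// Added example, not the vendor's code. Hardened replacement for the
// "$CommandForExe ... exec()" pattern shown in SetSmarCardSettings.php.
// Assumptions: same POST field names and argument order as the excerpt;
// the value ranges below are illustrative and must be checked against
// the setsmartcard CGI binary's documentation.

/**
 * Return the value of $src[$name] as an int if it is a plain decimal
 * integer within [$min, $max]; return $default when the field is absent
 * or empty; return null when the value is malformed or out of range.
 * Only pure digit strings pass, so shell metacharacters never reach exec().
 */
function intParam(array $src, $name, $min, $max, $default = null)
{
    if (!array_key_exists($name, $src) || $src[$name] === '') {
        return $default;
    }
    $v = $src[$name];
    // PHP may deliver arrays for "name[]" fields; reject anything not a string.
    if (!is_string($v) || !preg_match('/^\d{1,10}$/', $v)) {
        return null;
    }
    $n = (int) $v;
    return ($n >= $min && $n <= $max) ? $n : null;
}

/**
 * Build the setsmartcard command line from validated parameters.
 * Returns the command string, or null if any parameter is invalid.
 */
function buildSetSmartCardCommand(array $post)
{
    $chNo      = intParam($post, 'HidChannelID', 1, 2, 1);       // channel 1 or 2 (assumed range)
    $bookVal   = intParam($post, 'cmbBook', 0, 255);             // assumed range
    $offSet    = intParam($post, 'txtOffSet', 0, 65535);         // assumed range
    $format    = intParam($post, 'DataFormat', 0, 1);            // assumed range
    $alg       = intParam($post, 'EncryAlg', 0, 4);              // assumed range
    $proxy     = intParam($post, 'chkUseAsProxCard', 0, 1, 0);   // checkbox: absent means 0
    $fileAvail = intParam($post, 'HidIsFileSelect', 0, 1, 0);    // 1 if a key file was uploaded

    if ($format === 0) {
        $alg = 4; // mirrors the original script's DataFormat == 0 rule
    }

    $args = array($chNo, $bookVal, $offSet, $format, $alg, $proxy, $fileAvail);
    foreach ($args as $a) {
        if ($a === null) {
            return null;
        }
    }
    // Every argument is now a bare integer; escapeshellarg() is defence in depth.
    $quoted = array_map(function ($a) { return escapeshellarg((string) $a); }, $args);
    return '../cgi-bin/setsmartcard ' . implode(' ', $quoted);
}

// Request handling. The key-file upload to /tmp/temp_SmartCardKey from the
// original script is unchanged and omitted here; authentication and CSRF
// checks are assumed to be applied before this point.
$cmd = buildSetSmartCardCommand($_POST);
if ($cmd === null) {
    http_response_code(400);
    exit('Invalid Smart Card Settings parameter');
}
$out = array();
$rc  = 0;
exec($cmd, $out, $rc);
// Never echo raw binary output into the page; encode it first.
echo htmlspecialchars(end($out) ?: '', ENT_QUOTES, 'UTF-8');
```

The important design choice is that validation is an allow-list on the shape of each value (digits only, bounded), not a deny-list of dangerous characters: a value such as "1;id" or "$(...)" fails the regex before any command string exists, and escapeshellarg() only guards against a future change that widens what is accepted. Whether the check is correct for a given field still depends on the real ranges the CGI binary expects, which this example only assumes.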
Proof of Concept
Disclosure Timeline
06.05.2016 Vulnerability discovered.
09.05.2016 Vendor contacted.
12.06.2016 Vendor contacted again.
26.07.2016 No response from the vendor.
27.07.2016 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
26.07.2016 Initial release
27.07.2016 Added reference [1], [2] and [3]
29.07.2016 Added reference [4]