← Advisories

Iris ID IrisAccess iCAM4000/iCAM7000 Hardcoded Credentials Remote Shell Access

Critical

Advisory ID

ZSL-2016-5347

Release Date

26 July 2016

Vendor

Iris ID, Inc. - http://www.irisid.com

Affected Version

iCAM4000:, iCAM Software: 3.09.02, iCAM File system: 1.3, CMR Firmware: 5.5 and 3.8, EIF Firmware: 9.5 and 8.0, HID iClass Library: 2.01.05, ImageData Library: 1.153, Command Process: 1.02, iCAM7000:, iCAM Software: 8.01.07, iCAM File system: 1.4.0, EIF Firmware: 1.9, HID iClass Library: 1.00.00, ImageData Library: 01.01.32, EyeSeek Library: 5.00, Countermeasure Library: 3.00, LensFinder Library: 5.00, Tilt Assist Library: 4.00

CVE

N/A

Tested On

GNU/Linux 2.4.19 (armv5tel)

Summary

The 4th generation IrisAccess™ 7000 series iris recognition solution offered by Iris ID provides fast, secure, and highly accurate, non-contact identification by the iris of the eye. The iCAM7000's versatility and flexibility allows for easy integration with many Wiegand and network based access control, time and attendance, visitor management and point of sale applications.

The iCAM4000 or 4010 with embedded smart card is the best-selling model in the IrisAccess 4000 range. Simultaneous two-eye capture, face-badging camera, motorized height adjust, iCAM4000 is easily configured for use in a kiosk as well as in applications where a traditional wall-mount is used.

Description

The Iris ID IrisAccess iCAM4000/7000 series suffer from a use of hard-coded credentials. When visiting the device interface with a browser on port 80, the application loads an applet JAR file 'ICAMClient.jar' into user's browser which serves additional admin features. In the JAR file there is an account 'rou' with password 'iris4000' that has read and limited write privileges on the affected node. An attacker can access the device using these credentials starting a simple telnet session on port 23 gaining access to sensitive information and/or FTP access on port 21 (with EVERYTHING allowed) and uploading malicious content.

	/html/ICAMClient.jar (ICAMClient.java):
------------------------

 param_host = getParameter("host");
 param_user = "rou";//getParameter("user");
 param_pass = "iris4000";//getParameter("pass"); // password
param_path = getParameter("path"); // path on the server

/etc/ftpd/ftpd.conf:
------------------------

 # User list:
 # Format:  user=
 #                user name
 #               password or * for anonymous access
 #               (internally appended to serverroot)
 #                       the user has access to the WHOLE SUBTREE,
 #                       if the server has access to it
 #            maximal logins with this usertype
 #                D - download
 #                       U - upload + making directories
 #                       O - overwrite existing files
 #                       M - allows multiple logins
 #                       E - allows erase operations
 #                       A - allows EVERYTHING(!)

user=rou iris4000 / 5 A

Proof of Concept

irisid_hardcoded.txtTXT

Disclosure Timeline

06.05.2016Vulnerability discovered.

09.05.2016Vendor contacted.

12.06.2016Vendor contacted again.

26.07.2016No response from the vendor.

27.07.2016Public security advisory released.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://www.exploit-db.com/exploits/40167/

[2]https://cxsecurity.com/issue/WLB-2016070201

[3]https://packetstormsecurity.com/files/138078

[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/115506

Changelog

26.07.2016Initial release

27.07.2016Added reference [1], [2] and [3]

29.07.2016Addded reference [4]