Claroty's Team82 exposes critical vulnerabilities in Hunting Planet WGS-804HPT industrial switch
Published 2025-1-21 08:47. Source: industrialcyber.co

New research from Claroty's Team82 research arm uncovered three vulnerabilities in the Hunting Planet WGS-804HPT industrial switch that could allow an attacker to remotely execute code on a vulnerable device. These vulnerabilities include separate buffer and integer overflow vulnerabilities and an OS command injection flaw; an exploit was developed that leverages these bugs and remotely runs code on the device. An attacker who is able to remotely control one of these devices can use it to further exploit devices in an internal network and perform lateral movement.

The Planet WGS-804HPT industrial switch is designed for building and home automation networks to connect IoT devices, IP surveillance cameras, and wireless LAN applications. It is equipped with a web service and SNMP (Simple Network Management Protocol) management interface. Like many embedded IoT devices, the switch provides a management interface operable through a web browser. This service was the focus of Team82’s research, as it is the main component allowing clients to control their device and is most commonly exposed to the network.

Team82 privately disclosed these vulnerabilities to Taiwan-based Planet Technology, which addressed the security issues and advised users to upgrade the device firmware to version 1.305b241111, Tomer Goldschmidt disclosed in a blog post last week. "We found three vulnerabilities in Planet Technology's WGS-804HPT industrial switches that could be chained and exploited to gain remote code execution on the device."

Emulation involves replicating operations from a different system architecture on a host machine by simulating CPU instructions and facilitating OS interactions between guest and host systems. Tools like the open-source, cross-platform QEMU framework are essential for researchers in vulnerability analysis. QEMU and similar emulators provide excellent environments for examining software and firmware for vulnerabilities and safely testing exploits. 

For Team82, emulation platforms like QEMU are crucial, especially when accessing the actual target device is challenging, Goldschmidt said. "QEMU was essential to our success in finding the three vulnerabilities in the Planet Technology industrial switch. We were able to emulate critical components of the device, understand where vulnerabilities may be uncovered, and managed to develop PoC exploits to present probable impact to the device."

QEMU can be used in two distinct modes: user-space emulation, which emulates a single executable within a specific guest architecture context, and system emulation, which emulates an entire system, including its kernel, I/O peripherals, and drivers, within a specific architecture context.

System emulation with QEMU is a little more complicated, but by following the guidelines in the tool's documentation, one can set up a working environment and boot a working emulated system. The system emulation capabilities come in very handy when confronted with multi-component system security research.

Goldschmidt detailed that as this toolset is rich in features and options, "we are going to focus on our most common use case for this aspect of qemu. And so we will boot up a Debian-based distribution of the Linux operating system supporting MIPS 32-bit architecture-based systems."

As Team82 began with user-space executable emulation with QEMU, it is also necessary to install the qemu-system emulation toolsets. Next, a directory is created to contain the artifacts necessary to boot a working Debian Linux system for the MIPS architecture: a Linux kernel cross-compiled specifically for MIPS, and a root filesystem holding the Debian distribution.

“Knowing now how to emulate a simple userspace application and a full operating system we can go ahead and tackle our original goal of emulating the web service provided by the WGS-804HPT industrial switch for vulnerability research and exploit development,” Goldschmidt noted. “We already have the firmware of the device and managed to extract the filesystem out of it. All that remains is to set up the environment for emulation.”

He pointed out that the real challenge is when the system has highly coupled components interacting with each other and dependent on specific peripherals that are not accessible. “This observation is key to understanding that being able to emulate an embedded system is often a gradual process with trial and error. In our case, we deliberately chose a target that doesn’t have much coupling to other system services, which effectively means it can be emulated alone and work in a functional operating state.”

The Planet WGS-804HPT industrial switch provides a web service using the boa web server. The boa web service delegates pre-authenticated client requests to dispatcher.cgi. This CGI endpoint is the interface Team82 was interested in analyzing for vulnerabilities, because it is exposed and accessible to unauthenticated clients, making it a natural attack surface.

The next step in Team82’s research was to test the discovered vulnerability and create a working PoC to demonstrate exploitability and its impact. “In order to develop our working PoC, we will use our knowledge of Qemu userspace program emulation, starting with emulating the whole boa web server and verifying we are able to interact with it.” 

"Doing this will allow us to test the web service when we have a working exploit," according to Goldschmidt. "But for our exploit development, we need to be able to debug the dispatcher.cgi CGI process. And so we will actually begin by just running the dispatcher.cgi program with a remote debugger attached to it. This is actually possible because qemu provides the option to initialize a gdb-server listener interface to debug an emulated application."

He added that “having an ability to debug our dispatcher.cgi program we can start developing our exploit. One of the first things to do when trying to develop our exploitation technique is to check the memory security mitigation applied to our target executable.”

In this case, Goldschmidt said “we are lucky to have our target without confining security mitigations on the executable. As such, we relied on the fact that the executable is compiled without the NX bit enabled which means the stack is also executable. This means it is possible to embed a shellcode in our request cookie and later jump into the stack where our payload shellcode is stored.”
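One way to perform the mitigation check described above on an extracted firmware binary, added here as an example and not Team82's code: the script parses the ELF32 program headers and reports whether the stack is executable (no PT_GNU_STACK entry, or one carrying PF_X) and whether the binary is position-independent. The sample ELF images are constructed inline for testing; offsets and constants follow the ELF32 specification, and the sample's little-endian MIPS layout is an assumption, not something the article states about the device.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header that records stack permissions
PF_X, ET_DYN, ET_EXEC, EM_MIPS = 0x1, 3, 2, 8

def check_elf_mitigations(data: bytes) -> dict:
    """Report stack NX and PIE status for an ELF32 image (either endianness).

    The Linux loader makes the stack executable when PT_GNU_STACK is absent
    or carries PF_X, so both cases are reported as nx_stack=False.
    """
    if data[:4] != b"\x7fELF" or data[4] != 1:
        raise ValueError("expected an ELF32 image")
    e = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    e_type, e_machine = struct.unpack_from(e + "HH", data, 16)
    e_phoff = struct.unpack_from(e + "I", data, 28)[0]
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 42)
    stack_flags = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from(e + "I", data, off)[0]
        if p_type == PT_GNU_STACK:
            stack_flags = struct.unpack_from(e + "I", data, off + 24)[0]
    exec_stack = stack_flags is None or bool(stack_flags & PF_X)
    return {"machine": e_machine, "pie": e_type == ET_DYN,
            "gnu_stack_present": stack_flags is not None,
            "nx_stack": not exec_stack}

def make_sample_elf(stack_flags, pie=False) -> bytes:
    """Constructed minimal little-endian MIPS ELF32 image for testing: a
    header plus one PT_GNU_STACK entry (omitted when stack_flags is None)."""
    phdr = b"" if stack_flags is None else struct.pack(
        "<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)   # class32, LE, version 1
    header = ident + struct.pack(
        "<HHIIIIIHHHHHH", ET_DYN if pie else ET_EXEC, EM_MIPS, 1, 0, 52, 0, 0,
        52, 32, 0 if stack_flags is None else 1, 0, 0, 0)
    return header + phdr

if __name__ == "__main__":
    for label, flags in (("rwx stack (no NX)", 0x7), ("rw stack (NX)", 0x6),
                         ("no PT_GNU_STACK", None)):
        print(label, check_elf_mitigations(make_sample_elf(flags)))
```

Running it over real firmware is a matter of `check_elf_mitigations(open(path, "rb").read())`; a result of `nx_stack: False` on an exposed CGI binary is the condition the article describes and a reason to request a rebuilt firmware from the vendor.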

He added “Our final shellcode invoked the execve syscall with controlled parameters also found in our payload on the stack and referenced using the $sp register as a base to offset from.”

Goldschmidt highlighted that attempting “to exploit this vulnerability with our python PoC script, we managed to control the code flow and achieve code execution. We then divert the code into our controlled shellcode and gain remote OS command execution capability.”

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.


Article source: https://industrialcyber.co/industrial-cyber-attacks/clarotys-team82-exposes-critical-vulnerabilities-in-hunting-planet-wgs-804hpt-industrial-switch/