Wednesday, 22 January 2025 13:51

Hack The Emulated Planet: Vulnerability Hunting Planet WGS-804HPT Industrial Switch

By Claroty

Claroty’s research team has discovered three vulnerabilities in Planet Technology’s WGS-804HPT Industrial switches, which are widely used in building and home automation systems for a variety of networking applications such as IP surveillance and wireless LANs. These severe vulnerabilities could allow attackers to remotely execute code on affected devices and move laterally throughout the network.

The Claroty researchers used QEMU, a popular open-source emulation platform, to conduct their investigation: they emulated the relevant system components of Planet Technology's industrial switch and then tested attacks against the emulated system to uncover the vulnerabilities.


A brief overview of the Claroty Team82 report is reproduced below; the full report is available from Claroty.

Introduction

Emulators such as the open-source, cross-platform QEMU framework are invaluable tools for researchers conducting vulnerability research. QEMU and other emulators act as great testing environments where software and firmware can be analyzed for exploitable vulnerabilities. They can also be taken a step further for testing exploits within a safe space.

For Team82, QEMU and other emulation platforms are center stage in much of our research, in particular where it may be difficult to obtain an actual target device. In this blog, we explain how we used QEMU to emulate the relevant system components of Planet Technology Corp's WGS-804HPT Industrial switch, and how that emulation helped us uncover three vulnerabilities that could allow an attacker to remotely execute code on a vulnerable device. The vulnerabilities are a buffer overflow, an integer overflow and an OS command injection flaw; we were able to develop an exploit that chains these bugs to remotely run code on the device.

These switches are widely used in building and home automation systems for a variety of networking applications. An attacker who gains remote control of one of these devices can use it as a foothold to attack other devices on the internal network and move laterally. We privately disclosed these vulnerabilities to Taiwan-based Planet Technology, which addressed the security issues and advised users to upgrade the device firmware to version 1.305b241111.

Our Research Target: Planet WGS-804HPT

The Planet WGS-804HPT industrial switch is designed for building and home automation networks, providing connectivity for internet of things (IoT) devices, IP surveillance cameras, and wireless LAN applications. The WGS-804HPT exposes both a web-based management service and an SNMP management interface.

Obtaining the Device's Firmware

One of the first steps of any embedded device research project is to obtain the contents of the firmware deployed on the target device. The firmware is valuable because it contains the most important components of a functional device; without it, the device is as good as a paperweight. These components include:

  • System configurations
  • Operating system (kernel)
  • File systems

This stage of research often determines early on whether a project will succeed. Ours was no exception: we found the target's firmware image quickly on the vendor's website.
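As an added illustration of this step (example code written for this page, not Claroty's tooling and not code from the Planet firmware), the script below carves the components listed above out of a firmware blob by their public magic bytes. A bare signature match is not enough, because the four bytes of a header magic can occur by chance anywhere in a binary, so each U-Boot uImage hit is confirmed by recomputing its header CRC and each SquashFS hit by checking that the superblock's block size and version are self-consistent. The input image is constructed inline, including a decoy uImage magic with no valid CRC; on a real image you would run a tool such as binwalk, which performs this kind of scan at scale.

```python
"""Locate kernel and filesystem components inside a firmware image by
signature, validating each hit so that stray magic bytes are not reported.
Added example for this page: the signatures are public format constants,
and the sample image built below is constructed here, not a vendor image."""
import gzip
import struct
import zlib

UIMAGE_MAGIC = 0x27051956                 # U-Boot legacy image header, big-endian
UIMAGE_MAGIC_BYTES = struct.pack(">I", UIMAGE_MAGIC)
SQUASHFS_MAGIC = 0x73717368               # reads "hsqs" when stored little-endian
SQUASHFS_MAGIC_BYTES = struct.pack("<I", SQUASHFS_MAGIC)
GZIP_MAGIC_BYTES = b"\x1f\x8b\x08"        # gzip member using the deflate method
SQUASHFS_COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
# magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32]
UIMAGE_HDR = ">7I4B32s"
# magic, inodes, mtime, block_size, frags, comp, block_log, flags, ids, vmaj, vmin, root_inode, bytes_used
SQUASHFS_SB = "<5I6HQQ"


def _find_all(blob, needle):
    off = blob.find(needle)
    while off != -1:
        yield off
        off = blob.find(needle, off + 1)


def parse_uimage(blob, off):
    """Parse a 64-byte U-Boot header at off; return None if the header CRC fails."""
    hdr = blob[off:off + 64]
    if len(hdr) < 64:
        return None
    magic, hcrc, _t, size, load, ep, dcrc, os_, arch, typ, comp, name = struct.unpack(UIMAGE_HDR, hdr)
    # U-Boot computes the header CRC with the hcrc field itself zeroed.
    if magic != UIMAGE_MAGIC or zlib.crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) != hcrc:
        return None
    payload = blob[off + 64:off + 64 + size]
    return {"offset": off, "kind": "uImage",
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": size, "load": load, "entry": ep,
            "os": os_, "arch": arch, "type": typ, "comp": comp,
            "payload_crc_ok": len(payload) == size and zlib.crc32(payload) == dcrc}


def parse_squashfs(blob, off):
    """Parse the first 48 bytes of a SquashFS 4.x superblock; None if implausible."""
    sb = blob[off:off + 48]
    if len(sb) < 48:
        return None
    (magic, inodes, _mtime, block_size, frags, comp, block_log, _flags,
     _ids, vmaj, vmin, _root, bytes_used) = struct.unpack(SQUASHFS_SB, sb)
    # A genuine superblock has block_size == 2**block_log within 4 KiB..1 MiB.
    if (magic != SQUASHFS_MAGIC or vmaj != 4 or comp not in SQUASHFS_COMPRESSORS
            or block_size != 1 << block_log or not 4096 <= block_size <= 1 << 20):
        return None
    return {"offset": off, "kind": "squashfs", "version": f"{vmaj}.{vmin}",
            "inodes": inodes, "fragments": frags, "block_size": block_size,
            "compressor": SQUASHFS_COMPRESSORS[comp], "bytes_used": bytes_used}


def scan_firmware(blob):
    """Return validated component hits sorted by offset."""
    hits = []
    for off in _find_all(blob, UIMAGE_MAGIC_BYTES):
        info = parse_uimage(blob, off)
        if info:
            hits.append(info)
    for off in _find_all(blob, SQUASHFS_MAGIC_BYTES):
        info = parse_squashfs(blob, off)
        if info:
            hits.append(info)
    for off in _find_all(blob, GZIP_MAGIC_BYTES):
        hits.append({"offset": off, "kind": "gzip"})
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_image():
    """Constructed blob: decoy magic, a uImage-wrapped gzip kernel stub, then a
    SquashFS superblock. Enum values are U-Boot's (os 5=Linux, arch 2=ARM,
    type 2=kernel, comp 1=gzip); the layout is this example's own."""
    payload = gzip.compress(b"kernel-stub " * 96, mtime=0)
    name = b"Linux-demo".ljust(32, b"\0")
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80008000, 0x80008000,
              zlib.crc32(payload), 5, 2, 2, 1]
    fields[1] = zlib.crc32(struct.pack(UIMAGE_HDR, *fields, name))   # hcrc over zeroed header
    header = struct.pack(UIMAGE_HDR, *fields, name)
    decoy = UIMAGE_MAGIC_BYTES + b"\0" * 60                            # magic, no valid CRC
    superblock = struct.pack(SQUASHFS_SB, SQUASHFS_MAGIC, 12, 0, 131072, 1,
                             4, 17, 0xC0, 1, 4, 0, 0, 4096)
    img = bytearray(b"\xff" * 8192)
    img[64:128] = decoy
    img[512:576] = header
    img[576:576 + len(payload)] = payload
    img[4096:4096 + len(superblock)] = superblock
    return bytes(img)


if __name__ == "__main__":
    for hit in scan_firmware(build_sample_image()):
        print(f"0x{hit['offset']:06x}  {hit['kind']:<9}", {k: v for k, v in hit.items() if k not in ("offset", "kind")})
```

Running it reports the kernel header at 0x200 with its name, load address and a verified payload CRC, the gzip member immediately after it, and the SquashFS superblock at 0x1000 with its compressor; the decoy magic at 0x40 is silently dropped because its CRC does not match.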

As with many embedded IoT devices, the Planet WGS-804HPT industrial switch provides owners with a management interface operated through a web browser. We chose to focus on this management service because it is the main component through which a client controls the device and it is the one most commonly exposed to the network.

Summary

We found three vulnerabilities in Planet Technology’s WGS-804HPT industrial switches that could be chained and exploited to gain remote code execution on the device. The vulnerabilities were privately disclosed and fixed by the vendor.

In this blog, we explained the importance of emulators such as the open-source QEMU framework to cybersecurity research. QEMU and other emulators allow researchers to emulate operating system components for vulnerability and exploit testing in a safe environment. This is especially crucial when equipment is not physically available to a researcher.

QEMU was essential to our success in finding the three vulnerabilities in the Planet Technology industrial switch. We were able to emulate critical components of the device, understand where vulnerabilities were likely to be found, and develop PoC exploits that demonstrate the probable impact on the device.
