Claroty’s research team, Team82, has discovered three vulnerabilities in Planet Technology’s WGS-804HPT Industrial switches. The switches are widely used in building and home automation systems for various networking applications such as IP surveillance and wireless LANs. These severe vulnerabilities could allow attackers to remotely execute code on affected devices and move laterally throughout the network.
The Claroty researchers used QEMU, a popular open-source emulation platform, to conduct their investigation. In effect, they emulated the relevant system components of Planet Technology's industrial switch and then ran attacks against the emulated target to uncover the vulnerabilities.
Emulators such as the open-source, cross-platform QEMU framework are invaluable tools for researchers conducting vulnerability research. QEMU and other emulators act as great testing environments where software and firmware can be analysed for exploitable vulnerabilities. They can also be taken a step further for testing exploits within a safe space.
For Team82, QEMU and other emulation platforms are centre stage in much of its research, in particular where it may be difficult to obtain an actual target device. This article explains how Team82 used QEMU to emulate the relevant system components of Planet Technology Corp's WGS-804HPT industrial switch, and how that emulation was used to uncover three vulnerabilities that could allow an attacker to remotely execute code on a vulnerable device. The three vulnerabilities are a buffer overflow, an integer overflow and an OS command injection flaw. Team82 were able to develop an exploit that chains these bugs and remotely runs code on the device.
These switches are widely used in building and home automation systems for various networking applications. An attacker who gains remote control of one of these switches can use it as a foothold to attack other devices on the internal network and move laterally. Claroty privately disclosed the vulnerabilities to Taiwan-based Planet Technology, which addressed the security issues and advised users to upgrade the device firmware to version 1.305b241111.
The Planet WGS-804HPT industrial switch is designed to be used in building and home automation networks to provide connectivity of internet of things devices, IP surveillance cameras, and wireless LAN network applications. The WGS-804HPT is equipped with a web service and SNMP management interface.
One of the first steps of any embedded device research project is to obtain the contents of the firmware deployed on the target device. The firmware is valuable because it contains the most important components of a functional device; without it the device is as good as a paperweight. These components include the system configuration, the operating system (kernel) and the file systems.
This stage of research is very important and, in many cases, determines early on the chances for a successful project. This project was no exception, and Team82 were able to find the target’s firmware image quickly by surfing the vendor’s website.
As with many embedded IoT devices, the Planet WGS-804HPT industrial switch provides owners with a management interface operable through a web browser. This management service was the component of the system Team82 chose to focus on during its research, because it is the main component allowing a client to control the device and is the one most commonly exposed to the network.
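Added example, not Team82's code and not anything from Planet Technology: the firmware-acquisition step and the decision to focus on the web management service above imply a concrete first workflow, which is to unpack the firmware image, work out which CPU architecture the management daemon was built for, and run that daemon under QEMU's user-mode emulator inside a chroot of the extracted root filesystem. The script below does this generically. The architecture is read from the ELF header rather than assumed; the image file name, the extracted directory and the daemon path bin/httpd are assumptions, because the article names none of them.

```sh
#!/bin/sh
# Added example, not Team82's or the vendor's code. Identifies the CPU
# architecture of a binary taken from an unpacked firmware root filesystem
# and runs it under QEMU user-mode emulation inside a chroot of that tree.
# File and directory names in the usage section at the bottom are assumptions.

# elf_qemu_binary FILE: print the qemu-user-static binary that can run FILE,
# reading class, byte order and e_machine from the ELF header. Returns 1 for
# non-ELF input or an architecture not covered by the table.
elf_qemu_binary() {
    f=$1
    # Bytes 0-3 must be the magic 0x7f 'E' 'L' 'F'
    set -- $(od -An -tu1 -N4 "$f")
    [ "$1" = 127 ] && [ "$2" = 69 ] && [ "$3" = 76 ] && [ "$4" = 70 ] || return 1
    # EI_CLASS (offset 4): 1 = 32-bit, 2 = 64-bit. EI_DATA (offset 5): 1 = LE, 2 = BE
    set -- $(od -An -tu1 -j4 -N2 "$f")
    class=$1; data=$2
    # e_machine (offset 18, two bytes) is stored in the file's own byte order
    set -- $(od -An -tu1 -j18 -N2 "$f")
    if [ "$data" = 1 ]; then machine=$(( $1 + $2 * 256 )); else machine=$(( $1 * 256 + $2 )); fi
    case "$machine:$class:$data" in
        8:1:1)   echo qemu-mipsel-static ;;   # MIPS32 little-endian
        8:1:2)   echo qemu-mips-static ;;     # MIPS32 big-endian
        8:2:1)   echo qemu-mips64el-static ;;
        8:2:2)   echo qemu-mips64-static ;;
        40:1:1)  echo qemu-arm-static ;;
        40:1:2)  echo qemu-armeb-static ;;
        183:2:1) echo qemu-aarch64-static ;;
        3:1:1)   echo qemu-i386-static ;;
        62:2:1)  echo qemu-x86_64-static ;;
        20:1:2)  echo qemu-ppc-static ;;
        *)       return 1 ;;
    esac
}

# run_in_rootfs ROOTFS PATH [ARGS...]: copy the matching qemu-user-static
# binary into ROOTFS and start ROOTFS/PATH under chroot, so the vendor daemon
# finds its own shared libraries and configuration files. Needs root and the
# qemu-user-static package; QEMU is invoked explicitly, so binfmt_misc is not needed.
run_in_rootfs() {
    rootfs=$1; target=$2; shift 2
    qemu=$(elf_qemu_binary "$rootfs/$target") || { echo "unsupported or non-ELF: $target" >&2; return 1; }
    cp "$(command -v "$qemu")" "$rootfs/" || return 1
    chroot "$rootfs" "/$qemu" "/$target" "$@"
}

# Usage with assumed names (the article gives neither the image file nor the
# daemon path). Runs only when FW_IMAGE is set, e.g. FW_IMAGE=firmware.bin sh emu.sh
if [ "${FW_IMAGE:-}" ]; then
    binwalk -e "$FW_IMAGE"   # extracts the kernel and the root filesystem
    rootfs=$(find "_$(basename "$FW_IMAGE").extracted" -maxdepth 1 -type d -name 'squashfs-root*' | head -n 1)
    run_in_rootfs "$rootfs" bin/httpd   # assumed path of the web management daemon
fi
```

elf_qemu_binary needs only od and runs anywhere; unpacking with binwalk and the chroot step need those tools installed and root privileges. Running the daemon this way, rather than booting a full system image, is enough to reach the HTTP request parsing code, which is where the management interface's attack surface lives.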
Team82 says QEMU was essential to finding the three vulnerabilities in the Planet Technology industrial switch. The researchers were able to emulate critical components of the device, understand where vulnerabilities might be found, and develop PoC exploits that demonstrate the likely impact on the device.