Thursday, January 21, 2016

Deliberately hidden backdoor account in several AMX (HARMAN Professional) devices

Your conference room, a watchful protector.

About the vendor: "AMX ( is part of the HARMAN Professional Division, and the leading brand for the business, education, and government markets for the company. As such, AMX is dedicated to integrating AV solutions for an IT World. AMX solves the complexity of managing technology with reliable, consistent and scalable systems comprising control and automation, system-wide switching and AV signal distribution, digital signage and technology management. AMX systems are deployed worldwide in conference rooms, homes, classrooms, network operation/command centers, hotels, entertainment venues and broadcast facilities, among others." Source:

To be fair, their products really do offer a wide variety of features, which is probably also the reason why US President Barack Obama is sometimes seen in front of a control panel by AMX while sitting in a meeting at the White House. According to the case studies published by AMX, multiple governmental and military bodies are equipped with their conference room gear. This includes, but is not limited to, the White House, the U.S. Forces Afghanistan and the Center for Strategic and International Studies (CSIS).
Some of the affected devices also seem to be "tested and approved by the US DoD as a JITC certified secure command and control, conference, training and briefing room solution", according to this AMX web page. Further AMX market customer profiles can be accessed here: AMX customer profiles

Black Widow and Batman, the watchful AMX protectors
Black Widow and Batman, the watchful protectors within the AMX device
(Image sources, AMX:
Black Widow:

With that said, let's talk about security.

How AMX (HARMAN Professional) handles security.

In early 2015 SEC Consult decided to take a look into the security of a conference room solution provided by AMX. Let's not waste any words on the tiring process of getting the binaries out of the small black box and jump right to the meat of it all.

During the analysis of the authentication procedure of one of the central controller systems (AMX NX-1200), something strange popped up:

IDA excerpt: "setUpSubtleUserAccount" function

A function which they decided to call "setUpSubtleUserAccount", and which does exactly what the name suggests: it sets up a subtle user account. The strings seen in the above screenshot revealed an interesting detail about the vendor's security strategy. AMX apparently called for a little extra help from the universe of Marvel superheroes to protect their products (and coincidentally also the U.S. military) from the evil super villain hackers. At least that is what we assume, because the expert spy and top S.H.I.E.L.D. agent Black Widow has her own personalized account on the device.

"Natasha Romanova, known by many aliases, is an expert spy, athlete, and assassin. Trained at a young age by the KGB's infamous Red Room Academy, the Black Widow was formerly an enemy to the Avengers. She later became their ally after breaking out of the U.S.S.R.'s grasp, and also serves as a top S.H.I.E.L.D. agent"

Like most superheroes, Black Widow prefers to stay under the radar, not requesting any credit for her heroic actions. Because of that, the vendor made an effort to hide her details from the eyes of innocent admins and users alike:

AMX Master Configuration Manager: Black Widow backdoor account is hidden and does not show up anywhere
As the daily work of a superhero, especially an IT SECURITY SUPERHERO, is quite challenging, AMX went ahead and implemented some additional tools, like a packet-capture/sniffing facility, to aid the expert spy Black Widow in the fight against the super villain hackers. These tools are only available to our superhero, as the power they hold should not be available to simple administrators.
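For admins who want to check the gear they deploy for this kind of surprise, here is the string-dump step from above turned into a small script. This is an added example written for this post, not code from SEC Consult or AMX: it extracts the printable strings from a firmware image, keeps the identifier-looking ones that sit next to account-handling strings, and compares them with the accounts the management UI actually lists. The firmware blob, the keyword list, the neighbourhood window and the "visible in UI" account list are all constructed for the example; the only identifiers taken from the post are the function name "setUpSubtleUserAccount" and the username "1MB@tMaN".

```python
"""Firmware string audit for undocumented accounts.

Added example for this post, not code from SEC Consult or AMX. It mimics the
manual step described above: dump the printable strings of a firmware image,
look at the ones that sit next to account-handling code, and compare the
result with the accounts the management UI actually shows.

Assumptions (constructed for the example): the firmware blob below, the
keyword list, the one-string neighbourhood window and the "visible" account
list. The only identifiers taken from the post are the function name
"setUpSubtleUserAccount" and the username "1MB@tMaN"; no passwords appear.
"""
import re
from typing import List, Set

# Constructed stand-in for a firmware image: a few NUL-terminated strings
# laid out the way a compiler emits a .rodata section, padded with non-text.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00\x01\x02\x03" * 6
    + b"setUpSubtleUserAccount\x00"      # function name, from the post
    + b"\x90\x90\xcc\x00\x00\x00"
    + b"1MB@tMaN\x00"                    # username, from the post
    + b"\x00\x00\xde\xad\xbe\xef"
    + b"admin\x00"                       # the account the UI does show
    + b"%s: login failed\x00"
    + b"/etc/passwd\x00"
    + b"build 1.2.3 (constructed)\x00"
    + b"pcap_open_live\x00"              # the sniffing facility the post mentions
    + b"eth0\x00" + b"\xff" * 16
)

# Words that, in a neighbouring string, make a token worth a closer look.
ACCOUNT_KEYWORDS = ("account", "user", "login", "passwd", "password", "auth")

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")        # like `strings -n 4`
IDENTIFIER = re.compile(r"[A-Za-z0-9@_.!$%^*+=-]+")    # no spaces, no '/'


def extract_strings(blob: bytes) -> List[str]:
    """Return printable ASCII runs of at least four characters, in file order."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def _mentions_account(s: str) -> bool:
    low = s.lower()
    return any(k in low for k in ACCOUNT_KEYWORDS)


def candidate_usernames(strings: List[str], window: int = 1) -> Set[str]:
    """Identifier-like strings that sit within `window` strings of a string
    mentioning accounts, users or logins. Order in the binary is a rough proxy
    for "referenced by the same code", which is what the IDA view gives you."""
    found: Set[str] = set()
    for i, s in enumerate(strings):
        if _mentions_account(s) or not IDENTIFIER.fullmatch(s):
            continue
        neighbours = strings[max(0, i - window):i] + strings[i + 1:i + 1 + window]
        if any(_mentions_account(n) for n in neighbours):
            found.add(s)
    return found


def hidden_accounts(candidates: Set[str], visible: Set[str]) -> Set[str]:
    """Candidates the management UI never lists: the ones to ask the vendor about."""
    return candidates - visible


if __name__ == "__main__":
    strings = extract_strings(SAMPLE_FIRMWARE)
    cands = candidate_usernames(strings)
    # Constructed: what an admin sees in the configuration manager.
    visible_in_ui = {"admin"}
    print("candidates:", sorted(cands))
    print("not shown in UI:", sorted(hidden_accounts(cands, visible_in_ui)))
```

On the constructed blob the script flags "admin" and "1MB@tMaN" as account candidates and reports only the latter as missing from the UI listing. The neighbourhood heuristic is deliberately crude and will produce false positives on a real image; it narrows a strings dump down to the handful of tokens worth opening in a disassembler, which is the same triage the screenshots above document.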

Responsible disclosure

As usual, SEC Consult Vulnerability Lab communicated this issue according to our responsible disclosure policy. Initial contact and exchange of the security advisory was performed through the European sales team at AMX. About seven months(!) later AMX provided a fix for the backdoor. A quick review of the new firmware showed that the backdoor was still in place, but Black Widow was gone. Did she decide to step down after being exposed? Did they fire her? Unfortunately we don't have any details on this.

(Image source:

Whatever the reason may be, the vendor decided to hire somebody from the DC universe this time. Na na na na na na na na ... you guessed it. BATMAN! But not the usual Batman, the leet-hacker-Batman, who uses numbers and special characters to write his own name:

IDA excerpt: New backdoor username 1MB@tMaN
(Image source:
This time around, we decided (tried) to get in direct contact with somebody responsible for security at AMX (HARMAN Professional). After numerous emails requesting a security contact to exchange the information about the vulnerability, finally somebody replied. We exchanged the security advisory unencrypted, as requested by AMX. Then they went silent again.

Fast forward another three months to early 2016: we had still not heard back from AMX, despite asking for a status update several times and even postponing the release of the security advisory in order to give them (even) more time for sorting things out with Batman and Black Widow.

Yesterday (2016-01-20) AMX finally replied, informing SEC Consult that they have released firmware updates for the affected products. These updates are untested and unconfirmed by SEC Consult.
Grab them here while they're hot: - we were told that some of the updates can only be retrieved through AMX tech support.

Furthermore, our contact stated that AMX will be starting a major security initiative, which is a very good thing to do!

For the tech geeks, here is our advisory with additional technical information, a contact timeline detailing the communication attempts and a list of affected devices.

Be aware though, that the backdoor password is only for agents of S.H.I.E.L.D. and hence will not be disclosed.

Tuesday, January 12, 2016

McAfee Application Control - The dinosaurs want their vuln back

(c) Fotolia 69135396

Bypassing McAfee Application Whitelisting for Critical Infrastructure Systems

The experts of the SEC Consult Vulnerability Lab conducted research on the security of application whitelisting in critical infrastructures. In the course of that research, the security of McAfee Application Control was examined.

The experts developed several methods to bypass the provided protections (application whitelisting, read and write protections, as well as memory corruption protections).

Moreover, different vulnerabilities were identified, including the installation of software from 1999 with a well-known buffer overflow in it on all protected systems.

McAfee was notified by SEC Consult on 2015-06-03. Since the vendor didn't fix the described vulnerabilities within the responsible disclosure deadline, an advisory was released on 2015-07-28. McAfee claimed it would provide fixes for the identified vulnerabilities by the end of the third quarter of 2015; however, at the current moment all issues remain unfixed.

Due to this fact, the experts of the SEC Consult Vulnerability Lab now release the whitepaper on the security of McAfee Application Control.

The whitepaper can be downloaded from our website here:
McAfee Application Control whitepaper

Talks on that topic were already presented at conferences such as IT-SeCX 2015, DeepSec 2015 and BSides Vienna 2015. Additional information can be found in the slides from the talks.

Based on our experience, we at SEC Consult consider it necessary for critical infrastructures to regularly install new updates, to use only software reviewed by security professionals and to further increase the awareness of end users with security trainings. For such systems it's not enough to rely solely on a security layer such as application whitelisting. Rather, the underlying security of the system itself must be increased.

We do not see a reason for not using application whitelisting if the software is secure and doesn't tear holes in the overall system security, but it's important to understand that it doesn't replace robust security measures.

The slides with further details including vendor response from IT-SeCX 2015 are available here:

A (German) video of the IT-SeCX 2015 talk can be found on YouTube:

Update (2016-01-20): The English video from DeepSec 2015 Vienna can be found here:

Link to the advisory (including workarounds):