Thursday, January 21, 2016

Deliberately hidden backdoor account in several AMX (HARMAN Professional) devices

Your conference room, a watchful protector.

About the vendor: "AMX (www.amx.com) is part of the HARMAN Professional Division, and the leading brand for the business, education, and government markets for the company. As such, AMX is dedicated to integrating AV solutions for an IT World. AMX solves the complexity of managing technology with reliable, consistent and scalable systems comprising control and automation, system-wide switching and AV signal distribution, digital signage and technology management. AMX systems are deployed worldwide in conference rooms, homes, classrooms, network operation/command centers, hotels, entertainment venues and broadcast facilities, among others." Source: http://www.amx.com/automate/aboutamx.aspx

To be fair, their products really do offer a wide variety of features, which is probably also the reason why US President Barrack Obama is sometimes seen in front of a control panel by AMX, while sitting in a meeting at the White House. According to the case studies published by AMX they have multiple governmental and military bodies equipped with their conference room gear. This includes but is not limited to the White House, the U.S. Forces Afghanistan as well as the Center for Strategic and International Studies (CSIS).
Some of the affected devices seem to be "tested and approved by the US DoD as a JITC certified secure command and control, conference, training and briefing room solution" as well according to this AMX web page. Further AMX market customer profiles can be accessed here: AMX customer profiles

Black Widow and Batman, the watchful AMX protectors
Black Widow and Batman, the watchful protectors within the AMX device
(Image sources, AMX: http://www.amx.com/government/_WebResources/imgs/slider_Automation_1920x1005.jpg
Batman:
http://hypesrus.com/files/the-dark-knight-rises-batman-1-4-scale-figure-by-hot-toys-1.jpg
Black Widow:
http://i2.wp.com/geekdad.com/wp-content/uploads/2014/04/blackwidow2.jpg)


With that said, lets talk about security.

How AMX (HARMAN Professional) handles security.


In early 2015 SEC Consult decided to take a look into the security of a conference room solution provided by AMX. Let's not waste any words on the tiring process of getting the binaries out of the small black box and jump right to the meat of it all.

During the analysis of the authentication procedure of one of the central controller systems (AMX NX-1200), something strange popped up:

IDA excerpt: "setUpSubtleUserAccount" function
IDA excerpt: "setUpSubtleUserAccount" function


A function, which they decided to call "setUpSubtleUserAccount". And this function does exactly what the name would suggest.
It sets up a subtle user account. The strings seen in the above screenshot, revealed an interesting detail about the vendor's security strategy. AMX apparently called for a little extra help in the universe of Marvel superheroes to protect their products (and coincidentally also the U.S. military) from the evil super villain hackers. At least that is what we assume, because the expert spy and top S.H.I.E.L.D. agent Black Widow has her own personalized account on the device.

"Natasha Romanova, known by many aliases, is an expert spy, athlete, and assassin. Trained at a young age by the KGB's infamous Red Room Academy, the Black Widow was formerly an enemy to the Avengers. She later became their ally after breaking out of the U.S.S.R.'s grasp, and also serves as a top S.H.I.E.L.D. agent"

Like most superheroes, Black Widow prefers to stay under the radar, not requesting any credit for her heroic actions. Because of that, the vendor made an effort in hiding her details from eyes of innocent admins and users alike:

AMX Master Configuration Manager: Black Widow backdoor account is hidden and does not show up anywhere
AMX Master Configuration Manager: Black Widow backdoor account is hidden and does not show up anywhere
As the daily work of a superhero, especially for an IT SECURITY SUPERHERO, is quite challenging, AMX went ahead and implemented some additional tools like a packet-capture/sniffing facility, to aid the expert spy Black Widow in the fight against the super villain hackers. These tools are only available to our superhero as the power they hold should not be available to simple administrators.

Responsible disclosure


As usual, SEC Consult Vulnerability Lab communicated this issue according to our responsible disclosure policy. Initial contact and exchange of the security advisory was performed through the European sales team at AMX. About seven months(!) later AMX provided a fix for the backdoor. A quick review of the new firmware showed that the backdoor was still in place, but Black Widow was gone. Did she decide to step down after being exposed? Did they fire her? Unfortunately we don't have any details on this.

(Image source:  http://3.bp.blogspot.com/-agZtg9paLkA/T8d3FHwizZI/AAAAAAAABkA/VMGdH-Y_Vq4/s1600/black+widow2.png)
(Image source:  http://3.bp.blogspot.com/-agZtg9paLkA/T8d3FHwizZI/AAAAAAAABkA/VMGdH-Y_Vq4/s1600/black+widow2.png)

Whatever the reason may be, the vendor decided to hire somebody from the DC universe this time. Na na na na na na na na ... you guessed it. BATMAN! But not the usual Batman, the leet-hacker-Batman, who uses numbers and special characters to write his own name:

IDA excerpt: New backdoor username 1MB@tMaN
IDA excerpt: New backdoor username 1MB@tMaN
(Image source: http://guides.gamepressure.com/batmanarkhamorigins/gfx/word/170681739.jpg)
This time around, we decided (tried) to get in direct contact with somebody responsible for security at AMX (HARMAN Professional). After numerous emails requesting a security contact to exchange the information about the vulnerability, finally somebody replied. We exchanged the security advisory unencrypted, as requested by AMX. Then they went silent again.

Fast forward another three months to early 2016, we had still not heard back from AMX, despite asking for a status update several times, and even postponing the release of the security advisory in order to give them (even) more time for sorting things out with Batman and Black Widow.

Yesterday (2016-01-20) AMX finally replied, informing SEC Consult that they have released firmware updates for the affected products. These updates are untested and unconfirmed by SEC Consult.
Grab them here while they're hot: http://www.amx.com/techcenter/NXSecurityBrief/ - we were told that some of the updates can only be retrieved through AMX tech support.

Furthermore, our contact stated that AMX will be starting a major security initiative which is a very good thing to do!

For the tech geeks, here is our advisory with additional technical information, a contact timeline detailing the communication attempts and a list of affected devices.

Be aware though, that the backdoor password is only for agents of S.H.I.E.L.D. and hence will not be disclosed.