Persistent Remote Access on JCI NAE’s

So this was a fun little project that was born from some security research I was doing on the Johnson Controls NAE product (more on that here) and wanting to try out my latest toy, the Hak5 Bash Bunny. As far as I know, this vulnerability effects NAE’s from version 9 and below.

First, a bit of housekeeping. This research was conducted by me alone and is not in anyway associated with my employer. The conclusions, opinions and views expressed here are mine and do not reflect those of my employer or any other group. All research was conducted on equipment I had authorization to access. At no time were any systems or cloud services I did not have authorization to access involved in this research.

Second, some history. I discovered this vulnerability in June while conducting research for another project, linked above. I informed the Johnson Controls Product Security team of the vulnerability and potential exploitation. They responded that the vulnerability had been removed in newer version of the NAE and would not issue a public disclosure, which I suppose is fair.

Automatic Login Vulnerability

The NAE prior to version 9 is essentially a Windows XP Embedded computer in a fancy enclosure. Underneath that fancy enclosure is a VGA monitor port and if you plug in a monitor you can see the boot process. During that boot process after Windows XP starts, the NAE automatically logs in under the MetasysSysAgent account with a cmd window open. There’s a delay of 10 or 12 seconds before the account locks itself and you’re left with a standard Windows XP lock window.

I’m not sure what purpose this auto-login and lock process has but it provides an interesting opportunity to exploit. During that 10 second window armed with a monitor and a USB keyboard, you can do pretty much whatever you want. This can include changing the MetasysSysAgent password or creating a new admin account on the box. I started thinking of an attack scenario around this where an attacker would use this 10 second delay to plant some sort of RAT (Remote Administration Tool) or other program to gain control of the box. It would be pretty difficult for even a really great Social Engineer to talk his or her way into access to these boxes while carrying a keyboard and monitor. Enter the Bash Bunny

BashBunny
Bash Bunny by Hak5. Please don’t sue 🙂

Exploitation

Now the Windows XP installation itself is pretty stripped down. There’s no Telnet, no FTP and the IE installation seems restricted to not be able to download any external files. My Windows XP knowledge is admittedly limited so I couldn’t think of a way around this restriction. Having recently received my shiny new Bash Bunny I started experimenting with its various attack modes, such as functioning as a USB thumb drive and a keyboard.

I set up the Bash Bunny to copy netcat and reg.exe (a command line registry editor) to the windows box, and then add a registry entry to automatically start netcat on reboot. The netcat session would reach out to my Command&Control server on the web with a shell session. So, by monitoring the netcat port on the C&C server, I would get a cmd.exe session from the NAE under the MetasysSysAgent user account.

I have a video showing this attack below. I apologize for the quality of the video, it was shot last minute. Also, I used the term RCE (remote command execution) in the video to describe this attack. In hindsight, I’m not sure sure if that’s accurate but you get the idea

Scenario

From the video, you can see how quick this is to execute. So a plausible scenario for this attack would be to social engineer your way into accessing the box for a quick 90 seconds, plug in the Bunny and reset the device. From then on, you would have remote persistent access to the BAS network, which is pretty valuable. There’s all sorts of other options here also.

Conclusion

Protecting physical access to resources is obviously very important to infrastructure security. The problem in the BAS industry I think is that these devices are typically installed with other building infrastructure that regularly requires inspection. In most office buildings or commercial properties, people trust a man in a button up shirt and a clip board. I know from first hand experience how easy it is to move around a building by looking like a contractor. Getting quick access to an electrical closet or comm room isn’t all that difficult in these facilities. 90 seconds later, you have a persistent presence on the network.