During a recent pentest for a client we discovered a number of devices on their network that looked interesting, after 25 years of performing pentests you start to get a gut feeling about these things.
As with every pentest we have to ensure that all standard testing is performed before we start to look into the more interesting things we might want to look at. Thankfully our client provided us the extra time to do so, and my gut feelings were correct. The security issues we found were assigned CVE-2021-43333.
The devices question were handheld Android-based barcode scanners used for inventory purposes across a number of geo-locations. Built by a company called DataLogic, these devices are invaluable to organisations that require fast, reliable and cost effective inventory checkin/checkout systems.
After identifying the issues, we have spent the last few months working hard with Datalogic, who have been a stellar example of how to respond, communicate and remediate issues brought to them by a security company. We are pleased to announce that Datalogic have not only fixed the issues in their current lineup but have also published remediation steps for those with older and even end-of-life products. That Datalogic are willing to support EOL devices to prevent security issues shows a commitment to their clients that other companies could learn a lot from.
At our request, Mitre assigned the two issues a single CVE in early November 2021 and now that Datalogic have released their fixes we are delighted to share the details with you.
Please see the security advisory from Datalogic here.
Please find the CVE details here (this will update when Mitre release to the public)
And for those of you who don't want to click links, please continue to read below.
Details
The Datalogi DL Axist handheld scanner is a full touch PDA with barcode scanner, used in the field for asset management etc. The device runs on Android 4.4.4 and runs several services. One of these is a web server; within the web server it is possible to request unauthenticated settings files for the device. The device uses software provided by Gear42 for locking the device; the passwords for this lock code are stored within the settings files as a SHA512 hash. Another issue is that the device settings also store the current available wifi access points near to the device.
The SHA512 code in a default installation is set to
"c6001d5b2ac3df314204a8f9d7a00e1503c9aba0fd4538645de4bf4cc7e2555cfe9ff9d0236bf327ed3e907849a98df4d330c4bea551017d465b4c1d9b80bcb0"
This is the default passcode of '0000'
Obviously the default passcode can be changed, but as this code is often a small PIN, it would be trivial to identify using online decoders. It should be noted that this unlock code is not one for the device as we first suspected but the passcode for the SureLogic launcher (a KIOSK solution for Android).
The second file that is of interest is the getSettings.xml which leaks a list of configured
wifi access points. Whilst this does not show the configured wifi passwords, this list of wifi access points can obviously be correlated with sites such as wigle.net and
the location of the device narrowed down if unknown. In the case of our client, we were able to pinpoint multiple secure locations that contain highly valuable assets.
Proof of concept/Steps to replicate
Browse to either a non-existent location on the web server and the 404 page will direct you to the settings files, alternatively you can browse directly to /getSettings.xml or /getInfo.xml to obtain the data.
Mitigation and Fixes
To avoid this security vulnerability, the DXU service must be disabled. This can be done on your device by performing the following steps:
Open DXU Agent.
Tap on the more icon in the lower right corner. This will cause a black bar pop-up.
Tap "Settings" on the black bar. This will bring up the settings menu.
Tap "Settings" in the menu. This will bring up general DXU agent settings.
Uncheck the "Enable service" checkbox.
On newer devices, such as the Skorpio X5, the service is off by default. On older devices, such as the DL-Axist, the service is on by default.
Thanks
Cygenta would like to thank the staff at Datalogic for their professionalism, dedication to their clients and speed in mobilising their internal teams to remediate the security issues. In particular I would like to recognise Don and Simone for being key players in handling this issue.
To book your next pentest with us please feel free to get in touch with us to discuss how we can help you achieve your goals.