IMPINJ SPEEDWAY R420 RFID READER

IMPINJ is an organization which connects billions of everyday items such as apparel, medical supplies and automobile parts to consumer and business applications such as inventory management, patient safety, and assets tracking. The impinj platform uses RFID to deliver timely information about these items to the digital world, thereby enabling the Internet of Things.

ISECURION has found below described vulnerabilities and reported to IMPING, the technical specification of the device used is,

Product Details:-

  • Product Name : IMPINJ SPEEDWAY R420 RFID READER
  • Reader Name : SpeedwayR-11-ED-69
  • Model Name : Speedway R420
  • Software Version : 5.8.1.240 (Build 09ff1abb7c6)
  • Hardware: 270-005-013
  • Application SW Version: 2.2.0.0

Web interface of the device has the vulnerabilities related to OWASP Top 10 and the same is reported which are mentioned below,

  • Stored Cross Site Scripting
  • Clickjacking

Stored Cross Site Scripting
It was observed that the license key parameter of the web application is vulnerable to the Cross Site Scripting. Stored cross-site scripting vulnerabilities arise when user input is stored and later embedded into the application’s responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content. Browser cannot know that the script should be trusted or not, so it will lead to executing the script in the user context. Below Figure 1 shows the injection of the payload in the vulnerable license key parameter.

Figure 1. Vulnerable License Key Parameter

Accessing of the configuration page “get_put_config.php” will render the injected code and results the cross site scripting, shown in below figure 2.


Figure 2. Stored Cross Site Scripting inget_put_config.php

The Cross site scripting vulnerability is of type both stored and reflected, executing two times in the same page as shown in below figure.


Figure 3. Stored Cross Site Scripting in get_put_config.php

A malicious user can exploit the Cross-site scripting vulnerability to hijack a logged in user’s session, which will leads to change the logged in user’s password and invalidate the session of the victim while the hacker maintains access and also can run a key loggers to capture the keystrokes entered.

ClickJacking
The web interface is also vulnerable to ClickJacking or UI Readdressing, in ClickJacking attack it is possible to load the web application with in an iframe, by inducing victim users to perform actions such as mouse clicks or keystrokes, and the attacker can perform malicious operation within the application that is being targeted.
Missing X-Frame-Options header in the response leads to possibility of the clickjacking vulnerability in the web interface below figure 4 shows the response from server.


Figure 4. Missing X-Frame-Options Header in response

Created Settings button on iframe to execute the ClickJacking vulnerability which is made to perform the actions related to the application as shown in below figure.

Figure 5. ClickJacking vulnerability with settings as vector

This type of attack, that can be used alone or in combination with other attacks, could potentially send unauthorized commands or reveal confidential information while the victim is interacting with seemingly harmless web pages.

-2017: Vulnerability is reported to vendor
-2017: Vendor confirmed the vulnerability
-2018: Vendor fixed the vulnerability in later version
-2018: CVE assigned for the vulnerability

Leave a Reply

Your email address will not be published. Required fields are marked *