packetstorm | Daniel Marzin | PACKETSTORM:128976
History: Nov 05, 2014 - 12:00 a.m.

Softing FG-100 PB Hardcoded Backdoor

2014-11-05 00:00:00
Daniel Marzin
packetstormsecurity.com

EPSS: 0.012 (Low), percentile 85.2%

#############################################################  
#  
# COMPASS SECURITY ADVISORY  
# http://www.csnc.ch/en/downloads/advisories.html  
#  
#############################################################  
#  
# Product: Softing FG-100 PB  
# Vendor: Softing AG (www.softing.com)  
# CVD ID: CVE-2014-6617  
# Subject: Backdoor Account  
# Risk: High   
# Effect: Remotely exploitable  
# Author: Ingmar Rosenhagen  
# Daniel Marzin  
# Johannes Klick  
# Date: 05.11.2014   
#  
#############################################################  
  
Introduction:  
-------------  
Softing FG PROFIBUS [1] is a family of interfaces for remote access to  
one, two or three PROFIBUS segments via Ethernet for device  
parameterization, controller programming and data acquisition. Compass  
Security Deutschland GmbH [2] discovered a security flaw in the firmware  
of the device allowing unauthorized access to the device. The FG-100  
allows access via the telnet protocol by default. The password for the  
root account is hard-coded in the device and cannot be changed by  
the administrator. This allows a remote attacker  
to log in as root, which enables him to copy and/or alter configuration  
data or other parameters of the device.  
  
  
Affected:  
---------  
Firmware: FG-x00-PB_V2.02.0.00  
  
Technical Description:  
----------------------  
The firmware for the device is delivered as a zip file containing a  
uboot-image:  
  
irosenha@kali ..100 - Firmware/fw_FG-x00-PB_V2.02.0.00 % mkimage -l  
fw_FG-100-PB_V2.02.0.00.release  
Image Name: FG-100-PB_V2.02.0.00.release  
Created: Mon Aug 4 16:26:49 2008  
Image Type: PowerPC Linux Script (gzip compressed)  
Data Size: 2396096 Bytes = 2339.94 kB = 2.29 MB  
Load Address: 00000000  
Entry Point: 00000000  
Contents:  
Image 0: 249 Bytes = 0.24 kB = 0.00 MB  
Image 1: 3764 Bytes = 3.68 kB = 0.00 MB  
Offset = 0x7f6aa083d14c  
Image 2: 2392064 Bytes = 2336.00 kB = 2.28 MB  
Offset = 0x7f6aa083e000  
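The `mkimage -l` listing above is a decode of the 64-byte legacy U-Boot image header (the `image_header_t` layout from U-Boot's include/image.h: big-endian magic, header CRC, timestamp, size, load and entry addresses, data CRC, then one byte each for OS, architecture, type and compression, and a 32-byte name). For script and multi-file images the payload starts with a table of big-endian 32-bit sub-image sizes terminated by a zero, each sub-image padded to 4 bytes, which is what mkimage prints as "Contents". The following Python is an added example, not code from the advisory or from Softing: it builds a small constructed image of that shape, then parses it back, verifying both CRCs and returning the sub-image offsets and sizes needed for the splitting step. The `build_uimage` helper exists only to produce test input; the enum subsets are the real U-Boot values for the types that appear on this page.

```python
import struct
import zlib

IH_MAGIC = 0x27051956
IH_HEADER_LEN = 64
# Subsets of the U-Boot enums (include/image.h) sufficient to label this image
IH_OS = {5: "Linux"}
IH_ARCH = {7: "PowerPC"}
IH_TYPE = {2: "Kernel Image", 4: "Multi-File Image", 6: "Script"}
IH_COMP = {0: "uncompressed", 1: "gzip compressed"}
HDR_FMT = ">IIIIIIIBBBB32s"   # all header fields are big-endian


def parse_uimage(blob):
    """Parse a legacy uImage, verify header and data CRCs, list sub-images."""
    if len(blob) < IH_HEADER_LEN:
        raise ValueError("too short for a uImage header")
    (magic, hcrc, mtime, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(HDR_FMT, blob[:IH_HEADER_LEN])
    if magic != IH_MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    # The header CRC is computed over the header with ih_hcrc zeroed
    hdr_zeroed = blob[:4] + b"\0\0\0\0" + blob[8:IH_HEADER_LEN]
    if zlib.crc32(hdr_zeroed) & 0xFFFFFFFF != hcrc:
        raise ValueError("header CRC mismatch")
    data = blob[IH_HEADER_LEN:IH_HEADER_LEN + size]
    if len(data) != size:
        raise ValueError("truncated data")
    if zlib.crc32(data) & 0xFFFFFFFF != dcrc:
        raise ValueError("data CRC mismatch")
    info = {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "time": mtime,
        "os": IH_OS.get(os_, str(os_)),
        "arch": IH_ARCH.get(arch, str(arch)),
        "type": IH_TYPE.get(typ, str(typ)),
        "comp": IH_COMP.get(comp, str(comp)),
        "load": load, "ep": ep, "size": size,
        "images": [],
    }
    if typ in (4, 6):   # multi-file and script images carry a size table
        info["images"] = split_multi(data)
    return info


def split_multi(data):
    """Payload = big-endian u32 sizes terminated by 0, then each sub-image
    padded to a 4-byte boundary. Returns [(file offset, size, bytes)]."""
    sizes = []
    pos = 0
    while True:
        (n,) = struct.unpack(">I", data[pos:pos + 4])
        pos += 4
        if n == 0:
            break
        sizes.append(n)
    out = []
    for n in sizes:
        out.append((IH_HEADER_LEN + pos, n, data[pos:pos + n]))
        pos += (n + 3) & ~3
    return out


def build_uimage(name, parts, typ=6, os_=5, arch=7, comp=1, mtime=0):
    """Build a legacy script/multi-file uImage. Constructed test input only;
    a real firmware would be read from disk and passed to parse_uimage."""
    table = b"".join(struct.pack(">I", len(p)) for p in parts) + b"\0\0\0\0"
    body = b"".join(p + b"\0" * ((-len(p)) % 4) for p in parts)
    data = table + body
    hdr_no_crc = struct.pack(HDR_FMT, IH_MAGIC, 0, mtime, len(data), 0, 0,
                             zlib.crc32(data) & 0xFFFFFFFF, os_, arch, typ,
                             comp, name.encode().ljust(32, b"\0"))
    hcrc = zlib.crc32(hdr_no_crc) & 0xFFFFFFFF
    return hdr_no_crc[:4] + struct.pack(">I", hcrc) + hdr_no_crc[8:] + data


if __name__ == "__main__":
    img = build_uimage("FG-100-PB_test", [b"bootscript", b"A" * 7, b"B" * 13])
    info = parse_uimage(img)
    print("%s: %s %s %s (%s)" % (info["name"], info["arch"], info["os"],
                                 info["type"], info["comp"]))
    for i, (off, n, _) in enumerate(info["images"]):
        print("Image %d: %d bytes at offset 0x%x" % (i, n, off))
```

Each tuple in `images` is a byte range that can be written out as its own file and run through `parse_uimage` or `file` again, which is the "several layers" loop the advisory describes; a CRC failure is the signal to stop and look at the bytes by hand rather than trust the header.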
  
Splitting and extracting several layers of uboot-images leaves a  
CramFS-Image:  
  
irosenha@kali ..100 - Firmware/fw_FG-x00-PB_V2.02.0.00 % file cramfs3.fs  
cramfs3.fs: Linux Compressed ROM File System data, big endian size 65536 CRC  
0x330b1a39, edition 634273566, 1331373096 blocks, 2944606610 files  
  
Since this is big endian, a matching VM was used to mount the image and  
access its contents. It contains a default Linux filesystem with a  
passwd file that holds password hashes (DES) created by mkpasswd:  
  
irosenha@kali /tmp/media % cat etc/passwd.orig  
root:fEHd4eY5[CUT BY COMPASS]:0:0:root:/root:/bin/sh  
config:lGajGWwkK4[CUT BY COMPASS]:4671:100:PROFIgate  
Configuration:/fw_upload:/usr/local/config/DeviceConfig  
FG-100-PB:DOPnAyLPjz[CUT BY COMPASS]:4672:100:PROFIgate Dialin:/:/bin/false  
nobody:x:65534:65534:nobody:/tmp:/bin/sh  
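The finding above is a uid-0 account whose traditional DES crypt hash (13 characters, no `$` prefix) ships inside the image and cannot be changed. The following Python is an added audit check, not part of the advisory or of the vendor's firmware: it parses `etc/passwd` (and `etc/shadow` if present) from an unpacked filesystem, classifies each hash field by scheme, and reports accounts that carry a usable baked-in credential, with extra weight on uid 0, empty passwords and fast schemes such as descrypt and md5crypt. The sample lines are constructed with dummy hashes, modelled on the BusyBox layout shown above, not copied from the device.

```python
import re

# Traditional DES crypt: 13 characters from the crypt alphabet, no prefix
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
            "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
            "$y$": "yescrypt"}
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample; the hash values are dummies, not from the device
SAMPLE_PASSWD = """\
root:AbCdEfGhIjKlM:0:0:root:/root:/bin/sh
config:NoPqRsTuVwXyZ:4671:100:Device Configuration:/fw_upload:/usr/local/config/DeviceConfig
dialin:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:4672:100:Dialin:/:/bin/false
nobody:x:65534:65534:nobody:/tmp:/bin/sh
"""


def classify_hash(field):
    """Name the password scheme of a passwd/shadow hash field."""
    if field == "":
        return "empty"        # login with no password at all
    if field == "x":
        return "shadowed"     # real hash lives in /etc/shadow
    if field.startswith(("*", "!")):
        return "locked"
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "descrypt"
    return "unknown"


def parse_passwd(text):
    """Return the well-formed 7-field entries of a passwd file as dicts."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            continue          # wrapped or corrupt line; skip rather than guess
        users.append({"name": f[0], "hash": f[1], "uid": int(f[2]),
                      "gid": int(f[3]), "gecos": f[4], "home": f[5],
                      "shell": f[6]})
    return users


def audit_passwd(passwd_text, shadow_text=None):
    """Return (name, uid, scheme, [issues]) for accounts whose credential
    is baked into the image. Shadow entries override an 'x' field."""
    shadow = {}
    if shadow_text:
        for line in shadow_text.splitlines():
            f = line.split(":")
            if len(f) >= 2:
                shadow[f[0]] = f[1]
    findings = []
    for u in parse_passwd(passwd_text):
        h = shadow.get(u["name"], u["hash"]) if u["hash"] == "x" else u["hash"]
        scheme = classify_hash(h)
        usable = scheme not in ("locked", "shadowed")
        issues = []
        if usable and u["uid"] == 0:
            issues.append("uid-0 account with a baked-in credential")
        if scheme == "empty" and u["shell"] not in NOLOGIN_SHELLS:
            issues.append("passwordless interactive login")
        if scheme in ("descrypt", "md5crypt"):
            issues.append("weak hash scheme (%s), fast to crack offline" % scheme)
        if usable and u["uid"] != 0 and u["shell"] not in NOLOGIN_SHELLS:
            issues.append("non-root account with a usable credential and a login program")
        if issues:
            findings.append((u["name"], u["uid"], scheme, issues))
    return findings


if __name__ == "__main__":
    for name, uid, scheme, issues in audit_passwd(SAMPLE_PASSWD):
        print("%s (uid %d, %s): %s" % (name, uid, scheme, "; ".join(issues)))
```

Run over a mounted or extracted root filesystem, the check turns the manual `cat etc/passwd` step into something that can sit in a firmware intake pipeline: any uid-0 hit is the condition this advisory describes, and a descrypt or md5crypt hit means the hash is a matter of hours of offline cracking even when the password itself is not trivial.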
  
Using hashcat the hash of the user root with uid 0 could be cracked and  
the device accessed by this account with telnet:  
  
root@kali /home/irosenha # telnet 192.168.2.3   
Trying 192.168.2.3...  
Connected to 192.168.2.3.  
Escape character is '^]'.  
  
ps login: root  
Password:   
  
  
BusyBox v1.00 (2008.06.06-06:20+0000) Built-in shell (ash)  
Enter 'help' for a list of built-in commands.  
  
~ # cat /etc/profile   
PATH=/bin:/sbin:/usr/local/bin  
TZ=CET-1CEST,M3.5.0/2,M10.5.0/3  
export TZ  
~ # uname -a  
Linux ps 2.4.4-rthal5 #1 Fri Jun 6 08:02:49 CEST 2008 ppc unknown  
  
  
Workaround / Fix:  
-----------------  
no patch is available  
  
Timeline:  
---------  
Vendor Notified: 2014-09-15   
Vendor Response: 2014-10-24   
Vendor Status: Won't Fix  
  
References:  
-----------  
[1]: http://industrial.softing.com/de/produkte/profibus-master-or-slave-configurable-single-channel-remote-interface.html  
[2]: http://www.csnc.de  
  
  
  

