#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: Softing FG-100 PB
# Vendor: Softing AG (www.softing.com)
# CVD ID: CVE-2014-6617
# Subject: Backdoor Account
# Risk: High
# Effect: Remotely exploitable
# Author: Ingmar Rosenhagen
# Daniel Marzin
# Johannes Klick
# Date: 05.11.2014
#
#############################################################
Introduction:
-------------
Softing FG PROFIBUS [1] is a family of interfaces for remote access to
one, two or three PROFIBUS segments via Ethernet for device
parameterization, controller programming and data acquisition. Compass
Security Deutschland GmbH [2] discovered a security flaw in the firmware
of the device allowing unauthorized acces to the device. The FG-100
allows access via the telnet protocol by default. The password for the
root-account is hard-coded in the device and cannot be changed by
the administrator. This allows an remote attacker
to login as root, which enables him to copy and/or alter configuration
data or other parameters of the device.
Affected:
---------
Firmware: FG-x00-PB_V2.02.0.00
Technical Description:
----------------------
The firmware for the device is delivered as a zip file containing a
uboot-image:
irosenha@kali ..100 - Firmware/fw_FG-x00-PB_V2.02.0.00 % mkimage -l
fw_FG-100-PB_V2.02.0.00.release
Image Name: FG-100-PB_V2.02.0.00.release
Created: Mon Aug 4 16:26:49 2008
Image Type: PowerPC Linux Script (gzip compressed)
Data Size: 2396096 Bytes = 2339.94 kB = 2.29 MB
Load Address: 00000000
Entry Point: 00000000
Contents:
Image 0: 249 Bytes = 0.24 kB = 0.00 MB
Image 1: 3764 Bytes = 3.68 kB = 0.00 MB
Offset = 0x7f6aa083d14c
Image 2: 2392064 Bytes = 2336.00 kB = 2.28 MB
Offset = 0x7f6aa083e000
Splitting and extracting several layers of uboot-images leaves a
CramFS-Image:
irosenha@kali ..100 - Firmware/fw_FG-x00-PB_V2.02.0.00 % file cramfs3.fs
cramfs3.fs: Linux Compressed ROM File System data, big endian size 65536 CRC
0x330b1a39, edition 634273566, 1331373096 blocks, 2944606610 files
Since this is big endian a matching VM was used to mount the image and
access it's contents. It contains a default linux filesystem with a
passwd file that holds password hashes (DES) created by mkpasswd:
irosenha@kali /tmp/media % cat etc/passwd.orig
root:fEHd4eY5[CUT BY COMPASS]:0:0:root:/root:/bin/sh
config:lGajGWwkK4[CUT BY COMPASS]:4671:100:PROFIgate
Configuration:/fw_upload:/usr/local/config/DeviceConfig
FG-100-PB:DOPnAyLPjz[CUT BY COMPASS]:4672:100:PROFIgate Dialin:/:/bin/false
nobody:x:65534:65534:nobody:/tmp:/bin/sh
Using hashcat the hash of the user root with uid 0 could be cracked and
the device accessed by this account with telnet:
root@kali /home/irosenha # telnet 192.168.2.3
Trying 192.168.2.3...
Connected to 192.168.2.3.
Escape character is '^]'.
ps login: root
Password:
BusyBox v1.00 (2008.06.06-06:20+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
~ # cat /etc/profile
PATH=/bin:/sbin:/usr/local/bin
TZ=CET-1CEST,M3.5.0/2,M10.5.0/3
export TZ
~ # uname -a
Linux ps 2.4.4-rthal5 #1 Fri Jun 6 08:02:49 CEST 2008 ppc unknown
Workaround / Fix:
-----------------
no patch is available
Timeline:
---------
Vendor Notified: 2014-09-15
Vendor Response: 2014-10-24
Vendor Status: Wont Fix
References:
-----------
[1]:
http://industrial.softing.com/de/produkte/profibus-master-or-slave-configura
ble-single-channel-remote-interface.html
[2]: http://www.csnc.de