-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
KL-001-2015-007 : Seagate GoFlex Satellite Remote Telnet Default Password
Title: Seagate GoFlex Satellite Remote Telnet Default Password
Advisory ID: KL-001-2015-007
Publication Date: 2015.12.18
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-007.txt
1. Vulnerability Details
Affected Vendor: Seagate
Affected Product: GoFlex Satellite
Affected Version: 1.3.7
Platform: Embedded Linux
CWE Classification: CWE-288: Authentication Bypass Using an
Alternate Path or Channel; CWE-798: Use of Hard-coded Credentials
Impact: Remote Administration
Attack vector: Telnet
CVE-ID: CVE-2015-2874
2. Vulnerability Description
Seagate GoFlex Satellite Mobile Wireless Storage devices
contain a hardcoded backdoor account. An attacker could use
this account to remotely tamper with the underlying operating
system when Telnet is enabled.
3. Technical Description
root@wpad:/tmp/jfroot# ls
bin boot dev etc home include lib linuxrc media mnt proc
satellite_app sbin share srv static sys tmp usr var
root@wpad:/tmp/jfroot# cd etc
root@wpad:/tmp/jfroot/etc# ls
angstrom-version default fstab init.d
iproute2 motd org_passwd protocols
rc4.d rS.d terminfo udhcpc.d
autoUpdURL device_table group inittab
issue mtab passwd rc0.d
rc5.d scsi_id.config timestamp udhcpd.conf
avahi device_table-opkg host.conf inputrc
issue.net network passwd- rc1.d
rc6.d services tinylogin.links udhcpd_factory.conf
busybox.links fb.modes hostname internal_if.conf
localtime nsswitch.conf profile rc2.d
rcS.d skel ts.conf version
dbus-1 filesystems hosts ipkg
mke2fs.conf opkg profile.d rc3.d
rpc syslog.conf udev
root@wpad:/tmp/jfroot/etc# cat passwd
root:VruSTav0/g/yg:0:0:root:/home/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/sh
sys:*:3:3:sys:/dev:/bin/sh
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/bin/sh
man:*:6:12:man:/var/cache/man:/bin/sh
lp:*:7:7:lp:/var/spool/lpd:/bin/sh
mail:*:8:8:mail:/var/mail:/bin/sh
news:*:9:9:news:/var/spool/news:/bin/sh
uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:*:13:13:proxy:/bin:/bin/sh
www-data:*:33:33:www-data:/var/www:/bin/sh
backup:*:34:34:backup:/var/backups:/bin/sh
list:*:38:38:Mailing List Manager:/var/list:/bin/sh
irc:*:39:39:ircd:/var/run/ircd:/bin/sh
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
xoFaeS:QGd9zEjQYxxf2:500:500:Linux User,,,:/home/xoFaeS:/bin/sh
The xoFaeS user cracked to etagknil.
4. Mitigation and Remediation Recommendation
The vendor has released a patch that can be
obtained using the Download Finder located at
https://apps1.seagate.com/downloads/request.html
5. Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.
6. Disclosure Timeline
2015.09.11 - Vulnerability details and PoC sent to Seagate.
2015.09.15 - Seagate confirms receipt.
2015.09.28 - Seagate indicates a patch is ready but not yet available to
the public.
2015.09.28 - KoreLogic asks Seagate if they have obtained a CVE-ID for
the vulnerability.
2015.10.27 - Seagate notifies KoreLogic that the patch is publicly
available. Seagate indicates they are waiting for a CVE
before releasing a security advisory.
2015.12.08 - KoreLogic requests an update on the CVE-ID and associated
Seagate advisory.
2015.12.08 - Seagate responds with a link to
http://www.kb.cert.org/vuls/id/903500
2015.12.18 - Public disclosure.
7. Proof of Concept
N/A
The contents of this advisory are copyright(c) 2015
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJWdHjEAAoJEE1lmiwOGYkM++wH/1h7kz+0f1Ptwczn7nkoAj+H
ggoR+6mbSDBTw1gj58oYjIo2HEvnryoclqGZiwsDe5G4g9dYV8PV0qHTuNDf/lRV
F6EcUTZ4z5YFLMf6bOXazaeVJPsbzjw1JvdMyejyX7Tyhi3hFAY3k8r20W+Ry4pi
Fgb3lJ9mjtso+EjKqhdrhiv19wR7s6bOnMsKsasdFTrNbTl/BOWgu5ORCZryK7pu
oP59eniJQSidnYcUOeY6SXpKesNow4JPjQOlYTr5uPKO42FLR48W6csoAlju6eZq
l4yNdOECOy83VWJaQm6f1yEllVqUkGoDHOfcQDPQpfWAxsc4mSYWqnn+IxmIkgc=
=4Ju5
-----END PGP SIGNATURE-----