[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Backdoor access to Techboard/Syac devices



[ADVISORY INFORMATION]
Title:		Backdoor access to Techboard/Syac devices
Discovery date: 02/04/2014
Release date:   07/07/2014
Advisory URL:   http://blog.emaze.net/2014/07/backdoor-techboardsyac.html
Credits: 	Roberto Paleari (@rpaleari),
		Luca Giancane (luca.giancane@xxxxxxxxx)

[VULNERABILITY INFORMATION]
Class: 	        Command execution, Authentication bypass

[AFFECTED PRODUCTS]
We confirm the presence of the security vulnerability on the following
products/firmware versions:
   * Techboard/Syac DigiEye 3G (software version 3.19.30004)

Other device models and firmware versions are probably also vulnerable, but
they were not checked.

[VULNERABILITY DETAILS]
During a security assessment on one of our customers, we had the opportunity to
analyze a Techboard/Syac DigiEye. The assessment led to the identification of a
critical security vulnerability, described in the next paragraphs.

More in detail, affected devices include a backdoor service listening on TCP
port 7339. This service implements a challenge-response protocol to
"authenticate" clients. After this step, clients are allowed to execute
arbitrary commands on the device, with administrative (root) privileges. We
would like to stress out that, to the best of our knowledge, end-users are not
allowed to disable the backdoor service, nor to control the "authentication"
mechanism.

As vulnerable devices are still widely deployed on the Internet, we won't
release the full details on the backdoor communication protocol. Instead, we
just document the initial "protocol handshake", in order to allow
Techboard/Syac customers to identify vulnerable devices on their networks.

Strictly speaking, the protocol handshake works as follows:

1. The client connects to port tcp/7339 of the vulnerable device and sends the
   string "KNOCK-KNOCK-ANYONETHERE?", terminated with a NULL byte.

2. The server replies with a 12-byte response. First 8 bytes are a timestamp,
   while last 4 bytes are a "magic number" equal to 0x000aae60.

3. The timestamp provided by the server is then used to feed the
   challenge/response procedure.

Together with this security advisory, we provide a Nmap NSE script to identify
vulnerable devices.

[REMEDIATION]
We contacted Techboard/Syac on April 2nd, 2014 and provided them with the
technical details of the vulnerability we found. The device vendor promptly
replied back to our e-mails and, on April 9th, they confirmed a patched
firmware version was going to be released to their customers. However, the
patched firmware was not checked by Emaze.

[COPYRIGHT]
Copyright(c) Emaze Networks S.p.A 2014, All rights reserved worldwide.
Permission is hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers remain intact.

[DISCLAIMER]
Emaze Networks S.p.A is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service to the
professional security community. There are NO WARRANTIES with regard to this
information. Any application or distribution of this information constitutes
acceptance AS IS, at the user's own risk. This information is subject to change
without notice.