
CVE-2014-6617 Softing FG-100 Backdoor Account



#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product:   Softing FG-100 PB
# Vendor:    Softing AG (www.softing.com)
# CVE ID:    CVE-2014-6617
# Subject:   Backdoor Account
# Risk:      High
# Effect:    Remotely exploitable
# Author:    Ingmar Rosenhagen
#            Daniel Marzin
#            Johannes Klick
# Date:      05.11.2014
#
#############################################################

Introduction:
-------------
Softing FG PROFIBUS [1] is a family of interfaces for remote access to
one, two or three PROFIBUS segments via Ethernet for device
parameterization, controller programming and data acquisition. Compass
Security Deutschland GmbH [2] discovered a security flaw in the firmware
of the device allowing unauthorized access to the device. The FG-100
allows access via the telnet protocol by default. The password for the
root account is hard-coded in the device and cannot be changed by
the administrator. This allows a remote attacker to log in as root,
which enables him to copy and/or alter configuration data or other
parameters of the device.


Affected:
---------
Firmware: FG-x00-PB_V2.02.0.00

Technical Description:
----------------------
The firmware for the device is delivered as a zip file containing a
uboot-image:

irosenha@kali ..100 - Firmware/fw_FG-x00-PB_V2.02.0.00 % mkimage -l fw_FG-100-PB_V2.02.0.00.release
Image Name:   FG-100-PB_V2.02.0.00.release
Created:      Mon Aug  4 16:26:49 2008
Image Type:   PowerPC Linux Script (gzip compressed)
Data Size:    2396096 Bytes = 2339.94 kB = 2.29 MB
Load Address: 00000000
Entry Point:  00000000
Contents:
   Image 0: 249 Bytes = 0.24 kB = 0.00 MB
   Image 1: 3764 Bytes = 3.68 kB = 0.00 MB
    Offset = 0x7f6aa083d14c
   Image 2: 2392064 Bytes = 2336.00 kB = 2.28 MB
    Offset = 0x7f6aa083e000

Splitting and extracting several layers of uboot-images leaves a
CramFS-Image:

irosenha@kali ..100 - Firmware/fw_FG-x00-PB_V2.02.0.00 % file cramfs3.fs
cramfs3.fs: Linux Compressed ROM File System data, big endian size 65536 CRC 0x330b1a39, edition 634273566, 1331373096 blocks, 2944606610 files
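The endianness that `file` reports is read straight from the CramFS superblock: the 32-bit magic at offset 0 is stored in the image's native byte order, so a big-endian image (as produced for this PowerPC target) shows the magic byte-swapped when read on an x86 host. The following is an added example, not Compass' or Softing's tooling, that decodes the superblock from the magic and signature defined in the Linux cramfs header; the sample images it builds are constructed here, and the CRC, edition and name values in them are placeholders rather than the values from the firmware above.

```python
import struct

CRAMFS_MAGIC = 0x28CD3D45               # CRAMFS_MAGIC from linux/cramfs_fs.h
CRAMFS_SIGNATURE = b"Compressed ROMFS"  # 16-byte signature present in every superblock
# superblock: magic, size, flags, future, signature[16],
#             fsid{crc, edition, blocks, files}, name[16]  -> 64 bytes
SB_FIELDS = "IIII16sIIII16s"
SUPERBLOCK_LEN = struct.calcsize(">" + SB_FIELDS)


def parse_cramfs_superblock(image: bytes) -> dict:
    """Detect byte order from the magic and decode the superblock fields.

    Raises ValueError when the data does not carry a cramfs magic/signature,
    so a caller never silently treats arbitrary bytes as a filesystem.
    """
    if len(image) < SUPERBLOCK_LEN:
        raise ValueError("too short for a cramfs superblock")
    # Try both byte orders: only the matching one yields the magic value.
    if struct.unpack(">I", image[:4])[0] == CRAMFS_MAGIC:
        endian = ">"
    elif struct.unpack("<I", image[:4])[0] == CRAMFS_MAGIC:
        endian = "<"
    else:
        raise ValueError("cramfs magic not found at offset 0")
    (_magic, size, flags, _future, signature,
     crc, edition, blocks, files, name) = struct.unpack(
        endian + SB_FIELDS, image[:SUPERBLOCK_LEN])
    if signature != CRAMFS_SIGNATURE:
        raise ValueError("cramfs signature mismatch")
    return {
        "endian": "big" if endian == ">" else "little",
        "size": size,
        "flags": flags,
        "crc": crc,
        "edition": edition,
        "blocks": blocks,
        "files": files,
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
    }


def build_sample_superblock(endian: str, size: int = 65536,
                            blocks: int = 16, files: int = 5) -> bytes:
    """Constructed sample superblock (placeholder CRC/edition/name) for testing."""
    return struct.pack(endian + SB_FIELDS, CRAMFS_MAGIC, size, 0x3, 0,
                       CRAMFS_SIGNATURE, 0x12345678, 1, blocks, files, b"sample")


if __name__ == "__main__":
    for order in (">", "<"):
        print(parse_cramfs_superblock(build_sample_superblock(order)))
```

Knowing the byte order up front tells you whether the image can be mounted directly on the analysis host or, as in the advisory, needs a big-endian VM or a byte-swapping cramfs tool; it also lets a firmware-integrity check compare the recorded `crc` against the one it computes before trusting the contents.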

Since this is big endian, a matching VM was used to mount the image and
access its contents. It contains a default Linux filesystem with a
passwd file that holds password hashes (DES) created by mkpasswd:

irosenha@kali /tmp/media % cat etc/passwd.orig
root:fEHd4eY5[CUT BY COMPASS]:0:0:root:/root:/bin/sh
config:lGajGWwkK4[CUT BY COMPASS]:4671:100:PROFIgate Configuration:/fw_upload:/usr/local/config/DeviceConfig
FG-100-PB:DOPnAyLPjz[CUT BY COMPASS]:4672:100:PROFIgate Dialin:/:/bin/false
nobody:x:65534:65534:nobody:/tmp:/bin/sh
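Three properties of that passwd file make the account a backdoor rather than merely a weak default: the hashes live in the world-readable `/etc/passwd` instead of `/etc/shadow`, they use legacy 13-character DES crypt(3) (8-character password limit, 12-bit salt, cheap to brute force), and the uid 0 entry has an interactive shell reachable over telnet. The following is an added example, not Compass' or Softing's code, of a firmware-audit check that flags exactly those conditions; the passwd lines it inspects are constructed for the example, with made-up hashes in place of the ones Compass redacted.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Traditional DES crypt(3): exactly 13 chars from this alphabet, no "$id$" prefix.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/ash", "/bin/bash", "/bin/busybox"}
# Values in the password field that mean "no hash here" (shadowed or locked).
NO_HASH_MARKERS = {"x", "*", "!", "!!"}

# Constructed sample modelled on the advisory's listing; hashes are made up.
SAMPLE_PASSWD = """\
root:abJnggxhB/yWI:0:0:root:/root:/bin/sh
config:ab9k2LmQp1RsT:4671:100:PROFIgate Configuration:/fw_upload:/usr/local/config/DeviceConfig
FG-100-PB:abZx8NqWe3Rt5:4672:100:PROFIgate Dialin:/:/bin/false
nobody:x:65534:65534:nobody:/tmp:/bin/sh
"""


@dataclass
class PasswdFinding:
    user: str
    uid: int
    issues: list[str] = field(default_factory=list)


def parse_passwd(text: str) -> list[dict]:
    """Split passwd(5) lines into their seven fields; reject malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {raw!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"user": name, "hash": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(text: str) -> list[PasswdFinding]:
    """Return one finding per account that shows a backdoor-style weakness."""
    findings = []
    for e in parse_passwd(text):
        issues = []
        pw = e["hash"]
        if pw == "":
            issues.append("empty password field (login without password)")
        elif pw not in NO_HASH_MARKERS and not pw.startswith("!"):
            issues.append("hash stored in world-readable passwd instead of shadow")
            if DES_CRYPT_RE.match(pw):
                issues.append("legacy DES crypt hash (8-char limit, cheap to brute force)")
        if e["uid"] == 0 and e["shell"] in INTERACTIVE_SHELLS:
            issues.append("uid 0 account with interactive shell")
        if issues:
            findings.append(PasswdFinding(e["user"], e["uid"], issues))
    return findings


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"{f.user} (uid {f.uid}):")
        for issue in f.issues:
            print(f"  - {issue}")
```

Run against an extracted root filesystem, a check like this turns up the issue before a device ships; on a fielded FG-100 the findings cannot be remediated by the administrator, since the advisory states the root password is hard-coded, so the practical mitigation is to disable or firewall telnet (TCP 23) to the device and monitor for logins on that port.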

Using hashcat the hash of the user root with uid 0 could be cracked and
the device accessed by this account with telnet:

root@kali /home/irosenha # telnet 192.168.2.3         
Trying 192.168.2.3...
Connected to 192.168.2.3.
Escape character is '^]'.

ps login: root
Password: 


BusyBox v1.00 (2008.06.06-06:20+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # cat /etc/profile 
PATH=/bin:/sbin:/usr/local/bin
TZ=CET-1CEST,M3.5.0/2,M10.5.0/3
export TZ
~ # uname -a
Linux ps 2.4.4-rthal5 #1 Fri Jun 6 08:02:49 CEST 2008 ppc unknown
 

Workaround / Fix:
-----------------
No patch is available.

Timeline:
---------
Vendor Notified:    2014-09-15
Vendor Response:    2014-10-24
Vendor Status:      Won't Fix

References:
-----------
[1]: http://industrial.softing.com/de/produkte/profibus-master-or-slave-configurable-single-channel-remote-interface.html
[2]: http://www.csnc.de


