BugTraq
CVE-2014-6617 Softing FG-100 Backdoor Account Nov 05 2014 07:52AM
Ingmar Rosenhagen (ingmar rosenhagen csnc de)
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: Softing FG-100 PB
# Vendor: Softing AG (www.softing.com)
# CVE ID: CVE-2014-6617
# Subject: Backdoor Account
# Risk: High
# Effect: Remotely exploitable
# Author: Ingmar Rosenhagen
# Daniel Marzin
# Johannes Klick
# Date: 05.11.2014
#
#############################################################

Introduction:
-------------
Softing FG PROFIBUS [1] is a family of interfaces for remote access to
one, two or three PROFIBUS segments via Ethernet for device
parameterization, controller programming and data acquisition. Compass
Security Deutschland GmbH [2] discovered a security flaw in the firmware
of the device allowing unauthorized access to the device. The FG-100
allows access via the telnet protocol by default. The password for the
root account is hard-coded in the device and cannot be changed by the
administrator. This allows a remote attacker to log in as root, which
enables him to copy and/or alter configuration data or other parameters
of the device.

Affected:
---------
Firmware: FG-x00-PB_V2.02.0.00

Technical Description:
----------------------
The firmware for the device is delivered as a zip file containing a
uboot-image:

irosenha@kali ..100 - Firmware/fw_FG-x00-PB_V2.02.0.00 % mkimage -l fw_FG-100-PB_V2.02.0.00.release
Image Name: FG-100-PB_V2.02.0.00.release
Created: Mon Aug 4 16:26:49 2008
Image Type: PowerPC Linux Script (gzip compressed)
Data Size: 2396096 Bytes = 2339.94 kB = 2.29 MB
Load Address: 00000000
Entry Point: 00000000
Contents:
Image 0: 249 Bytes = 0.24 kB = 0.00 MB
Image 1: 3764 Bytes = 3.68 kB = 0.00 MB
Offset = 0x7f6aa083d14c
Image 2: 2392064 Bytes = 2336.00 kB = 2.28 MB
Offset = 0x7f6aa083e000

Splitting and extracting several layers of uboot-images leaves a
CramFS-Image:

irosenha@kali ..100 - Firmware/fw_FG-x00-PB_V2.02.0.00 % file cramfs3.fs
cramfs3.fs: Linux Compressed ROM File System data, big endian size 65536 CRC 0x330b1a39, edition 634273566, 1331373096 blocks, 2944606610 files

Since the image is big endian, a matching VM was used to mount it and
access its contents. It contains a default Linux filesystem with a
passwd file that holds password hashes (DES) created by mkpasswd:

irosenha@kali /tmp/media % cat etc/passwd.orig
root:fEHd4eY5[CUT BY COMPASS]:0:0:root:/root:/bin/sh
config:lGajGWwkK4[CUT BY COMPASS]:4671:100:PROFIgate Configuration:/fw_upload:/usr/local/config/DeviceConfig
FG-100-PB:DOPnAyLPjz[CUT BY COMPASS]:4672:100:PROFIgate Dialin:/:/bin/false
nobody:x:65534:65534:nobody:/tmp:/bin/sh
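To catch this class of issue during a firmware review, before a device ships or is deployed, the check below (an added example, not code from Compass or Softing) parses a passwd file extracted as above and flags every account whose password field holds a live hash, rating uid 0 with a login shell highest and traditional DES crypt as weak. The sample entries mirror the layout of the FG-100 passwd.orig, but their 13-character hash strings are constructed, not the device's real (redacted) hashes.

```python
# Added example (not Compass's or Softing's code): audit a passwd file pulled
# from a firmware image for hard-coded credentials like the FG-100's.
# Sample input is constructed to mirror the advisory's passwd.orig layout;
# the 13-char DES-style hash strings are made up, not the real (redacted) ones.
SAMPLE_PASSWD = """\
root:AbCdEfGhIjKlM:0:0:root:/root:/bin/sh
config:NoPqRsTuVwXyZ:4671:100:PROFIgate Configuration:/fw_upload:/usr/local/config/DeviceConfig
FG-100-PB:ZyXwVuTsRqPoN:4672:100:PROFIgate Dialin:/:/bin/false
nobody:x:65534:65534:nobody:/tmp:/bin/sh
"""

LOCKED = {"", "x", "*", "!", "!!"}          # no usable hash in this field
NOLOGIN = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def classify_hash(field: str) -> str:
    """Name the crypt(3) scheme from the hash field's prefix or length."""
    prefixes = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512", "$2": "bcrypt"}
    for prefix, name in prefixes.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "des"   # traditional DES crypt: 2-char salt + 11-char hash
    return "unknown"

def audit_passwd(text: str) -> list:
    """Return (severity, user, uid, scheme, shell) for each account whose
    password field holds a live hash rather than a lock marker or shadow ref."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue                       # comment or malformed entry: skip
        user, pw, uid, _gid, _gecos, _home, shell = fields
        if pw in LOCKED or pw.startswith("!"):
            continue
        scheme, uid_n = classify_hash(pw), int(uid)
        if uid_n == 0 and shell not in NOLOGIN:
            severity = "high"              # root with a shell: full device control
        elif scheme == "des":
            severity = "medium"            # 8-char max, fast to brute-force
        else:
            severity = "low"
        findings.append((severity, user, uid_n, scheme, shell))
    return findings

if __name__ == "__main__":
    for sev, user, uid, scheme, shell in audit_passwd(SAMPLE_PASSWD):
        print(f"{sev:6} {user:10} uid={uid:<5} {scheme:7} {shell}")
```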

Using hashcat, the hash of the user root (uid 0) could be cracked and
the device accessed with this account over telnet:

root@kali /home/irosenha # telnet 192.168.2.3
Trying 192.168.2.3...
Connected to 192.168.2.3.
Escape character is '^]'.

ps login: root
Password:

BusyBox v1.00 (2008.06.06-06:20+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # cat /etc/profile
PATH=/bin:/sbin:/usr/local/bin
TZ=CET-1CEST,M3.5.0/2,M10.5.0/3
export TZ
~ # uname -a
Linux ps 2.4.4-rthal5 #1 Fri Jun 6 08:02:49 CEST 2008 ppc unknown

Workaround / Fix:
-----------------
No patch is available.

Timeline:
---------
Vendor Notified: 2014-09-15
Vendor Response: 2014-10-24
Vendor Status: Won't Fix

References:
-----------
[1]: http://industrial.softing.com/de/produkte/profibus-master-or-slave-configurable-single-channel-remote-interface.html
[2]: http://www.csnc.de
