what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Softing FG-100 PB Hardcoded Backdoor

Softing FG-100 PB Hardcoded Backdoor
Posted Nov 5, 2014
Authored by Daniel Marzin, Johannes Klick, Ingmar Rosenhagen

Softing FG-100 PB comes with a hardcoded root account with a static password that cannot be changed by the administrator.

tags | exploit, root
advisories | CVE-2014-6617
SHA-256 | 22e4763533c7a20fc4e6a7977f464c067e829cdfcf045f51124db5c9ecfc01fd

Softing FG-100 PB Hardcoded Backdoor

Change Mirror Download
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: Softing FG-100 PB
# Vendor: Softing AG (www.softing.com)
# CVD ID: CVE-2014-6617
# Subject: Backdoor Account
# Risk: High
# Effect: Remotely exploitable
# Author: Ingmar Rosenhagen
# Daniel Marzin
# Johannes Klick
# Date: 05.11.2014
#
#############################################################

Introduction:
-------------
Softing FG PROFIBUS [1] is a family of interfaces for remote access to
one, two or three PROFIBUS segments via Ethernet for device
parameterization, controller programming and data acquisition. Compass
Security Deutschland GmbH [2] discovered a security flaw in the firmware
of the device allowing unauthorized acces to the device. The FG-100
allows access via the telnet protocol by default. The password for the
root-account is hard-coded in the device and cannot be changed by
the administrator. This allows an remote attacker
to login as root, which enables him to copy and/or alter configuration
data or other parameters of the device.


Affected:
---------
Firmware: FG-x00-PB_V2.02.0.00

Technical Description:
----------------------
The firmware for the device is delivered as a zip file containing a
uboot-image:

irosenha@kali ..100 - Firmware/fw_FG-x00-PB_V2.02.0.00 % mkimage -l
fw_FG-100-PB_V2.02.0.00.release
Image Name: FG-100-PB_V2.02.0.00.release
Created: Mon Aug 4 16:26:49 2008
Image Type: PowerPC Linux Script (gzip compressed)
Data Size: 2396096 Bytes = 2339.94 kB = 2.29 MB
Load Address: 00000000
Entry Point: 00000000
Contents:
Image 0: 249 Bytes = 0.24 kB = 0.00 MB
Image 1: 3764 Bytes = 3.68 kB = 0.00 MB
Offset = 0x7f6aa083d14c
Image 2: 2392064 Bytes = 2336.00 kB = 2.28 MB
Offset = 0x7f6aa083e000

Splitting and extracting several layers of uboot-images leaves a
CramFS-Image:

irosenha@kali ..100 - Firmware/fw_FG-x00-PB_V2.02.0.00 % file cramfs3.fs
cramfs3.fs: Linux Compressed ROM File System data, big endian size 65536 CRC
0x330b1a39, edition 634273566, 1331373096 blocks, 2944606610 files

Since this is big endian a matching VM was used to mount the image and
access it's contents. It contains a default linux filesystem with a
passwd file that holds password hashes (DES) created by mkpasswd:

irosenha@kali /tmp/media % cat etc/passwd.orig
root:fEHd4eY5[CUT BY COMPASS]:0:0:root:/root:/bin/sh
config:lGajGWwkK4[CUT BY COMPASS]:4671:100:PROFIgate
Configuration:/fw_upload:/usr/local/config/DeviceConfig
FG-100-PB:DOPnAyLPjz[CUT BY COMPASS]:4672:100:PROFIgate Dialin:/:/bin/false
nobody:x:65534:65534:nobody:/tmp:/bin/sh

Using hashcat the hash of the user root with uid 0 could be cracked and
the device accessed by this account with telnet:

root@kali /home/irosenha # telnet 192.168.2.3
Trying 192.168.2.3...
Connected to 192.168.2.3.
Escape character is '^]'.

ps login: root
Password:


BusyBox v1.00 (2008.06.06-06:20+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # cat /etc/profile
PATH=/bin:/sbin:/usr/local/bin
TZ=CET-1CEST,M3.5.0/2,M10.5.0/3
export TZ
~ # uname -a
Linux ps 2.4.4-rthal5 #1 Fri Jun 6 08:02:49 CEST 2008 ppc unknown


Workaround / Fix:
-----------------
no patch is available

Timeline:
---------
Vendor Notified: 2014-09-15
Vendor Response: 2014-10-24
Vendor Status: Wont Fix

References:
-----------
[1]:
http://industrial.softing.com/de/produkte/profibus-master-or-slave-configura
ble-single-channel-remote-interface.html
[2]: http://www.csnc.de



Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close