what you don't know can hurt you

Techboard/Syac Backdoor Access

Techboard/Syac Backdoor Access
Posted Jul 7, 2014
Authored by Roberto Paleari, Luca Giancane

Techboard/Syac DigiEye 3G devices suffer from a backdoor access vulnerability.

tags | advisory
MD5 | f45510cb98d7b54ec52f0117d29f6fc1

Techboard/Syac Backdoor Access

Change Mirror Download
Title: Backdoor access to Techboard/Syac devices
Discovery date: 02/04/2014
Release date: 07/07/2014
Advisory URL: http://blog.emaze.net/2014/07/backdoor-techboardsyac.html
Credits: Roberto Paleari (@rpaleari),
Luca Giancane (luca.giancane@emaze.net)

Class: Command execution, Authentication bypass

We confirm the presence of the security vulnerability on the following
products/firmware versions:
* Techboard/Syac DigiEye 3G (software version 3.19.30004)

Other device models and firmware versions are probably also vulnerable, but
they were not checked.

During a security assessment on one of our customers, we had the opportunity to
analyze a Techboard/Syac DigiEye. The assessment led to the identification of a
critical security vulnerability, described in the next paragraphs.

More in detail, affected devices include a backdoor service listening on TCP
port 7339. This service implements a challenge-response protocol to
"authenticate" clients. After this step, clients are allowed to execute
arbitrary commands on the device, with administrative (root) privileges. We
would like to stress out that, to the best of our knowledge, end-users are not
allowed to disable the backdoor service, nor to control the "authentication"

As vulnerable devices are still widely deployed on the Internet, we won't
release the full details on the backdoor communication protocol. Instead, we
just document the initial "protocol handshake", in order to allow
Techboard/Syac customers to identify vulnerable devices on their networks.

Strictly speaking, the protocol handshake works as follows:

1. The client connects to port tcp/7339 of the vulnerable device and sends the
string "KNOCK-KNOCK-ANYONETHERE?", terminated with a NULL byte.

2. The server replies with a 12-byte response. First 8 bytes are a timestamp,
while last 4 bytes are a "magic number" equal to 0x000aae60.

3. The timestamp provided by the server is then used to feed the
challenge/response procedure.

Together with this security advisory, we provide a Nmap NSE script to identify
vulnerable devices.

We contacted Techboard/Syac on April 2nd, 2014 and provided them with the
technical details of the vulnerability we found. The device vendor promptly
replied back to our e-mails and, on April 9th, they confirmed a patched
firmware version was going to be released to their customers. However, the
patched firmware was not checked by Emaze.

Copyright(c) Emaze Networks S.p.A 2014, All rights reserved worldwide.
Permission is hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers remain intact.

Emaze Networks S.p.A is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service to the
professional security community. There are NO WARRANTIES with regard to this
information. Any application or distribution of this information constitutes
acceptance AS IS, at the user's own risk. This information is subject to change
without notice.


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2016 Packet Storm. All rights reserved.

Security Services
Hosting By