
Techboard/Syac Backdoor Access

Posted Jul 7, 2014
Authored by Roberto Paleari, Luca Giancane

Techboard/Syac DigiEye 3G devices suffer from a backdoor access vulnerability.

tags | advisory
SHA-256 | 33cc889ede70ca75a8c0e1208e6650725ce6572d34b522656e3ccc4be7b34240

[ADVISORY INFORMATION]
Title: Backdoor access to Techboard/Syac devices
Discovery date: 02/04/2014
Release date: 07/07/2014
Advisory URL: http://blog.emaze.net/2014/07/backdoor-techboardsyac.html
Credits: Roberto Paleari (@rpaleari),
Luca Giancane (luca.giancane@emaze.net)

[VULNERABILITY INFORMATION]
Class: Command execution, Authentication bypass

[AFFECTED PRODUCTS]
We confirm the presence of the security vulnerability on the following
products/firmware versions:
* Techboard/Syac DigiEye 3G (software version 3.19.30004)

Other device models and firmware versions are probably also vulnerable, but
they were not checked.

[VULNERABILITY DETAILS]
During a security assessment on one of our customers, we had the opportunity to
analyze a Techboard/Syac DigiEye. The assessment led to the identification of a
critical security vulnerability, described in the next paragraphs.

In more detail, affected devices include a backdoor service listening on TCP
port 7339. This service implements a challenge-response protocol to
"authenticate" clients. After this step, clients are allowed to execute
arbitrary commands on the device, with administrative (root) privileges. We
would like to stress that, to the best of our knowledge, end-users are not
allowed to disable the backdoor service, or to control the "authentication"
mechanism.

As vulnerable devices are still widely deployed on the Internet, we won't
release the full details on the backdoor communication protocol. Instead, we
just document the initial "protocol handshake", in order to allow
Techboard/Syac customers to identify vulnerable devices on their networks.

Strictly speaking, the protocol handshake works as follows:

1. The client connects to port tcp/7339 of the vulnerable device and sends the
string "KNOCK-KNOCK-ANYONETHERE?", terminated with a NULL byte.

2. The server replies with a 12-byte response. The first 8 bytes are a
timestamp, while the last 4 bytes are a "magic number" equal to 0x000aae60.

3. The timestamp provided by the server is then used to feed the
challenge/response procedure.

Together with this security advisory, we provide an Nmap NSE script to identify
vulnerable devices.
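
The handshake check described in steps 1 and 2, as an added Python example for
auditing devices you administer (it is not the Emaze NSE script and not code
from the advisory). Assumptions: the advisory does not state the byte order of
the magic number, so both encodings are accepted, and the 8-byte timestamp is
treated as opaque; the function names are hypothetical.

```python
import socket

KNOCK = b"KNOCK-KNOCK-ANYONETHERE?\x00"  # handshake string from the advisory, NUL-terminated
MAGIC = 0x000AAE60                       # "magic number" from the advisory
REPLY_LEN = 12                           # 8-byte timestamp + 4-byte magic number

def matches_backdoor_reply(reply: bytes) -> bool:
    """True if reply is exactly 12 bytes and its last 4 bytes encode MAGIC.

    Assumption: byte order is not documented, so big- and little-endian
    encodings are both accepted. The timestamp bytes are not interpreted.
    """
    if len(reply) != REPLY_LEN:
        return False
    tail = reply[8:]
    return MAGIC in (int.from_bytes(tail, "big"), int.from_bytes(tail, "little"))

def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read up to n bytes, stopping early on EOF or timeout."""
    buf = b""
    try:
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass
    return buf

def check_socket(sock: socket.socket) -> bool:
    """Send the knock on a connected socket and test the 12-byte reply."""
    sock.sendall(KNOCK)
    return matches_backdoor_reply(recv_exact(sock, REPLY_LEN))

def check_host(host: str, port: int = 7339, timeout: float = 5.0) -> bool:
    """Return True if host answers the handshake like an affected device."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return check_socket(sock)
    except OSError:  # closed/filtered port, reset, or connect timeout
        return False

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:  # addresses from your own device inventory
        print(host, "backdoor handshake" if check_host(host) else "no match")
```

A match only shows that the service answers the documented handshake; it does
not tell whether the vendor's patched firmware changes this behaviour.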

[REMEDIATION]
We contacted Techboard/Syac on April 2nd, 2014 and provided them with the
technical details of the vulnerability we found. The device vendor promptly
replied to our e-mails and, on April 9th, they confirmed a patched
firmware version was going to be released to their customers. However, the
patched firmware was not checked by Emaze.

[COPYRIGHT]
Copyright(c) Emaze Networks S.p.A 2014, All rights reserved worldwide.
Permission is hereby granted to redistribute this advisory, providing that no
changes are made and that the copyright notices and disclaimers remain intact.

[DISCLAIMER]
Emaze Networks S.p.A is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service to the
professional security community. There are NO WARRANTIES with regard to this
information. Any application or distribution of this information constitutes
acceptance AS IS, at the user's own risk. This information is subject to change
without notice.