[ADVISORY INFORMATION] Title: Backdoor access to Techboard/Syac devices Discovery date: 02/04/2014 Release date: 07/07/2014 Advisory URL: http://blog.emaze.net/2014/07/backdoor-techboardsyac.html Credits: Roberto Paleari (@rpaleari), Luca Giancane (luca.giancane@emaze.net) [VULNERABILITY INFORMATION] Class: Command execution, Authentication bypass [AFFECTED PRODUCTS] We confirm the presence of the security vulnerability on the following products/firmware versions: * Techboard/Syac DigiEye 3G (software version 3.19.30004) Other device models and firmware versions are probably also vulnerable, but they were not checked. [VULNERABILITY DETAILS] During a security assessment on one of our customers, we had the opportunity to analyze a Techboard/Syac DigiEye. The assessment led to the identification of a critical security vulnerability, described in the next paragraphs. More in detail, affected devices include a backdoor service listening on TCP port 7339. This service implements a challenge-response protocol to "authenticate" clients. After this step, clients are allowed to execute arbitrary commands on the device, with administrative (root) privileges. We would like to stress out that, to the best of our knowledge, end-users are not allowed to disable the backdoor service, nor to control the "authentication" mechanism. As vulnerable devices are still widely deployed on the Internet, we won't release the full details on the backdoor communication protocol. Instead, we just document the initial "protocol handshake", in order to allow Techboard/Syac customers to identify vulnerable devices on their networks. Strictly speaking, the protocol handshake works as follows: 1. The client connects to port tcp/7339 of the vulnerable device and sends the string "KNOCK-KNOCK-ANYONETHERE?", terminated with a NULL byte. 2. The server replies with a 12-byte response. First 8 bytes are a timestamp, while last 4 bytes are a "magic number" equal to 0x000aae60. 3. The timestamp provided by the server is then used to feed the challenge/response procedure. Together with this security advisory, we provide a Nmap NSE script to identify vulnerable devices. [REMEDIATION] We contacted Techboard/Syac on April 2nd, 2014 and provided them with the technical details of the vulnerability we found. The device vendor promptly replied back to our e-mails and, on April 9th, they confirmed a patched firmware version was going to be released to their customers. However, the patched firmware was not checked by Emaze. [COPYRIGHT] Copyright(c) Emaze Networks S.p.A 2014, All rights reserved worldwide. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact. [DISCLAIMER] Emaze Networks S.p.A is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.