-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 KL-001-2015-007 : Seagate GoFlex Satellite Remote Telnet Default Password Title: Seagate GoFlex Satellite Remote Telnet Default Password Advisory ID: KL-001-2015-007 Publication Date: 2015.12.18 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-007.txt 1. Vulnerability Details Affected Vendor: Seagate Affected Product: GoFlex Satellite Affected Version: 1.3.7 Platform: Embedded Linux CWE Classification: CWE-288: Authentication Bypass Using an Alternate Path or Channel; CWE-798: Use of Hard-coded Credentials Impact: Remote Administration Attack vector: Telnet CVE-ID: CVE-2015-2874 2. Vulnerability Description Seagate GoFlex Satellite Mobile Wireless Storage devices contain a hardcoded backdoor account. An attacker could use this account to remotely tamper with the underlying operating system when Telnet is enabled. 3. Technical Description root@wpad:/tmp/jfroot# ls bin boot dev etc home include lib linuxrc media mnt proc satellite_app sbin share srv static sys tmp usr var root@wpad:/tmp/jfroot# cd etc root@wpad:/tmp/jfroot/etc# ls angstrom-version default fstab init.d iproute2 motd org_passwd protocols rc4.d rS.d terminfo udhcpc.d autoUpdURL device_table group inittab issue mtab passwd rc0.d rc5.d scsi_id.config timestamp udhcpd.conf avahi device_table-opkg host.conf inputrc issue.net network passwd- rc1.d rc6.d services tinylogin.links udhcpd_factory.conf busybox.links fb.modes hostname internal_if.conf localtime nsswitch.conf profile rc2.d rcS.d skel ts.conf version dbus-1 filesystems hosts ipkg mke2fs.conf opkg profile.d rc3.d rpc syslog.conf udev root@wpad:/tmp/jfroot/etc# cat passwd root:VruSTav0/g/yg:0:0:root:/home/root:/bin/sh daemon:*:1:1:daemon:/usr/sbin:/bin/sh bin:*:2:2:bin:/bin:/bin/sh sys:*:3:3:sys:/dev:/bin/sh sync:*:4:65534:sync:/bin:/bin/sync games:*:5:60:games:/usr/games:/bin/sh man:*:6:12:man:/var/cache/man:/bin/sh lp:*:7:7:lp:/var/spool/lpd:/bin/sh mail:*:8:8:mail:/var/mail:/bin/sh news:*:9:9:news:/var/spool/news:/bin/sh uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh proxy:*:13:13:proxy:/bin:/bin/sh www-data:*:33:33:www-data:/var/www:/bin/sh backup:*:34:34:backup:/var/backups:/bin/sh list:*:38:38:Mailing List Manager:/var/list:/bin/sh irc:*:39:39:ircd:/var/run/ircd:/bin/sh gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:*:65534:65534:nobody:/nonexistent:/bin/sh xoFaeS:QGd9zEjQYxxf2:500:500:Linux User,,,:/home/xoFaeS:/bin/sh The xoFaeS user cracked to etagknil. 4. Mitigation and Remediation Recommendation The vendor has released a patch that can be obtained using the Download Finder located at https://apps1.seagate.com/downloads/request.html 5. Credit This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc. 6. Disclosure Timeline 2015.09.11 - Vulnerability details and PoC sent to Seagate. 2015.09.15 - Seagate confirms receipt. 2015.09.28 - Seagate indicates a patch is ready but not yet available to the public. 2015.09.28 - KoreLogic asks Seagate if they have obtained a CVE-ID for the vulnerability. 2015.10.27 - Seagate notifies KoreLogic that the patch is publicly available. Seagate indicates they are waiting for a CVE before releasing a security advisory. 2015.12.08 - KoreLogic requests an update on the CVE-ID and associated Seagate advisory. 2015.12.08 - Seagate responds with a link to http://www.kb.cert.org/vuls/id/903500 2015.12.18 - Public disclosure. 7. Proof of Concept N/A The contents of this advisory are copyright(c) 2015 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJWdHjEAAoJEE1lmiwOGYkM++wH/1h7kz+0f1Ptwczn7nkoAj+H ggoR+6mbSDBTw1gj58oYjIo2HEvnryoclqGZiwsDe5G4g9dYV8PV0qHTuNDf/lRV F6EcUTZ4z5YFLMf6bOXazaeVJPsbzjw1JvdMyejyX7Tyhi3hFAY3k8r20W+Ry4pi Fgb3lJ9mjtso+EjKqhdrhiv19wR7s6bOnMsKsasdFTrNbTl/BOWgu5ORCZryK7pu oP59eniJQSidnYcUOeY6SXpKesNow4JPjQOlYTr5uPKO42FLR48W6csoAlju6eZq l4yNdOECOy83VWJaQm6f1yEllVqUkGoDHOfcQDPQpfWAxsc4mSYWqnn+IxmIkgc= =4Ju5 -----END PGP SIGNATURE-----