#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product:  Softing FG-100 PB
# Vendor:   Softing AG (www.softing.com)
# CVD ID:   CVE-2014-6617
# Subject:  Backdoor Account
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Ingmar Rosenhagen
#           Daniel Marzin
#           Johannes Klick
# Date:     05.11.2014
#
#############################################################

Introduction:
-------------
Softing FG PROFIBUS [1] is a family of interfaces for remote access to
one, two or three PROFIBUS segments via Ethernet for device
parameterization, controller programming and data acquisition.

Compass Security Deutschland GmbH [2] discovered a security flaw in the
firmware of the device that allows unauthorized access to it. The FG-100
accepts telnet connections by default, and the password of the root
account is hard-coded in the firmware and cannot be changed by the
administrator. A remote attacker who knows (or cracks) this password can
therefore log in as root and read or alter the configuration data and any
other parameter of the device.
Affected:
---------
Firmware: FG-x00-PB_V2.02.0.00

Technical Description:
----------------------
The firmware for the device is delivered as a zip file containing a
U-Boot image:

irosenha@kali ..100 - Firmware/fw_FG-x00-PB_V2.02.0.00 % mkimage -l fw_FG-100-PB_V2.02.0.00.release
Image Name:   FG-100-PB_V2.02.0.00.release
Created:      Mon Aug  4 16:26:49 2008
Image Type:   PowerPC Linux Script (gzip compressed)
Data Size:    2396096 Bytes = 2339.94 kB = 2.29 MB
Load Address: 00000000
Entry Point:  00000000
Contents:
   Image 0: 249 Bytes = 0.24 kB = 0.00 MB
   Image 1: 3764 Bytes = 3.68 kB = 0.00 MB
      Offset = 0x7f6aa083d14c
   Image 2: 2392064 Bytes = 2336.00 kB = 2.28 MB
      Offset = 0x7f6aa083e000

(The "Offset" values printed by this mkimage version are host memory
addresses, not file offsets; the real position of each sub-image follows
from the 64-byte header plus the size table at the start of the payload.)

Splitting and extracting several layers of U-Boot images leaves a CramFS
image:

irosenha@kali ..100 - Firmware/fw_FG-x00-PB_V2.02.0.00 % file cramfs3.fs
cramfs3.fs: Linux Compressed ROM File System data, big endian size 65536 CRC 0x330b1a39, edition 634273566, 1331373096 blocks, 2944606610 files

Since the image is big endian, a matching (big-endian) VM was used to
mount it and access its contents. It contains a default Linux filesystem
with a passwd file that holds password hashes (traditional DES crypt)
created by mkpasswd:

irosenha@kali /tmp/media % cat etc/passwd.orig
root:fEHd4eY5[CUT BY COMPASS]:0:0:root:/root:/bin/sh
config:lGajGWwkK4[CUT BY COMPASS]:4671:100:PROFIgate Configuration:/fw_upload:/usr/local/config/DeviceConfig
FG-100-PB:DOPnAyLPjz[CUT BY COMPASS]:4672:100:PROFIgate Dialin:/:/bin/false
nobody:x:65534:65534:nobody:/tmp:/bin/sh

Note that the hashes are stored directly in /etc/passwd (no shadow file),
that the root account (uid 0) has a real login shell, and that DES crypt
uses only the first 8 characters of the password with a 12-bit salt, so
the hash is cheap to brute-force. Using hashcat, the hash of the user root
was cracked and the device was accessed with this account over telnet:

root@kali /home/irosenha # telnet 192.168.2.3
Trying 192.168.2.3...
Connected to 192.168.2.3.
Escape character is '^]'.

ps login: root
Password:

BusyBox v1.00 (2008.06.06-06:20+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # cat /etc/profile
PATH=/bin:/sbin:/usr/local/bin
TZ=CET-1CEST,M3.5.0/2,M10.5.0/3
export TZ
~ # uname -a
Linux ps 2.4.4-rthal5 #1 Fri Jun 6 08:02:49 CEST 2008 ppc unknown

Workaround / Fix:
-----------------
No patch is available. Since the root password cannot be changed, the only
mitigation is to keep the device off untrusted networks and to block
access to its telnet port (TCP 23) at the network boundary.

Timeline:
---------
Vendor Notified:  2014-09-15
Vendor Response:  2014-10-24
Vendor Status:    Won't Fix

References:
-----------
[1]: http://industrial.softing.com/de/produkte/profibus-master-or-slave-configurable-single-channel-remote-interface.html
[2]: http://www.csnc.de
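The firmware unpacking step above (a U-Boot "Script" image whose parts wrap further U-Boot images and finally a CramFS) can be reproduced without mkimage. The following parser is an added example written for this page, not Compass Security's or Softing's code: it validates the 64-byte legacy header (magic 0x27051956, header CRC, data CRC), walks the multi-part size table that Script and Multi-File images share, recurses through nested layers, and reports real file offsets that can be fed to dd. The names build_uimage, parse_uimage, identify and leaf_payloads are hypothetical, and the image it operates on is a constructed sample, not the FG-100 release file.

```python
"""Parse, verify and split U-Boot legacy (mkimage) images.
Added example, not Compass or Softing code; SAMPLE below is constructed."""
import struct
import zlib

IH_MAGIC = 0x27051956                     # ih_magic of every legacy U-Boot image
IH_TYPE_MULTI, IH_TYPE_SCRIPT = 4, 6      # both carry a multi-part payload
IH_OS = {5: "Linux"}
IH_ARCH = {2: "ARM", 3: "x86", 7: "PowerPC"}
IH_TYPE = {2: "Kernel", 4: "Multi-File", 6: "Script", 7: "Filesystem"}
IH_COMP = {0: "uncompressed", 1: "gzip", 2: "bzip2", 3: "lzma"}
CRAMFS_MAGIC_BE = b"\x28\xcd\x3d\x45"     # 0x28cd3d45 as stored in a big-endian image
# ih_magic ih_hcrc ih_time ih_size ih_load ih_ep ih_dcrc ih_os ih_arch ih_type ih_comp ih_name[32]
HEADER = struct.Struct(">IIIIIIIBBBB32s")  # 64 bytes, always big-endian


def _crc(buf: bytes) -> int:
    return zlib.crc32(buf) & 0xFFFFFFFF


def build_uimage(parts, name=b"constructed", os_=5, arch=7, typ=IH_TYPE_SCRIPT, comp=1):
    """Assemble a multi-part legacy image the way `mkimage -T script/multi` lays it out:
    a table of big-endian part sizes terminated by a zero word, then each part padded to 4."""
    table = b"".join(struct.pack(">I", len(p)) for p in parts) + struct.pack(">I", 0)
    body = b"".join(p + b"\0" * (-len(p) % 4) for p in parts)
    data = table + body
    fields = [IH_MAGIC, 0, 0, len(data), 0, 0, _crc(data), os_, arch, typ, comp, name.ljust(32, b"\0")]
    fields[1] = _crc(HEADER.pack(*fields))     # ih_hcrc is taken over the header with itself zeroed
    return HEADER.pack(*fields) + data


def parse_uimage(blob: bytes):
    """Check magic and both CRCs, then return (header dict, [(file offset, size, bytes), ...]).
    Offsets are positions in `blob` (usable with dd), unlike the pointer-looking values an
    old mkimage -l prints."""
    if len(blob) < HEADER.size:
        raise ValueError("shorter than a 64-byte legacy header")
    (magic, hcrc, ts, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = HEADER.unpack_from(blob, 0)
    if magic != IH_MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    if _crc(blob[:4] + b"\0\0\0\0" + blob[8:HEADER.size]) != hcrc:
        raise ValueError("header CRC mismatch")
    data = blob[HEADER.size:HEADER.size + size]
    if len(data) != size:
        raise ValueError("truncated: header says %d data bytes, got %d" % (size, len(data)))
    if _crc(data) != dcrc:
        raise ValueError("data CRC mismatch: payload modified or corrupt")
    header = {"name": name.rstrip(b"\0").decode("ascii", "replace"), "time": ts,
              "size": size, "load": load, "entry": ep,
              "os": IH_OS.get(os_, str(os_)), "arch": IH_ARCH.get(arch, str(arch)),
              "type": IH_TYPE.get(typ, str(typ)), "comp": IH_COMP.get(comp, str(comp))}
    parts = []
    if typ in (IH_TYPE_MULTI, IH_TYPE_SCRIPT):
        sizes, pos = [], 0
        while True:                                   # size table ends with a zero entry
            (n,) = struct.unpack_from(">I", data, pos)
            pos += 4
            if n == 0:
                break
            sizes.append(n)
        for n in sizes:
            parts.append((HEADER.size + pos, n, data[pos:pos + n]))
            pos += n + (-n % 4)                       # parts are 4-byte aligned
    return header, parts


def identify(chunk: bytes) -> str:
    """Cheap magic check for what a split-out part is (roughly what `file` would say)."""
    if chunk[:4] == struct.pack(">I", IH_MAGIC):
        return "U-Boot legacy image"
    if chunk[:4] == CRAMFS_MAGIC_BE:
        return "cramfs (big endian)"
    if chunk[:4] == CRAMFS_MAGIC_BE[::-1]:
        return "cramfs (little endian)"
    if chunk[:2] == b"\x1f\x8b":
        return "gzip"
    return "unknown"


def leaf_payloads(blob: bytes, prefix: str = ""):
    """Descend through nested legacy images and return [(path, bytes)] for every part
    that is not itself a valid uImage, e.g. the CramFS at the bottom of the stack."""
    _, parts = parse_uimage(blob)
    leaves = []
    for i, (_off, _n, chunk) in enumerate(parts):
        path = "%s%d" % (prefix, i)
        if identify(chunk) == "U-Boot legacy image":
            try:
                leaves += leaf_payloads(chunk, path + "/")
                continue
            except (ValueError, struct.error):
                pass                                   # magic collision or damaged inner image
        leaves.append((path, chunk))
    return leaves


# Constructed sample: a PowerPC Linux script image (the shape of the FG-100 release
# file) whose third part is another uImage wrapping a fake CramFS superblock.
SAMPLE = build_uimage([
    b"echo boot",
    b"\x1f\x8b" + b"\0" * 10,
    build_uimage([CRAMFS_MAGIC_BE + b"x" * 20], name=b"inner", typ=IH_TYPE_MULTI, comp=0),
])

if __name__ == "__main__":
    hdr, parts = parse_uimage(SAMPLE)
    print(hdr)
    for off, n, chunk in parts:
        print("offset %d size %d -> %s" % (off, n, identify(chunk)))
    for path, chunk in leaf_payloads(SAMPLE):
        print("leaf %s: %s (%d bytes)" % (path, identify(chunk), len(chunk)))
```

Running the script on a real release file (`parse_uimage(open(path, "rb").read())`) gives the same header fields as mkimage -l plus usable offsets; a leaf that identify() reports as cramfs can then be written out and mounted on a matching-endian VM as the advisory describes. Both CRC checks are deliberate: a modified payload is rejected, which is also the reason a repacked firmware must have its CRCs recomputed.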
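Once the filesystem is extracted, the finding above reduces to a mechanical check of /etc/passwd: accounts with a login shell, a non-locked hash in passwd itself, and a weak hash scheme (traditional 13-character DES crypt, or an empty field) are hard-coded credentials an attacker can recover. The following triage routine is an added example, not part of the advisory or of the device firmware; the passwd lines it runs over are constructed, with made-up 13-character placeholders in place of real DES hashes, and triage_passwd / backdoor_candidates are hypothetical names.

```python
"""Triage /etc/passwd from an extracted firmware image for login-capable accounts
whose password hash is weak or absent. Added example; sample lines are constructed."""
import re

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")   # classic crypt(3): 2-char salt + 11 chars
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/nologin"}
WEAK_SCHEMES = {"DES crypt (traditional)", "empty (no password)"}


def hash_scheme(field: str) -> str:
    """Classify the password field of a passwd/shadow entry."""
    if field == "":
        return "empty (no password)"
    if field == "x" or field.startswith(("!", "*")):
        return "shadowed/locked"
    if field.startswith("$1$"):
        return "md5crypt"
    if field.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if field.startswith("$5$"):
        return "sha256crypt"
    if field.startswith("$6$"):
        return "sha512crypt"
    if DES_CRYPT.match(field):
        return "DES crypt (traditional)"
    return "unknown"


def triage_passwd(text: str):
    """Return one record per well-formed passwd line with the fields that matter here."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue                                 # malformed line, skip rather than guess
        user, pw, uid, _gid, _gecos, _home, shell = fields
        scheme = hash_scheme(pw)
        records.append({
            "user": user,
            "uid": int(uid) if uid.isdigit() else -1,
            "shell": shell,
            "scheme": scheme,
            # A shell that can run and a hash present in passwd itself: telnet login possible.
            "login_capable": shell not in NOLOGIN_SHELLS and scheme != "shadowed/locked",
        })
    return records


def backdoor_candidates(records):
    """Accounts an attacker can log in to after cracking (or without) a password.
    uid 0 entries are the ones that hand over the whole device."""
    return [r for r in records if r["login_capable"] and r["scheme"] in WEAK_SCHEMES]


# Constructed sample in the shape of the FG-100 file; hashes are placeholders, not real.
SAMPLE_PASSWD = """\
root:AbCdEfGhIjKlM:0:0:root:/root:/bin/sh
config:nOpQrStUvWxYz:4671:100:device configuration:/fw_upload:/usr/local/config/DeviceConfig
dialin:12./abcDEFghi:4672:100:dial-in:/:/bin/false
svc:$6$saltsalt$notarealhashxx:1000:1000:service:/var/svc:/bin/sh
nobody:x:65534:65534:nobody:/tmp:/bin/sh
"""

if __name__ == "__main__":
    for r in backdoor_candidates(triage_passwd(SAMPLE_PASSWD)):
        flag = "ROOT" if r["uid"] == 0 else "user"
        print("%s %-8s %-25s shell=%s" % (flag, r["user"], r["scheme"], r["shell"]))
```

On the device's real file this flags root (uid 0, /bin/sh, DES) and config (DES, custom shell), and not FG-100-PB, whose shell is /bin/false. The check says nothing about password strength; a DES hash is only ever 8 characters of entropy at most, which is why the next step in the advisory was simply hashcat.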