Bugtraq mailing list archives

[GIS 2002101601] SkyStream Admin Shell Privilege Escalation.


From: Global InterSec Research <research () globalintersec com>
Date: Fri, 27 Dec 2002 17:03:33 +0000

Global InterSec LLC
http://www.globalintersec.com

GIS Advisory ID:  2002101601
Changed:          12/27/2002
Author:           research () globalintersec com
Reference:        http://www.globalintersec.com/adv/skystream-2002101601.txt

Summary:

   SkyStream's Edge Media Router-5000 (EMR5000), a DVB to
   multicast router, suffers from a vulnerability in its
   configuration shell.

Impact:

   A remote user may be able to gain access to the configuration
   shell of the device via the telnet protocol and escalate user 
   privileges to those of the root user.

Versions Tested:

   1.16 
   1.17
   1.18

Description:
  
   The Edge Media Router client shell is designed to allow a remote
   or local (via serial) user to change system settings and view
   network statistics, critical to the operation of the device, 
   without giving up a root shell.

   A buffer overflow exists in the routines for reading and validating
   user input into the shell. This may be exploited through either the
   heap or the stack. 

   Rather than using the GNU readline library, SkyStream has implemented
   their own proprietary shell control routines, which has contributed to
   this problem.
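   As an added illustration of the defect class the advisory describes (a
   defensive example written for this page, not SkyStream's code and not
   part of the advisory): a bounded command-line reader for a configuration
   shell that refuses an overlong line before copying a byte into its fixed
   buffer, and bounds the token array as well. CMD_MAX, ARGV_MAX and all
   function names are assumptions.

```c
#include <string.h>
#include <stdbool.h>

/* Hypothetical bounded command-line reader for a CLI shell (example code,
 * not SkyStream's). Overlong lines and token floods are refused, not copied. */
#define CMD_MAX  256   /* longest accepted line, including the NUL */
#define ARGV_MAX 16    /* most tokens one command may carry */
typedef struct { char line[CMD_MAX]; char *argv[ARGV_MAX + 1]; int argc; } command_t;

/* 0 = ok, -1 = line too long, -2 = too many tokens. `input` stands in
 * for the bytes received over telnet or the serial console. */
int parse_command(const char *input, command_t *cmd)
{
    size_t len = strcspn(input, "\r\n");   /* length up to end of line */
    if (len >= CMD_MAX) return -1;         /* would not fit: reject, never truncate */
    memcpy(cmd->line, input, len);
    cmd->line[len] = '\0';
    char *p = cmd->line;                   /* split in place on blanks/tabs */
    cmd->argc = 0;
    while (*p) {
        p += strspn(p, " \t");             /* skip separators */
        if (!*p) break;
        if (cmd->argc >= ARGV_MAX) return -2;  /* argv bound enforced too */
        cmd->argv[cmd->argc++] = p;
        p += strcspn(p, " \t");            /* end of this token */
        if (*p) *p++ = '\0';
    }
    cmd->argv[cmd->argc] = NULL;
    return 0;
}

/* argc on success, otherwise the negative parse_command code. */
int command_argc(const char *input)
{
    command_t cmd;
    int rc = parse_command(input, &cmd);
    return rc < 0 ? rc : cmd.argc;
}

/* Constructed probe: n 'A' bytes plus a newline (cf. the 1052-byte line in the
 * advisory's gdb session). Returns parse_command's verdict. */
int parse_repeated_a(size_t n)
{
    char buf[2048]; command_t cmd;
    if (n + 2 > sizeof buf) return -3;     /* the probe itself stays in bounds */
    memset(buf, 'A', n);
    buf[n] = '\n'; buf[n + 1] = '\0';
    return parse_command(buf, &cmd);
}
```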

Scope for attack:
  
   Although the EMR5000's configuration shell is password protected
   over both telnet and the serial console, as with many router
   products, system administrators neglect to change the default
   password setting. Where this is the case, a remote attacker
   would be able to gain root access over the telnet protocol.
   
Work around:

   - Use the EMR5000's administrative web interface to disable the
     telnet server daemon.

   - Only permit telnet access to the device from trusted subnets.

Credit:

   The vulnerabilities disclosed in this advisory were discovered
   during routine penetration tests. They were further researched 
   at Global InterSec's facility. 

   The research division can be reached at research () globalintersec com

Vendor Status:

   SkyStream Inc. was notified of this problem on Oct 28th 2002.

   Although SkyStream informed us that they were looking into
   these issues, no follow-up information has been provided to
   Global InterSec.

Proof of concept:

   This vulnerability has been successfully exploited in controlled conditions.
   As you can see from the example below, where we overwrite the %lr and %pc
   registers (equivalent of %eip and %ebp on X86), SkyStream has left us
   plenty of room for our shellcode on the stack.

         SkyStream Networks
         Edge Media Router
         Please login as 'emradmin' for Command-Line Interface

         emr5000 login: emradmin
         Password: 
         [emradmin@emr5000] [1052 bytes][%lr] 

         Program received signal SIGSEGV, Segmentation fault.
         [Switching to Thread 1024 (LWP 17118)]
         0xdeadbeec in ?? ()
         (gdb) i r r0 r12 r27 r28 r29 r30 r31 pc lr
         r0             0xdeadbeec       -559038735
         r12            0x41414141       1094795585
         r27            0x41414141       1094795585
         r28            0x41414141       1094795585
         r29            0x41414141       1094795585
         r30            0x41414141       1094795585
         r31            0x41414141       1094795585
         pc             0xdeadbeec       -559038736
         lr             0xdeadbeec       -559038735
         (gdb) 

Legal:

   This advisory is the intellectual property of Global InterSec LLC 
   but may be freely distributed with the conditions that:

         a) No fee is charged.
         b) Appropriate credit is given.
         c) Distribution of the advisory does not break NDAs issued by GIS.

(c) Global InterSec LLC 2002
