Holes In Embedded Devices - Desynchronized Service Accting As Backdoor

Embedded devices usually offer different types of services or interfaces so they can be configured by administrators remotely either from the Internet or over the LAN. Some of the most common examples include Telnet, FTP, SSH, HTTP (web console), HTTPS and SNMP.

Provided that such services are allowed to be accessible from the Internet, the embedded device could be configured by an administrator who could be located anywhere on the planet.

These administrative services usually require administrators to authenticate via a username/password pair. However, what if the credentials for one of these services were not synchronized with the credentials on rest of the daemons/services?

In order to illustrate the idea of a desynchronized service acting as a backdoor, let's consider a hypothetical scenario. Let's say for instance that a vulnerable embedded device runs Telnet and HTTP by default. In order to lock down the device, the admin user decides to change the default admin password to a hard-to-guess value via the web console (HTTP). The admin user simply chooses to do so via HTTP rather than Telnet because he finds it easier to configure the device with a web browser rather than a Telnet terminal.

Once the default admin password has been changed, most people would assume that administrative access is not possible using the default password anymore. However, in this case, the vulnerable device uses two different internal administrative accounts for the HTTP and Telnet interfaces. The consequences are fatal: the admin user believes that it's not possible to gain admin privileges to the device using the default password. Nothing could be further from the truth in our hypothetical scenario as the Telnet daemon still allows users/attackers to login using the default admin password!

Archived Comments

entombed

If a specific service such as telnet is needed it's most likely the admin has changed the default password. Otherwise the service will be disabled anyway.

Ghost

I've dealt with routers that have telnet off by default (or at least booted you as soon as you connected) but it was possible to enable them and be accessed by the default username and password. Dunno how many of them are out there that are like that but its interesting though.

Adrian Pastor

@entombed - how about devices that come with telnet running by default? Are *all* admins checking if such services are enabled by default? How about home routers shipped by ISPs with telnet enabled by default on the WAN interface? Think about this for a second. We all remember the BeThere fiasco in which a backdoor account could be used to login to routers from the Internet via telnet: http://blogs.securiteam.com/index.php/archives/826

Adrian Pastor

@Ghost - although this issue is not usually a default setup on embedded devices, I assure you that there are real examples of this vulnerability out there. For instance, I'm currently working towards reporting a very severe issue to a vendor which is based on the same idea: an administrative service different to HTTP which runs by default allows remote access with a different set of credentials. Worst of all, such service is enabled on the WAN interface by default! Most likely I will be able to present this vulnerability among many others on my "Cracking into Embedded Devices and Beyond!" presentation @ HITB Dubai: http://conference.hackinthebox.org/hitbsecconf2008dubai/?page_id=186

DamionKutaeff

Hello everybody, my name is Damion, and I'm glad to join your conmunity, and wish to assit as far as possible.

Adrian 'pagvac' Pastor

Just noticed a very nice example of a desynchronized service acting as a backdoor: http://www.milw0rm.com/exploits/5289 Even if the user changes the default password, there is still another management service which keeps using the original default pass. Simple vulnerability yet it has obvious serious implications.