(This image was created with the assistance of DALL·E 2)
Welcome to our new blog series: Vulnerability of the Month! With this series we would like to give you insights into our and our hackers’ daily work and talk about vulnerabilities. By doing so, we hope to help spread important security knowledge about specific vulnerabilities, how to find them, techniques used and by doing that, raising awareness for all the vulnerabilities that may still be out there.
How it works
We talk about current vulnerabilities we are working on, coming directly from our work with our programs and customers. This means, the vulnerabilities are not necessarily fixed at the time of the blog post and brings some implications with it:
- The customer and owner of the system will never be disclosed
- The product affected or the specific system will never be disclosed
- If both can’t be guaranteed, we won’t talk about the vulnerability
- Later disclosure is possible, in the context of CVD (Coordinated Vulnerability Disclosure)
Why do it this way?
We can talk about what is on our mind currently and still fresh with all details. We can spread knowledge and insights of what is currently going on, not about something that happened in the past. We strongly believe shared knowledge about techniques or technical details of vulnerabilities will advance security – history has shown that holding back such information never helped in the long term. Customer names, products affected, or specific systems are not needed for talking about the technical stuff, there are other, well-established procedures for addressing those areas (CVD with advisories, CVE id’s, …).
Vulnerability of January 2023
Credits: this vulnerability was reported by Raphaël Arrouas (“Xel”)
Context of the Bug Bounty program
- A time limited, budget limited private program (Reality Check)
- Almost the entire Internet exposed footprint of the customer in scope (wide scope with IP ranges and the main 2nd level domains)
- Time between launch of the program and submission of the report: 4 days
- Multiple appliances to stream video content (e.g., live streaming of events, webcasts)
- Exposed to the Internet, reachable by IP
The vulnerability as described by the Hacker
The first step was to identify the appliances in the IP range. This included the type of system, the specific version, the vendor, …. Next step was to register on the website of the vendor to get more detailed information and access to the firmware of the appliances itself. It turned out that the firmware can be downloaded with the registration in the exact version used by the customer.
With the firmware at hand, it can be extracted and decompressed (the firmware itself is a Linux filesystem). Analyzed – and exposed an undocumented user, identical to the admin user and having the vendors name in the username.
While the admin user can have its password changed using documented methods, the other, undocumented user cannot be changed or disabled. Changing the user is explicitly excluded, as can be seen in the source code (coming from a decompiled DLL).
Available in the htpasswd file is the hash of the password only – and it seems not easy crackable. This wasn’t necessary as it turned out, the user is used in a startup script with the password in cleartext included…
In short, the appliances have an undocumented, unchangeable vendor-admin user which cannot be deactivated.
A quick Censys search with the certificate issuer (which is identical across the appliances) gave us around 8’850 such appliances exposed to the internet.
The relevant question with this backdoor user is – what can be done with it? Well, quite a lot:
- The appliances expose many webservices (not all of them are documented, but the full list can be found by decompiling the firmware)
- The verification shows, that those webservices can indeed be invoked and used using the backdoor user
- Some possibilities with the webservices:
- get the device logs (which contain challenge and response details of some auth procedures – but that is another story…)
- configure the streaming (setting and getting stream details)
Ongoing steps (either by us, the customer or in combination):
- Coordinating with vendor to fix the vulnerability
- Issue a CVE advisory
Interested in the topic and working with our customers and hackers on such vulnerabilities? We’re hiring – please get in touch: bugbounty.ch/en/jobs!
Interested in finding vulnerabilities? We’re always looking for new hacking talents – please register yourself here: bugbounty.ch/hacker!