Sentry Research Labs
www.sentry-labs.de.vu

product:         IPC@Chip (Beck GmbH)
vendor informed: 21st of May
status:          unanswered

Note: The demonstration tool and a German version of this report (an English download version is also available) can be obtained from our website.

Siberian

---------------------------------------------------------------------------------

IPC@CHIP Security Report v0.2
2001 by Sentry Research Labs
www.sentry-labs.de.vu

Vendor informed: Monday, 21st of May

Pre

We did a security audit on the IPC@Chip (vendor: Beck GmbH) using a DK40 Evaluation Board. During these tests we checked the system for common security flaws, applied common attack strategies and analysed the behaviour of the IPC. Hopefully all bugs will be removed in future versions of the BIOS software. We will keep monitoring this product in the future.

SDL
Warnings: 8
Flaws:    3

Warnings

TelnetD

  DEFAULT passwords
  The IPC is using a TelnetD with factory-set DEFAULT passwords ("tel").

  Brute Force
  Because the TelnetD does not use a random delay on its login attempts and does not count or log bad passwords, the password can be brute-forced in no time. A demonstration tool is available on our website.

  Lock up
  Only one user may use the TelnetD at a time and there is no timeout set by default. So it is possible to lock out the real admin: just connect to the IPC and leave a telnet window open and untouched.

  User Guess Attack
  By analysing the return value given by the TelnetD on login it is possible to find existing user accounts. A demonstration tool is available on our webpage.
    "User unknow" = non-existing user
    "Password:"   = existing account

Webserver

  CHIP.INI
  The webserver root directory is set to / by default. An attacker may download the chip.ini file, containing all logins and passwords, by requesting e.g. http://ipcchipip/chip.ini.

  Long Requests
  If a really long request is sent, the server stops responding, but a few moments later everything is fine again. All requests sent during the downtime are lost.

FTPD

  DEFAULT passwords
  The IPC is using an FTPD with factory-set DEFAULT passwords ("anonymous" or "ftp"), both full-access accounts.

TCP/IP Sockets

  By SYN flooding or mass-requesting HTTP files the IPC may be blocked for some time. There is a maximum of only 64 sockets, so a lame DoS attack is really easy.

Flaws

ChipCfg
  This CGI script is installed by default and can't be removed. It reveals network data to anyone, including possible attackers. Request e.g. http://ipcchipip/ChipCfg.
  Workaround: -

FTPD
  By adding just one user to the system, the DEFAULT accounts are not disabled completely; "anonymous" still works and grants full access.
  Workaround: Add a second user.

TelnetD
  By adding just one user to the system, the DEFAULT accounts are not disabled; "tel" still works and grants full access.
  Workaround: Add a second user.
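Since the report notes that the TelnetD neither counts nor logs bad logins, a defender has to spot the Brute Force, Lock up and TCP/IP Sockets patterns described above on the wire. The following Python detector is an added example (not from the Sentry report or from Beck) that does this over a connection log captured in front of the device; the record format, the Zeek-like state values and all sample traffic are constructed for this demonstration.

```python
from collections import defaultdict

# Constructed records: (timestamp_s, src_ip, dst_port, state, duration_s). The
# state field mimics Zeek-style conn states: "S0" = SYN seen but no handshake
# completed, "SF" = normal session. All traffic here is synthetic.
SAMPLE_LOG = (
    [(1000 + i, "10.0.0.5", 23, "SF", 1) for i in range(25)]          # 25 short telnet logins in 25 s
    + [(2000, "10.0.0.9", 23, "SF", 3600)]                             # one telnet session held open for an hour
    + [(3000 + i * 0.1, "10.0.0.7", 80, "S0", 0) for i in range(70)]   # 70 half-open SYNs in 7 s
    + [(4000, "10.0.0.2", 80, "SF", 2)]                                # an ordinary page fetch
)

TELNET = 23
MAX_SOCKETS = 64  # the report's stated limit of TCP/IP sockets on the IPC@Chip

def burst(times, window, threshold):
    """True if at least `threshold` events fall within any `window` seconds."""
    times = sorted(times)
    j = 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        if i - j + 1 >= threshold:
            return True
    return False

def detect(records, window=60, login_threshold=20, lockup_secs=600):
    """Return sorted (alert_name, src_ip) pairs for the abuse patterns in the report."""
    alerts = set()
    quick_telnet = defaultdict(list)  # brute force / user guessing: many short logins
    half_open = defaultdict(list)     # socket exhaustion: SYNs that never complete
    for ts, src, port, state, dur in records:
        if port == TELNET and state == "SF" and dur < 5:
            quick_telnet[src].append(ts)
        if port == TELNET and dur >= lockup_secs:
            alerts.add(("telnet-lockup", src))  # one idle session blocks the single-user TelnetD
        if state == "S0":
            half_open[src].append(ts)
    for src, times in quick_telnet.items():
        if burst(times, window, login_threshold):
            alerts.add(("telnet-bruteforce", src))
    for src, times in half_open.items():
        if burst(times, window, MAX_SOCKETS):  # nearing the 64-socket cap means service loss
            alerts.add(("socket-exhaustion", src))
    return sorted(alerts)

if __name__ == "__main__":
    for name, src in detect(SAMPLE_LOG):
        print(f"{name}: {src}")
```

The thresholds are starting points; tune `login_threshold` and `lockup_secs` to the site's normal administrative use of the device.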
This archive was generated by hypermail 2b30 : Thu May 24 2001 - 10:08:27 PDT