IPC@Chip Security

From: Siberian (i.am.a@x-men.com)
Date: Thu May 24 2001 - 08:10:40 PDT


    Sentry Research Labs
    www.sentry-labs.de.vu
    
    product: IPC@Chip (Beck GmbH)
    vendor informed: 21st of May
    status: unanswered
    
    Note: The demonstration tool and a German version (there is also an English
    download version) of this report are available from our website.
    
    Siberian
    
    ---------------------------------------------------------------------------------
    
    IPC@CHIP Security Report v0.2
    2001 by Sentry Research Labs
    www.sentry-labs.de.vu
    
    Vendor informed: Monday, 21st of May
    
    Pre
    
    We did a security audit on the IPC@Chip (vendor is Beck GmbH) using a DK40
    Evaluation Board. During these tests we tested the system for common security
    flaws, used common attack strategies and analysed the behaviour of the IPC.
    Hopefully all bugs will be removed in further versions of the BIOS software.
    We will keep on monitoring this product in the future.
    
    SDL
    
    
    Warnings: 8
    Flaws: 3
    
    
    Warnings
    
    TelnetD
    
    DEFAULT passwords
    The IPC is using a TelnetD with factory set DEFAULT Passwords ("tel").
    
    Brute Force
    Because the TelnetD isn't using a random delay on its login attempts and it
    isn't counting or logging any bad passwords, it's possible to brute force
    the password in no time. A demonstration tool is available on our website.
    
    Lock up
    Only one user may use the TelnetD at once and there isn't any timeout set by
    default. So it's possible to lock out access for the real admin. Just connect
    to the IPC and leave a telnet window open and untouched.
    
    User Guess Attack
    By analysing the return value given by the TelnetD on login it's possible to
    find existing user accounts. A demonstration tool is available on our
    webpage.
    
    "User unknow" = non existing user
    "Password:"   = existing account
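
    The two TelnetD weaknesses above (no delay or failure counting, and a login
    prompt that differs for existing and non-existing users) modelled side by side
    with a hardened responder. This is an added illustration, not Beck's firmware
    or the Sentry Research Labs tool; the account name "admin" and the lockout
    threshold are constructed assumptions, the "tel" default is from the report.

```python
import hmac
from dataclasses import dataclass, field

# Constructed account table; "tel" is the factory default named in the report.
ACCOUNTS = {"admin": "tel"}


def vulnerable_prompt(user: str) -> str:
    """Behaviour described in the report: the reply after the username already
    tells the client whether the account exists (an enumeration oracle)."""
    return "Password:" if user in ACCOUNTS else "User unknow"


@dataclass
class HardenedTelnetD:
    """Uniform prompt, failure counting, audit trail and lockout."""
    max_failures: int = 5                      # assumed policy value
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # what a logging TelnetD would keep

    def prompt_after_user(self, user: str) -> str:
        # Same prompt whether or not the account exists: nothing to enumerate.
        return "Password:"

    def authenticate(self, user: str, password: str) -> bool:
        if user in self.locked:
            self.audit.append(f"refused: account {user!r} is locked")
            return False
        # Compare against an empty secret for unknown users so the code path
        # (and timing) is the same; compare_digest avoids early-exit leaks.
        expected = ACCOUNTS.get(user, "")
        ok = user in ACCOUNTS and hmac.compare_digest(
            expected.encode(), password.encode())
        if ok:
            self.failures.pop(user, None)
            return True
        n = self.failures[user] = self.failures.get(user, 0) + 1
        self.audit.append(f"bad password for {user!r} (attempt {n})")
        if n >= self.max_failures:
            self.locked.add(user)
            self.audit.append(f"locked {user!r} after {n} failures")
        return False
```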
    
    
    Webserver
    
    CHIP.INI
    The webserver root directory is set to / by default. An attacker may download
    the chip.ini file, containing all logins and passwords, by typing e.g.
    http://ipcchipip/chip.ini.
    
    Long Requests
    If a really long request is sent, the server stops responding, but a few
    moments later everything is fine again. All requests sent during the
    downtime are lost.
    
    
    FTPD
    
    DEFAULT passwords
    The IPC is using an FTPD with factory set DEFAULT Passwords ("anonymous" or
    "ftp"), both full-access accounts.
    
    TCP/IP
    
    Sockets
    By SYN flooding or mass requesting HTTP files the IPC may be blocked for some
    time. There is a max. of only 64 sockets, so a lame DoS attack is really
    easy.
    
    Flaws
    
    ChipCfg
    
    This CGI script is installed by default and can't be removed. It reveals
    network data to anyone, including possible attackers.
    
    Type e.g. http://ipcchipip/ChipCfg.
    
    Workaround: -
    
    FTPD
    
    By adding just one user to the system, the DEFAULT accounts are not disabled
    completely; "anonymous" still works and grants full access.
    
    Workaround: Add a second user.
    
    TelnetD
    
    By adding just one user to the system, the DEFAULT accounts are not
    disabled; "tel" still works and grants full access.
    
    Workaround: Add a second user.
    



    This archive was generated by hypermail 2b30 : Thu May 24 2001 - 10:08:27 PDT