Sentry Research Labs
www.sentry-labs.de.vu

Last week, we published bugs and flaws in BECK GmbH's IPC@Chip. Today an official analysis was published by Beck which contains information on fixes and classification. We are happy to see that there is someone really trying to do their best to fix their product. The communication during the first contact and today was really good and we want to thank BECK GmbH for being so nice.

Ok, here is the official statement, please add it to the Bugtraq vulnerability databases, to inform customers about updates and fixes.

regards,
Siberian

---cut---

This week, some alleged security risks with the BECK IPC@CHIP were published. In this text we would like to comment on these possible security risks. We would like to classify each item in a category:

1. Security risks that we confirmed and we have to handle in future BIOS versions.
2. Security risks that are caused by a default setting that makes the first use of the product easy. The system offers configuration settings to avoid these possible risks. We will create a 'security manual' that addresses these items.
3. Items that we do not regard as a misbehaviour/risk or that we could not reproduce.

TelnetD DEFAULT passwords
Claim: The IPC is using a TelnetD with factory set DEFAULT Passwords ("tel").
Analysis: Category 2. Password can be configured.

Brute Force
Claim: Because the TelnetD isn't using a random delay on its login attempts and it isn't counting or logging any bad passwords, it's possible to brute force the password in no time. A demonstration tool is available on our website.
Analysis: Category 1. Already fixed. Test version is available upon request.

Lock up
Claim: Only one user may use the TelnetD at once and there isn't any timeout set by default. So it's possible to lock access for the real admin. Just connect to the IPC and leave a telnet window open and untouched.
Analysis: Category 2. Timeout can be configured.

User Guess Attack
Claim: By analysing the return value given by the TelnetD on login it's possible to find existing user accounts. A demonstration tool is available on our webpage.
Analysis: Category 1. Already fixed. Test version is available upon request.

Webserver CHIP.INI
Claim: The webserver root directory is set to / by default. An attacker may download the chip.ini file, containing all logins and passwords, by typing e.g. http://ipcchipip/chip.ini.
Analysis: Category 2. Can be configured.

Long Requests
Claim: If a really long request is sent the server stops responding, but a few moments later everything is well again. All requests sent during the downtime are lost.
Analysis: Category 3. Downtime is not longer than it takes to process the request. No misbehaviour could be reproduced.

FTPD
Claim: The IPC is using an FTPD with factory set DEFAULT Passwords ("anonymous" or "ftp"), both full-access accounts.
Analysis: Category 2. Can be configured.

SYN flooding
Claim: By SYN flooding or mass requesting HTTP files the IPC may be blocked for some time. There is a max. of only 64 sockets, so a lame DoS attack is really easy.
Analysis: Category 3. Tests have shown that our system is not sensitive to SYN flooding. The webserver itself is limiting the number of simultaneous connections, thus the 64 sockets are not 'consumed'.

ChipCfg
Claim: This CGI script is installed by default and can't be removed. It reveals network data to anyone, also possible attackers.
Analysis: Category 2. The API allows removal of this CGI with the CGI_REMOVE function.

FTPD
Claim: By adding just one user to the system, the DEFAULT accounts are not disabled completely, "anonymous" still works and grants full access.
Analysis: Category 2. Both users must be configured as listed in the documentation.

TelnetD
Claim: By adding just one user to the system, the DEFAULT accounts are not disabled, "tel" still works and grants full access.
Analysis: Category 2. Both users must be configured as listed in the documentation.

Ernest Schloesser
Beck IPC GmbH
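The Category 1 items above (brute force without delay or failure counting, user enumeration from the login response) and the Category 2 lockup item (a single telnet slot with no idle timeout) describe what a hardened telnet login policy has to do. The following is an added illustration of such a policy in Python; it is not Beck's BIOS code nor Sentry's demonstration tool, and the limits (MAX_FAILURES, LOCKOUT_SECONDS, IDLE_TIMEOUT_SECONDS, DELAY_RANGE), the user table and the source addresses are all assumptions made for the example. Clock and sleep are injected so the scripted run in demo() is deterministic and needs no network.

```python
"""Hardened telnet login policy: uniform failure message (no user enumeration),
random delay plus per-source failure counting and logging (anti brute force),
and an idle timeout for the single session slot (anti lockup).
Added example; not BECK IPC@Chip code."""
import hmac
import logging
import random
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

log = logging.getLogger("telnetd")

# Policy constants: assumed values for this example, not Beck's settings.
MAX_FAILURES = 5            # failed logins from one source before it is locked out
LOCKOUT_SECONDS = 300.0     # how long a locked-out source stays locked
IDLE_TIMEOUT_SECONDS = 120  # idle seconds after which the session slot is reclaimed
DELAY_RANGE = (1.0, 3.0)    # random delay (seconds) added after every failed login

# One message for every failure: unknown user and wrong password are indistinguishable.
GENERIC_FAILURE = "Login incorrect"


@dataclass
class LoginGuard:
    users: Dict[str, str]                   # username -> password (plaintext only for illustration)
    sleep: Callable[[float], None] = time.sleep
    clock: Callable[[], float] = time.monotonic
    rng: random.Random = field(default_factory=random.Random)
    # source address -> (failure count, time of last failure)
    failures: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def is_locked(self, source: str) -> bool:
        count, last = self.failures.get(source, (0, 0.0))
        if count < MAX_FAILURES:
            return False
        if self.clock() - last >= LOCKOUT_SECONDS:
            self.failures.pop(source, None)   # lockout has expired, start counting afresh
            return False
        return True

    def attempt(self, source: str, username: str, password: str) -> Tuple[bool, str]:
        if self.is_locked(source):
            log.warning("rejected login from locked-out source %s", source)
            return False, GENERIC_FAILURE
        # Compare against a dummy secret when the user does not exist, so neither the
        # message nor the comparison time reveals which accounts are real.
        expected = self.users.get(username, "\x00" * 16)
        ok = hmac.compare_digest(expected.encode(), password.encode()) and username in self.users
        if ok:
            self.failures.pop(source, None)
            log.info("login ok: user=%s source=%s", username, source)
            return True, "Welcome"
        count, _ = self.failures.get(source, (0, 0.0))
        self.failures[source] = (count + 1, self.clock())
        log.warning("login failed: user=%r source=%s failures=%d", username, source, count + 1)
        self.sleep(self.rng.uniform(*DELAY_RANGE))   # random delay makes brute forcing slow
        return False, GENERIC_FAILURE


@dataclass
class Session:
    source: str
    last_activity: float

    def touch(self, now: float) -> None:
        self.last_activity = now


def expired(session: Session, now: float, idle_timeout: float = IDLE_TIMEOUT_SECONDS) -> bool:
    """True when the single telnet slot should be reclaimed from an idle client."""
    return now - session.last_activity > idle_timeout


def demo() -> dict:
    """Scripted run against a constructed user table with injected clock and sleep."""
    now = [1000.0]
    delays: List[float] = []
    guard = LoginGuard(users={"admin": "s3cret"}, sleep=delays.append, clock=lambda: now[0])
    source = "10.0.0.9"                                   # constructed client address
    unknown = guard.attempt(source, "nosuchuser", "x")    # failure 1
    wrong = guard.attempt(source, "admin", "x")           # failure 2
    for _ in range(MAX_FAILURES - 2):                     # failures 3..MAX_FAILURES
        guard.attempt(source, "admin", "x")
    locked = guard.is_locked(source)
    right_but_locked = guard.attempt(source, "admin", "s3cret")
    now[0] += LOCKOUT_SECONDS                             # let the lockout expire
    right_after_lockout = guard.attempt(source, "admin", "s3cret")
    session = Session(source, last_activity=now[0])
    return {
        "unknown_user": unknown,
        "wrong_password": wrong,
        "locked_after_failures": locked,
        "correct_while_locked": right_but_locked,
        "correct_after_lockout": right_after_lockout,
        "delays": delays,
        "idle_session_dropped": expired(session, now[0] + IDLE_TIMEOUT_SECONDS + 1),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two failure paths return the identical tuple, which is what closes the user-guess attack; the per-source counter and the logged warning are what the original TelnetD lacked for brute-force resistance, and `expired()` is the check a server loop would run against the one open session before accepting a new connection.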
This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 21:30:36 PDT