Comments on: Holes in Embedded Devices: Authentication bypass (pt 1)

By: spenser

spenser — Sun, 06 Jul 2008 07:45:54 +0000

Never mind a ups.

There is a $30K+ “enterprise unified threat management” appliance that seems to have a hard coded backdoor super admin account that is not documented to purchasers. It certainly is not mentioned in the documentation. But, it can be seen plain as day to anyone looking at the firmware.

As a matter of fact, in recent years, the newsgroups are rife with complaints from admins that the first thing support wants when called is to be granted admin access from outside the perimeter. Naturally, due to the fact that firewall admins are likely to be somewhat aware of security, this tendency has raised a great deal of derision. The existence of a secret “super admin” account would certainly explain the desire of first level support techs to gain permission to logon.

By: joephantom

joephantom — Sun, 02 Mar 2008 22:47:50 +0000

nice photo. differential equations and gauss’s divergence are your best friends.

By: NurBo

NurBo — Sat, 23 Feb 2008 01:23:41 +0000

good shez Adrian Pastor keep it up I like all 3 parts!

By: Holes in Embedded Devices: Authentication bypass (pt 3) » Inking’s Security Blog

Sat, 16 Feb 2008 11:30:53 +0000

[...] of authentication bypass bug. You may want to familiarize yourself with the previous two entries here and here, before you [...]

By: Holes in Embedded Devices: Authentication bypass (pt 3) | GNUCITIZEN

Holes in Embedded Devices: Authentication bypass (pt 3) | GNUCITIZEN — Sat, 16 Feb 2008 08:08:20 +0000

[...] of authentication bypass bug. You may want to familiarize yourself with the previous two entries here and here, before you [...]

By: ap

ap — Fri, 15 Feb 2008 00:17:01 +0000

correction: “that we shouldn’t just rely” -> “we shouldn’t just rely”

By: Adrian Pastor

Adrian Pastor — Fri, 15 Feb 2008 00:13:35 +0000

hey nexact, thanks for your feedback! just for the record the BT Home Hub auth bypass mentioned as an example was published in Oct 2007 (http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub) and found a month before that.

Needless to say, URL fuzzying is nothing new. The point of this post series is to show that embedded devices can be susceptible to *very* trivial auth bypass bugs.

You’re so right, that we shouldn’t just rely on documented default accounts when trying to find a valid username/password combination. Reverse-engineering the firmware is definitely the way forward!

By: Analyzing Web Interfaces of Embedded Devices « Cyberphobia

Analyzing Web Interfaces of Embedded Devices « Cyberphobia — Thu, 14 Feb 2008 20:06:40 +0000

[...] I’m referencing GnuCitizen again. This time their article is about analyzing web interfaces in embedded [...]

By: nexact

nexact — Thu, 14 Feb 2008 17:10:44 +0000

s/pdp/ap/ in the last comments

By: nexact

nexact — Thu, 14 Feb 2008 15:38:22 +0000

hey pdp!

did I gave you some idea with my auth bypass for airspan prost antenna ? heheh ;)

good posts. ;-)

btw.. if your able to put your hand on a device with port 23 open and you have the firmware.. disassemble it, check if you can’t find a default login/passwd account in it.. i made a found during a pentest, apc battery had a backdoor account.. I’ve been able to go in debug mode and dump the eeprom then gain access to web interface. gg. :)

i know theres a couple of websites around there that giving out default password but you can be *really* surprised if u take a look by yourself.