Backdoor (Image by admlcrunch)

A client was recently interested in a particular brand of serial port to Ethernet converter.  I’ve done my own with socat, and worked professionally on pen-testing an (IMO) excellent secure serial to Ethernet front-end that adds a lot of security and management features.  Intrigued, I wanted to get one that the client was interested in to tear it apart.

Instead, I settled with grabbing a firmware update.  This was a lot cheaper, and let me know quickly that the product isn’t very good.  The Korenix Jetport 5600 series is supposed to do configuration via secure https and ssh.  The device then lets you make its various serial ports accessible via IP.  I say ‘supposed to’ because it doesn’t do a very good job. Note that ORing makes a device that is either OEM’d by Korenix or uses a stolen firmware image…the backdoor here is identical for ORing, and the firmwares are eerily similar, but neither company makes a claim of OEM relationships.  I discovered the firmware relationship while digging around for Shodan banners.

The firmware was simple enough to analyze.  It’s just a Linux firmware image with a zlib compressed filesystem.  I did nothing special to analyze it…the filesystem extracted is ext2.  I opted to not even mount the filesystem for exploration…instead I just used my trusty friend ‘strings’ to look for the passwd and shadow files.

The Korenix documentation indicates that you should log in with an account ‘admin’ with a default password (this password can be changed).

There are three accounts for the embedded Linux operating system: root, guest, and admin.  The encrypted versions of the passwords are shown above.  Curiously ‘guest’ and ‘root’ are not mentioned anywhere in the documentation.  The ‘guest’ account at least is disabled by pointing the login shell to /dev/null.  The ‘root’ account however is enabled — the device uses the dropbear ssh server, but the startup script (also found via ‘strings’) does not disable remote root password login using the ‘-g’ flag.

It took John the Ripper 0.022 seconds to crack the root password.  I have been told by someone with access to an ORing model that, indeed, the root backdoor account is legitimate, and that the account logs in to a configuration shell which allows complete reconfiguration of the serial converter.  It uses the password ‘password’, which is the number one worst password (amusingly, this was also a backdoor password on the Schneider Modicon PLC).
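As an added example (not the author’s tooling), the two checks described above can be scripted against files pulled from an extracted firmware filesystem: which shadow accounts are actually login-capable but absent from the vendor documentation, and whether the dropbear startup line lacks ‘-g’ (or ‘-w’). The passwd, shadow and init-script contents below are constructed stand-ins with placeholder hashes, not the real device files.

```python
"""Audit files from an extracted firmware filesystem for undocumented
login-capable accounts and for dropbear started without -g / -w."""

# Constructed stand-ins for /etc/passwd, /etc/shadow and the dropbear startup
# script; the hashes are placeholders, not the device's real values.
PASSWD = """root:x:0:0:root:/root:/bin/sh
guest:x:500:500:guest:/home/guest:/dev/null
admin:x:501:501:admin:/home/admin:/bin/sh
"""
SHADOW = """root:$1$xxxxxxxx$PLACEHOLDERHASH000000:15000:0:99999:7:::
guest:*:15000:0:99999:7:::
admin:$1$yyyyyyyy$PLACEHOLDERHASH111111:15000:0:99999:7:::
"""
INIT_SCRIPT = """#!/bin/sh
# constructed rc fragment
/usr/sbin/dropbear -p 22 -r /etc/dropbear/dropbear_rsa_host_key
"""

DOCUMENTED_ACCOUNTS = {"admin"}  # the only account the manual mentions
DISABLED_SHELLS = {"/dev/null", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def enabled_accounts(passwd, shadow):
    """Accounts that can log in: shadow hash is not locked ('*' or '!'-prefixed)
    and passwd gives a real shell. An empty hash means passwordless login and
    is treated as enabled."""
    shells = {}
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) == 7:
            shells[f[0]] = f[6]
    enabled = []
    for line in shadow.splitlines():
        f = line.split(":")
        if len(f) < 2:
            continue
        user, pw = f[0], f[1]
        locked = pw == "*" or pw.startswith("!")
        if not locked and user in shells and shells[user] not in DISABLED_SHELLS:
            enabled.append(user)
    return enabled


def undocumented_enabled(passwd, shadow, documented=DOCUMENTED_ACCOUNTS):
    """Enabled accounts the vendor documentation never mentions."""
    return sorted(set(enabled_accounts(passwd, shadow)) - documented)


def dropbear_allows_root_password(script):
    """True if any dropbear invocation lacks both -g (no root password
    login) and -w (no root login at all)."""
    for line in script.splitlines():
        words = line.split()
        if words and not words[0].startswith("#") and any("dropbear" in w for w in words):
            if "-g" not in words and "-w" not in words:
                return True
    return False
```

Run against the real extracted files, an empty `undocumented_enabled` list and a `False` from `dropbear_allows_root_password` are what a properly locked-down image should produce.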

There are other issues with these devices, too, including a very old (circa 2005) version of OpenSSL.

Total analysis time was about 30 minutes, from firmware download to locating the backdoor.  This definitely fits in the ‘not rocket science’ category, as I didn’t have to fire up a disassembler.  Their use of secure login protocols is entirely nullified by the existence of the backdoor.
