Title: Hard-coded ftp and shell user account password in certain Xerox ColorQube and WorkCenter devices Timeline: 20 August 2013 - Discovery 24 August 2013 - Vendor notified 26 August 2013 - Vendor responds and starts confirmation process 30 August 2013 - Vendor acknowledges existance of issue in several product families 21 October 2013 - Vendor issues patches and XRX13_008 Xerox Security Bulletin 03 November 2013 - CVE@Mitre assigns CVE-2013-6362 Author: Andrei Costin of "FIRMWARE.RE" project firstname.lastname@example.org email@example.com Vulnerability discovered using "FIRMWARE.RE" platform/service Security advisory numbering: ACSA-2013-005 XRX13_008 SA55306 CVE-2013-6362 Vendor: Xerox http://www.xerox.com/ Product(s): Xerox ColorCube 9201/9202/9203 Xerox WorkCenter 6400/7525/7530/7535/7545/7556/7755/7765/7775 Please see XRX13_008 Product version(s) affected: Please see XRX13_008 CWE categories: CWE-798: Use of Hard-coded Credentials CWE-259: Use of Hard-coded Password Vulnerability details: The affected products/firmware versions contain an "internal FTP account" whose username is "intFTP". It appears to apply at least to ColorQube 92xx series. One particular firmware file example is "Xerox_ColorQube_upgrade_file_30823.zip/ColorQube_9201-9203_system-sw#06005000930823#.DLM". It is intended to upgrade "ColorQube from versions 060.050.009.03614,,060.050.009.13415 or 060.050.009.24419 to version 060.050.009.30823" The corresponding "/etc/passwd" entry of "intFTP" account is as folows: intFTP:x:51:51:Internal FTP (cc<->nc):/:/bin/bash The corresponding "/etc/shadow" entry of "intFTP" account is as folows: intFTP:$1$BbR.S$t22VMWcrVUOoTPoZwMlza.:13976:::::: The account is active (it's shell is "/bin/bash" and not "/bin/false" nor "/bin/login") The account password hash "$1$BbR.S$t22VMWcrVUOoTPoZwMlza." could not be cracked via bruteforce or known-dictionaries using tools such as "John the Ripper". This shows that the password used is not necessarily a weak one. A security-check verifying password strength would pass this test. However, FIRMWARE.RE automated platform could find the corresponding password hardcoded in the firmware as "t2ZG95En" FIRMWARE.RE platform traced back the password "t2ZG95En" appearing in the files "/upgrade/upgrade_funcs" and "/upgrade/ftpHelper.sh" As far as post-discovery manual analysis was done, the files "/upgrade/upgrade_funcs" and "/upgrade/ftpHelper.sh" are used to transfer upgrade/boot images between CC (copy-controller?) and NC (network-controller?) components/domains of the affected devices. FIRMWARE.RE platform suggests, inline with NIST and CWE-798 and CWE-259, not to hardcode any credentials within the devices/firmware, as well as allowing easy change/update of such credentials in case it is really necessary by design to store them in the device/firmware. Vendor details: http://www.xerox.com/download/security/security-bulletin/14981-4e97ec6ba2f2e/cert_XRX13-008_v1.01.pdf ColorQube 92xx CBC: http://www.xerox.com/downloads/usa/en/c/cert_061.050.223.04800.zip (broken!) ColorQube 92xx SBC: http://www.xerox.com/downloads/usa/en/c/cert_061.080.223.05100.zip (broken!) WorkCentre 6400: http://www.xerox.com/downloads/usa/en/c/cert_061.070.100.24201.zip (broken!) WorkCentre 75xx: http://www.xerox.com/downloads/usa/en/c/cert_061.121.222.06508.zip (broken!) WorkCentre 77xx: http://www.xerox.com/downloads/usa/en/c/cert_061.090.223.21400.zip (broken!) About the author/project: Firmware.RE is part of the Firmware Genome Project. Firmware.RE is a free online service that: - unpacks, scans and analyzes almost any firmware package and facilitates the quick detection of vulnerabilities, backdoors and all kinds of embedded malware. - facilitates firmware mounting, modification, loading and emulation. - facilitates firmware vulnerability and backdoor discovery. - helps secure your embedded and internet-of-things devices.