Title: Hard-coded FTP and shell user account password in certain Xerox ColorQube and WorkCentre devices

Timeline:
20 August 2013 - Discovery
24 August 2013 - Vendor notified
26 August 2013 - Vendor responds and starts confirmation process
30 August 2013 - Vendor acknowledges existence of issue in several product families
21 October 2013 - Vendor issues patches and XRX13_008 Xerox Security Bulletin
03 November 2013 - CVE@Mitre assigns CVE-2013-6362

Author: Andrei Costin of "FIRMWARE.RE" project
andrei@firmware.re
andrei@andreicostin.com
Vulnerability discovered using "FIRMWARE.RE" platform/service

Security advisory numbering:
ACSA-2013-005
XRX13_008
SA55306
CVE-2013-6362

Vendor: Xerox
http://www.xerox.com/

Product(s):
Xerox ColorQube 9201/9202/9203
Xerox WorkCentre 6400/7525/7530/7535/7545/7556/7755/7765/7775
Please see XRX13_008

Product version(s) affected: Please see XRX13_008

CWE categories:
CWE-798: Use of Hard-coded Credentials
CWE-259: Use of Hard-coded Password

Vulnerability details:
The affected products/firmware versions contain an "internal FTP account" whose username is "intFTP". It appears to apply at least to the ColorQube 92xx series.

One particular firmware file example is "Xerox_ColorQube_upgrade_file_30823.zip/ColorQube_9201-9203_system-sw#06005000930823#.DLM". It is intended to upgrade "ColorQube from versions 060.050.009.03614,,060.050.009.13415 or 060.050.009.24419 to version 060.050.009.30823".

The corresponding "/etc/passwd" entry of the "intFTP" account is as follows:

    intFTP:x:51:51:Internal FTP (cc<->nc):/:/bin/bash

The corresponding "/etc/shadow" entry of the "intFTP" account is as follows:

    intFTP:$1$BbR.S$t22VMWcrVUOoTPoZwMlza.:13976::::::

The account is active (its shell is "/bin/bash" and not "/bin/false" nor "/bin/login").

The account password hash "$1$BbR.S$t22VMWcrVUOoTPoZwMlza." could not be cracked via brute force or known dictionaries using tools such as "John the Ripper". This shows that the password used is not necessarily a weak one, so a security check that only verifies password strength would pass this account.

However, the FIRMWARE.RE automated platform could find the corresponding password hard-coded in the firmware as "t2ZG95En". The FIRMWARE.RE platform traced the password "t2ZG95En" back to the files "/upgrade/upgrade_funcs" and "/upgrade/ftpHelper.sh".

As far as post-discovery manual analysis was done, the files "/upgrade/upgrade_funcs" and "/upgrade/ftpHelper.sh" are used to transfer upgrade/boot images between the CC (copy controller?) and NC (network controller?) components/domains of the affected devices.

The FIRMWARE.RE platform suggests, in line with NIST and CWE-798 and CWE-259, not to hard-code any credentials within the devices/firmware, and to allow easy change/update of such credentials in case it is really necessary by design to store them in the device/firmware.

Vendor details:
http://www.xerox.com/download/security/security-bulletin/14981-4e97ec6ba2f2e/cert_XRX13-008_v1.01.pdf
ColorQube 92xx CBC: http://www.xerox.com/downloads/usa/en/c/cert_061.050.223.04800.zip (broken!)
ColorQube 92xx SBC: http://www.xerox.com/downloads/usa/en/c/cert_061.080.223.05100.zip (broken!)
WorkCentre 6400: http://www.xerox.com/downloads/usa/en/c/cert_061.070.100.24201.zip (broken!)
WorkCentre 75xx: http://www.xerox.com/downloads/usa/en/c/cert_061.121.222.06508.zip (broken!)
WorkCentre 77xx: http://www.xerox.com/downloads/usa/en/c/cert_061.090.223.21400.zip (broken!)

About the author/project:
Firmware.RE is part of the Firmware Genome Project. Firmware.RE is a free online service that:
- unpacks, scans and analyzes almost any firmware package and facilitates the quick detection of vulnerabilities, backdoors and all kinds of embedded malware.
- facilitates firmware mounting, modification, loading and emulation.
- facilitates firmware vulnerability and backdoor discovery.
- helps secure your embedded and internet-of-things devices.
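The account-activity check the advisory reasons about (login shell plus unlocked hash) as a small audit over an unpacked firmware root, written as an added example that is neither part of the advisory nor of the FIRMWARE.RE platform; the passwd/shadow samples are constructed around the two intFTP entries quoted above, and the candidate check assumes the Python crypt module is available.

```python
"""Flag accounts in an unpacked firmware root that can actually log in:
a real login shell in /etc/passwd plus an unlocked hash in /etc/shadow."""

# Constructed sample files (assumption): the intFTP lines are the advisory's, the rest is filler.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
intFTP:x:51:51:Internal FTP (cc<->nc):/:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/sbin/nologin
"""
SHADOW = """root:*:13976::::::
daemon:!:13976::::::
intFTP:$1$BbR.S$t22VMWcrVUOoTPoZwMlza.:13976::::::
nobody:*:13976::::::
"""
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/login"}
HASH_KINDS = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}

def parse_colon_file(text):
    """Map the username (first field) to the remaining fields of each line."""
    rows = [l.split(":") for l in text.splitlines() if l and not l.startswith("#")]
    return {r[0]: r[1:] for r in rows}

def hash_kind(pw_field):
    """Classify a password field: locked, none (empty), a crypt(3) scheme, or legacy DES."""
    if pw_field.startswith(("*", "!")):
        return "locked"
    if pw_field == "":
        return "none"
    return HASH_KINDS.get(pw_field[:3], "des")

def active_accounts(passwd_text, shadow_text):
    """Return (user, shell, hash kind) for every account that is not locked
    and whose shell is not one of the known no-login shells."""
    shadow = parse_colon_file(shadow_text)
    found = []
    for user, fields in parse_colon_file(passwd_text).items():
        pw_field, shell = fields[0], fields[5]
        if pw_field == "x":  # shadowed: the real hash lives in /etc/shadow
            pw_field = shadow.get(user, ["*"])[0]
        kind = hash_kind(pw_field)
        if kind != "locked" and shell not in NOLOGIN_SHELLS:
            found.append((user, shell, kind))
    return found

def verify_candidate(candidate, shadow_hash):
    """True/False if a plaintext found elsewhere in the firmware unlocks the hash;
    None when crypt(3) is unavailable (the crypt module was removed in Python 3.13)."""
    try:
        import crypt
        return crypt.crypt(candidate, shadow_hash) == shadow_hash
    except (ImportError, OSError):
        return None
```

Running active_accounts(PASSWD, SHADOW) on the sample returns only intFTP, which is the signal a firmware scan should raise before any password strength test is even considered.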