Global InterSec LLC
http://www.globalintersec.com

GIS Advisory ID: 2002101601
Changed: 12/27/2002
Author: research@globalintersec.com
Reference: http://www.globalintersec.com/adv/skystream-2002101601.txt

Summary:

SkyStream's Edge Media Router-5000 (EMR5000), a DVB to multicast router, suffers from a vulnerability in its configuration shell.

Impact:

A remote user may be able to gain access to the configuration shell of the device via the telnet protocol and escalate user privileges to those of the root user.

Versions Tested:

1.16
1.17
1.18

Description:

The Edge Media Router client shell is designed to allow a remote or local (via serial) user to change system settings and view network statistics, critical to the operation of the device, without giving up a root shell. A buffer overflow exists in the routines for reading and validating user input into the shell. This may be exploited through either the heap or the stack. Rather than using the GNU readline library, SkyStream has implemented their own proprietary shell control routines, which has contributed to this problem.

Scope for attack:

Although the EMR5000's configuration shell is password protected over both telnet and the serial console, as with many router products, systems administrators neglect to change the default password setting. Assuming this is the case, a remote attacker would be able to gain root access over the telnet protocol.

Work around:

- Use the EMR5000's administrative web interface to disable the telnet server daemon.
- Only permit telnet access to the device from trusted subnets.

Credit:

The vulnerabilities disclosed in this advisory were discovered during routine penetration tests. They were further researched at Global InterSec's facility. The research division can be reached at research@globalintersec.com

Vendor Status:

SkyStream Inc. was notified of this problem on Oct 28th 2002. Although SkyStream informed us that they were "looking into" these issues, no follow-up information has been provided to Global InterSec.

Proof of concept:

This vulnerability has been successfully exploited in controlled conditions. As you can see from the example below, where we overwrite the %lr and %pc registers (equivalent of %eip and %ebp on X86), SkyStream has left us plenty of room for our shellcode on the stack.

    SkyStream Networks Edge Media Router
    Please login as 'emradmin' for Command-Line Interface

    emr5000 login: emradmin
    Password:
    [emradmin@emr5000] [1052 bytes][%lr]

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 1024 (LWP 17118)]
    0xdeadbeec in ?? ()
    (gdb) i r r0 r12 r27 r28 r29 r30 r31 pc lr
    r0             0xdeadbeec       -559038735
    r12            0x41414141       1094795585
    r27            0x41414141       1094795585
    r28            0x41414141       1094795585
    r29            0x41414141       1094795585
    r30            0x41414141       1094795585
    r31            0x41414141       1094795585
    pc             0xdeadbeec       -559038736
    lr             0xdeadbeec       -559038735
    (gdb)

Legal:

This advisory is the intellectual property of Global InterSec LLC but may be freely distributed with the conditions that:

a) No fee is charged.
b) Appropriate credit is given.
c) Distribution of the advisory does not break NDAs issued by GIS.

(c) Global InterSec LLC 2002
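Added example, not SkyStream's code and not part of the original advisory: the Description section attributes the overflow to a home-grown routine for reading and validating shell input. The reader below shows the defensive shape such a routine needs. It copies at most outsz-1 bytes into a fixed buffer, always NUL-terminates, and on an over-length line discards the whole line and reports it rather than storing a truncated command. The input source, the CLI_LINE_MAX limit, the function names and the constructed session (including a 1052-byte line, the length shown in the advisory's crash) are all assumptions for the example; the EMR5000's real limits and code are not on the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Maximum command length accepted, including the terminating NUL.
 * Chosen for this example; the device's real limit is not documented here. */
#define CLI_LINE_MAX 256

enum cli_read_status {
    CLI_LINE_OK = 0,      /* a complete line was stored in out */
    CLI_LINE_TOO_LONG,    /* line exceeded the buffer and was discarded whole */
    CLI_LINE_EOF          /* no more input */
};

/* In-memory input source standing in for a telnet or serial session
 * (constructed for the example; a daemon would read a socket or tty). */
struct cli_input {
    const char *data;
    size_t len;
    size_t pos;
};

static int cli_getc(struct cli_input *in)
{
    if (in->pos >= in->len)
        return EOF;
    return (unsigned char)in->data[in->pos++];
}

/* Bounded line reader: never writes past out[outsz-1], always NUL-terminates.
 * An over-length line is consumed to its newline so the next read starts on
 * a clean line boundary, and the caller gets an error instead of a silently
 * truncated command that might parse as something else. */
enum cli_read_status cli_read_line(struct cli_input *in, char *out, size_t outsz)
{
    size_t n = 0;
    int c, too_long = 0;

    if (outsz == 0)
        return CLI_LINE_TOO_LONG;
    out[0] = '\0';

    c = cli_getc(in);
    if (c == EOF)
        return CLI_LINE_EOF;

    for (; c != EOF && c != '\n'; c = cli_getc(in)) {
        if (c == '\r')
            continue;               /* telnet sends CR LF; drop the CR */
        if (n + 1 >= outsz) {       /* buffer full: keep room for the NUL */
            too_long = 1;           /* keep draining to resynchronise */
            continue;
        }
        out[n++] = (char)c;
    }
    out[n] = '\0';

    if (too_long) {
        out[0] = '\0';
        return CLI_LINE_TOO_LONG;
    }
    return CLI_LINE_OK;
}

struct cli_stats { int ok; int rejected; };

/* Drive the reader over a whole session and count accepted/rejected lines. */
struct cli_stats cli_process_session(const char *session, size_t len)
{
    struct cli_input in = { session, len, 0 };
    char line[CLI_LINE_MAX];
    struct cli_stats st = { 0, 0 };
    enum cli_read_status s;

    while ((s = cli_read_line(&in, line, sizeof line)) != CLI_LINE_EOF) {
        if (s == CLI_LINE_OK)
            st.ok++;
        else
            st.rejected++;
    }
    return st;
}

/* Constructed session: a normal command, a 1052-byte line of 'A's (the
 * length seen in the advisory's crash), then another normal command. */
size_t build_demo_session(char *buf, size_t bufsz)
{
    const char *first = "show stats\r\n";
    const char *last = "show version\r\n";
    const size_t overlong = 1052;
    size_t n = 0;

    if (bufsz < strlen(first) + overlong + 2 + strlen(last) + 1)
        return 0;
    memcpy(buf + n, first, strlen(first)); n += strlen(first);
    memset(buf + n, 'A', overlong);        n += overlong;
    memcpy(buf + n, "\r\n", 2);            n += 2;
    memcpy(buf + n, last, strlen(last));   n += strlen(last);
    buf[n] = '\0';
    return n;
}

int main(void)
{
    char buf[2048];
    size_t len = build_demo_session(buf, sizeof buf);
    struct cli_stats st = cli_process_session(buf, len);
    printf("accepted=%d rejected=%d\n", st.ok, st.rejected);
    return 0;
}
```

Two details carry the security value: the length check is against the destination buffer's size, which is passed in rather than assumed, and the over-length line is reported to the caller so the daemon can log it (repeated rejections on a management interface are worth an alert) instead of processing a partial command.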