-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

KL-001-2015-007 : Seagate GoFlex Satellite Remote Telnet Default Password

Title: Seagate GoFlex Satellite Remote Telnet Default Password
Advisory ID: KL-001-2015-007
Publication Date: 2015.12.18
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-007.txt


1. Vulnerability Details

     Affected Vendor: Seagate
     Affected Product: GoFlex Satellite
     Affected Version: 1.3.7
     Platform: Embedded Linux
     CWE Classification: CWE-288: Authentication Bypass Using an
     Alternate Path or Channel; CWE-798: Use of Hard-coded Credentials
     Impact: Remote Administration
     Attack vector: Telnet
     CVE-ID: CVE-2015-2874

2. Vulnerability Description

     Seagate GoFlex Satellite Mobile Wireless Storage devices
     contain a hardcoded backdoor account. An attacker could use
     this account to remotely tamper with the underlying operating
     system when Telnet is enabled.

3. Technical Description

     root@wpad:/tmp/jfroot# ls
     bin  boot  dev  etc  home  include  lib  linuxrc  media  mnt  proc
     satellite_app  sbin  share  srv  static  sys  tmp  usr  var
     root@wpad:/tmp/jfroot# cd etc
     root@wpad:/tmp/jfroot/etc# ls
     angstrom-version  default              fstab                init.d
     iproute2          motd                 org_passwd           protocols
     rc4.d             rS.d                 terminfo             udhcpc.d
     autoUpdURL        device_table         group                inittab
     issue             mtab                 passwd               rc0.d
     rc5.d             scsi_id.config       timestamp            udhcpd.conf
     avahi             device_table-opkg    host.conf            inputrc
     issue.net         network              passwd-              rc1.d
     rc6.d             services             tinylogin.links      udhcpd_factory.conf
     busybox.links     fb.modes             hostname             internal_if.conf
     localtime         nsswitch.conf        profile              rc2.d
     rcS.d             skel                 ts.conf              version
     dbus-1            filesystems          hosts                ipkg
     mke2fs.conf       opkg                 profile.d            rc3.d
     rpc               syslog.conf          udev
     root@wpad:/tmp/jfroot/etc# cat passwd
     root:VruSTav0/g/yg:0:0:root:/home/root:/bin/sh
     daemon:*:1:1:daemon:/usr/sbin:/bin/sh
     bin:*:2:2:bin:/bin:/bin/sh
     sys:*:3:3:sys:/dev:/bin/sh
     sync:*:4:65534:sync:/bin:/bin/sync
     games:*:5:60:games:/usr/games:/bin/sh
     man:*:6:12:man:/var/cache/man:/bin/sh
     lp:*:7:7:lp:/var/spool/lpd:/bin/sh
     mail:*:8:8:mail:/var/mail:/bin/sh
     news:*:9:9:news:/var/spool/news:/bin/sh
     uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
     proxy:*:13:13:proxy:/bin:/bin/sh
     www-data:*:33:33:www-data:/var/www:/bin/sh
     backup:*:34:34:backup:/var/backups:/bin/sh
     list:*:38:38:Mailing List Manager:/var/list:/bin/sh
     irc:*:39:39:ircd:/var/run/ircd:/bin/sh
     gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
     nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
     xoFaeS:QGd9zEjQYxxf2:500:500:Linux User,,,:/home/xoFaeS:/bin/sh

     The xoFaeS user cracked to etagknil.

4. Mitigation and Remediation Recommendation

     The vendor has released a patch that can be
     obtained using the Download Finder located at
     https://apps1.seagate.com/downloads/request.html

5. Credit

     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     of KoreLogic, Inc.

6. Disclosure Timeline

     2015.09.11 - Vulnerability details and PoC sent to Seagate.
     2015.09.15 - Seagate confirms receipt.
     2015.09.28 - Seagate indicates a patch is ready but not yet available to
                  the public.
     2015.09.28 - KoreLogic asks Seagate if they have obtained a CVE-ID for
                  the vulnerability.
     2015.10.27 - Seagate notifies KoreLogic that the patch is publicly
                  available. Seagate indicates they are waiting for a CVE
                  before releasing a security advisory.
     2015.12.08 - KoreLogic requests an update on the CVE-ID and associated
                  Seagate advisory.
     2015.12.08 - Seagate responds with a link to
                  http://www.kb.cert.org/vuls/id/903500
     2015.12.18 - Public disclosure.

7. Proof of Concept

     N/A

The contents of this advisory are copyright(c) 2015
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJWdHZvAAoJEE1lmiwOGYkMyLYIAIUIExCAXwpkz7gV7wENgapS
F5kKOHEJ+Knd9gp9bfKbXaD6IKQ7Qbvamfm/Z0sWKYq2jSQcPTYGQCS4HUckLIbD
jiWjrq2ruf/Ore5yri9Q4kbQ06P8kAcs3ZBo0htpR5Wt3XeYHD/CKB7Ec6QpgOLT
6FwnSg1SuAZzovuA4zVUCx4dCUXXaD1c53gdmh3rcX070SOmrIgElkgpEWkDHHib
ublp8mVA+j+/nMt7+5Q1W+mjEQX2cZyK0b4e4OCVrVYv5RaHgbifT/XXl8OvqdAr
eCVuhlqMqvDizvon2ECFu8yaN49N4F6zf/d923Z+9zIeyl4pgNvIdZMCb1AxDlg=
=qSJi
-----END PGP SIGNATURE-----