Bugtraq mailing list archives

IPC@Chip - Fixes


From: "Siberian" <i.am.a () x-men com>
Date: Sat, 2 Jun 2001 01:43:38 +0200

Sentry Research Labs
www.sentry-labs.de.vu

Last week, we published bugs and flaws in BECK GmbH's IPC@Chip. Today an
official analysis was published by Beck which contains information on fixes
and classification. We are happy to see that there is someone really trying
to do their best to fix their product. The communication during the first
contact and today was really good and we want to thank BECK GmbH for being
so nice.

Ok, here is the official statement, please add it to the Bugtraq
vulnerabilities databases, to inform customers about updates and fixes.

regards,
Siberian

---cut---

This week, some alleged security risks with the BECK IPC@CHIP were
published.
In this text we would like to comment on these possible security risks.
We would like to classify each item in a category:
1. Security risks that we confirmed and we have to handle in future BIOS
versions.
2. Security risks that are caused by a default setting that makes the first
use of the product easy. The system offers configuration settings to avoid
these possible risks. We will create a 'security manual' that addresses
these items.
3. Items that we do not regard as a misbehaviour/risk or that we could not
reproduce.


TelnetD

DEFAULT passwords
Claim: The IPC is using a TelnetD with factory set DEFAULT Passwords
("tel").
Analysis: Category 2. Password can be configured.

Brute Force
Claim: Because the TelnetD isn't using a random delay on its login attempts
and it isn't counting or logging any bad passwords, it's possible to brute
force the password in no time. A demonstration tool is available on our
website.
Analysis: Category 1. Already fixed. Test version is available upon request.

Lock up
Claim: Only one user may use the TelnetD at once and there isn't any timeout
set by default. So it's possible to lock access for the real admin. Just
connect to the IPC and leave a telnet window open and untouched.
Analysis: Category 2. Timeout can be configured.

User Guess Attack
Claim: By analysing the return value given by the TelnetD on login it's
possible to find existing user accounts. A demonstration tool is available
on our webpage.
Analysis: Category 1. Already fixed. Test version is available upon request.


Webserver

CHIP.INI
Claim: The webserver root directory is set to / by default. An attacker may
download the chip.ini file, containing all logins and passwords by typing
i.e. http://ipcchipip/chip.ini.
Analysis: Category 2. Can be configured.

Long Requests
Claim: If a real long request is sent the server stops responding, but a
few moments later everything is well again. All requests sent during the
downtime are lost.
Analysis: Category 3. Downtime is no longer than it takes to process the
request. No misbehaviour could be reproduced.

FTPD
Claim: The IPC is using a FTPD with factory set DEFAULT Passwords
("anonymous" or "ftp"), both full access accounts.
Analysis: Category 2. Can be configured.

SYN flooding
Claim: By SYN flooding or mass request HTTP files the IPC may be blocked for
some time. There is a max. of only 64 sockets, so a lame DoS attack is
really easy.
Analysis: Category 3. Tests have shown that our system is not sensitive to
SYN flooding. The webserver itself is limiting the number of simultaneous
connections, thus the 64 sockets are not 'consumed'.

ChipCfg
Claim: This CGI Script is installed by default and can't be removed. It
reveals network data to anyone, also possible attackers.
Analysis: Category 2. The API allows removal of this CGI with the CGI_REMOVE
function.

FTPD
Claim: By adding just one user to the system, the DEFAULT accounts are not
disabled completely, "anonymous" still works and grants full access.
Analysis: Category 2. Both users must be configured as listed in the
documentation.

TelnetD
Claim: By adding just one user to the system, the DEFAULT accounts are not
disabled, "tel" still works and grants full access.
Analysis: Category 2. Both users must be configured as listed in the
documentation.


Ernest Schloesser
Beck IPC GmbH
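
The Brute Force and User Guess Attack items above describe a login routine that answers immediately, keeps no count of bad passwords, and returns a distinguishable result for unknown users. The following is an added example, not code from Beck or Sentry Research Labs, of a check that avoids those three properties; the account, the failure threshold and the lockout times are constructed values, and the caller is assumed to pass the current time in seconds.

```c
/* Added example: login check with failure counting, lockout and a uniform reply. */
#include <stdio.h>
#include <string.h>

enum login_result { LOGIN_OK, LOGIN_FAILED, LOGIN_LOCKED };
struct account { const char *user; const char *pass; };
static const struct account accounts[] = { { "admin", "S3cure-Example" } }; /* constructed */

#define MAX_FAILS 3   /* assumed: bad logins tolerated before locking */
#define LOCK_SECS 60  /* assumed: base lockout, doubled per further failure */
static unsigned fail_count;   /* bad logins since the last success */
static long     locked_until; /* attempts before this time are refused */

/* Compare without stopping at the first mismatch, so response time does
   not reveal how many leading characters of the input were right. */
static int ct_equal(const char *given, const char *stored)
{
    size_t lg = strlen(given), ls = strlen(stored), i;
    unsigned char diff = (unsigned char)(lg != ls);
    for (i = 0; i < lg; i++)
        diff |= (unsigned char)(given[i] ^ stored[ls ? i % ls : 0]);
    return diff == 0;
}

enum login_result check_login(const char *user, const char *pass, long now)
{
    size_t i;
    int ok = 0;
    if (now < locked_until)
        return LOGIN_LOCKED;   /* refused before any credential is looked at */
    for (i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        ok |= ct_equal(user, accounts[i].user) & ct_equal(pass, accounts[i].pass);
    if (ok) { fail_count = 0; return LOGIN_OK; }
    if (++fail_count >= MAX_FAILS) {
        unsigned shift = fail_count - MAX_FAILS;
        locked_until = now + ((long)LOCK_SECS << (shift > 6 ? 6 : shift));
    }
    return LOGIN_FAILED;       /* same answer for unknown user and bad password */
}

int main(void)
{
    printf("unknown user : %d\n", check_login("nobody", "x", 0));
    printf("bad password : %d\n", check_login("admin", "wrong", 1));
    return 0;
}
```

The counter is global rather than per account so that the lockout itself cannot be used to tell valid names from invalid ones. A global lockout can also delay the legitimate administrator, so it should be paired with the configurable session timeout mentioned under Lock up.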






