Reverse Engineering / Vulnerabilities in Dreamcatcher 3.05 / Skylark 5.8 Firmware
Background: This device is a Free Content Satellite Receiver that was created by the Othernet.is organization. Since the device / firmware has reached its END OF LIFE CYCLE, I decided to do a reverse engineering school project to see if I could locate and identify any vulnerabilities on the Dreamcatcher device and especially on the Skylark Firmware version 5.8.
Summarization of Vulnerabilities of Interest
There were 1268 vulnerabilities and 458 exploits spread across 20 common and not so common software applications. Some critical vulnerabilities as well as possible exploits. Below are some examples.
CVE-2017-16544 BusyBox RelatedIn the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes or other attacks.
CVE-2019-133351 alsa Related
posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 (as distributed with alsa-plugins 1.1.7 and later) has a "double file descriptor close" issue during a failed connection attempt when jackd2 is not running. Exploitation success depends on the multithreaded timing of that double close, which can result in unintended information disclosure, crashes, or file corruption due to having the wrong file associated with the file descriptor.
CVE-2019-12900 bzip2 Related
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
CVE-2016-3189 bzip2 Related
Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file related to block ends set to before the start of the block.
CWE-319 Cleartext Transmission of Sensitive Information
CWE-319 explains that the software transmits sensitive or security-critical data in cleartext in a communications channel that can be sniffed by unauthorized actors (Mitre, 2022). This could include Port 80 traffic: Skylark was noted utilizing port 80 to transfer data back and forth from the Dreamcatcher to the user's laptop, computer or personal mobile device. I would recommend for the vendor to utilize 443 encrypt data that be being transferred from the Dreamcatcher to any personal devices and prevent the data from being eavesdropped on.
CWE-521 Weak Password Requirements
CWE-521 Explains that othernet does not require that the customer should have a strong password, which makes it easier for attackers to compromise the Skylark user account (Mitre, 2022). I would recommend that the default Passwords: Recommend that vendor give the customer the ability to modify login user names and passwords.
CAPEC-613 wifi SSID Tracking
CAPEC-613 describes that in a hacker scenario, the hacker passively eavesdrops on wifi management frame messages containing the Service Set Identifier (SSID) for the wifi network. It would be too easy for a hacker to associate the SSID to Othernet device and user the default passwords to access (CAPEC, 2022). Visible Wifi Service Set Identifiers (SSID)s: This allows for neighbors, wardrivers or law enforcement to identify possible othernet nodes and either take advantage of them or confiscate them. When additional vulnerabilities are identified and exploited. This would make it easier for attackers to identify possible "othernet" nodes to attack for access. Additionally, this would make the Dreamcatcher more vulnerable to confiscation due to nation-state censorship laws. The wifi SSID can be tracked/identified outside my home up to approximately 75 feet from the Dreamcatcher device. This distance would make it easy for neighbors to pick it up with their wifi routers.
CWE-220: Storage of File With Sensitive Data Under FTP Root
CWE-220 Explains that the application stores sensitive data under the FTP Server root with insufficient access control, which might make it accessible to untrusted parties (Mitre, 2022). I ran NMAP and determined that port 21 was open. I successfully logged in via the Anonymous login with no credentials. I remoted into the application via FTP. Information transfer could be seen via Wireshark. Recommend utilizing a more secure protocol and do not use default passwords.
CWE-552: Files and Directories Accessible to External Parties
CWE-552, explains that FTP Server may
store files underneath the "root" directory that is accessible to the
server's users. Recommend to make corrections as directed the above corrections
to negate additional security risks.
Comments
Post a Comment