Security Advisory

Seagate GoFlex Satellite Remote Telnet Default Password

Advisory ID: KL-001-2015-007
Published: 2015-12-18
Vendor: Seagate

Affected Systems

Product: GoFlex Satellite
Version: 1.3.7
Platform: Embedded Linux

Discovered By

Matt Bergin (KoreLogic)

Vulnerability Details

Affected Vendor: Seagate
Affected Product: GoFlex Satellite
Affected Version: 1.3.7
Platform: Embedded Linux
CWE Classification: CWE-288: Authentication Bypass Using an Alternate Path or Channel, CWE-798: Use of Hard-coded Credentials
Impact: Remote Administration
Attack Vector: Telnet
CVE ID: CVE-2015-2874

Vulnerability Description

Seagate GoFlex Satellite Mobile Wireless Storage devices contain a hardcoded backdoor account. An attacker could use this account to remotely tamper with the underlying operating system when Telnet is enabled.

Technical Description

root@wpad:/tmp/jfroot# ls
bin  boot  dev  etc  home  include  lib  linuxrc  media  mnt  proc
satellite_app  sbin  share  srv  static  sys  tmp  usr  var
root@wpad:/tmp/jfroot# cd etc
root@wpad:/tmp/jfroot/etc# ls
angstrom-version  default              fstab                init.d
iproute2          motd                 org_passwd           protocols
rc4.d             rS.d                 terminfo             udhcpc.d
autoUpdURL        device_table         group                inittab
issue             mtab                 passwd               rc0.d
rc5.d             scsi_id.config       timestamp            udhcpd.conf
avahi             device_table-opkg    host.conf            inputrc
issue.net         network              passwd-              rc1.d
rc6.d             services             tinylogin.links      udhcpd_factory.conf
busybox.links     fb.modes             hostname             internal_if.conf
localtime         nsswitch.conf        profile              rc2.d
rcS.d             skel                 ts.conf              version
dbus-1            filesystems          hosts                ipkg
mke2fs.conf       opkg                 profile.d            rc3.d
rpc               syslog.conf          udev
root@wpad:/tmp/jfroot/etc# cat passwd
root:VruSTav0/g/yg:0:0:root:/home/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/sh
sys:*:3:3:sys:/dev:/bin/sh
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/bin/sh
man:*:6:12:man:/var/cache/man:/bin/sh
lp:*:7:7:lp:/var/spool/lpd:/bin/sh
mail:*:8:8:mail:/var/mail:/bin/sh
news:*:9:9:news:/var/spool/news:/bin/sh
uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:*:13:13:proxy:/bin:/bin/sh
www-data:*:33:33:www-data:/var/www:/bin/sh
backup:*:34:34:backup:/var/backups:/bin/sh
list:*:38:38:Mailing List Manager:/var/list:/bin/sh
irc:*:39:39:ircd:/var/run/ircd:/bin/sh
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
xoFaeS:QGd9zEjQYxxf2:500:500:Linux User,,,:/home/xoFaeS:/bin/sh

The password hash for the xoFaeS user cracked to etagknil.
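
One way to catch this class of issue during firmware review, as an added example that is not part of the KoreLogic advisory: the script parses an extracted etc/passwd and reports every account that carries a usable credential in the file itself, labelling the 13-character traditional DES crypt format seen in the listing above. The names classify, audit_passwd and SAMPLE are assumptions of this example; the sample lines are copied from the listing above.

```python
import re

# Traditional DES crypt(3) hashes are exactly 13 characters from this alphabet.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
NON_LOGIN_SHELLS = ("/nologin", "/false", "/sync")

def classify(pw_field):
    """Return a label for the password field, or None if it cannot be used to log in."""
    if pw_field == "":
        return "empty-password"          # no password required at all
    if pw_field == "x":
        return None                      # hash lives in /etc/shadow; audit that file separately
    if pw_field[0] in "*!":
        return None                      # locked account
    if pw_field.startswith("$"):
        return "modular-crypt"           # $1$, $5$, $6$ ... style hash
    if DES_CRYPT.fullmatch(pw_field):
        return "des-crypt"               # legacy format: 8-character password limit, 12-bit salt
    return "unrecognized"

def audit_passwd(text):
    """Return findings for accounts with a usable credential stored in passwd itself."""
    findings = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        user, pw, uid, _gid, _gecos, _home, shell = fields
        kind = classify(pw)
        if kind is None or shell.endswith(NON_LOGIN_SHELLS):
            continue
        findings.append({"user": user, "uid": int(uid), "shell": shell, "hash_type": kind})
    return findings

# Sample input: four lines copied from the passwd listing in this advisory.
SAMPLE = """\
root:VruSTav0/g/yg:0:0:root:/home/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
sync:*:4:65534:sync:/bin:/bin/sync
xoFaeS:QGd9zEjQYxxf2:500:500:Linux User,,,:/home/xoFaeS:/bin/sh
"""

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE):
        print("{user} (uid {uid}, {shell}): {hash_type} hash in /etc/passwd".format(**f))
```

Any account reported here ships with the same credential on every unit running that image, so each finding should be traced to an owner or removed from the build before release.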

Mitigation and Remediation Recommendation

The vendor has released a patch that can be obtained using the Download Finder located at https://apps1.seagate.com/downloads/request.html

Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

Proof of Concept

N/A

The contents of this advisory are copyright(c) 2015 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

Disclosure Timeline

Vulnerability details and PoC sent to Seagate.

Seagate confirms receipt.

Seagate indicates a patch is ready but not yet available to the public.

KoreLogic asks Seagate if they have obtained a CVE-ID for the vulnerability.

Seagate notifies KoreLogic that the patch is publicly available. Seagate indicates they are waiting for a CVE before releasing a security advisory.

KoreLogic requests an update on the CVE-ID and associated Seagate advisory.

Seagate responds with a link to http://www.kb.cert.org/vuls/id/903500

Public disclosure.

Responsible Disclosure

KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.

Vendor notification and coordination
90+ day disclosure timeline
CVE coordination when applicable