COMMAND

    IPC@Chip

SYSTEMS AFFECTED

    IPC@Chip

PROBLEM

    'Siberian' (Sentry Research Labs) found the following.  The
    demonstration tool and a German version of this report (an English
    version is also available for download) can be obtained from the
    Sentry website.

    He did a security audit of the IPC@Chip (vendor is Beck GmbH) using
    a DK40 Evaluation Board.  During these tests the system was checked
    for common security flaws, common attack strategies were applied and
    the behaviour of the IPC was analysed.

    The IPC uses a TelnetD with a factory-set DEFAULT password ("tel").
    Because the TelnetD does not use a random delay on login attempts
    and neither counts nor logs bad passwords, the password can be brute
    forced in no time.  A demonstration tool is available on the Sentry
    website.

    Only one user may use the TelnetD at a time and there is no timeout
    set by default, so it is possible to lock out the real admin: just
    connect to the IPC and leave a telnet window open and untouched.

    By analysing the reply given by the TelnetD on login it is possible
    to find existing user accounts.  A demonstration tool is available
    on the Sentry webpage.

        "User unknow" = non-existing user
        "Password:"   = existing account
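    As an added illustration of the defensive counterpart to the two TelnetD weaknesses above (no delay, no counting or logging of bad passwords, and a reply that differs for unknown users), here is a small login guard written for this page. It is not code from the IPC@Chip firmware or from Sentry's tools; the user table, password and client addresses in it are constructed values, and the per-client lockout policy is one design choice among several.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo credential table: username -> SHA-256 hex digest of the
# password. Hypothetical for this example, not the real chip.ini layout.
DEMO_USERS = {
    "admin": hashlib.sha256(b"correct horse battery staple").hexdigest(),
}

# Digest compared against when the user does not exist, so unknown and
# known users cost the same amount of work (no timing-based enumeration).
_DUMMY_DIGEST = hashlib.sha256(b"\x00" * 32).hexdigest()


class LoginGuard:
    """Login check that gives one uniform reply, throttles, counts and
    logs failures per client address. Per-client (not per-user) lockout
    avoids handing an attacker a way to lock out the real administrator."""

    def __init__(self, users, max_failures=5, lock_seconds=300,
                 base_delay=1.0, sleep=time.sleep):
        self.users = users
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.base_delay = base_delay
        self.sleep = sleep            # injectable so tests need not wait
        self.failures = {}            # client -> (count, locked_until)
        self.audit_log = []           # (time, client, username, reason)

    def _password_ok(self, username, password):
        supplied = hashlib.sha256(password.encode("utf-8")).hexdigest()
        expected = self.users.get(username, _DUMMY_DIGEST)
        # Constant-time compare; evaluated before the membership test so
        # the work done does not depend on whether the user exists.
        same = hmac.compare_digest(supplied, expected)
        return same and username in self.users

    def _fail(self, now, client, username, reason):
        self.audit_log.append((now, client, username, reason))
        # Fixed delay plus up to one second of jitter per failed attempt.
        self.sleep(self.base_delay + secrets.randbelow(1000) / 1000.0)
        return "Login failed"       # identical text for every failure cause

    def attempt(self, client, username, password, now=None):
        now = time.time() if now is None else now
        count, locked_until = self.failures.get(client, (0, 0.0))
        if now < locked_until:
            return self._fail(now, client, username, "locked")
        if self._password_ok(username, password):
            self.failures.pop(client, None)
            return "OK"
        count += 1
        if count >= self.max_failures:
            locked_until = now + self.lock_seconds
        self.failures[client] = (count, locked_until)
        reason = "bad password" if username in self.users else "unknown user"
        return self._fail(now, client, username, reason)


if __name__ == "__main__":
    guard = LoginGuard(DEMO_USERS, sleep=lambda s: None)
    print(guard.attempt("10.0.0.5", "nobody", "tel", now=0.0))   # Login failed
    print(guard.attempt("10.0.0.5", "admin", "tel", now=0.0))    # Login failed
    for entry in guard.audit_log:
        print(entry)
```

    The caller sees "Login failed" whether the account exists or not; the distinction between "unknown user" and "bad password" survives only in the audit log, which is where an administrator wants it. Keying the counter on the client address rather than the username is deliberate: a per-username lockout would give anyone who knows the admin's login name the same denial-of-service the open telnet window already provides.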

    The webserver root directory is set to / by default.  An attacker
    may download the chip.ini file, which contains all logins and
    passwords, by requesting e.g.

        http://ipcchipip/chip.ini
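    Because the default web root is the filesystem root, a request for the configuration file is answered like any other file. The following Python, added here for illustration and not part of the IPC@Chip firmware or of Sentry's report, shows the confinement a small embedded web server needs: a document root that every request path is resolved against, rejection of anything that normalises outside it, and a deny list for the configuration file. The directory layout it builds (a stand-in chip.ini beside a www/ directory) is constructed for the demo.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote


class StaticRoot:
    """Maps a request path onto a filesystem path and refuses anything
    that escapes the configured document root or hits a denied name."""

    def __init__(self, document_root, denied_names=("chip.ini",)):
        self.root = os.path.realpath(document_root)
        self.denied = {n.lower() for n in denied_names}

    def resolve(self, request_path):
        """Return the file to serve, or None when the request is refused."""
        # Drop the query string, decode %XX escapes, then collapse "." and
        # ".." segments against an absolute path so "../" cannot climb.
        path = unquote(request_path.split("?", 1)[0])
        relative = posixpath.normpath("/" + path.lstrip("/")).lstrip("/")
        candidate = os.path.realpath(os.path.join(self.root, relative))
        inside = candidate == self.root or candidate.startswith(self.root + os.sep)
        if not inside:
            return None
        if os.path.basename(candidate).lower() in self.denied:
            return None
        return candidate


def demo():
    """Build a constructed layout (chip.ini beside a www/ directory) and
    compare a root of the whole tree with a root confined to www/."""
    base = tempfile.mkdtemp()
    www = os.path.join(base, "www")
    os.mkdir(www)
    with open(os.path.join(base, "chip.ini"), "w") as f:
        f.write("; constructed stand-in, not a real chip.ini\n")
    with open(os.path.join(www, "index.html"), "w") as f:
        f.write("<html>hello</html>\n")

    wide_open = StaticRoot(base, denied_names=())   # like the default "/" root
    confined = StaticRoot(www)                      # document root = www/ only
    escaped = confined.resolve("/../../other.txt") or ""
    return {
        "open_serves_ini": wide_open.resolve("/chip.ini") is not None,
        "confined_index": confined.resolve("/index.html") is not None,
        "confined_traversal": confined.resolve("/../chip.ini"),
        "confined_encoded": confined.resolve("/%2e%2e/chip.ini"),
        "confined_denied": confined.resolve("/chip.ini"),
        "confined_escape_inside": escaped.startswith(confined.root),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

    With the root at the top of the tree and no deny list, the configuration file is served; with the root moved to www/ the same request, its "../" variant and its percent-encoded variant are all refused, and a traversal attempt that does not name the file still lands inside the document root.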

    If a very long request is sent the server stops responding, but a
    few moments later everything is fine again.  All requests sent
    during the downtime are lost.

    The IPC uses an FTPD with factory-set DEFAULT passwords ("anonymous"
    or "ftp"); both are full-access accounts.

    By SYN flooding or mass-requesting HTTP files the IPC may be blocked
    for some time.  There is a maximum of only 64 sockets, so a lame DoS
    attack is really easy.

    The ChipCfg CGI script is installed by default and can't be removed.
    It reveals network data to anyone, including possible attackers.
    Request e.g.

        http://ipcchipip/ChipCfg

SOLUTION

    The password can be configured.  The timeout can be configured.  The
    API allows removal of this CGI with the CGI_REMOVE function.  Both
    users must be configured as listed in the documentation.

    Vendor issued a fix.