A recently published report describes a 0-day backdoor that gives remote root shell access on Teradek IP video devices.
Teradek IP video devices are live-streaming devices that encode video inputs into various streaming formats for transport over Ethernet.
According to the report, Teradek makes several IP video devices. The researchers examined one device closely: it has an Ethernet interface and a web management interface that is reachable at HTTP://<device_ip> by default.
Most importantly, the web management interface is protected by a user-defined password.
Reversing The Firmware and Key Calculation
Firmware images are available for download from the manufacturer's site. They are unencrypted, unprotected SquashFS files that can be extracted easily with squashfs-tools.
The VidiU Go firmware runs on an ARM64 Linux kernel. The analysts examined version 3.1.12 (released in 2020); the most recent release, 3.1.13, is identical in every respect relevant to this report.
Although the firmware invites further investigation and likely contains more vulnerabilities, the report concentrates on the backdoor access function found in /home/www/cgi-bin/test.cgi.
Reversing the crypto functions shows that the key is calculated as follows:
td_license_create("tdtest", 0, 0) = SHA1(SHA512("0x5f3759df<MAC_ADDRESS_OF_DEVICE>tdtest"))
Everything needed for the key calculation is hardcoded in the generic firmware; only the MAC address part is device-dependent.
Root credentials are also exposed: Telnet is enabled and presents a login prompt, and the password hash can be looked up in /etc/shadow in the firmware image.
The report states that it is a traditional, weak Unix crypt() DES hash that is 100% crackable in a very short time frame (~3 days), and that the password recovered from it is itself very weak.
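As an added example (not code from the report or from Teradek), the following Python auditor classifies the password hash scheme of every account in an /etc/shadow file pulled from an extracted firmware image and flags traditional DES crypt() and empty entries as weak; the shadow lines and hash strings are constructed.

```python
# Audit /etc/shadow from an extracted firmware image for weak password hashes.
# Added example, not code from the report or from Teradek.
import re

# Traditional DES crypt(3): exactly 13 chars from the crypt alphabet, no '$' prefix.
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular-crypt identifiers -> (scheme name, verdict)
_SCHEMES = {
    "1": ("md5crypt", "weak"),
    "2a": ("bcrypt", "ok"), "2b": ("bcrypt", "ok"), "2y": ("bcrypt", "ok"),
    "5": ("sha256crypt", "ok"), "6": ("sha512crypt", "ok"), "y": ("yescrypt", "ok"),
}

def classify_hash(field: str) -> tuple[str, str]:
    """Map one shadow password field to (scheme, verdict)."""
    if field == "":
        return ("empty", "none")             # login with no password at all
    if field[0] in "!*":
        return ("locked", "locked")          # password authentication disabled
    if field.startswith("$"):
        ident = field.split("$")[1]
        return _SCHEMES.get(ident, ("unknown-$" + ident, "review"))
    if _DES_RE.match(field):
        return ("des-crypt", "weak")         # 56-bit key, 8-character password cap
    return ("unknown", "review")

def audit_shadow(text: str) -> list[tuple[str, str, str]]:
    """Return (user, scheme, verdict) for every account in a shadow file."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        scheme, verdict = classify_hash(parts[1])
        out.append((parts[0], scheme, verdict))
    return out

def weak_accounts(text: str) -> list[str]:
    """Accounts that should block a firmware release: weak or empty hashes."""
    return [u for u, _, v in audit_shadow(text) if v in ("weak", "none")]

# Constructed sample; the hash strings are made up, not taken from any real firmware.
SAMPLE_SHADOW = """\
root:abJnggxhB/yWI:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
www:$6$c0nstructed$notARealHashJustAPlaceholder:18000:0:99999:7:::
guest::18000:0:99999:7:::
"""
```

Running `weak_accounts(SAMPLE_SHADOW)` on the constructed file flags `root` (DES crypt) and `guest` (no password); the same check applied to a real extracted image shows at a glance whether an account relies on a crypt() DES hash.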
The firmware affected by this 0-day backdoor is listed below:
- Teradek VidiU Go 3.1.12 (released on 08-06-2020)
- Teradek VidiU Go 3.1.13 (released on 05-10-2021, latest at the time of writing)
- Teradek firmware for other devices (the same code with the same hardcoded hashes was seen in other firmware, but this still needs testing).
So far, the security researchers have been unable to find a proper fix for this issue.
Since there is currently no way to disable the backdoor or change the hardcoded keys and passwords, the only available mitigation is to add an extra layer of protection in front of the web interface, restricting who can reach it.
The security experts also urge users to apply this mitigation, as it helps protect them from this kind of backdoor.