Tuesday, August 4, 2020

[Siemens] OZW672: Undocumented user ("Back door"), with weak password (CVE-2017-6872)

Affected device (Tested): OZW672.06
 

OZW devices are used for the remote monitoring of building control equipment, for example heating or air conditioning systems.


Downloading the firmware
The device's firmware was downloaded and decompiled.

Source: https://support.industry.siemens.com/cs/document/62567396/ozw672-factory-firmware-update-and-system-definition?dti=0&lc=en-WW





Key files are then read from the firmware, such as "/etc/shadow".


The credentials are immediately sent for cracking:



Only the hash belonging to the user "ACS" could be cracked.
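
A check a vendor or asset owner could run on the same "/etc/shadow" file to see which accounts can log in and which of them are missing from the documentation. This is an added example, not code from the original post; the sample file, its hash strings, the hash scheme shown for "ACS" and the account name "documented_admin" are constructed assumptions.

```python
# Added example: list login-capable accounts in a shadow file taken from an
# unpacked firmware image. All hash strings below are constructed placeholders.
SCHEMES = {"1": "md5crypt (weak)", "2a": "bcrypt", "2b": "bcrypt",
           "2y": "bcrypt", "5": "sha256crypt", "6": "sha512crypt",
           "y": "yescrypt"}

def classify_hash(field):
    """Return (login_enabled, scheme) for a shadow password field."""
    if field == "":
        return True, "EMPTY PASSWORD"
    if field[0] in "!*":                      # locked or no password login
        return False, "locked"
    if field.startswith("$"):                 # modular crypt: $id$salt$hash
        parts = field.split("$")
        ident = parts[1] if len(parts) > 2 else ""
        return True, SCHEMES.get(ident, "unknown scheme")
    if len(field) == 13:                      # traditional DES crypt
        return True, "descrypt (weak)"
    return True, "unrecognised format, review manually"

def audit_shadow(text, documented):
    """Report every account that can log in and whether it is documented."""
    findings = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        enabled, scheme = classify_hash(fields[1])
        if enabled:
            findings.append({"user": fields[0], "scheme": scheme,
                             "undocumented": fields[0] not in documented})
    return findings

# Constructed sample. "documented_admin" is a hypothetical account name; "ACS"
# is the user named in this post. The hash scheme shown for it is an assumption.
SAMPLE_SHADOW = """\
root:*:10933:0:99999:7:::
daemon:!:10933:0:99999:7:::
documented_admin:$6$CONSTRUCTED$PLACEHOLDERHASH:17000:0:99999:7:::
ACS:$1$CONSTRUC$PLACEHOLDERHASH:17000:0:99999:7:::
"""

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW, documented={"documented_admin"}):
        tag = "UNDOCUMENTED" if f["undocumented"] else "documented"
        print(f"{f['user']:<18}{f['scheme']:<20}{tag}")
```

Any account reported as undocumented with a login-capable hash should be removed from the image or locked before release.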



 


Exposure
The "Shodan" platform (https://shodan.io) is then used to obtain a representative sample of how exposed the device under analysis is.

The search criterion (dork) used was: "ProFTPD 1.3.1 Server (Siemens Switzerland Ltd.)"



Validation
We then validate by cross-checking the credentials against the results obtained. As shown in the screenshot below, the credentials are valid.





Report:

This vulnerability was duly reported to Siemens. However, the problem was already known.
A CVE was assigned to it: CVE-2017-6872.


ANNEXES

Device manual: