********************** Netragard, L.L.C Advisory **********************
Penetration Testing - Vulnerability Assessments - Web Application Security
SNOsoft Research Team
------------------------------------------------
http://www.netragard.com -- "The Specialist in Anti-Hacking"

[POSTING NOTICE]
--------------------------------------------------------------------------
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents of
the advisory may be updated. The advisory can be found on the Netragard
website at http://www.netragard.com/

For more information about Netragard visit http://www.netragard.com

[Advisory Information]
--------------------------------------------------------------------------
Contact               : Adriel T. Desautels
Researcher            : Kevin Finisterre
Advisory ID           : NETRAGARD-20081010
Product Name          : CitectSCADA / Vijeo Citect / CitectFacilities
Product Version       : < 7.1 CitectSCADA (Q4 2008)
Vendor Name           : Citect
Type of Vulnerability : Input Validation and Hardcoded Credentials

[Product Description]
--------------------------------------------------------------------------
CitectSCADA currently ships with an FTP server, which is installed, but not
activated by default. It is used to configure and correctly utilise Internet
Display Client (IDC) functionality. If you are using the CitectSCADA IDC
functionality you will have to have enabled your server as an 'Internet
Server', which will activate the FTP server. If you are unsure as to whether
a server is an Internet Server, please use the Computer Setup Wizard to check
the Internet Server setting or see your citect.ini file (the parameter will
be: [Internet] Server=1).

-- http://knowledgebase.citect.com/SafetyandSecurity/article.aspx?id=1001 --

[Technical Summary]
--------------------------------------------------------------------------
Netragard's SNOsoft Research Team discovered that the FtpSvr.exe binary
contains a hardcoded, password-based 'backdoor'. Specifically, a username of
'citect' and a password of '&slk#1qd' can be used to access any IDC FTP
server. Because these credentials are hard-coded into the application,
system administrators cannot remove the hidden account.

Additionally, Netragard discovered that the IDC FTP server was missing a
format specifier in the function used to echo the username back to the FTP
client during login, so the username supplied by the client is itself
interpreted as the format string. When exploited, this vulnerability can
result in a Denial of Service condition or disclosure of data stored in the
affected system's memory.

[Proof Of Concept]
--------------------------------------------------------------------------
$ nc 192.168.1.1 21
200 Citect Ftp Server ready
user %x.%x.%x.%x.%x
331 Password required for ae0000.332570.401c64.332570
user %n%n%n%n%n%n

[Vendor Status]
--------------------------------------------------------------------------
Vendor Notification:
August 21, 2008      Ask SCADASEC mailing list for Citect contacts
August 21, 2008      I mailed Citect (based on some contacts that were given
                     to me by Walt Boyes and Ron Southworth via SCADASEC)
                     about an issue I had found.
August 21, 2008      Majella Nollan responded and started the process...

Vendor Patched:
September 23, 2008   Citect update posted on SecurityCenter

Vendor has stated the following:
"Our thanks goes to Netragard for their help in identifying the above issues
and working with us on recommended actions."

[Disclaimer]
------------------------http://www.netragard.com--------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to help
the I.T. community protect themselves against a potentially dangerous
security hole. This advisory is not an attempt to solicit business.
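As an added example (not part of the Netragard advisory or of Citect's software), the following Python checks a constructed FTP control-channel log for the two indicators described in the Technical Summary and Proof Of Concept: USER commands naming the hardcoded 'citect' account, and USER arguments carrying printf-style conversions such as %x or %n. It also reads the [Internet] Server=1 setting from citect.ini named in the Product Description to tell whether a host exposes the IDC FTP server at all; the log line layout and all sample entries are assumptions constructed for the example.

```python
import re
BACKDOOR_USER = "citect"  # hardcoded account disclosed in the advisory
# printf-style conversion: flags, width, precision, conversion character.
FORMAT_SPEC = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?[diouxXeEfgGcspn]")
# Assumed log layout: "<date> <time> <client-ip> USER <argument>".
LINE = re.compile(r"^(\S+ \S+) (\S+) USER (.*)$")

# Constructed sample log: benign logins, the backdoor account, and the PoC probes.
SAMPLE_LOG = """\
2008-10-10 09:12:01 10.0.0.5 USER operator
2008-10-10 09:12:44 10.0.0.9 USER citect
2008-10-10 09:13:02 10.0.0.9 USER %x.%x.%x.%x.%x
2008-10-10 09:13:05 10.0.0.9 USER %n%n%n%n%n%n
2008-10-10 09:14:10 10.0.0.7 USER 100%legit
"""

def classify_user(name):
    """Return finding tags for one USER argument (empty list if benign)."""
    tags = []
    if name.strip().lower() == BACKDOOR_USER:
        tags.append("hardcoded-account")  # alert even if the login failed
    specs = FORMAT_SPEC.findall(name)
    if specs:
        # %n writes to memory (DoS); other conversions only read it (disclosure).
        tags.append("format-string-write" if any(s.endswith("n") for s in specs)
                    else "format-string-read")
    return tags

def scan_log(text):
    """One finding per USER command that classify_user flags."""
    findings = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m and (tags := classify_user(m.group(3))):
            findings.append({"time": m.group(1), "client": m.group(2),
                             "user": m.group(3), "tags": tags})
    return findings

def idc_ftp_enabled(ini_text):
    """True when citect.ini sets Server=1 under [Internet] (IDC FTP active)."""
    section = None
    for line in (ln.strip() for ln in ini_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "internet" and "=" in line and not line.startswith(";"):
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() == "server":
                return value == "1"
    return False
```

A host where idc_ftp_enabled() is False is not an Internet Server and does not expose the IDC FTP service, so the log findings matter most on hosts where it returns True.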