[Siemens] OZW672: Undocumented user ("Back door"), with weak password (CVE-2017-6872)

Affected device (Tested): OZW672.06

OZW devices are used for the remote monitoring of building control equipment. For example, for monitoring heating or air conditioning systems.

Downloading the firmware

The device's firmware has been downloaded and decompiled.

Source: https://support.industry.siemens.com/cs/document/62567396/ozw672-factory-firmware-update-and-system-definition?dti=0&lc=en-WW

Readings of key resources are performed. Such as: "/etc/shadow"

Immediately, credentials are sent for cracking:

It was only possible to break the hash that corresponds to the user "ACS"



The "Shodan" platform (https://shodan.io) is then used to provide a representative sample of the degree of exposure of the device under analysis.

The search criteria used (Dork) was: "ProFTPD 1.3.1 Server (Siemens Switzerland Ltd.)"



We then validate by crosschecking the credentials with the results obtained. As shown in the screenshot below, the credentials are valid.


Report: This vulnerability was duly reported to Siemens. However, the problem was already known. A CVE was assigned to it: CVE-2017-6872.


Device manual: https://www.downloads.siemens.com/download-center/Download.aspx?pos=download&fct=getasset&id1=A6V10744843

https://cert-portal.siemens.com/productcert/pdf/ssa-563539.pdf https://www.us-cert.gov/ics/advisories/ICSA-17-187-01

[Siemens] OZW672: Undocumented user ("Back door"), with weak password (CVE-2017-6872)

All blog posts