A client was recently interested in a particular brand of serial port to Ethernet converter. I’ve done my own with socat, and worked professionally on pen-testing an (IMO) excellent secure serial to Ethernet front-end that adds a lot of security and management features. Intrigued, I wanted to get one that the client was interested in to tear it apart.
Instead, I settled for grabbing a firmware update. This was a lot cheaper, and let me know quickly that the product isn’t very good. The Korenix Jetport 5600 series is supposed to do configuration via secure HTTPS and SSH. The device then lets you make its various serial ports accessible via IP. I say ‘supposed to’ because it doesn’t do a very good job. Note that ORing makes a device that is either OEM’d by Korenix or uses a stolen firmware image. The backdoor here is identical for ORing, and the firmwares are eerily similar, but neither company makes a claim of OEM relationships. I discovered the firmware relationship while digging around for Shodan banners.
The firmware was simple enough to analyze. It’s just a Linux firmware image with a zlib-compressed filesystem. I did nothing special to analyze it; the extracted filesystem is ext2. I opted not to even mount the filesystem for exploration. Instead, I just used my trusty friend ‘strings’ to look for the passwd and shadow files.
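The same audit can be scripted for any update file before a device goes into service. The sketch below is an added example, not the tooling used in this post: it finds zlib streams in a blob, checks the decompressed data for the ext2 superblock magic, and pulls out passwd- and shadow-format lines the way `strings` would. The function names, the sample header, and the sample accounts and hash are all constructed for illustration.

```python
import re
import zlib

EXT2_MAGIC_AT = 1024 + 56   # superblock starts at byte 1024, s_magic is at +56

def find_zlib_streams(blob, min_size=2048):
    """Return [(offset, data)] for every offset holding a complete zlib stream."""
    hits = []
    for m in re.finditer(rb"\x78[\x01\x5e\x9c\xda]", blob):   # common zlib headers
        d = zlib.decompressobj()
        try:
            out = d.decompress(blob[m.start():])
        except zlib.error:
            continue                        # header bytes matched by chance
        if d.eof and len(out) >= min_size:  # eof: stream ended, checksum verified
            hits.append((m.start(), out))
    return hits

def is_ext2(data):
    return data[EXT2_MAGIC_AT:EXT2_MAGIC_AT + 2] == b"\x53\xef"   # 0xEF53, LE

def account_entries(data):
    """strings(1)-style scan for passwd (7-field) and shadow (9-field) lines."""
    found = []
    for run in re.findall(rb"[\x20-\x7e]{4,}", data):
        f = run.decode("ascii").split(":")
        if len(f) == 7 and f[2].isdigit() and f[3].isdigit():
            found.append(("passwd", f[0], f[1]))
        elif len(f) == 9 and f[2].isdigit():
            found.append(("shadow", f[0], f[1]))
    return found

def audit_firmware(blob):
    return [{"offset": off, "ext2": is_ext2(data), "accounts": account_entries(data)}
            for off, data in find_zlib_streams(blob)]

def build_sample():
    """Constructed stand-in for an update file: header + zlib(ext2-like image)."""
    img = bytearray(8192)
    img[EXT2_MAGIC_AT:EXT2_MAGIC_AT + 2] = b"\x53\xef"
    passwd = b"root:x:0:0:root:/root:/bin/sh\nnobody:x:99:99:nobody:/:/bin/false\n"
    shadow = (b"root:$1$SAMPLE$constructedNotARealHash:10933:0:99999:7:::\n"
              b"nobody:*:10933:0:99999:7:::\n")
    img[4096:4096 + len(passwd)] = passwd
    img[6144:6144 + len(shadow)] = shadow
    return b"KFWHDR\x00\x00" * 8 + zlib.compress(bytes(img)) + b"\xff" * 16

if __name__ == "__main__":
    for hit in audit_firmware(build_sample()):
        print(hit)
```

A shadow entry whose second field is a real hash rather than `*` or `!` means the image ships with an account that can log in, which is the thing to question the vendor about.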