Thursday, August 15, 2019

Uh... why does firmware need to send EHLO?

So, anyway, a little while ago, we stumbled across a program in firmware that seems to be sending an EHLO (the SMTP client greeting). The program in question also seems to have a user ID and password (UID and PW) in plaintext.

It also _seems_ to have the capability of starting a TLS connection.

Now, I’m not saying the vendor is doing anything wrong, but it is just a bit of a surprise to find.

Also, it is not yet clear if communications are hidden from the OS, but they could easily be.

The program in question is about 27k in length, of compiled C, so it takes some time to study. Analysis continues.

Oh, but this caused us to look for other examples of EHLO in firmware, and, lo and behold, we found another vendor, who seems to have that capability. This particular program is over 600k, so will take a little while to analyze properly.
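A triage scan of the kind that search implies, added here as an example and not the post's own tooling: it flags SMTP client command strings in a firmware image and decodes base64 tokens sitting near an AUTH marker, which is how a hard-coded login would show up. The firmware blob is constructed, and the marker list and window size are assumptions.

```python
"""Flag SMTP client indicators (EHLO, STARTTLS, AUTH ...) and nearby
credential-like strings in a firmware image. Sample data is constructed."""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Strings an SMTP *client* must emit; finding them means the image can speak SMTP.
SMTP_MARKERS = (b"EHLO", b"HELO", b"STARTTLS", b"AUTH LOGIN", b"AUTH PLAIN",
                b"MAIL FROM:", b"RCPT TO:")
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")          # strings(1)-style run
B64TOKEN = re.compile(rb"^[A-Za-z0-9+/]{4,}={0,2}$")  # whole string is base64


def find_smtp_markers(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, marker) for every SMTP command string in the image."""
    return sorted((m.start(), mk.decode())
                  for mk in SMTP_MARKERS for m in re.finditer(re.escape(mk), blob))


def decode_if_base64(s: bytes) -> Optional[str]:
    """Decode s when it is base64 whose plaintext is printable ASCII, else None."""
    if not B64TOKEN.match(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except binascii.Error:
        return None
    return raw.decode("ascii") if raw and all(0x20 <= c < 0x7f for c in raw) else None


def credential_candidates(blob: bytes, window: int = 64) -> List[Tuple[int, str]]:
    """Printable strings within `window` bytes after an AUTH marker (assumed
    layout: credentials live beside the command table); base64 is decoded."""
    out = []
    for off, marker in find_smtp_markers(blob):
        if not marker.startswith("AUTH"):
            continue
        start = off + len(marker)
        for m in PRINTABLE.finditer(blob[start:start + window]):
            s = m.group()
            if any(mk in s for mk in SMTP_MARKERS):   # skip other SMTP commands
                continue
            out.append((start + m.start(), decode_if_base64(s) or s.decode()))
    return out


# Constructed firmware-like blob: opaque bytes around an SMTP client's string
# table, including base64 LOGIN credentials ("user" / "password").
SAMPLE_BLOB = (b"\x7fELF\x01\x01\x00" * 8
               + b"EHLO %s\r\n\x00STARTTLS\r\n\x00AUTH LOGIN\r\n\x00"
               + b"dXNlcg==\x00cGFzc3dvcmQ=\x00MAIL FROM:<%s>\r\n\x00"
               + bytes(range(256)))

if __name__ == "__main__":
    print(find_smtp_markers(SAMPLE_BLOB))
    print(credential_candidates(SAMPLE_BLOB))
```

Run against a real image the same way (`open(path, "rb").read()`); hits only say the image contains SMTP client strings, so confirm what actually reaches the wire by tracing the code paths.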

Again, I’m not suggesting that they are doing anything malicious. It’s just a surprise, and it makes one wonder what else might be found. There do seem to be other firmware programs that are capable of starting TLS. Oh, and it also makes us wonder if it is exploitable.

Watch this space.