Archive for March, 2013

Advanced Media Technologies (AMT) Multiple Vulnerabilities

March 30, 2013

Advanced Media Technologies (AMT) makes all kinds of products. While playing with Shodan, I ran across a couple of their devices by way of their web interfaces. The two I found use “Z-World Rabbit” as their web server, so they are fairly easy to find:

HTTP/1.1 200 OK
Date: Wed, 12 Mar 1980 23:24:37 GMT
Server: Z-World Rabbit
Connection: close
Content-Type: text/html

Both devices I found have the same basic web interface and the same vulnerabilities. The first device was a PBN CPON-100 (product, data sheet) described as a “Customer Premises Optical Node for Fast Ethernet and CATV”. The second device is the PBN OSLAM-8G (product, data sheet) described as an “Optical Subscriber Line Access Multiplexer 8-Port Module”. By default neither has any kind of authentication to access it!

Vulnerability #1

The main page, / or /index.zhtml, shows the internal IP of the gateway, which reveals the private IP space in use. It also shows the application version, MAC address, serial number, BIOS version and uptime:

[screenshot: oslam-index]

Vulnerability #2

Without authenticating, anyone can access /advanced.zhtml, which lets you reboot the device or restore factory default settings:

[screenshot: oslam-advanced]

[screenshot: oslam-reboot]

[screenshot: oslam-reset]

Powerhawk 6320 Smart Meter Information Disclosure

March 24, 2013

Poking around Shodan some more, I found a few Powerhawk 6320 smart meters that have a web page. No authentication is required, and it gives up some good information on the device!

Vendor: Triacta (www.triacta.com)
Product: Powerhawk 6320 Smart Meter

URL: http://host/configpage.zhtml

It discloses a phone number, alternate phone number, username (email address), FTP username, internal IP address and detailed information about the device.

[screenshot: powerhawk6320]

I don’t know if smart meters are considered SCADA but I found it under related searches in Shodan.

Two minor vulnerabilities in Clorius Controls ICS SCADA

March 11, 2013

I spent some time playing with Shodan over the weekend, neat tool!! Since SCADA is popular, I searched for those devices and poked around a bit, but nothing intrusive. It looks like Clorius Controls A/S makes a product called ICS SCADA. I noticed a couple of minor vulnerabilities:

1. The Server HTTP header makes the devices easy to fingerprint:

HTTP/1.1 200 OK
Server: ISC SCADA Service HTTPserv:00001
Date: Sun, 03 Feb 2013 00:41:51 GMT
Cache-Control: no-cache, max-age=0, must-revalidate
Content-Type: text/html
Content-Length: 879
Last-Modified: Wed, 24 Jun 2009 02:07:04 GMT

2. /html/info.html reveals the firmware version, internal IP, and MAC address of the device without authenticating. Output from two live examples:

Firmware Version 00.00.0110
Script Version 01.01.00
IP-adresse 172.64.1.100
AI 0
AO 0
DI 0
DO 0
MAC-adresse 0026B980A7C1

Firmware Version 00.00.0095
Script Version 01.01.00
IP-adresse 192.168.1.100
AI 0
AO 0
DI 0
DO 0
MAC-adresse 00215E95D34E
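As an added example (not code from these posts or from either vendor), here is a small Python checker a defender can run over HTTP responses captured from their own network to flag the device families described above, note whether the page was served without an authentication challenge, and pull the info-page fields into an asset-inventory record. The banner-to-family map and the sample response are constructed from the Server headers and info.html output quoted in the posts.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Server banners quoted in the posts, mapped to the device family they identify
# (constructed lookup; extend with banners from your own inventory).
KNOWN_BANNERS = {
    "z-world rabbit": "AMT PBN CPON-100 / OSLAM-8G web UI",
    "isc scada service httpserv": "Clorius Controls ICS SCADA",
}

@dataclass
class Finding:
    family: Optional[str]
    unauthenticated: bool = False
    fields: dict = field(default_factory=dict)

def split_response(raw: str):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def fingerprint(server_header: str) -> Optional[str]:
    """Return the device family for a Server header value, or None if unknown."""
    s = server_header.lower()
    return next((fam for pfx, fam in KNOWN_BANNERS.items() if s.startswith(pfx)), None)

def parse_info_page(body: str) -> dict:
    """Parse the 'Label value' lines of /html/info.html (e.g. 'IP-adresse 172.64.1.100')."""
    fields = {}
    for line in body.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z -]*?)\s+(\S+)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def assess(raw: str) -> Finding:
    """Build an inventory finding: family, served-without-auth flag, disclosed fields."""
    status, headers, body = split_response(raw)
    fam = fingerprint(headers.get("server", ""))
    # A 200 with no WWW-Authenticate challenge means the page was served unauthenticated.
    unauth = status.startswith("HTTP/1.1 200") and "www-authenticate" not in headers
    return Finding(family=fam, unauthenticated=unauth, fields=parse_info_page(body) if fam else {})

# Constructed sample: headers and body assembled from the values quoted in the post.
SAMPLE = ("HTTP/1.1 200 OK\r\nServer: ISC SCADA Service HTTPserv:00001\r\n"
          "Content-Type: text/html\r\n\r\nFirmware Version 00.00.0110\nScript Version 01.01.00\n"
          "IP-adresse 172.64.1.100\nAI 0\nAO 0\nDI 0\nDO 0\nMAC-adresse 0026B980A7C1\n")
```

Feed `assess()` one response at a time; a finding with a known family and `unauthenticated=True` is a device whose management page should be put behind access controls or taken off the reachable network.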