Archive for April, 2013

Java headaches!!

April 18, 2013

A popup says Java has a new version, I click to install. Windows dialog says I have the latest version. Since Oracle just upgraded to fix a ton of vulnerabilities that seemed wrong. When I checked, I was on Java 7 Update 17, and Update 21 is the current! How can Oracle miss that?? And its weird that avast! has been warning me when Flash, Air, and Opera are out of date, but didn’t warn me once that my Java version was that old. No wonder desktops get owned so often!

Lastly, quit asking me to install this dang toolbar Oracle! No one likes it and many consider it malware!!

asktoolbar

Several Huawei Defaults

April 11, 2013

Huawei SmartAX MT880/MT880i/MT800u-T
Product LinkManual
Shodan: WWW-Authenticate: Basic realm=”Huawei SmartAX MT880″

By default, both the user name and the password are admin.

#####

Huawei EchoLife HG532 Home Gateway
Manual

You can log in to the Web-based configuration utility by entering the default user name and password that are admin.

User name used for logging in to the Web-based configuration utility – admin
Password used for logging in to the Web-based configuration utility – admin

#####

Huawei Aolynk BR104 / Huawei-3COM BR104 / H3C Aolynk BR104
Manual
Shodan: HUAWEI-3COM BR104

The default is admin / admin.

Electro Industries GaugeTech Multiple Vulnerabilities

April 11, 2013

Vendor: Electro Industries GaugeTech (also marketed under ‘GE Power Leader Web Solutions’ it appears)
Products:
Nexus 1250
Nexus 1262
Nexus 1272
Nexus 1500
Product link: http://www.electroind.com/dl_page_nexus-meters.html
Shodan: EIG Embedded Web Server

By default, unauthenticated access, can get information on the power meter as well as:

http://host/meter_information.htm
Reveals internal IP and gateway
gaugtech-ip

According to the Nexus 1500 manual:

NOTE: If password protection is not enabled for the meter, the default username and password are both “anonymous”.

With that default, you can access http://host/update1.htm and upload custom/malicious firmware.

Discovered: 2013-04-10
ICS-CERT notified: 2013-04-11

LaCie 2big Network 2 Unauthenticated Remote Information Disclosure

April 10, 2013

Vendor: LaCie
Product: 2big Network 2

On Shodan, you can search these devices via the following string:

Server: lighttpd/1.4.28-devel-7925

Note that the device has a default “admin” account, and the default password is “admin”. But that isn’t needed to exploit this issue!

By loading the web interface of the device, the login page will appear. In the background, it causes your browser to make several API requests against the server as well. These requests are not over SSL, and can return sensitive information.

POST /api/v2/system/info HTTP/1.1

<product_id>
2bignetwork2
</product_id>
<software_version>
2.2.9.1
</software_version>
[..]
<product_name>
2big Network 2
</product_name>

POST /api/v2/system/general HTTP/1.1

<workgroup>
DARIUS
<ntpServer>
pool.ntp.org
<hostname>
Darius-Backup
<timezone>
Europe/Amsterdam
<system_version>
2.2.8.3

POST /api/v2/system/smtp HTTP/1.1

<smtp_auth_user>
darius.freamon@gmail.com
<smtp_auth_pwd>
mYpassw0rdn0treally
<smtp_server>
mail.google.com

Discovered: 2013-04-07