Archive for May, 2013

Sunday Shodan defaults

May 12, 2013

Messing around with Shodan again; it's addictive! Found some issues via the recent searches. I didn't find these myself, just saw the searches already performed and verified the defaults using the vendors' web sites:

[Image: 3com-officeconnect-vpn-firewall-default_pass]
The 3com OfficeConnect VPN Firewall has a default password and is nice enough to tell you what it is when you connect! Kind of defeats the purpose of a security device…

[Image: vmax-default]
The VMAX Web Viewer by Digital Watchdog (identifiable via the “Server: Boa/0.94.13” header) has its manual online, and the manual shows that the default ‘admin’ account has no password.

[Image: cudatel]
The CudaTel Communications Server has a default account of ‘admin’ and a default password of ‘admin’.

[Image: zywall5-1]
[Image: zywall5-2]
ZyWall firewalls have a default password of ‘1234’ for the Web Configurator. Even if the password has been changed, the system still sends the default in the first login connection.

While verifying that default, I saw that the MultiTech RouteFinder Internet Security Appliance (models RF850 and RF860, and probably more) has a default account of ‘admin’ and a default password of ‘admin’.

The SonicWall TZ Series firewalls have a default account of ‘admin’ and a default password of ‘password’.

Echelon i.LON Defaults

May 10, 2013

Vendor: Echelon Corporation

Many of their products come with a default login and password. From one of the manuals:

If a login dialog appears, enter ilon for both the User Name and the Password and then click OK.

I confirmed this works for the following products:

i.LON 600 LonWorks/IP Server
i.LON 100e4 Internet Server
i.LON SmartServer 2.0
i.LON SmartServer – Echelon Building Energy Management Solution

Not sure, but that last one sounds like it is SCADA. Since ICS-CERT took the disclosure case and did not dismiss it, I guess it is considered SCADA.

Discovered: 2013-04-07
Reported to ICS-CERT: 2013-04-10
ICS-CERT ICS-VU-138910 Assigned: 2013-04-10
ICS-CERT closes issue, vendor says password is changeable: 2013-0-10

Followup – I understand the password is changeable, but the fact is that the people using these systems aren't doing it! Vendors need to make the install process force a password change, so that a default password is NOT possible!

Phasefale Controls JouleTemp Three Vulnerabilities

May 6, 2013

Vendor: Phasefale Controls Pty. Ltd.
Product: JouleTemp

According to the documentation, the web interface ships with a default admin password:

“Programming links to settings page ( username [admin] and password [pass] are required.)”

Without authenticating, the splash page will also reveal the internal IP address of the device.

[Image: jouletemp-internal_ip]

Finally, the /set/comment.html page contains a stored XSS (CVE-2013-78009). You get to this page by clicking “Add HACCP Note” and then inserting a standard XSS string in the “Comment” field (the newhaccpcomment parameter). The device doesn't seem to scrub any user input; the comment is stored and rendered as-is.

POST /set/comment.html HTTP/1.1
[..]
newhaccpnote=1&newhaccpcomment=%22%3E%3Cscript%3Ealert%28%27document.cookie%27%29%3C%2Fscript%3E++&eventlogid=1
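To show why the comment above lands in the page as live markup, and what closes the hole, here is an added Python example (my own illustration, not the JouleTemp firmware's code). The parameter names and the request body are the ones quoted above; the note storage and the two HTML renderings are constructed stand-ins for whatever the device actually does.

```python
import html
from urllib.parse import parse_qs

# Constructed: the request body quoted in the post, as the server would receive it.
POST_BODY = (
    "newhaccpnote=1&newhaccpcomment=%22%3E%3Cscript%3Ealert%28%27document.cookie%27%29"
    "%3C%2Fscript%3E++&eventlogid=1"
)

NOTES = []  # constructed stand-in for the device's stored HACCP notes


def store_note(body):
    """Decode the form post and store the comment verbatim, as the device appears to.

    parse_qs percent-decodes the value and turns '+' into spaces, so the stored
    comment already contains raw quotes and angle brackets.
    """
    form = parse_qs(body)
    comment = form.get("newhaccpcomment", [""])[0]
    NOTES.append({"note": form.get("newhaccpnote", [""])[0], "comment": comment})
    return comment


def render_vulnerable(comment):
    # Attribute value interpolated without escaping: the leading "> in the stored
    # comment closes the attribute and the tag, and the rest becomes live markup.
    return f'<input name="newhaccpcomment" value="{comment}">'


def render_fixed(comment):
    # html.escape(quote=True) rewrites < > & " and ' as entities, so the stored
    # comment is displayed as text and can no longer break out of the attribute.
    return f'<input name="newhaccpcomment" value="{html.escape(comment, quote=True)}">'


def contains_live_script(markup):
    """Crude check used here only to compare the two renderings."""
    return "<script>" in markup.lower()


if __name__ == "__main__":
    stored = store_note(POST_BODY)
    print("stored comment :", repr(stored))
    print("vulnerable     :", render_vulnerable(stored))
    print("fixed          :", render_fixed(stored))
```

The fix is output encoding at the point where the comment is written into HTML; rejecting input with a blacklist would miss payloads that do not contain the literal string shown here.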

Discovered: 2013-02-13
Reported to ICS-CERT: 2013-04-10
ICS-CERT passed to CERT/CC: 2013-04-19
CERT/CC assigns VU#647752: 2013-04-25
CERT/CC says issues too low risk to coordinate disclosure: 2013-05-06