Archive for December, 2013

Comrex Audiocodes MP-114 Gateway Default Credentials

December 31, 2013

The Comrex Audiocodes MP-114 gateway (Shodan search) contains default administrative credentials according to the manual.

Once this is accomplished, open a browser and key in the default MP-114 address of 10.1.10.11 to open
the main config page. The username and password are Admin / Admin (upper case “A” required).

AXESS TMC X1 / X2 Multiple Vulnerabilities

December 30, 2013

AXESS TMC makes a set of terminals that manage Time & Attendance as well as Access Control. For example the X1 and X2 perform a lot of functions in a compact unit and still offer remote management capability (Shodan search and look for “X1/X2 Configuration”).

These devices have default administrator credentials for the web and FTP interface: admin / admin

As an admin you can gain access to other passwords due to them being stored in plaintext. For the web interface they are shown on the different screens. For FTP (or HTTP browse file menu) they are available in the PARAMETERS.TXT file:

OperatorPassword=00000
RemotePassword=admin

[GPRS]
[..]
User=""
Password=""

[FtpClient]
ServerURL=
User=""
Password=""

[USB]
Enabled=1
PasswordUSB=00000
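
A defender's check for the exposure described above, added here as an example and not taken from the original post or from vendor code: it reads an exported PARAMETERS.TXT and reports every password-like key as empty, set to a default value named on this page, or otherwise stored in plaintext, without echoing the values. The sample text is constructed from the excerpt above; the function name and finding labels are assumptions.

```python
import re

# Default values this page reports for AXESS TMC X1/X2 units.
KNOWN_DEFAULTS = {"00000", "admin"}
SECRET_KEY = re.compile(r"password", re.IGNORECASE)
QUOTES = '"\u201c\u201d'  # straight and typographic double quotes

# Constructed sample modelled on the excerpt above (not a real device export).
SAMPLE = '''\
OperatorPassword=00000
RemotePassword=admin

[GPRS]
[..]
User=""
Password=""

[USB]
Enabled=1
PasswordUSB=00000
'''

def audit_parameters(text):
    """Return (section, key, finding) for every password-like key."""
    findings = []
    section = "(global)"  # keys that appear before any [section] header
    for line in map(str.strip, text.splitlines()):
        if not line or line == "[..]":  # blank line or elision marker
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep or not SECRET_KEY.search(key):
            continue
        value = value.strip().strip(QUOTES)
        if not value:
            finding = "empty"
        elif value in KNOWN_DEFAULTS:
            finding = "default"
        else:
            finding = "plaintext"
        findings.append((section, key.strip(), finding))
    return findings

if __name__ == "__main__":
    for section, key, finding in audit_parameters(SAMPLE):
        print(f"{section:10} {key:18} {finding}")
```
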

There is an XSS vulnerability in /file_manager.cgi (CVE-2013-78000) via file upload as demonstrated here:

[Screenshots: x1-xss1, x1-xss2, x1-xss3]

For red teamers, access to this device could allow for remote disabling of physical security features. The /biometric.cgi page lets you manipulate the biometric sensors or disable them completely if they are already enabled. It isn’t as good as popping the door locks but sure makes it easier for physical access!

[Screenshot: x1-biometrics]

The /access.cgi page can also let you manipulate access controls or disable them completely:

[Screenshot: x1-accesscontrol]

Juniper Web Device Manager (J-Web) Default Admin Credentials

December 29, 2013

Juniper Web Device Manager (Shodan search) installs with several of their routers. This interface is also known as J-Web. Depending on the model it will have different default passwords:

100 Series Manual

Specify the default username as root. Do not enter any value in the Password field.

Models:
SRX100-LM
SRX100B
SRX100H
SRX110H-VA

210/240 Series Manual

Specify the default username as root. Do not enter any value in the Password field.

Models:
SRX210B
SRX210BE
SRX210HE
SRX240-HM
SRX240H

EX2200 Series Manual

On the J-Web login page, type root as the username, leave the password field blank, and click Login.

Models:
EX2200-48T-4G

Note: From these instructions it sounds like it will force you to change the password, which the others don’t say.

EX2500 Series Manual

Enter the account name and password for the switch’s administrator or user account. The default account name is admin, and the default password is admin.

Visual UpTime Select ASE Default Admin Credentials

December 28, 2013

The Fluke Networks Visual UpTime Select Analysis Service Element (ASE) (Shodan search) contains default administrator credentials for telnet access according to the manual.

Bring up the login: prompt by pressing Enter one or more times. At the login: prompt, type admin in lowercase and press Enter. At the Password: prompt, type the ASE password (visual in all lowercase is the default password) and press Enter to bring up the Admin> prompt. For more information about password settings, see “Changing the ASE password.”

Output from a session:

login: admin
Password: ******

Admin> sh

APPFILTER

App Filters are DISABLED.

Application FLOWS and SERVERS will be
collected for all hosts in all subnets.

Local Subnets
==================

CIRCUIT
Circuits In Use = 3 of 155

COMMUNITY

Read-Write Community : private
Public read-only : Yes
Read-Only Community : public

ETHERNET

MAC Address: 00A00E1EAAC5

Interface Eth 1 (SPAN):

Speed: Auto
Actual: 100 Mbps
Duplex: Full

Interface Eth 2 (LAN):

Speed: Auto
Actual: 100 Mbps
Duplex: Full

EVENT

Elapsed Time Event Description
———— —————–
37d-02:39:20 IP Circuit 1030 is Active
37d-02:43:43 IP Circuit 1030 is Inactive
63d-08:34:06 IP Circuit 1030 is Active
63d-21:33:36 IP Circuit 1030 is Inactive
70d-07:29:13 IP Circuit 1030 is Active
70d-07:34:34 Line Status change: LAN interface is UP
70d-07:34:52 Line Status change: WAN interface is UP
70d-07:43:43 IP Circuit 1030 is Inactive
70d-07:44:32 Line Status change: LAN interface is DOWN
70d-07:44:32 Line Status change: WAN interface is DOWN
106d-15:59:13 IP Circuit 1030 is Active
106d-16:03:36 IP Circuit 1030 is Inactive
168d-18:14:14 IP Circuit 1030 is Active
168d-18:18:37 IP Circuit 1030 is Inactive
203d-17:14:14 IP Circuit 1030 is Active
203d-22:03:37 IP Circuit 1030 is Inactive
204d-16:34:06 IP Circuit 1030 is Active
204d-16:43:44 IP Circuit 1030 is Inactive
225d-21:34:06 IP Circuit 1030 is Active
225d-21:36:28 Line Status change: LAN interface is UP
225d-21:36:37 Line Status change: WAN interface is UP
225d-21:44:19 Line Status change: LAN interface is DOWN
225d-21:44:19 Line Status change: WAN interface is DOWN
225d-22:33:36 IP Circuit 1030 is Inactive
229d-18:24:20 IP Circuit 1030 is Active
229d-18:28:43 IP Circuit 1030 is Inactive
235d-18:24:20 IP Circuit 1030 is Active
235d-18:33:36 IP Circuit 1030 is Inactive
236d-17:54:20 IP Circuit 1030 is Active
236d-17:58:43 IP Circuit 1030 is Inactive
241d-16:14:13 IP Circuit 1030 is Active
241d-16:18:36 IP Circuit 1030 is Inactive
241d-20:24:20 IP Circuit 1030 is Active
241d-20:28:43 IP Circuit 1030 is Inactive
260d-03:49:06 IP Circuit 1030 is Active
260d-03:58:44 IP Circuit 1030 is Inactive
334d-23:09:20 IP Circuit 1030 is Active
334d-23:13:43 IP Circuit 1030 is Inactive
420d-10:44:13 IP Circuit 1030 is Active
420d-22:03:36 IP Circuit 1030 is Inactive
438d-15:22:16 Bad SNMP community name from 10.34.43.1
478d-14:24:20 IP Circuit 1030 is Active
478d-14:33:37 IP Circuit 1030 is Inactive
480d-02:34:36 Bad SNMP community name from 10.34.43.1
486d-11:14:13 IP Circuit 1030 is Active
486d-11:18:37 IP Circuit 1030 is Inactive
486d-17:09:19 IP Circuit 1030 is Active
486d-17:18:36 IP Circuit 1030 is Inactive
486d-19:24:19 IP Circuit 1030 is Active

FILTER

Filter Method: MAC

Router
IP Address MAC Dir
—————- —————– —
Filter 1: 10.34.12.253 00:0E:38:EF:E5:08 WAN

ID
Visual UpTime Select IP Transport 10/100 Ethernet Inline ASE

Software version: I 2.5.019 – Feb 20 2007
Serial Number: 0122-0010949
Installed memory: 128M

Protected by U.S. patents: 5,867,483; 5,521,907; 6,058,102;
6,147,998; and 6,564,214.

This product may also be protected by other U.S. or foreign patents.

Copyright (c) 1995-2006 Fluke Corporation(R).
All Rights Reserved.

LAN interface IP Address: 10.34.12.150
LAN interface Subnet Mask: 255.255.255.0
Default Router IP Address: 10.34.12.254

Running for 19 days 21 hours 13 minutes 26 seconds

IP
Management IP address: 10.34.12.150
Management IP subnet mask: 255.255.255.0
SLIP interface address: NONE
SLIP interface subnet mask: NONE
Primary router address: 10.34.12.254

IP Statistics
In Receives: 125806088 Out Requests: 904356
In Delivers: 4243925 Out Discards: 0
In Header Errors: 3 Out No Routes: 0
In Address Errors: 120154348 Reassemble Requests: 8
In Unknown Protocols: 0 Reassemble Oks: 4
In Discards: 0 Reassemble Fails: 0
Datagrams Fragmented: 0 Forwarded Datagrams: 0
Fragments Created: 0
Fragment Fails: 0

LINK

Interface type: Ethernet

PASSWD

SECURITY
The security table is empty

Host address security is DISABLED

SERIAL
Console/SLIP speed : 19200

SITE
NAME:
LOCATION:
CONTACT:

SLA
Inter-ASE messaging: ON
Fixed Local SLA IP Address: 10.34.12.150

SLIP
Connection Type : Dial

SPAN

Span Mode: ON

STATUS
This ASE has been running for 19d-21:13:27.
Ethernet Eth 1 (WAN) link state is up
Ethernet Eth 2 (LAN) link state is up

VLAN

Management VLAN: None (Auto)
SLA VLAN: None

Admin>
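
An audit pass over output like the session above, added here as an example and not part of the original post or any Fluke tooling: it groups the listing by its all-caps section headings, flags well-known SNMP community strings and the disabled host address security, and counts the "Bad SNMP community name" events per source address. The sample is a constructed excerpt in the same layout; the function names and finding wording are assumptions.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the session output above.
SAMPLE = """\
COMMUNITY

Read-Write Community : private
Public read-only : Yes
Read-Only Community : public

EVENT

Elapsed Time Event Description
438d-15:22:16 Bad SNMP community name from 10.34.43.1
478d-14:24:20 IP Circuit 1030 is Active
480d-02:34:36 Bad SNMP community name from 10.34.43.1

SECURITY
The security table is empty

Host address security is DISABLED
"""

WELL_KNOWN = {"public", "private"}  # widely guessed community strings
BAD_SNMP = re.compile(r"Bad SNMP community name from (\S+)$")

def parse_sections(text):
    """Group non-blank lines under the all-caps heading that precedes them."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if re.fullmatch(r"[A-Z]+", line):
            current = sections.setdefault(line, [])
        elif line and current is not None:
            current.append(line)
    return sections

def audit_show(text):
    """Return (posture findings, failed-SNMP counts per source address)."""
    sec = parse_sections(text)
    findings = []
    for line in sec.get("COMMUNITY", []):
        name, sep, value = line.partition(":")
        if sep and "Community" in name and value.strip() in WELL_KNOWN:
            findings.append(f"{name.strip()} is a well-known string")
    for marker in ("The security table is empty",
                   "Host address security is DISABLED"):
        if marker in sec.get("SECURITY", []):
            findings.append(marker)
    hits = (BAD_SNMP.search(event) for event in sec.get("EVENT", []))
    return findings, Counter(m.group(1) for m in hits if m)
```
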

Mediatrix 4102 Default Administrator Credentials

December 27, 2013

Mediatrix 4102/4102S devices (Shodan search) contain default administrator credentials according to the manual.

Version #1 is their native web interface:

Enter the user name public and no password.
You can also use the following values:
User Name: admin
Password: administrator

Version #2 is basic authentication:

Enter the user name root and the password 5678.

[Screenshot: mediatrix]

Dedicated Micros Digital Sprite 2 Default Credentials

December 26, 2013

The Dedicated Micros Digital Sprite 2 camera system (discontinued) has a default user account according to the manual.

It will be necessary to enter a username and password at this point, the default username and password is user and password.

[Screenshot: digitalsprite]

Solwise C1060 IP Camera Default Admin Credentials

December 25, 2013

The Solwise Ltd C1060 IP Camera contains default administrator credentials according to the manual.

By default, administrator’s username is: admin, password is: 123456

Eminent EM4482 IP Camera Default Admin Credentials

December 24, 2013

The Eminent EM4482 IP Camera contains default administrator credentials according to the manual.

You are now asked to enter the username and password of the camera. Enter “admin” in the “Username” field, enter “123456” in the “Password” field

Alvarion Networking Gateway Default Credentials

December 23, 2013

The Alvarion Network Gateway has default credentials for the web interface according to the manual.

The default passwords for the two access levels are:
For Administrators: private
For Users: public

Vilar Multiple IP Camera Multiple Vulnerabilities

December 22, 2013

The Vilar IP Camera model IP-001A is probably the Monacor VWC-300PT camera under different branding. Even the manual uses the VWC-300PT header but refers to it as the Vilar elsewhere! The Vilar IP-001A running firmware 1.1.0.32 has default administrative credentials:

After that click [ok] and then enter the administrator’s username as “admin” and the administrator password as “123456”.

There is also a stored cross-site scripting vulnerability in the /setup/user_account.html page. If you create a user (even with guest privileges) and use an XSS payload for the name, it will save it and render it on subsequent loads (after it reboots the camera). The URL of this page is http://[target]/cgi-bin/action?action=loadpage&page=/setup/user_account.html&lang=eng but once you input the information it actually gets updated using the http://[target]/cgi-bin/action script. Example payload:

action=write&cfg_content=useraccount&lang=eng&Account_Name1=admin&Account_passwd1=**********&Account_access1=4&Account_Name2=user&Account_passwd2=**********&Account_access2=2&Account_Name3=roger&Account_passwd3=**********&Account_access3=2&Account_Name4=guest&Account_passwd4=**********&Account_access4=1&Account_Name5=df"><script>alert('DF')</script>&Account_passwd5=df&Account_access5=1&Account_access6=0&Account_access7=0&Account_access8=0&Account_allowVisit=0&submit=Apply

[Screenshot: vilar-xss1]
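
The two controls whose absence makes the stored XSS above possible, added here as an example and not taken from the original post or the camera firmware: an allowlist applied to every Account_NameN field when the form is submitted, and attribute-safe encoding when a stored name is written back into the page. The name policy, the function names and the assumption that the name is rendered inside an input value attribute are illustrative; the request body is constructed in the shape of the one shown above.

```python
import html
import re
from urllib.parse import parse_qsl

# Assumed policy (not from the vendor): short names from a fixed alphabet.
NAME_OK = re.compile(r"[A-Za-z0-9_.-]{1,16}")
NAME_FIELD = re.compile(r"Account_Name\d+")

# Constructed request body in the shape of the one shown above.
SAMPLE_BODY = (
    "action=write&cfg_content=useraccount&lang=eng"
    "&Account_Name1=admin&Account_access1=4"
    "&Account_Name5=df%22%3E%3Cscript%3Ealert(%27DF%27)%3C%2Fscript%3E"
    "&Account_access5=1&submit=Apply"
)

def rejected_names(body):
    """Return the Account_NameN fields whose decoded value fails the allowlist."""
    bad = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        if NAME_FIELD.fullmatch(key) and not NAME_OK.fullmatch(value):
            bad.append(key)
    return bad

def render_name_field(index, value):
    """Second layer: encode on output so a stored name cannot close the attribute."""
    safe = html.escape(value, quote=True)  # escapes & < > " and '
    return f'<input name="Account_Name{index}" value="{safe}">'

if __name__ == "__main__":
    print("rejected:", rejected_names(SAMPLE_BODY))
    print(render_name_field(5, "df\"><script>alert('DF')</script>"))
```
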