Archive for January, 2014

Trimble SPS Receiver Web Interface Default Admin Credentials

January 31, 2014

Trimble Navigation Limited SPS Receiver (Shodan search) contains default admin credentials for the web interface. This family of receivers comprises the SPS Modular receivers (SPS852/SPS552H/SPSx51/SPSx50), the SPSx61 Modular GPS Heading receivers, and the SPS882 Smart GPS antenna. According to the manual the defaults are admin / password. I confirmed this on firmware version 4.41.

[image: trimble]

OpenVox VoxStack Wireless Gateway Multiple Vulnerabilities

January 30, 2014

OpenVox VoxStack Wireless Gateway (Shodan search) has several vulnerabilities. I tested the VS-GGU-E2M0400 with software versions 1.0.7, 1.1.4 and 1.1.7.

#1 Web Interface Default Admin Credentials

There is a blog about this system that mentions the default credentials of admin / admin.

#2 /cgi-bin/php/system-login.php Cleartext SSH Credential Disclosure

The /cgi-bin/php/system-login.php script will return the current SSH credentials in cleartext. By default the web interface operates over HTTP too.

[image: voxstack-01]

#3 /cgi-bin/php/network-ddns.php Cleartext DDNS Credential Disclosure

Like the previous script, this one returns the DDNS credentials in cleartext.

[image: voxstack-02]

#4 /cgi-bin/php/system-tools.php Cleartext System Information Disclosure

The /cgi-bin/php/system-tools.php script has a “Backup Configuration” feature that sends config-1.1.7.tar.gz (where 1.1.7 is the software version); the archive includes /etc/passwd among other system files.

Polycom KIRK Wireless Server 6000 Multiple Vulnerabilities

January 29, 2014

Polycom KIRK Wireless Server 6000 (Shodan search) contains a couple of flaws. I tested the following firmware: PCS13A_ Build 40450 and PCS05B_ 25258.

#1 Default Admin Credentials

According to the manual the web interface has default credentials.

The default user name of the system is admin and the default password of the system is ip6000. It is strongly recommended to change the password, refer to “Changing System User Name and Password” on page 15-2.

#2 Default HTTP Transport

By default the device uses HTTP, so all traffic, including the admin credentials, is transmitted in cleartext:

[image: kirk-01]

Audemat FMB80 RDS Encoder Default root Credentials

January 28, 2014

“…The Audemat FMB80 RDS encoder is considered by many to be the industry standard. With over 10,000 encoders in use by broadcasters all over the world, Audemat has a wealth of experience and a well-deserved reputation for innovation and excellence. The heart of the FMB80 is the IP2 system, an Audemat innovation that puts the power of an entire computer inside the encoder. The IP2 system allows for great flexibility in configuration and communication, including the ability to ‘tunnel’ through the FMB80s’ Ethernet ports and establish serial communication with other devices. IP2 also allows the FMB80 to communicate via a serial port or over a TCP/IP connection, and in various data protocols such as EBU -UER SPB490, UECP and ASCII…”

The Audemat FMB80 RDS Encoder (Shodan search) contains default root credentials for the telnet service according to the manual.

By default, the FMB 80 is delivered with one user defined, login “root” password “root” with a userlevel of Root.

Audemat-Aztec FMB80 RDS Encoding

AZTEC Radiomedia ‘FMB80’ Telnet server
You are Client No. 1 out of 5
User:root
Password:****
Type HELP for list of commands
🙂
help
*** FMB80 : HELP COMMANDS ***

HELP.APPLI : Application specific help commands
HELP.BASIC : BASIC Interpreter commands help
HELP.DNS : DNS client commands help
HELP.EVENTS : Events commands help
HELP.FILE : File system commands help
HELP.FTP : FTP server commands help
HELP.FTP_CLIENT : FTP client commands help
HELP.HTTP_CLIENT : HTTP client commands help
HELP.HISTO : Log file commands help
HELP.MAIL : E-mail client commands help
HELP.MULTICAST : Multicast group commands help
HELP.NETCOM : NETCOM help commands
HELP.NETWORK : Network commands help
HELP.PPP : PPP commands help
HELP.SCHEDULER : SCHEDULER rules and commands help
HELP.SNMP : SNMP agent commands help
HELP.SYSTEM : System commands help
HELP.TIMERS : Timers commands help
HELP.TELNET_CLIENT : Telnet client commands help
HELP.UDP : UDP client/server commands help
HELP.USERS : Login and password table commands help
HELP.WEB : Web server commands help
HELP.SNTP : SNTP commands help
HELP.APPLI
*** FMB80 : OTHER HELP COMMANDS ***

HELP.RDS.SYSTEM Help on RDS System Commands
HELP.RDS.ENCODER Help on RDS Encoder Commands
HELP.RDS.SCROLL Help on RDS RT & PS scroll Commands
HELP.DSN Help on RDS Data Set related Commands
HELP.PSN Help on RDS Programme Service related Commands
HELP.STATUS Help on Supervision Related Commands
HELP.REL Help on Relay Output related Commands
HELP.DIG Help on Digital Input related Commands
HELP.TEMP Help on Temperature Sensor related Commands
HELP.RDS.ENCODER
*** FMB80 : RDS ENCODER CONFIGURATION COMMANDS HELP ***

BYPASS=i RDS ON i=0, RDS OFF i=1
LEVEL=i, LEVEL? Set/Display RDS Output level i=1-3199
PHASE=i, PHASE? Set/Display RDS Output phase i=0-359
SYNCHRO=X, SYNCHRO? Set/Display Sync mode X= AUTO, EXT or INT
PILOT? Display Pilot detection status
CT.OFFSET=i Local Time Offset X 1/2HR -24 to +24
(See CENELEC prEN 50067:1998 page 28)
CT=i Enable(1)/Disable(0) Group 4 Transmission
TA.CONTROL=a,b,c a=Min no. of grps between two 14B/15B grps
TA.CONTROL.{MIN|ON|OFF}=n n=0-15
EONTA.CONTROL=a,b,c b(,c)=No. of 14B/15B grps at TA=1(,0) transition
EONTA.CONTROL.{MIN|ON|OFF}=n n=0-15
PST=i Character code table selection i=0-3
RADIOTEXT=X X=LONG Broadcast 64 chars, X=SHORT Broadcast text only
REP_2A=i Enable(1)/Disable(0) 2A-group repetition
when sending a new radiotext.
GSIZE.CYC=i Maximise Cyclic buffer size for group i=0-15 or all, 16
GSIZE.PRIORITY=g Set Cyclic buffer priority g=0A-15B
DSN.CURR=i Select Data Set for transmission i=1-6
DSN(n).LIST=a,b,c,d,… Create Data Set with Main PSN a, EON PSN,s b,c etc
n=1 to 6 (Current DSN not accepted)
DSN(d).PSN(p).EON={1|0} Enable(1)/Disable(0) EON’s in DSN d and PSN p
GROUPS=i Set groups retransmission i=00000000-FFFFFFFF
RDS.IN=i Set GROUPS mode i=0-4
ALPHA=, Send alphanumeric message (80 char)
NUM10=, Send numeric message (10 digits)
(gv: see prEN 50067:1997, page 19 for valid codes)
ODA.gv.AID=xxxx Set AID (x=0-9, A-F)
ODA.gv.MSG=xxxx Set MSG (x=0-9, A-F)
ODA.gv.MSG2=xxxx Set MSG2 (x=0-9, A-F)
ODA.gv.TO=n Set TO (n=0-255)
ODA.gv.REPEAT=n Set REPEAT (n=0-15)
ODA.gv.SPACE=n Set SPACE (n=0-15)
ODA.gv.NB=n Set NB (n=1-60)
ODA.gv.WINDOW=n Set WINDOW (n=0-60)
ODA.gv.DELAY=n Set DELAY (n=1-59)
ODA.RPGS=g1,g2,… Set relative priority
PILOT?
1
HELP.DSN
*** FMB80 : DSN CONFIGURATION COMMANDS HELP ***

DSN=D Set Data Set ‘D’ for DSN and PSN configuration, D=0-6
DSN Display DSN config for DSN D

‘DSN(d).’ may go before next DSN commands
LIST=a,b,c,d,… Make PSN list a=0-255

More Routers Vulnerable to RomPager Authentication Bypass

January 27, 2014

As discussed on prior blogs there are more routers that are vulnerable to the RomPager /rom-0 bypass:

D-Link DSL-2520U 1.08 Hardware Version: B1
D-Link DSL-2740R EU_1.13 Hardware Version: A1
AirLive WT-2000ARM 2.11.6.0(RE0.C29)3.7.6.1

While playing around it also seems that the D-Link routers frequently have a password of ‘263297’ making me think it is a default!

Zyxel Prestige 782R Authentication Bypass

January 26, 2014

The Zyxel Prestige 782R router (Shodan search) suffers from the RomPager /rom-0 bypass mentioned on earlier blogs.

If you request the /rom-0 file it does not require authentication. This can be reversed using available tools like the one at http://50.57.229.26/zynos.php. The first string returned is the admin password.

Ultimately this is due to the router using the RomPager web server, which can be identified from the HTTP Server header:

Server: ZyXEL-RomPager/3.02
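The following is an added detection example, not code from the original blog: it runs over web-server or reverse-proxy access logs and flags the unauthenticated disclosure paths named in the posts above (the RomPager /rom-0 dump here, and the OpenVox /cgi-bin/php/*.php scripts from the January 30 post), and it extracts the RomPager version from a Server header so affected devices can be inventoried. The log lines, IP addresses and timestamps are constructed for illustration.

```python
import re

# Paths the posts above identify as returning sensitive data without
# authentication (RomPager /rom-0 config dump, OpenVox cgi-bin scripts).
SENSITIVE_PATHS = {
    "/rom-0": "RomPager config dump; first string is the admin password",
    "/cgi-bin/php/system-login.php": "OpenVox cleartext SSH credentials",
    "/cgi-bin/php/network-ddns.php": "OpenVox cleartext DDNS credentials",
    "/cgi-bin/php/system-tools.php": "OpenVox config backup including /etc/passwd",
}

# Common/combined log format as written by Apache, nginx or a reverse proxy.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Server header pattern, e.g. "ZyXEL-RomPager/3.02" as seen on the page.
ROMPAGER_RE = re.compile(r"RomPager/(\d+(?:\.\d+)*)")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec


def flag_requests(lines):
    """Return (src, path, status, verdict, reason) for every request to a sensitive path.

    A 200 means the device handed the data over ("DISCLOSED"); any other status
    is still worth recording because it shows that someone asked ("PROBED").
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = SENSITIVE_PATHS.get(rec["path"])
        if reason is None:
            continue
        verdict = "DISCLOSED" if rec["status"] == 200 else "PROBED"
        hits.append((rec["src"], rec["path"], rec["status"], verdict, reason))
    return hits


def rompager_version(server_header):
    """Return the RomPager version from an HTTP Server header such as
    'ZyXEL-RomPager/3.02', or None when the header does not identify RomPager."""
    m = ROMPAGER_RE.search(server_header or "")
    return m.group(1) if m else None


# Constructed sample log lines (not from the blog), using documentation IP ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Jan/2014:10:14:02 +0000] "GET /rom-0 HTTP/1.1" 200 16384',
    '203.0.113.5 - - [27/Jan/2014:10:14:09 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [30/Jan/2014:11:02:33 +0000] "GET /cgi-bin/php/system-login.php HTTP/1.1" 200 2048',
    '198.51.100.9 - - [30/Jan/2014:11:03:01 +0000] "GET /cgi-bin/php/system-tools.php?action=backup HTTP/1.1" 401 -',
    "not a log line at all",
]

if __name__ == "__main__":
    for src, path, status, verdict, reason in flag_requests(SAMPLE_LOG):
        print(f"{verdict:9} {src:14} {path} ({status}) - {reason}")
    print("RomPager version:", rompager_version("ZyXEL-RomPager/3.02"))
```

The affected routers do not keep useful access logs themselves, so in practice this runs over logs from a perimeter proxy, IDS or the upstream web server that fronts the management interface; a DISCLOSED hit on /rom-0 should be treated as the admin password being compromised, and the fix is to keep the management interface off the WAN side and change the password.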

S3 9071 Mini Dome IP Camera Web Interface Default Admin Credentials

January 25, 2014

The S3 9071 Mini Dome IP Camera (Shodan search) contains default admin credentials. Tested on firmware versions V1.07_STD-1 and V1.09.1_STD-1:

user: 3sadmin
password: 27988303

Dedicated Micros Pick-a-Point Default User Password

January 24, 2014

The Dedicated Micros Pick-a-Point is a dedicated IP keyboard solution with joystick control and has a default user password according to the manual.

1 On power up the unit will automatically load the software application.
2 Log Off with the User password 9999.
3 Log in to the application using the provided Installer logon.

ZTE Routers Multiple Vulnerabilities

January 23, 2014

The ZTE ZXV10 W300 router (Shodan search) is really a TP-Link router, judging by the identical web interface. According to the manual it has default credentials.

Enter the default user name admin and password admin, and then click the OK button to enter the main page for configuration, as shown in Figure 6.

[image: zte1]

It also uses RomPager and is vulnerable to the authentication bypass mentioned in previous blogs. Request the /rom-0 binary and reverse it using this tool. The first string is the admin password. Tested on firmware version W300V1.0.0a_ZRD_CO3.

The ZXDSL 831CII from ZTE does not look like a TP-Link router. It’s either their own code or a different vendor’s. It suffers from the RomPager /rom-0 bypass though.

Software Version = ZXDSL 831CIIV2.2.1a_Z43_MD
ADSL Firmware Version = FwVer:3.12.8.201_TC3086 HwVer:T14.F7_7.0

ZyXEL P-660RU-T1 Router Web Interface Default Credentials

January 22, 2014

The ZyXEL P-660RU-T1 router has a default password of ‘1234’. Further, it is sent to you on initial setup:

[image: zyxel01]

[image: zyxel02]

This can be verified by reading the manual:

[image: zyxel03]

Tested on V3.40(APU.0) | 09/18/2006