Archive for April, 2015

Fortinet FortiGate 50B Default Admin Credentials

April 30, 2015

The Fortinet FortiGate 50B firewall appliance does not enforce good password security. By default the admin account comes with a blank password instead of forcing the admin to set a secure password during installation. From the quick start guide:

[Image: fortinet-50b]

The full admin guide shows it as well:

Set a strong password for the admin administrator account, and change the password regularly. By default, this administrator account has no password. Failure to maintain the password of the admin administrator account could compromise the security of your FortiGate unit.


Niagara AX Tridium Fox Protocol Remote Information Disclosure

April 29, 2015

The NiagaraAX platform supports the Tridium Fox tunneling protocol to communicate between two stations. By default the Fox tunneling protocol will be found on TCP port 1911 for NiagaraAX (version 3.3 and likely most others), which is the proxy server component. While using Shodan I saw that the port gives up system information without authenticating. When searching for information on how the protocol works I found that Digital Bond already wrote an Nmap NSE script to interface with the port and enumerate information! This saved a lot of time! This port will give up the protocol version, internal IP address (sometimes), Niagara-AX application name and version, Java client and version, OS, a host ID and VM UUID. Some systems can also give up time zone, brand ID, and other system information.

df:/tmp/ # nmap -p 1911 --script fox-info.nse 1.2.3.4

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-17 15:37 MDT
Nmap scan report for 1.2.3.4 (1.2.3.4)
Host is up (0.22s latency).
PORT STATE SERVICE
1911/tcp open Niagara Fox
| fox-info:
| Fox Version: 1.0.1
| Host Name: 192.168.1.222
| Host Address: 192.168.1.222
| Application Name: Station
| Application Version: 3.7.106.8
| VM Name: Java HotSpot(TM) Client VM
| VM Version: 1.5.0_34-b28
| OS Name: QNX
| Host ID: Qnx-NPM6E-0000-15F8-5632
| VM UUID: 11d4ee1b-e043-31a8-0000-000000008605
|_ Brand ID: webeasy.products

Nmap done: 1 IP address (1 host up) scanned in 1.60 seconds
df:/tmp/ #
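For reviewing what your own station discloses on this port, the following added example (not from the original post or from Digital Bond) parses saved fox-info output in the format shown above and sorts the fields into review categories. The function names and the category sets are assumptions made for this illustration.

```python
import ipaddress
import re

# Sample trimmed from the scan output shown above.
SAMPLE = """\
| fox-info:
| Fox Version: 1.0.1
| Host Name: 192.168.1.222
| Host Address: 192.168.1.222
| Application Version: 3.7.106.8
| OS Name: QNX
| Host ID: Qnx-NPM6E-0000-15F8-5632
|_ Brand ID: webeasy.products
"""

FIELD = re.compile(r"^\|_?\s*([^:|]+):\s*(.+?)\s*$")
ADDRESS_FIELDS = {"Host Name", "Host Address"}  # categories are assumptions
VERSION_FIELDS = {"Fox Version", "Application Version", "VM Version", "OS Name"}
ID_FIELDS = {"Host ID", "VM UUID"}

def parse_fox_info(text):
    """Return {field: value} for the lines under the '| fox-info:' header."""
    fields, in_block = {}, False
    for line in text.splitlines():
        m = FIELD.match(line)
        if line.strip() == "| fox-info:":
            in_block = True
        elif in_block and m:
            fields[m.group(1).strip()] = m.group(2)
            in_block = not line.startswith("|_")  # "|_" marks the last line
    return fields

def is_private(value):
    try:
        return ipaddress.ip_address(value).is_private
    except ValueError:  # a DNS name rather than an address literal
        return False

def findings(fields):
    """Return (category, field, value) for each disclosure worth reviewing."""
    out = []
    for name, value in fields.items():
        if name in ADDRESS_FIELDS and is_private(value):
            out.append(("internal-address", name, value))
        elif name in VERSION_FIELDS:
            out.append(("version", name, value))
        elif name in ID_FIELDS:
            out.append(("identifier", name, value))
    return out
```

Any finding returned for a port reachable from outside the control network is information handed to unauthenticated clients, which is the case for restricting TCP 1911 to the stations that need it.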

Cybertec Series 2000 3G Modem / Router Default Admin Credentials

April 28, 2015

The Cybertec Series 2000 3G Modem / Router has a web interface with default administrator credentials according to the manual.

Connecting to the Series 2000 Web Server
• Open a web browser on the PC and browse to 10.10.10.10 (the default Series 2000 IP address).
• A login box similar to Figure 20 will pop up. If the box fails to display, re-check the cable connections to the unit and the IP address settings of the PC.
• Enter the following login details:
• User Name: admin
• Password: admin

LogicalDoc Community Edition Default Admin Password

April 27, 2015

LogicalDoc comes with default admin credentials according to their wiki:

Setup
Perform the LogicalDOC Setup procedure using admin/admin as username/password in order to access the protected setup section.

First Login
Log in to LogicalDOC using user “admin” with password “admin”.

Advantech WebAccess Default Credentials

April 26, 2015

[Image: advantech]

Advantech WebAccess is a “browser-based HMI and SCADA software” that controls many of their products. According to the manual, it has default administrative credentials:

3.1.1 Default Login – Name and Password
1. In the Login Name field type: admin
2. Leave Password field blank (i.e. no password).

CAREL pCOWeb Multiple Default Accounts

April 25, 2015

On May 23, 2013 xistence posted an advisory to Packetstorm warning of two shell accounts on CAREL pCOWeb devices that had blank passwords. In addition to that, there are four accounts for different services with default passwords as well. According to the manual for pCOWeb:

ACCESSING THE USER MEMORY VIA FTP PROCEDURE
Figure 4.c – SmartFTP™: creating a new “Remote Browser”
1. Download, install and run SmartFTP™ on the PC.
2. Create a new “Remote Browser” and enter the data as shown in the Figure 4.c below.
NOTE: The IP address should be replaced with the address of the pCOWeb; the default Username and Password are: httpadmin / fhttpadmin; paragraph 9.7.2 on page 50 describes how to change this information, and paragraph 9.3 on page 43 shows how to read the current information.
The following examples assume that the current data being used are httpadmin / fhttpadmin and the IP address is 10.0.0.145.

Whenever the configuration of the Logger is changed during the day, pCOWeb retains the values saved until that moment but updates the first three lines of the header (see Figure 5.f – left); if the selection of the logged variables is changed and the records saved until that moment need to be retained, proceed as follows:
1. before changing the configuration, save the data to the PC by first selecting Update cvs file and graph, then Download all the cvs and graphs;
2. disable all the variables currently selected for logging;
3. manually delete the file “history_diskbuffer” in the /usr/local/root/flash/http/cache directory by accessing the pCOWeb via FTP, with the “root” Username / Password (default “froot”); make sure not to modify other files / directories in this phase, as the “root” Username, in opposition to the case of “httpadmin”, has no restrictions;
4. reboot pCOWeb;
5. then restart the Logger, selecting the new variables for logging.

9.2.1 Authentication dialogue box for accessing the Administrator area
Following the previous points, an authentication dialogue box is displayed on the PC screen (Figure 9.a on page 40); complete the fields with the access information, then select OK.
The default settings are:
Username: admin Password: fadmin

View factory bootswitch parameters: shows a summary of the factory settings that pCOWeb will use if rebooted with the button pressed (see 3.1.2 on page 12);
– DEFIP / DEFNETM: IP address / subnet mask;
– PROOT / PHTTP / PCAREL / PGUEST: password respectively for the “root” / “httpadmin” / “carel” / “guest” Usernames in the operating system running on pCOWeb (see 9.7.2 on page 50).

Rockwell Automation 176x PLC Controllers Remote Information Disclosure

April 24, 2015

Allen-Bradley is a division of Rockwell Automation that makes a line of programmable logic controllers (PLC) under the MicroLogix and CompactLogix brands. Several models have a web interface that doesn’t require authentication. These include:

This allows a remote attacker to get a lot of information, including:

  • Internal IP address (/index.html?redirect=/home.asp and /diagnetwork.asp)
  • List of remote IP connections (/rokform/advancedDiags?pageReq=tcpconn)
  • Network settings
  • Application connections
  • Bridge connections
  • Ethernet statistics
  • Ring statistics
  • Network diagnostics
  • System data
  • Event log
  • Assert log
  • ... and more
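To spot reads of these pages from outside the engineering network, the following added example (not from the original post or from Rockwell) scans HTTP access logs for the paths listed above. It assumes a reverse proxy or network sensor in front of the PLC that writes combined-format lines; the log lines are constructed and the management subnet 10.20.0.0/24 is a placeholder.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

MGMT_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed engineering subnet
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

# Constructed access-log lines (combined format); addresses are documentation ranges.
LOGS = [
    '203.0.113.7 - - [24/Apr/2015:10:01:02 +0000] "GET /rokform/advancedDiags?pageReq=tcpconn HTTP/1.1" 200 4312',
    '10.20.0.15 - - [24/Apr/2015:10:02:10 +0000] "GET /diagnetwork.asp HTTP/1.1" 200 2311',
    '198.51.100.23 - - [24/Apr/2015:10:03:44 +0000] "GET /index.html?redirect=/home.asp HTTP/1.1" 200 1870',
    '198.51.100.23 - - [24/Apr/2015:10:03:51 +0000] "GET /diagnetwork.asp HTTP/1.1" 401 0',
    '203.0.113.7 - - [24/Apr/2015:10:04:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
]

def disclosure(target):
    """Map a request target to the data the list above says it exposes."""
    url = urlsplit(target)
    query = parse_qs(url.query)
    if url.path == "/diagnetwork.asp":
        return "internal IP address"
    if url.path == "/index.html" and query.get("redirect") == ["/home.asp"]:
        return "internal IP address"
    if url.path == "/rokform/advancedDiags" and query.get("pageReq") == ["tcpconn"]:
        return "remote IP connections"
    return None

def flag_external_reads(lines):
    """Return (client, disclosure) for successful reads from outside MGMT_NET."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        client, target, status = m.groups()
        what = disclosure(target)
        if what and status == "200" and ipaddress.ip_address(client) not in MGMT_NET:
            hits.append((client, what))
    return hits
```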

Mitsubishi Programmable Controller, High Speed Data Logger Module Internal IP Disclosure

April 23, 2015

The Mitsubishi Programmable Controller, High Speed Data Logger Module has a web interface that does not require authentication. However, the Internet-facing service still discloses an internal IP address for the link to the FTP server, even if it is not Internet-facing.

[Image: mitsubishi-qd81dl96-ip_disclosure]

Shinsei URoad-Home WiMAX Wi-Fi Router Web Interface Default Admin Credentials

April 22, 2015

The Shinsei URoad-Home WiMAX Wi-Fi Router has a web management interface that has default administrator credentials according to the manual.

Type in the login dialog box as follows, and then click the “OK” button.
Username: admin
Password: admin

Omron NS-Series Programmable Terminals Web Interface Default Credentials

April 21, 2015

Omron NS-Series Programmable Terminals, which include NS12-TS01-V2, NS10-TV01-V2, NS8-TV01-V2, NS5-SQ11-V2, NS5-TQ11-V2 and NS5-MQ11-V2, have default credentials for web access according to the manual.

Enter the user name and password.
The factory settings for the user name and password are as follows.
User name: default
Password: default