Archive for January, 2016

BEC Technologies Multiple Devices Web Interface Default Admin Credentials

January 29, 2016

Basically every BEC Technologies device uses a web interface for device management and each one has the same default admin credentials:

Web Interface: (Username and Password)
Username: admin
Password: admin

The BiPAC 7800NL 802.11n ADSL2+ Firewall Router ships with multiple accounts:

Administrator
Username: admin
Password: admin
Local
Username: user
Password: user
Remote
Username: support
Password: support

Falcon USHA UPS SNMP HTTP Agent Default Admin Credentials

January 28, 2016

Falcon UPS devices use an SNMP HTTP agent for remote administration. According to the manual, they come with default admin credentials.

Click the Become Administrator button at the bottom of the screen. Enter USHA as the login name and admin as the password. (Case sensitive)

TerraMaster Storage Devices Web Interface Default Admin Credentials

January 27, 2016

TerraMaster storage devices come with default admin credentials according to the online installation guide. These include the WORM-Storage, F4-NAS, F2-NAS 2 and F2-C2O.

KZ Broadband iSurf 1004 / 1008 Multiple Vulnerabilities

January 26, 2016

KZ Broadband Technologies, LTD. iSurf™ 1004 and 1008 Integrated Access Devices install with a default admin account for the web interface according to the manual.

I confirmed this works on iSurf 1004 V2.10 B02D09 Pack 02, iSurf 1004 IAD V2.10 B02D09 Pack 03 and iSurf 1008+ V2.10 B02D09 Pack 23.

The router allows multiple accounts and offers different access levels, making cross-site scripting a concern. There is a very basic XSS bug (CVE-2016-78001):

GET /en/cgi/SysSetContact.cgi?sys_contact=DF"><scr1pt>alert('DF')</scr1pt> HTTP/1.1

The script will render on /en/sys_info.htm:

<td><textarea cols="60"rows="5"id="contact"class="select"></textarea>
<input type="hidden"name="sys_contact"value="DF"><scr1pt>alert('DF')</scr1pt>">

Growatt Shine WebBox Default Admin Credentials

January 25, 2016

Shine WebBox installs with a default admin account according to the manual (admin / 123456). This allows a remote attacker to do everything from learning the internal IP to fully controlling the device.

IQeye Cameras Multiple Default Credentials

January 6, 2016

Vicon makes a series of cameras under the brand IQeye. Depending on the model they ship with different defaults. For example the V9360 Hemispheric Camera with Advanced WDR has default admin credentials for the Web Configurator:

When the login window displays, input default user and password:
Default User: Admin Password: 123456

The CE202D-N Series comes with a different set of defaults for the admin user:

Note: The default administrator username is “ADMIN” and password is “1234”.

Most of their models allow Telnet access to TCP port 21 for advanced configuration. These models include the IQeye101, IQvav, IQeye3, IQeye301, IQeye302, IQeye303, IQeye501, IQeye510, IQeye511, IQeye601, IQeye602, IQeye603, IQeye701, IQeye702, IQeye703, IQeye705, IQeye711, IQeye751, IQeye752, IQeye753, IQeye755, IQeye811, IQeye802, IQeye803, IQeye805, IQeye852, IQeye853, and IQeye855. According to the reference manual released 2007-11-06 they have defaults:

% telnet 192.168.1.100

At the resulting Password> prompt, enter SYSTEM, the default privileged password.

Local> set privileged
Password> system (not echoed)
Local>>

Login control enables a general password protection for your entire camera. When login control is active, no one can gain access to your camera or view images without entering the appropriate username and password. Login control applies to all incoming connection attempts (FTP, HTTP, telnet, etc.). The default login control username and password are:
username = login
password = access

Privileged mode also controls password protection during telnet and connections. During such connections, users must enter the appropriate password to change any of the camera’s settings. When a user becomes the privileged user, the privileged prompt (usually Local>>) will appear. The default privileged mode username and password are:
username = root
password = system

EnvisaLink 3 Alarm System Multiple Vulnerabilities

January 4, 2016

The EnvisaLink 3 alarm system from Envisacor Technologies Inc. allows you to monitor your home alarm system via the Internet if configured. As noted on a discussion forum the default account is user/user. Testing one of these with firmware version 01.12.158, I verified the default and found it is also vulnerable to a simple cross-site request forgery vulnerability (CVE-2016-78000) that can lead to a victim changing the password. The password change is done with a GET request and has no nonce or token mechanism to stop it.

http://[target]/3?A=3&X=mypassword
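
A server-side check that would refuse the forged GET described above, shown next to the behaviour the post reports. This is an added example, not code from the original post or the vendor's firmware; the handler names, the `csrf_token` field, the session id and the per-boot key are assumptions, and only the `X` parameter and the `/3` path come from the URL in the post.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Hypothetical per-boot secret held only by the device.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id):
    """Anti-CSRF token bound to one logged-in session (embedded in the form)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _fields(encoded):
    # Flatten "a=1&b=2" into {"a": "1", "b": "2"}.
    return {k: v[0] for k, v in parse_qs(encoded).items()}


def vulnerable_handler(method, url, body, session_id):
    """Behaviour reported in the post: a GET carrying X=<password> is honoured.

    The browser attaches the victim's credentials automatically, so any page
    that makes the browser fetch this URL changes the password.
    """
    return "X" in _fields(urlsplit(url).query)


def hardened_handler(method, url, body, session_id):
    """Honour the change only for a POST whose body carries this session's token."""
    if method != "POST":
        return False  # state changes never ride on GET
    form = _fields(body)
    supplied = form.get("csrf_token", "")
    expected = issue_token(session_id)
    # Constant-time comparison; a token minted for another session fails here.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False
    return bool(form.get("X"))  # new password is read from the body only


# Constructed sample: the cross-site request from the post, as the device sees it.
FORGED = ("GET", "/3?A=3&X=mypassword", "")
```
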
