KZ Broadband iSurf 1004 / 1008 Multiple Vulnerabilities

January 26, 2016

KZ Broadband Technologies, LTD. iSurf 1004 and 1008 Integrated Access Devices ship with a default admin account for the web interface, according to the manual.


I confirmed this works on iSurf 1004 V2.10 B02D09 Pack 02, iSurf 1004 IAD V2.10 B02D09 Pack 03 and iSurf 1008+ V2.10 B02D09 Pack 23.

The router allows multiple accounts and offers different access levels, which makes cross-site scripting a concern: script injected through one account's settings can run in another, higher-privileged user's session. There is a very basic XSS bug (CVE-2016-78001):

GET /en/cgi/SysSetContact.cgi?sys_contact=DF"><scr1pt>alert('DF')</scr1pt> HTTP/1.1

The script will render on /en/sys_info.htm:

<td><textarea cols="60" rows="5" id="contact" class="select"></textarea>
<input type="hidden" name="sys_contact" value="DF"><scr1pt>alert('DF')</scr1pt>">

Screenshot PoC:



Growatt Shine WebBox Default Admin Credentials

January 25, 2016


Shine WebBox installs with a default admin account according to the manual (admin / 123456). This allows a remote attacker to do anything from learning the internal IP address to fully controlling the device.



IQeye Cameras Multiple Default Credentials

January 6, 2016

Vicon makes a series of cameras under the brand IQeye. Depending on the model they ship with different defaults. For example the V9360 Hemispheric Camera with Advanced WDR has default admin credentials for the Web Configurator:

When the login window displays, input default user and password:
Default User: Admin Password: 123456

The CE202D-N Series comes with a different set of defaults for the admin user:

Note: The default administrator username is "ADMIN" and password is "1234".

Most of their models allow Telnet access (TCP port 23) for advanced configuration. These models include the IQeye101, IQvav, IQeye3, IQeye301, IQeye302, IQeye303, IQeye501,
IQeye510, IQeye511, IQeye601, IQeye602, IQeye603, IQeye701, IQeye702, IQeye703, IQeye705, IQeye711, IQeye751, IQeye752, IQeye753, IQeye755, IQeye811, IQeye802, IQeye803, IQeye805,
IQeye852, IQeye853, and IQeye855. According to the reference manual released 2007-11-06 they have these defaults:

% telnet

At the resulting Password> prompt, enter SYSTEM, the default privileged password.

Local> set privileged
Password> system (not echoed)

Login control enables a general password protection for your entire camera. When login control is active, no one can gain access to your camera or view images without entering the appropriate username and password. Login control applies to all incoming connection attempts (FTP, HTTP, telnet, etc.). The default login control username and password are:
username = login
password = access

Privileged mode also controls password protection during telnet and connections. During such connections, users must enter the appropriate password to change any of the camera’s settings. When a user becomes the privileged user, the privileged prompt (usually Local>>) will appear. The default privileged mode username and password are:
username = root
password = system
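An added example, not from the blog or from the camera vendor: a small expect-style Telnet client that drives the privileged-mode dialog quoted above (Local>, set privileged, Password>) and reports whether the default privileged password system is still accepted, judging by whether the prompt changes to Local>>. It answers Telnet option negotiation by refusing every option instead of relying on the deprecated telnetlib module. The fake camera it runs against over a socketpair is a constructed stand-in; its exact prompt strings and the one option it negotiates are assumptions, and against real hardware you would connect a TCP socket to the camera's port 23 instead.

```python
import re
import socket
import threading

# Telnet command bytes (RFC 854) needed to refuse option negotiation.
IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251


def _strip_iac(sock, buf: bytes) -> bytes:
    """Remove IAC negotiation triples from buf, refusing every option the peer offers.
    A trailing incomplete triple is kept so the next read can complete it."""
    out = bytearray()
    i = 0
    while i < len(buf):
        if buf[i] != IAC:
            out.append(buf[i])
            i += 1
            continue
        if i + 2 >= len(buf):
            out += buf[i:]
            break
        cmd, opt = buf[i + 1], buf[i + 2]
        if cmd in (DO, DONT):
            sock.sendall(bytes([IAC, WONT, opt]))
        elif cmd in (WILL, WONT):
            sock.sendall(bytes([IAC, DONT, opt]))
        i += 3
    return bytes(out)


def read_until(sock, marker: bytes, timeout: float = 5.0) -> bytes:
    """Expect-style read: accumulate until marker appears or the peer closes."""
    sock.settimeout(timeout)
    buf = b""
    while marker not in buf:
        chunk = sock.recv(1024)
        if not chunk:
            raise ConnectionError("peer closed before %r" % marker)
        buf = _strip_iac(sock, buf + chunk)
    return buf


def privileged_password_is_default(sock, candidate: bytes = b"system") -> bool:
    """Drive the 'set privileged' dialog from the manual and report whether the candidate
    password was accepted, i.e. whether the prompt changed from Local> to Local>>."""
    read_until(sock, b"Local>")
    sock.sendall(b"set privileged\r\n")
    read_until(sock, b"Password>")
    sock.sendall(candidate + b"\r\n")
    reply = read_until(sock, b"Local>")
    sock.settimeout(0.5)                  # drain the rest of the prompt line, if any
    try:
        reply += sock.recv(1024)
    except socket.timeout:
        pass
    return reply.rstrip().endswith(b"Local>>")


_IAC_TRIPLE = re.compile(rb"\xff[\xfb-\xfe].", re.DOTALL)


def _readline(conn) -> bytes:
    """Server-side line reader for the fake; drops negotiation replies from the client."""
    line = b""
    while not line.endswith(b"\n"):
        chunk = conn.recv(1024)
        if not chunk:
            break
        line += chunk
    return _IAC_TRIPLE.sub(b"", line).strip()


def fake_iqeye(conn, real_password: bytes = b"system") -> None:
    """Constructed stand-in for the camera's telnet server (an assumption, not real firmware):
    offers one option, shows Local>, and switches to Local>> only on the right password."""
    try:
        conn.sendall(bytes([IAC, WILL, 1]) + b"\r\nLocal> ")
        if _readline(conn) != b"set privileged":
            conn.sendall(b"\r\nLocal> ")
            return
        conn.sendall(b"Password> ")
        if _readline(conn) == real_password:
            conn.sendall(b"\r\nLocal>> ")
        else:
            conn.sendall(b"\r\nLocal> ")
        _readline(conn)                   # wait for the client to hang up
    except OSError:
        pass
    finally:
        conn.close()


def run_against_fake(real_password: bytes = b"system", candidate: bytes = b"system") -> bool:
    """Run the check over a socketpair against the fake camera in a background thread."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_iqeye, args=(server, real_password), daemon=True)
    t.start()
    try:
        return privileged_password_is_default(client, candidate)
    finally:
        client.close()
        t.join(timeout=2)


if __name__ == "__main__":
    print("default privileged password accepted:", run_against_fake())
```

The same read_until/sendall pairs can be used to test the login-control defaults (login / access) before the Local> prompt on a camera that has login control enabled; the check only ever sends the documented default, so it is safe to run against your own fleet.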

EnvisaLink 3 Alarm System Multiple Vulnerabilities

January 4, 2016

The EnvisaLink 3 alarm system from Envisacor Technologies Inc. allows you to monitor your home alarm system via the Internet if configured. As noted on a discussion forum the default account is user/user. Testing one of these with firmware version 01.12.158 I verified the default and found it is also vulnerable to a simple cross-site request forgery vulnerability (CVE-2016-78000) that can lead to a victim changing the password. The password change is done with a GET request and has no nonce or token mechanism to stop it.
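An added example, not the blog's or Envisacor's code, modelling the two sides of the CSRF finding above: a device that changes the password on a GET request protected only by the session cookie, beside a hardened version that accepts the change only over POST, checks the browser-supplied Origin, and requires a per-session synchronizer token compared in constant time. The path /changepass, the parameter names newpass and csrf_token, and the origin envisalink.local are assumed names for illustration, not the EnvisaLink's real interface.

```python
import hmac
import secrets

# Origin of the device's own web interface; anything else is cross-site. Assumed name.
SELF_ORIGIN = "http://envisalink.local"


class VulnerableDevice:
    """Models the reported behaviour: password change over GET, session cookie only.
    /changepass and newpass are assumed names, not the real interface."""

    def __init__(self, password: str = "user"):
        self.password = password
        self.session = secrets.token_hex(16)      # cookie value of the logged-in victim

    def handle(self, method, path, params, cookies, origin=None) -> int:
        if cookies.get("session") != self.session:
            return 401
        if path == "/changepass":                 # any method, no token: forgeable
            self.password = params["newpass"]
            return 200
        return 404


class HardenedDevice(VulnerableDevice):
    """Same interface with POST-only state changes, an Origin check and a per-session
    synchronizer token that is embedded in the device's own form, which a foreign page
    cannot read."""

    def __init__(self, password: str = "user"):
        super().__init__(password)
        self.csrf_token = secrets.token_hex(16)

    def handle(self, method, path, params, cookies, origin=None) -> int:
        if cookies.get("session") != self.session:
            return 401
        if path != "/changepass":
            return 404
        if method != "POST":
            return 405                            # GET must never change state
        if origin is not None and origin != SELF_ORIGIN:
            return 403                            # browser-supplied Origin names another site
        token = params.get("csrf_token", "")
        if not hmac.compare_digest(token.encode(), self.csrf_token.encode()):
            return 403                            # constant-time compare; missing token fails too
        self.password = params["newpass"]
        return 200


def forged_change(device, new_password: str):
    """What a malicious page can achieve: the browser attaches the victim's cookie, the page
    chooses method and parameters, but cannot read the token and cannot spoof Origin.
    Returns the status codes for a GET (e.g. an <img> tag, which carries no Origin) and for
    an auto-submitted cross-site POST form."""
    cookies = {"session": device.session}
    via_get = device.handle("GET", "/changepass", {"newpass": new_password}, cookies, origin=None)
    via_post = device.handle("POST", "/changepass", {"newpass": new_password}, cookies,
                             origin="http://attacker.example")
    return via_get, via_post


def legitimate_change(device, new_password: str) -> int:
    """The device's own form: POST, same origin, token copied from the form."""
    params = {"newpass": new_password, "csrf_token": getattr(device, "csrf_token", "")}
    return device.handle("POST", "/changepass", params, {"session": device.session},
                         origin=SELF_ORIGIN)
```

The GET case is the one that matters here: a cross-site image or link request carries the cookie but usually no Origin header, so an Origin check alone would not have saved the device; refusing to change state on GET and demanding the token are what close the hole. Marking the session cookie SameSite=Lax is a worthwhile extra layer but not a substitute.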


The device interface:



Hitron CGN3 Residential D3 WiFi Gateway Web Interface Default Credentials

November 1, 2015

The Hitron CGN3 Residential D3 WiFi Gateway installs with default administrator credentials according to the manual, although the manual is inconsistent about the username (cusadmin on one page, admin on another), so it isn't clear whether there are two different logins:

The CGN3’s default IP address and login credentials are as follows. For more information, see Login to the CGN3 on page 23.
IP Address
Username cusadmin
Password password

Enter the CGN3’s IP address (default in the URL bar. The Login screen displays.
Enter the Username and Password. The default login username is admin, and the default password is password


Palo Alto Networks Panorama VM Appliance Web Console Default Admin Credentials

October 31, 2015

According to the manual for the Palo Alto Networks Panorama VM Appliance 6.0:

Panorama provides centralized management and visibility of multiple Palo Alto Networks next-generation firewalls. It allows you to oversee all applications, users, and content traversing the network from one location, and then use this knowledge to create application enablement policies that protect and control the entire network. Using Panorama for centralized policy and device management increases operational efficiency in managing and maintaining a distributed network of firewalls.

The manual also shows that the appliance has a default admin password for the web console to manage the VM:

Access the console of the Panorama virtual appliance.
1. Select the Console tab on the ESX(i) server for the virtual Panorama. Press enter to access the login screen.
2. Enter the default username/password (admin/admin) to log in.
3. Enter configure to switch to configuration mode.

EFF identified dozens of license plate readers with insufficient security

October 30, 2015

The EFF identified dozens of license plate readers with insufficient security (and many with no protection at all). You can read the full article which mentions one of my blog posts with my research on the devices!

Independently, a researcher named Darius Freamon found that you could access the control panels via Telnet and generate statistics about plate captures. Building off Freamon’s work, a team of computer scientists at the University of Arizona dug further into the data and found vulnerable cameras in Washington, California, Texas, Oklahoma, Louisiana, Mississippi, Alabama, Florida, Virginia, Ohio, and Pennsylvania. The largest cluster was in southeastern Louisiana.

Monroe Electronics Model R189 One-Net Digital Emergency Alert System Encoder/Decoder Default Credentials

September 12, 2015

Monroe Electronics Model R189 One-Net Digital Emergency Alert System Encoder/Decoder aka DASDEC uses a web interface for device management. According to the manual it contains several default credentials:

4.1.1. Using a VGA monitor, keyboard, and mouse with a One-Net To configure the One-Net:
• Connect the VGA monitor, keyboard and mouse connected to the correct ports on the back of the One-Net.
• Then power up and wait for the One-Net to boot and become fully operational. Make sure the VGA monitor is powered on.
• You will be presented with a login prompt on the VGA monitor. Type in the user name of "root" (without parenthesis). The default password is "dasdec1".

Wait for the desktop to fully launch. Once the desktop is ready, run the provided One-Net browser app by clicking the icon labeled One-Net Web Interface. This launches a browser, which will automatically access the One-Net web server Login page. Follow the instructions for Section 4.2 below for logging into the One-Net using the Web login page. Everything you will need to do to setup the One-Net for operation and remote network access will be available from within the Web interface. There is a built in administrative user (Admin) for the One-Net Web Interface. The default password for Admin is "dasdec".

Web Server Login
When the One-Net successfully connects for a Web session, it will present the following page in the Web browser.
Type "Admin" (no quotes) as the default user name, and "dasdec" (again, without quotes) as the password. Press the left mouse button over the Login button. With the correct user name and password, the One-Net will login. If the user or password is incorrect, the One-Net will display a message indicating the problem. If the One-Net is left unattended for 10 minutes, it will automatically logout. A message indicating session timeout will be displayed on the login screen.


Sony Network Camera SNC-RH124 Web Interface Default Admin Credentials

September 11, 2015

The Sony Network Camera SNC-RH124 uses a web interface to view the camera feed and configure it. According to the manual, and as verified against a camera running firmware 1.34.00, it comes with default credentials:


Barix Streaming Client Multiple Vulnerabilities

September 10, 2015

The Barix Streaming Client is a product that "can deliver high quality branded audio in real time via the internet or a local network to an unlimited number of locations and gives the option for localized and targeted ad insertion too, all via live streaming."

It uses a web interface for device management. By default it does not require authentication, and it does not appear to allow you to set a user account, only a password. Version B3.14 was tested and found to have additional problems!

Unauthenticated access –


You can manipulate streaming settings and change the audio the person hears –


Under Configuration -> Advanced Settings, the 'User Agent' field is not sanitized. Entering script code there triggers a POST request to /setup.cgi that updates the 'S517' parameter, allowing cross-site scripting (CVE-2015-78000); the injected script renders on uifadvanced.html –



It also renders on /ixstatus.html –
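An added example, not the blog's code and not from either vendor, reproducing the attribute-context bug behind both the iSurf sys_contact finding earlier on this page and the Barix User Agent finding above: a stored setting is interpolated into a hidden input's value attribute without escaping, so a value containing "> closes the attribute and the tag and whatever follows is parsed as markup. The template fragment is modelled on the iSurf /en/sys_info.htm markup quoted earlier (the Barix S517 field is the same pattern on a different page and is not reproduced byte for byte); the fixed variant escapes for an HTML attribute context, and a small parser check shows which render lets the payload out of the attribute.

```python
import html
from html.parser import HTMLParser

# Constructed template modelled on the iSurf sys_info.htm fragment shown earlier.
TEMPLATE = (
    '<td><textarea cols="60" rows="5" id="contact" class="select"></textarea>\n'
    '<input type="hidden" name="sys_contact" value="{value}"></td>'
)

# The payload from the iSurf advisory: closes the value attribute, then the tag.
PAYLOAD = 'DF"><scr1pt>alert(\'DF\')</scr1pt>'


def render_vulnerable(value: str) -> str:
    """Interpolates the stored setting verbatim, as the devices do."""
    return TEMPLATE.format(value=value)


def render_fixed(value: str) -> str:
    """Escapes for an attribute context; quote=True also encodes the double and single
    quote, which is what keeps the value inside value="...". Plain html.escape(value)
    without quote=True would still let a " terminate the attribute."""
    return TEMPLATE.format(value=html.escape(value, quote=True))


class _Collector(HTMLParser):
    """Records every start tag and the parsed value of the sys_contact hidden input."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.hidden_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        a = dict(attrs)
        if tag == "input" and a.get("name") == "sys_contact":
            self.hidden_value = a.get("value")


def _parse(page: str) -> _Collector:
    c = _Collector()
    c.feed(page)
    c.close()
    return c


def injected_tags(page: str, expected=("td", "textarea", "input")) -> list:
    """Tags the browser would see that the template never contained: a non-empty list
    means the stored value escaped its attribute."""
    return [t for t in _parse(page).tags if t not in expected]


def stored_value(page: str):
    """What the browser actually holds in the hidden field after parsing."""
    return _parse(page).hidden_value


if __name__ == "__main__":
    print("vulnerable:", injected_tags(render_vulnerable(PAYLOAD)))   # ['scr1pt']
    print("fixed:     ", injected_tags(render_fixed(PAYLOAD)))        # []
```

The same check generalizes to a live test: fetch the page after setting the field, feed the response to injected_tags, and treat any unexpected tag as a finding. Note that escaping is context-specific; a value echoed inside a script block or a URL needs a different encoder than the attribute escaping shown here.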


The security settings that allow for a password –


You can also manually reboot the device or create a script that will continually reboot it –