Posts Tagged ‘ICS’

LOYTEC Electronics Multiple Devices Web Interface Default Admin Credentials

February 1, 2016

LOYTEC electronics GmbH has a manuals download section on their site (requires authentication); the manuals show that the following devices ship with a default admin account:

  • L-DALI DALI Light Controller
  • L-INX Automation Server
  • L-GATE Universal Gateway
  • L-IP CEA-709/IP Router
  • L-VIS
  • LIOB-10x I/O Module
  • LIOB-x5x I/O Module
  • LIP-ME20X L-IP BACnet Router
  • LWEB-802
  • LWEB-803
  • LWEB-900 Building Management System

[Image: loytec]

The L-Proxy CEA-709 Gateway has a different default:

[Image: loytec2]

Growatt Shine WebBox Default Admin Credentials

January 25, 2016

[Image: shine-webbox]

Shine WebBox installs with a default admin account according to the manual (admin / 123456). This allows a remote attacker to do anything from learning the internal IP address to fully controlling the device.

[Image: shinewebbox1]

[Image: shinewebbox2]

MODBUS Application Protocol 1.1b System Information Remote Disclosure

May 7, 2015

According to Wikipedia:

Modbus is a serial communications protocol originally published by Modicon (now Schneider Electric) in 1979 for use with its programmable logic controllers (PLCs). Simple and robust, it has since become a de facto standard communication protocol, and it is now a commonly available means of connecting industrial electronic devices.

This protocol is used by a lot of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. Version 1.1b of the MODBUS Application Protocol, maintained by the Modbus Organization, outlines “Read Device Identification” functionality. This lets a remote client query a system for information and does not require authentication.

6.21 43 / 14 (0x2B / 0x0E) Read Device Identification

This function code allows reading the identification and additional information relative to the physical and functional description of a remote device, only.

Some systems may not give up much information but others give up the vendor, device, version, project information (which can include full path disclosure), and more. Shodan already uses this method to fingerprint systems:

[Image: modbus0]

[Image: modbus1]

[Image: modbus2]
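To make the 43/14 exchange concrete, here is an added example (it is not code from the original post or from the Modbus Organization) that builds the Read Device Identification request, parses the response including the "More Follows" continuation and the exception form, and runs it against a constructed in-memory device whose vendor, product and project strings are made up for the example. Pass a host on the command line to query a real server on TCP 502 instead; no authentication is involved at any point, which is the whole problem.

```python
import socket
import struct
import sys

FC_ENCAP_IFACE = 0x2B        # function code 43: Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E    # MEI type 14: Read Device Identification
READ_BASIC, READ_REGULAR, READ_EXTENDED = 0x01, 0x02, 0x03

# Standard object ids; 0x80-0xFF are vendor-specific "extended" objects
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision",
                0x03: "VendorUrl", 0x04: "ProductName", 0x05: "ModelName",
                0x06: "UserApplicationName"}


class ModbusException(Exception):
    """Server answered with function code 0xAB and an exception code (1-4 for 43/14)."""


def build_request(transaction_id, unit_id, read_code=READ_BASIC, object_id=0x00):
    """Modbus/TCP ADU: 7-byte MBAP header + PDU [0x2B, 0x0E, read code, start object id]."""
    pdu = struct.pack(">BBBB", FC_ENCAP_IFACE, MEI_READ_DEVICE_ID, read_code, object_id)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)  # +1 = unit id byte
    return mbap + pdu


def parse_response(frame):
    """Return (objects, more_follows, next_object_id) from one 43/14 response ADU."""
    if len(frame) < 7:
        raise ValueError("frame shorter than MBAP header")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if proto != 0 or len(pdu) != length - 1 or not pdu:
        raise ValueError("bad MBAP header or truncated PDU")
    if pdu[0] == FC_ENCAP_IFACE | 0x80:
        raise ModbusException(pdu[-1])          # [0xAB, 0x0E, exception code]
    if len(pdu) < 7 or pdu[0] != FC_ENCAP_IFACE or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("unexpected function / MEI type in response")
    more_follows, next_id, count = pdu[4], pdu[5], pdu[6]   # pdu[3] is the conformity level
    objects, pos = {}, 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("object header past end of PDU")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("object value past end of PDU")
        name = OBJECT_NAMES.get(obj_id, "Object_0x%02X" % obj_id)
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return objects, more_follows == 0xFF, next_id


def read_device_identification(exchange, unit_id=1, read_code=READ_REGULAR):
    """Read every object, following 'More Follows' (0xFF) from the server's next object id.
    exchange(request) -> response: a TCP transport or an in-memory device for testing."""
    collected, object_id = {}, 0x00
    for tid in range(1, 33):   # bounded: a misbehaving server must not keep us looping
        objs, more, next_id = parse_response(exchange(build_request(tid, unit_id, read_code, object_id)))
        collected.update(objs)
        if not more:
            return collected
        object_id = next_id
    raise ValueError("server kept signalling More Follows")


def tcp_exchange(host, port=502, timeout=5.0):
    """Real transport: one connection, one request/response per call, exact frame length reads."""
    sock = socket.create_connection((host, port), timeout=timeout)

    def recv_exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("connection closed mid-frame")
            buf += chunk
        return buf

    def exchange(request):
        sock.sendall(request)
        header = recv_exact(7)
        return header + recv_exact(struct.unpack(">H", header[4:6])[0] - 1)
    return exchange


def _obj(obj_id, text):
    data = text.encode()
    return bytes([obj_id, len(data)]) + data


def constructed_device(request):
    """Constructed sample device (not a real product): answers a regular read in two frames."""
    tid, unit, start = request[:2], request[6:7], request[10]
    if start == 0x00:   # basic objects, More Follows = 0xFF, continue at object 0x04
        body = _obj(0x00, "ExampleVendor") + _obj(0x01, "EX-100") + _obj(0x02, "v2.1")
        pdu = bytes([0x2B, 0x0E, READ_REGULAR, 0x82, 0xFF, 0x04, 3]) + body
    else:               # regular objects including a project path, final frame
        body = _obj(0x04, "ExamplePLC") + _obj(0x06, r"C:\projects\plant1.prj")
        pdu = bytes([0x2B, 0x0E, READ_REGULAR, 0x82, 0x00, 0x00, 2]) + body
    return tid + b"\x00\x00" + struct.pack(">H", len(pdu) + 1) + unit + pdu


if __name__ == "__main__":
    target = tcp_exchange(sys.argv[1]) if len(sys.argv) > 1 else constructed_device
    for name, value in read_device_identification(target).items():
        print("%-22s %s" % (name, value))
```

The parser refuses frames whose MBAP length disagrees with the bytes received and objects that run past the PDU, which matters when pointing it at the kind of embedded stacks found on Shodan; the loop over "More Follows" is bounded so a server that always answers 0xFF cannot hang the scan.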

Sunny WebBox Default Password and Denial of Service

May 2, 2015

[Image: sunnywebbox]

Sunny WebBox (Shodan search) is an ICS device for data logging. According to the vendor page:

The Sunny WebBox is the ideal monitoring solution for medium-sized PV plants. It receives and stores current measured values and transmits data via RS485. This means you can stay updated on the status of your plant around the clock. In the event of a problem, you can react quickly and secure your yields. Parameters can be changed and a variety of measured values can be depicted, analyzed and downloaded via a web browser. All data from the connected devices is stored and automatically transmitted to Sunny Portal, if desired. The Sunny WebBox allows central access to your plant data on the Internet via Sunny Portal.

The user manual shows that it has a default password and a denial of service condition:

Logging in to the Sunny WebBox
Log in as “Installer”. The default password for the installer is: “sma”.

Many deployed devices require only a password, not a username.

6.5 Logging in to the Sunny WebBox for the First Time
The Sunny WebBox distinguishes between 2 user groups: user and installer.
The two user groups are distinguished by two different passwords. If the password is the same for both user groups, you will be logged in as the installer.
In order to prevent two users making changes at the same time, only one user can ever be logged on to the Sunny WebBox at a time.

For a device deployed with Internet access this means that an attacker can authenticate to the system and simply keep the session active. That locks every other user out of the device.

Honeywell Alerton BCM-WEB Default Admin Credentials

May 1, 2015

Alerton has a building management system called Ascent that uses BACtalk and the Tridium Niagara framework for management control. According to the manual the web interface (called BCM-WEB) has default administrative credentials:

Admin user profile
You can log on to a BCM-WEB with a pre-defined admin user profile. It serves the same purpose as the local admin user profile in Envision for BACtalk – allowing the admin user to perform User Setup and General System Setup functions. The initial password for the admin user profile is “pass” and can be changed by anyone with sufficient privileges, so be sure you know the password before saving user data from BCM-WEB to Envision for BACtalk. This password should be changed as soon as possible after installation.

Niagara AX Tridium Fox Protocol Remote Information Disclosure

April 29, 2015

The NiagaraAX platform uses the Tridium Fox protocol to communicate between two stations. By default the Fox protocol listens on TCP port 1911 for NiagaraAX (version 3.3 and likely most others); this is the proxy server component. While using Shodan I saw that the port gives up system information without authenticating. When searching for information on how the protocol works I found that Digital Bond had already written an Nmap NSE script to interface with the port and enumerate information! This saved a lot of time! The port gives up the protocol version, internal IP address (sometimes), NiagaraAX application name and version, Java VM name and version, OS, a host ID and VM UUID. Some systems also give up time zone, brand ID, and other system information.

df:/tmp/ # nmap -p 1911 --script fox-info.nse 1.2.3.4

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-17 15:37 MDT
Nmap scan report for 1.2.3.4 (1.2.3.4)
Host is up (0.22s latency).
PORT STATE SERVICE
1911/tcp open Niagara Fox
| fox-info:
| Fox Version: 1.0.1
| Host Name: 192.168.1.222
| Host Address: 192.168.1.222
| Application Name: Station
| Application Version: 3.7.106.8
| VM Name: Java HotSpot(TM) Client VM
| VM Version: 1.5.0_34-b28
| OS Name: QNX
| Host ID: Qnx-NPM6E-0000-15F8-5632
| VM UUID: 11d4ee1b-e043-31a8-0000-000000008605
|_ Brand ID: webeasy.products

Nmap done: 1 IP address (1 host up) scanned in 1.60 seconds
df:/tmp/ #
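An added example, not from the original post and not Digital Bond's script, of doing the same handshake without Nmap: it sends a Fox hello the way the fox-info NSE script does (the exact framing of that message is reproduced from memory and is an assumption), parses the typed name=type:value fields of the reply, and labels them as fox-info prints them. The sample reply is constructed from the values in the scan output above so the parser can be exercised offline; pass a host on the command line to talk to a real station on TCP 1911.

```python
import re
import socket
import sys

# Hello message as sent by Nmap's fox-info script (from memory; treat the framing as an
# assumption): a frame header, a brace-enclosed block of typed fields, and ';;' as terminator.
FOX_HELLO = b"fox a 1 -1 fox hello\n{\nfox.version=s:1.0\nid=i:1\n};;\n"

# Field names in the Fox reply and the labels fox-info prints for them, in its order
FIELD_LABELS = [
    ("fox.version", "Fox Version"), ("hostName", "Host Name"), ("hostAddress", "Host Address"),
    ("app.name", "Application Name"), ("app.version", "Application Version"),
    ("vm.name", "VM Name"), ("vm.version", "VM Version"), ("os.name", "OS Name"),
    ("hostId", "Host ID"), ("vmUuid", "VM UUID"), ("brandId", "Brand ID"), ("timeZone", "Time Zone"),
]
FIELD_RE = re.compile(r"^([\w.]+)=([sib]):(.*)$")   # name=type:value, type s/i/b


def parse_fox_fields(message):
    """Parse the typed 'name=t:value' lines of a Fox message body into a dict.
    s: string, i: integer, b: boolean. Non-field lines (frame header, braces, ';;') are skipped."""
    fields = {}
    for line in message.decode("utf-8", "replace").splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        name, typ, raw = m.groups()
        if typ == "i":
            fields[name] = int(raw)
        elif typ == "b":
            fields[name] = raw.lower() == "true"
        else:
            fields[name] = raw
    return fields


def summarize(fields):
    """(label, value) pairs with fox-info's labels, only for fields the station returned."""
    return [(label, fields[name]) for name, label in FIELD_LABELS if name in fields]


def fox_info(host, port=1911, timeout=5.0):
    """Send the hello, read until the ';;' terminator, return the summarized fields."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(FOX_HELLO)
        data = b""
        while b";;" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return summarize(parse_fox_fields(data))


# Constructed reply built from the values in the scan output above (not a captured packet)
SAMPLE_REPLY = b"""fox a 0 -1 fox hello
{
fox.version=s:1.0.1
id=i:1
hostName=s:192.168.1.222
hostAddress=s:192.168.1.222
app.name=s:Station
app.version=s:3.7.106.8
vm.name=s:Java HotSpot(TM) Client VM
vm.version=s:1.5.0_34-b28
os.name=s:QNX
hostId=s:Qnx-NPM6E-0000-15F8-5632
vmUuid=s:11d4ee1b-e043-31a8-0000-000000008605
brandId=s:webeasy.products
};;
"""

if __name__ == "__main__":
    rows = fox_info(sys.argv[1]) if len(sys.argv) > 1 else summarize(parse_fox_fields(SAMPLE_REPLY))
    for label, value in rows:
        print("%-20s %s" % (label, value))
```

Because the reply is read until the ';;' terminator rather than with a single recv, a station that sends its fields in several TCP segments is still parsed completely, and every field the station returns stays in the dict even if fox-info has no label for it.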

CAREL pCOWeb Multiple Default Accounts

April 25, 2015

On May 23, 2013 xistence posted an advisory to Packetstorm warning of two shell accounts on CAREL pCOWeb devices that had blank passwords. In addition to that, there are four accounts for different services with default passwords as well. According to the manual for pCOWeb:

ACCESSING THE USER MEMORY VIA FTP PROCEDURE
Figure 4.c – SmartFTP™: creating a new “Remote Browser”
1. Download, install and run SmartFTP™ on the PC.
2. Create a new “Remote Browser” and enter the data as shown in the Figure 4.c below.
NOTE The IP address should be replaced with the address of the pCOWeb; the default Username and Password are: httpadmin / fhttpadmin; paragraph 9.7.2 on page 50 describes how to change this information, and paragraph 9.3 on page 43 shows how to read the current information.
The following examples assume that the current data being used are httpadmin / fhttpadmin and the IP address is 10.0.0.145.

Whenever the configuration of the Logger is changed during the day, pCOWeb retains the values saved until that moment but updates the first three lines of the header (see Figure 5.f – left); if the selection of the logged variables is changed and the records saved until that moment need to be retained, proceed as follows:
1. before changing the configuration, save the data to the PC by first selecting Update cvs file and graph, then Download all the cvs and graphs;
2. disable all the variables currently selected for logging;
3. manually delete the file “history_diskbuffer” in the /usr/local/root/flash/http/cache directory by accessing the pCOWeb via FTP, with the “root” Username / Password (default “froot”); make sure not to modify other files / directories in this phase, as the “root” Username, in opposition to the case of “httpadmin”, has no restrictions;
4. reboot pCOWeb;
5. then restart the Logger, selecting the new variables for logging.

9.2.1 Authentication dialogue box for accessing the Administrator area
Following the previous points, an authentication dialogue box is displayed on the PC screen (Figure 9.a on page 40); complete the fields with the access information, then select OK.
The default settings are:
Username: admin Password: fadmin

View factory bootswitch parameters: shows a summary of the factory settings that pCOWeb will use if rebooted with the button pressed (see 3.1.2 on page 12);
– DEFIP / DEFNETM: IP address / subnet mask;
– PROOT / PHTTP / PCAREL / PGUEST: password respectively for the “root” / “httpadmin” / “carel” / “guest” Usernames in the operating system running on pCOWeb (see 9.7.2 on page 50).

Rockwell Automation 176x PLC Controllers Remote Information Disclosure

April 24, 2015

Allen-Bradley, a division of Rockwell Automation, makes a line of programmable logic controllers (PLCs) under the MicroLogix and CompactLogix brands. Several models have a web interface that doesn’t require authentication. These include:

This allows a remote attacker to get a lot of information, including:

  • Internal IP address (/index.html?redirect=/home.asp and /diagnetwork.asp)
  • List of remote IP connections (/rokform/advancedDiags?pageReq=tcpconn)
  • Network settings
  • Application connections
  • Bridge connections
  • Ethernet statistics
  • Ring statistics
  • Network diagnostics
  • System data
  • Event log
  • Assert log
  • .. and more

Novus Temperature Controllers Default Passwords

April 18, 2015

The Novus N1040, N480D, N960, N1020, N1040i, N1540, N2000, N3000 and N120 temperature controllers ship with a default access password and a master password that is trivially derived from the serial number, according to the manual:

ACCESS PASSWORD
The protected levels, when accessed, request the user to provide the Access Password for granting permission to change the configuration of the parameters on these levels. The prompt PASS precedes the parameters on the protected levels. If no password is entered, the parameters of the protected levels can only be visualized. The Access Password is defined by the user in the parameter Password Change (PAS.(), present in the Calibration Level. The factory default for the password code is 1111.

MASTER PASSWORD
The Master Password is intended for allowing the user to define a new password in the event of it being forgotten. The Master Password doesn’t grant access to all parameters, only to the Password Change parameter (PAS(). After defining the new password, the protected parameters may be accessed (and modified) using this new password. The master password is made up by the last three digits of the serial number of the controller added to the number 9000. As an example, for the equipment with serial number 07154321, the master password is 9 3 2 1.

Mitsubishi Energy Saving Data Collecting Server (EcoWebServer III) MES3-255C-EN Default Credentials

February 28, 2014

The Mitsubishi Energy Saving Data Collecting Server (EcoWebServer III) MES3-255C-EN uses several default credentials according to the manual. These require local access for the software and do not appear to work for the web server.

Enter the maintenance password (factory setting: ecopass) in the Password field, and click the [Change] button.

Writing the project via LAN
Select the [Write in this product via LAN.] radio button, and input the login ID and password for system administration in the [Login ID] and [Password] text boxes respectively.
(The default login ID and password are “ecoV” and “ecopass“.)

Reading the project via LAN
Select the [Read from this product via LAN.] radio button, and input the login ID and password for system administration in the [Login ID] and [Password] text boxes respectively.
(The default login ID and password are “ecoV” and “ecopass“.)

Checking the project via LAN
Select the [Via Ethernet.] radio button, and input the login ID and password for system administration in the [Login ID] and [Password] text boxes respectively.
(The default login ID and password are “ecoV” and “ecopass“.)

Changing the data acquisition login ID and password
The following describes the steps for changing the data acquisition login ID and password.
* The default data acquisition login ID and password are “guest” and “user“, respectively.
(The default system administration login ID and password are “ecoV” and “ecopass“, respectively.)