Posts Tagged ‘Shodan’

Calix C7 Integrated Management System (IMS) Multiple Vulnerabilities

February 6, 2014

Calix C7 Integrated Management System (IMS) (Shodan search) has a secure login on port 8196 using a Java client. The default account of ‘rootgod’ with a password of ‘root’ works as well as a sysadmin/sysadmin account.

The telnet banner also gives up the internal IP address:



Netsynt CRD Voice Router Telnet CLI Default Password

February 4, 2014

The Netsynt CRD Voice Router (Shodan search) provides command line access via Telnet (port 23) and has a default password of ‘netsynt’ according to the manual:


BW Broadcast FMB80 RDS Encoder Default root Account

February 3, 2014

The BW Broadcast FMB80 RDS Encoder (Shodan search) comes with a default root account according to the manual.

By default, the FMB 80 is delivered with one user defined, login “root” password “root” with a userlevel of Root.

S3 N5013 / N5071 Multiple Vulnerabilities

February 2, 2014

The S3 N5013, N5013 37X and N5071 Speed Dome cameras (Shodan search) have default admin credentials on the following models and firmware:

N5013 V1.00_STD-1
N5013 37X V1.00_STD-1
N5071 V1.02 STD-1, V1.03_STD-1

user: 3sadmin
password: 27988303

While looking at the information on the cameras I found a changelog for the N5071 1.03 STD-1 release that may indicate a remote denial of service being fixed:

Version: V1.03 STD-1
Release Date: 2012/06/19

Fix bug which system will reboot if streaming reconnect very often.

Trimble SPS Receiver Web Interface Default Admin Credentials

January 31, 2014

Trimble Navigation Limited SPS Receiver (Shodan search) contains default admin credentials for the web interface. This family of receivers comprises the SPS Modular receiver (SPS852/SPS552H/SPSx51/SPSx50), the SPSx61 Modular GPS Heading receivers, and the SPS882 Smart GPS antenna. According to the manual the defaults are admin / password. I confirmed this on firmware version 4.41.


OpenVox VoxStack Wireless Gateway Multiple Vulnerabilities

January 30, 2014

OpenVox VoxStack Wireless Gateway (Shodan search) has several vulnerabilities. I tested the VS-GGU-E2M0400 with software versions 1.0.7, 1.1.4 and 1.1.7.

#1 Web Interface Default Admin Credentials

There is a blog about this system that mentions the default credentials of admin / admin.

#2 /cgi-bin/php/system-login.php Cleartext SSH Credential Disclosure

The /cgi-bin/php/system-login.php script will return the current SSH credentials in cleartext. By default the web interface operates over HTTP too.


#3 /cgi-bin/php/network-ddns.php Cleartext DDNS Credential Disclosure

Like the previous issue, this script gives up the DDNS credentials in cleartext.


#4 /cgi-bin/php/system-tools.php Cleartext System Information Disclosure

The /cgi-bin/php/system-tools.php script has a “Backup Configuration” feature that sends config-1.1.7.tar.gz (where 1.1.7 is the software version) and includes /etc/passwd among others.
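
To see what a downloaded configuration backup like this actually carries, an owner can audit the archive offline. The following is an added example, not code from the original post or from OpenVox: the archive is a constructed stand-in for config-1.1.7.tar.gz, the function names are hypothetical, and every path in the sensitive list other than /etc/passwd is an assumption.

```python
import io
import tarfile

# Only etc/passwd is named in the post; the other prefixes are assumptions
# added for illustration.
SENSITIVE = ("etc/passwd", "etc/shadow", "etc/dropbear", "etc/ssh")


def build_sample_backup():
    """Constructed stand-in for config-1.1.7.tar.gz (not real device data)."""
    files = {
        "etc/passwd": b"root:$1$CONSTRUCTED$notarealhash:0:0:root:/root:/bin/sh\n"
                      b"nobody:x:99:99:nobody:/:/bin/false\n",
        "etc/network.conf": b"ip=192.0.2.10\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_backup(blob):
    """Return (sensitive member names, accounts with a password field in passwd)."""
    sensitive, exposed = [], []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = member.name.lstrip("./")
            if not name.startswith(SENSITIVE):
                continue
            sensitive.append(name)
            if name == "etc/passwd":
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                for line in text.splitlines():
                    fields = line.split(":")
                    # "x", "*" or "!" means the hash lives elsewhere (shadow) or
                    # the account is locked; anything else (a hash, or an empty
                    # field meaning no password) travels with the backup.
                    if len(fields) >= 2 and fields[1] not in ("x", "*", "!", "!!"):
                        exposed.append(fields[0])
    return sorted(sensitive), exposed


if __name__ == "__main__":
    print(audit_backup(build_sample_backup()))
```
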

Polycom KIRK Wireless Server 6000 Multiple Vulnerabilities

January 29, 2014

Polycom KIRK Wireless Server 6000 (Shodan search) contains a couple of flaws. I tested the following firmware: PCS13A_ Build 40450 and PCS05B_ 25258.

#1 Default Admin Credentials

According to the manual the web interface has default credentials.

The default user name of the system is admin and the default password of the system is ip6000. It is strongly recommended to change the password, refer to “Changing System User Name and Password” on page 15-2.

#2 Default HTTP Transport

By default the device uses HTTP, so all traffic, including the admin credentials, is transmitted in cleartext:


Audemat FMB80 RDS Encoder Default root Credentials

January 28, 2014

“…The Audemat FMB80 RDS encoder is considered by many to be the industry standard. With over 10,000 encoders in use by broadcasters all over the world, Audemat has a wealth of experience and a well-deserved reputation for innovation and excellence. The heart of the FMB80 is the IP2 system, an Audemat innovation that puts the power of an entire computer inside the encoder. The IP2 system allows for great flexibility in configuration and communication, including the ability to ‘tunnel’ through the FMB80s’ Ethernet ports and establish serial communication with other devices. IP2 also allows the FMB80 to communicate via a serial port or over a TCP/IP connection, and in various data protocols such as EBU -UER SPB490, UECP and ASCII…”

The Audemat FMB80 RDS Encoder (Shodan search) contains default root credentials for the telnet service according to the manual.

By default, the FMB 80 is delivered with one user defined, login “root” password “root” with a userlevel of Root.

Audemat-Aztec FMB80 RDS Encoding

AZTEC Radiomedia ‘FMB80’ Telnet server
You are Client No. 1 out of 5
Type HELP for list of commands

HELP.APPLI : Application specific help commands
HELP.BASIC : BASIC Interpreter commands help
HELP.DNS : DNS client commands help
HELP.EVENTS : Events commands help
HELP.FILE : File system commands help
HELP.FTP : FTP server commands help
HELP.FTP_CLIENT : FTP client commands help
HELP.HTTP_CLIENT : HTTP client commands help
HELP.HISTO : Log file commands help
HELP.MAIL : E-mail client commands help
HELP.MULTICAST : Multicast group commands help
HELP.NETCOM : NETCOM help commands
HELP.NETWORK : Network commands help
HELP.PPP : PPP commands help
HELP.SCHEDULER : SCHEDULER rules and commands help
HELP.SNMP : SNMP agent commands help
HELP.SYSTEM : System commands help
HELP.TIMERS : Timers commands help
HELP.TELNET_CLIENT : Telnet client commands help
HELP.UDP : UDP client/server commands help
HELP.USERS : Login and password table commands help
HELP.WEB : Web server commands help
HELP.SNTP : SNTP commands help

HELP.RDS.SYSTEM Help on RDS System Commands
HELP.RDS.ENCODER Help on RDS Encoder Commands
HELP.RDS.SCROLL Help on RDS RT & PS scroll Commands
HELP.DSN Help on RDS Data Set related Commands
HELP.PSN Help on RDS Programme Service related Commands
HELP.STATUS Help on Supervision Related Commands
HELP.REL Help on Relay Output related Commands
HELP.DIG Help on Digital Input related Commands
HELP.TEMP Help on Temperature Sensor related Commands

LEVEL=i, LEVEL? Set/Display RDS Output level i=1-3199
PHASE=i, PHASE? Set/Display RDS Output phase i=0-359
SYNCHRO=X, SYNCHRO? Set/Display Sync mode X= AUTO, EXT or INT
PILOT? Display Pilot detection status
CT.OFFSET=i Local Time Offset X 1/2HR -24 to +24
(See CENELEC prEN 50067:1998 page 28)
CT=i Enable(1)/Disable(0) Group 4 Transmission
TA.CONTROL=a,b,c a=Min no. of grps between two 14B/15B grps
EONTA.CONTROL=a,b,c b(,c)=No. of 14B/15B grps at TA=1(,0) transition
PST=i Character code table selection i=0-3
RADIOTEXT=X X=LONG Broadcast 64 chars, X=SHORT Broadcast text only
REP_2A=i Enable(1)/Disable(0) 2A-group repetition
when sending a new radiotext.
GSIZE.CYC=i Maximise Cyclic buffer size for group i=0-15 or all, 16
GSIZE.PRIORITY=g Set Cyclic buffer priority g=0A-15B
DSN.CURR=i Select Data Set for transmission i=1-6
DSN(n).LIST=a,b,c,d,… Create Data Set with Main PSN a, EON PSN,s b,c etc
n=1 to 6 (Current DSN not accepted)
DSN(d).PSN(p).EON={1|0} Enable(1)/Disable(0) EON’s in DSN d and PSN p
GROUPS=i Set groups retransmission i=00000000-FFFFFFFF
RDS.IN=i Set GROUPS mode i=0-4
ALPHA=, Send alphanumeric message (80 char)
NUM10=, Send numeric message (10 digits)
(gv: see prEN 50067:1997, page 19 for valid codes)
ODA.gv.AID=xxxx Set AID (x=0-9, A-F)
ODA.gv.MSG=xxxx Set MSG (x=0-9, A-F)
ODA.gv.MSG2=xxxx Set MSG2 (x=0-9, A-F)
ODA.gv.TO=n Set TO (n=0-255)
ODA.gv.REPEAT=n Set REPEAT (n=0-15)
ODA.gv.SPACE=n Set SPACE (n=0-15)
ODA.gv.NB=n Set NB (n=1-60)
ODA.gv.WINDOW=n Set WINDOW (n=0-60)
ODA.gv.DELAY=n Set DELAY (n=1-59)
ODA.RPGS=g1,g2,… Set relative priority

DSN=D Set Data Set ‘D’ for DSN and PSN configuration, D=0-6
DSN Display DSN config for DSN D

‘DSN(d).’ may go before next DSN commands
LIST=a,b,c,d,… Make PSN list a=0-255

Zyxel Prestige 782R Authentication Bypass

January 26, 2014

The Zyxel Prestige 782R router (Shodan search) suffers from the RomPager /rom-0 bypass mentioned on earlier blogs.

If you request the /rom-0 file it does not require authentication. This can be reversed using available tools like the one at The first string returned is the admin password.

Ultimately this is due to the router using the RomPager server, which can be identified from the Server header:

Server: ZyXEL-RomPager/3.02

S3 9071 Mini Dome IP Camera Web Interface Default Admin Credentials

January 25, 2014

The S3 9071 Mini Dome IP Camera (Shodan search) contains default admin credentials. Tested on firmware versions V1.07_STD-1 and V1.09.1_STD-1:

user: 3sadmin
password: 27988303