
EntryPass N5200 Credential Disclosure

Posted Dec 1, 2014
Site redteam-pentesting.de

EntryPass N5200 Active Network Control Panels allow the unauthenticated downloading of information that includes the current administrative username and password.

tags | exploit
advisories | CVE-2014-8868
SHA-256 | 95972964bbc742ac4c38212126c9f75123187a80142bc0be775e001524803d2e

Advisory: EntryPass N5200 Credentials Disclosure

EntryPass N5200 Active Network Control Panels allow the unauthenticated
downloading of information that includes the current administrative
username and password.


Product: EntryPass N5200 Active Network Control Panel
Affected Versions: unknown
Fixed Versions: not available
Vulnerability Type: Information Disclosure, Credentials Disclosure
Security Risk: high
Vendor URL: http://www.entrypass.net/w3v1/products/active-network/n5200
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-011
Advisory Status: published
CVE: CVE-2014-8868
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8868


"EntryPass Active Networks are designed to enhance highly customized and
rapid 'real-time' changes to the underlying network operation.
Brilliantly engineered with all the power you need to enable
code-sending, minus unnecessary buffer time with its distributed
architecture capable of processing access demand at the edge level
without leveraging at the server end."

(From the vendor's home page)

More Details

EntryPass N5200 Active Network Control Panels offer an HTTP service on
TCP port 80. It appears that only the first character of a requested
URL's path is relevant to the web server. For example, requesting the


yields the same CSS file as requesting the following URL:


By enumerating all one-character long URLs on a device, it was
determined that URLs starting with a numeric character are used by the
web interface, as listed in the following table:

http://example.com/0 Index
http://example.com/1 Stylesheet
http://example.com/2 Authentication with Username/Password
http://example.com/3 Session Management
http://example.com/4 Device Status
http://example.com/5 Progressbar Image
http://example.com/6 Reset Status
http://example.com/7 Login Form
http://example.com/8 HTTP 404 Error Page
http://example.com/9 JavaScript

For URLs starting with non-numeric characters, an HTTP 404 - Not Found
error page is normally returned. Exceptions to this rule are URLs
starting with the lower case letters o to z and the upper case letters A
to D. When requesting these URLs, memory contents from the device appear
to be returned in the server's HTTP response.

As highlighted in the following listing, both the currently set username
ADMIN and the corresponding password 123456 are disclosed in the memory
contents when requesting the URL http://example.com/o:

$ curl -s http://example.com/o | hexdump -C | head
0010 XX XX XX XX XX XX XX XX XX XX XX 77 77 77 2e 65 |XXXXXXXXXXXwww.e|
0020 6e 74 72 79 70 61 73 73 2e 6e 65 74 00 00 00 00 |ntrypass.net....|
0060 XX XX XX XX XX XX XX XX XX XX 41 44 4d 49 4e 26 |XXXXXXXXXXADMIN&|
0070 20 20 31 32 33 34 35 36 26 20 XX XX XX XX XX XX |  123456& XXXXXX|

These credentials grant access to the administrative web interface of
the device when using them in the regular login form.
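
The first-character routing described above can be turned into a detection rule. The following is an added example, not part of the RedTeam advisory: it assumes request logs in Common Log Format from a proxy or network sensor placed in front of the panel (the advisory does not describe any logging on the device itself), and the function names and sample log lines are constructed for illustration.

```python
import re

# Resource served for each leading digit, taken from the advisory's table.
DIGIT_RESOURCES = {
    "0": "Index", "1": "Stylesheet",
    "2": "Authentication with Username/Password",
    "3": "Session Management", "4": "Device Status",
    "5": "Progressbar Image", "6": "Reset Status", "7": "Login Form",
    "8": "HTTP 404 Error Page", "9": "JavaScript",
}
# Leading characters for which the advisory observed memory contents (o-z, A-D).
MEMORY_CHARS = set("opqrstuvwxyzABCD")
MEMORY = "MEMORY DISCLOSURE"

# Common Log Format: source, two ignored fields, [timestamp], "METHOD target PROTO"
CLF = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] "\S+ (?P<target>\S+)[^"]*"')

def classify(target):
    """Classify a request the way the panel's web server appears to:
    only the first character after the leading slash is considered."""
    # Accept absolute-form targets (http://host/path) as well as origin-form.
    path = re.sub(r"^[a-zA-Z][a-zA-Z0-9+.-]*://[^/]*", "", target)
    first = path[1:2] if path.startswith("/") else ""
    if first in DIGIT_RESOURCES:
        return DIGIT_RESOURCES[first]
    if first in MEMORY_CHARS:
        return MEMORY
    return "other"

def flag_memory_reads(log_lines):
    """Return (source, target) for every logged request in the disclosure range."""
    hits = []
    for line in log_lines:
        m = CLF.match(line)
        if m and classify(m.group("target")) == MEMORY:
            hits.append((m.group("src"), m.group("target")))
    return hits

# Constructed sample lines using documentation addresses, not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2014:10:00:00 +0000] "GET /0 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Dec/2014:10:00:01 +0000] "GET /1styles.css HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Dec/2014:10:05:12 +0000] "GET /o HTTP/1.1" 200 4096',
    '198.51.100.7 - - [01/Dec/2014:10:05:13 +0000] "GET /Backup HTTP/1.1" 200 4096',
    '192.0.2.10 - - [01/Dec/2014:10:06:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for src, target in flag_memory_reads(SAMPLE_LOG):
        print(f"ALERT {src} requested {target}")
```

Because only the first character matters, an ordinary-looking path such as `/Backup` falls into the same range as `/o`, so a rule that matches exact paths would miss it.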

Similarly, it is possible to get the status output of the device without
prior authentication by simply requesting the following URL


The server responds to the request with the following XML data, which
contains information about various different settings of the device.

<title>Device Server Manager</title>
<firmware_version>HCB.CC.S1. -N5200[64Mb]</firmware_version>

Proof of Concept

$ curl -s http://example.com/o | hexdump -C | head


Workaround

Access to the web interface should be blocked at the network layer.

Fix

Not available.

Security Risk

Attackers with network access to an EntryPass N5200 Active Network
Control Panel can retrieve memory contents from the device. These memory
contents disclose the currently set username and password needed to
access the administrative interface of the device. Using these
credentials, it is possible to read the device's current status and
configuration, as well as modify settings and install firmware updates.

With regard to the device itself, this vulnerability poses a high risk,
as it allows attackers to gain full control. The actual operational risk
depends on how the device is used in practice.


History

2014-05-19 Vulnerability identified
2014-08-25 Customer approved disclosure to vendor
2014-08-27 Vendor contacted, security contact requested
2014-09-03 Vendor contacted, security contact requested
2014-09-15 Vendor contacted, vulnerability reported
2014-09-17 Update requested from vendor, no response
2014-10-15 No response from vendor. Customer discontinued use of the
product and approved public disclosure
2014-10-20 Contacted vendor again since no fix or roadmap was provided.
2014-10-28 CVE number requested
2014-11-14 CVE number assigned
2014-12-01 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at

RedTeam Pentesting GmbH
Dennewartstr. 25-27
52068 Aachen
Germany
Tel.: +49 241 510081-0
Fax : +49 241 510081-99
https://www.redteam-pentesting.de
Court of registration: Aachen HRB 14004
Managing directors: Patrick Hof, Jens Liebchen