Twenty Year Anniversary

Trango Systems Backdoor Root Account

Trango Systems Backdoor Root Account
Posted Nov 12, 2016
Authored by Ian Ling

Trango devices all have a built-in, hidden root account, with a default password that is the same across many devices and software revisions. This account is accessible via ssh and grants access to the underlying embedded unix OS on the device, allowing full control over it. Recent software updates for some models have changed this password, but have not removed this backdoor.

tags | exploit, root
systems | unix
MD5 | 5c14cfd9571da77e49d19b910dce3ea2

Trango Systems Backdoor Root Account

Change Mirror Download
[+] Credits: Ian Ling
[+] Website: iancaling.com
[+] Source: http://blog.iancaling.com/post/153011925478/

Vendor:
=================
www.trangosys.com

Products:
======================
All models. Newer versions use a different password.

Vulnerability Type:
===================
Default Root Account

CVE Reference:
==============
N/A

Vulnerability Details:
=====================

Trango devices all have a built-in, hidden root account, with a default
password that is the same across many devices and software revisions.
This account is accessible via ssh and grants access to the underlying
embedded unix OS on the device, allowing full control over it. Recent
software updates for some models have changed this password, but have
not removed this backdoor. See source above for details on how the
password was found.

The particular password I found is 9 characters, all lowercase, no
numbers: "bakergiga"
Their support team informed me that there is a different password on
newer devices.

The password I found works on the following devices:

-Apex <= 2.1.1 (latest)
-ApexLynx < 2.0
-ApexOrion < 2.0
-ApexPlus <= 3.2.0 (latest)
-Giga <= 2.6.1 (latest)
-GigaLynx < 2.0
-GigaOrion < 2.0
-GigaPlus <= 3.2.3 (latest)
-GigaPro <= 1.4.1 (latest)
-StrataLink < 3.0
-StrataPro - all versions?

Impact:
The remote attacker has full control over the device, including shell
access. This can lead to packet sniffing and tampering, bricking the
device, and use in botnets.


Disclosure Timeline:
===================================
Vendor Notification: October 7, 2016
Public Disclosure: November 10, 2016

Exploitation Technique:
=======================
Remote

Severity Level:
================
Critical


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

July 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    1 Files
  • 2
    Jul 2nd
    26 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    13 Files
  • 6
    Jul 6th
    4 Files
  • 7
    Jul 7th
    4 Files
  • 8
    Jul 8th
    1 Files
  • 9
    Jul 9th
    16 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    32 Files
  • 12
    Jul 12th
    22 Files
  • 13
    Jul 13th
    15 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    1 Files
  • 16
    Jul 16th
    21 Files
  • 17
    Jul 17th
    15 Files
  • 18
    Jul 18th
    15 Files
  • 19
    Jul 19th
    17 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close