ProxyView default undocumented password

2007.10.15
Credit: Michael Brown
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

-- Summary -- The Replicom ProxyView remote access unit ships with a default Administrator password for Embedded Windows NT. Any users with access to communicate with the ProxyView over the NetBIOS port (TCP/139) can exploit this fact to take over the ProxyView unit. -- Product details -- From homepage: http://www.replicom.com/ "With ProxyView at the front end of any KVM Switch, multiple servers can be locally or remotely accessed in/out-of-band, providing server control, through a web based client, even when the network is down. Using ProxyView, network administrators can access multiple servers connected to any KVM Switch through a dial-up modem connection, an Internet connection, or across a LAN or WAN. Actions that vary from GUI functionality to BIOS-level troubleshooting, administration, and soft and hard remote rebooting, are available just as if sitting next to the server in the Data-Center." Really, it's a handy remote access tool. It runs Windows NT embedded and actually is usable for GUI administration over a modem connection. I just wish there was an option for a client other than IE under Windows... :) -- Vulnerability -- The software running on the ProxyView maintains a user database for its client connections. This database is completely separate from the Windows NT user database. The ProxyView administrator default password is 'PVremote'. The documentation advises you to change this password quickly. This is NOT the problem. The Administrator account for Embedded Windows NT on the ProxyView has the default password of "Administrator". Anybody with access to port 139 (Hmmm... people on the LAN) can login as Administrator and have full control over the box and consequently console access to the machines the ProxyView is a front end for. These details are not mentioned anywhere in the documentation. -- Solution -- 1) Generate a new password. :) 2) Using whatever remote registry tool you like (regedit), connect to the ProxyView and change the contents of the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to the new password you generated in step 1. 3) Using whatever remote user tool you like (usrmgr), connect to the ProxyView and change the Administrator password. WARNING: If the 'autologon' password and the Administrator password are out of sync, the ProxyView will *not* function after a reboot. You can still access the unit via NetBIOS to fix the problem though. Provided you haven't lost the password, so keep it safe! :) -- Vendor contact -- The vendor was contacted on Nov. 19 2002. The vendor failed to realize the scope of the problem, however. M. -- Michael Brown | Quis custodiet Systems Administrator GPG key: | ipsos custodes? michaelb (at) opentext (dot) com [email concealed] 0x527670C0 |


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top