RoomWizard Default Password and Sync Connector Credential Leak

2011-01-14 / 2011-01-15
Credit: Sean Lam
Risk: High
Local: No
Remote: Yes

*******************************************************************************
% Advisory Name: RoomWizard Default Password and Sync Connector Credential Leak
% Date: 2010-08-16
% Appliance/SW: RoomWizard Web-based room scheduling system
% Versions: Tested on Firmware 3.2.3 (Model RW10)
% Author: Sean Lam < seansec (at) live (d0t) com >
% Vendor Status: Vendor Contacted
% CVE Candidate: CVE-2010-0214
% Reference: n/a
*******************************************************************************

% Vulnerability Overview
************************
The RoomWizard Web based scheduling system with touch screen display uses a
default password: "roomwizard" which would allow remote attackers to obtain
console access at http://DeviceIP:80

Various configuration items can be tampered with once authenticated.

Additionally, a GET request on http://DeviceIP:80/admin/sign/DeviceSynch will
result in a leakage of the Sync Connector username and password on two input
boxes (password masked via type = password):

    .....type="text" name="connectorusername" value="DOMAIN/DOMAINID"></td>
    .....type="password" name="connectorpassword" value="DOMAINIDPASS"></td>

% Vendor Response & Timeline
****************************
2010-08-17 CERT/CC contacted for CVE Identifier Resvn (CVE-2010-0214)
           CERT/CC Vuln Tracking number VU#870601
2010-08-18 Vulnerability reported to CERT/CC and escalated to vendor
2010-12-21 CERT/CC informs vendor has fixed issue with latest patch

% Recommendations
************************
Apply latest patch released by vendor

References:

http://www.kb.cert.org/vuls/id/870601
http://xforce.iss.net/xforce/xfdb/64543
http://www.vupen.com/english/advisories/2011/0059
http://www.securityfocus.com/bid/45699
http://seclists.org/fulldisclosure/2011/Jan/58
http://packetstormsecurity.org/files/view/97291/roomwizard-disclose.txt
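
Masking with type="password" only hides the characters on screen; the value attribute still carries the secret in the response body. The following added example (not part of the original advisory and not vendor code) audits saved admin-page HTML for password inputs that arrive pre-filled, which is the condition the advisory reports for connectorpassword. The markup around the two quoted fields and the function name are assumptions made for the example.

```python
from html.parser import HTMLParser

# Constructed sample modelled on the two fields quoted in the advisory;
# the surrounding form/table markup is an assumption.
SAMPLE_LEAKY = """
<form method="post">
<table>
<tr><td><input type="text" name="connectorusername" value="DOMAIN/DOMAINID"></td></tr>
<tr><td><input type="password" name="connectorpassword" value="DOMAINIDPASS"></td></tr>
</table>
</form>
"""

# Constructed sample of the corrected behaviour: the stored secret is
# never echoed back into the page.
SAMPLE_FIXED = SAMPLE_LEAKY.replace('value="DOMAINIDPASS"', 'value=""')


class _PasswordFieldAudit(HTMLParser):
    """Collects password inputs whose value attribute is pre-filled."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None.
        if tag != "input":
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("type", "").lower() == "password" and a.get("value", "").strip():
            self.findings.append(a.get("name", "<unnamed>"))


def prefilled_password_fields(html_text):
    """Return the names of password inputs that carry a non-empty value."""
    audit = _PasswordFieldAudit()
    audit.feed(html_text)
    audit.close()
    return audit.findings


if __name__ == "__main__":
    for label, page in (("leaky", SAMPLE_LEAKY), ("fixed", SAMPLE_FIXED)):
        print(label, prefilled_password_fields(page))
```

A non-empty result on a page saved after patching means the stored credential is still being written into the form and should be treated as exposed and rotated.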



Copyright 2024, cxsecurity.com

 
