Papouch Backdoor Account / CSRF / Missing Authentication

2016.06.17
Credit: Karn Ganeshen
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

+++++

*Vulnerable Products*

1. Papouch TME Ethernet thermometer
2. Papouch TME multi: Temperature and humidity via Ethernet

*All versions affected*

*TME - Ethernet Thermometer*
http://www.papouch.com/en/shop/product/tme-ip-ethernet-thermometer/

*TME multi: Temperature and humidity via Ethernet*
http://www.papouch.com/en/shop/product/tme-multi-temperature-humidity-via-ethernet/

*Vulnerability Details*

*1. Weak Credentials Management*

The device has three security levels: user (temperature viewing), administrator (configuration), and superadmin (sensor calibration). Each level has its own password.

*Issue*

According to the device manual, the Superadmin password cannot be cleared. The default password is 1234. This level allows access to all settings, including sensor calibration.

-> The application does not enforce a mandatory password change from the default to a strong password value.

*2. Authentication Issues & Sensitive Information Leakage*

By default, password authentication is not enabled on Telnet access. The Telnet service runs on TCP 9999. A Telnet connection to port 9999 drops into setup mode and gives access to the device configuration. The configuration reveals the administrative password in clear text without any authentication. Anyone can then use this password to gain administrative access to the device.

-> Telnet access must have authentication enabled by default, a mandatory password change must be enforced, and any login passwords and SNMP community strings must be hidden/masked/censored.

*3. Vulnerable to Cross-Site Request Forgery*

In the Device Management portal, no CSRF token is generated per page and/or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device, such as changing configuration parameters and saving the modified configuration.
*Overall Impact*

AFAIK, these products are typically used for monitoring temperatures in data centers and fuel tanks, heating system monitoring, AC failure monitoring, food / grain storage temperature monitoring, etc. Therefore, the impact of a device compromise can be severe, depending on the utility and environment where the devices are deployed.

+++++

--
Best Regards,
Karn Ganeshen
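
The mitigation implied by item 3 (a CSRF token per sensitive function), sketched as an added example; this is not code from the advisory or from the vendor firmware. The function names, the `csrf_token` form field, the action names and the 600-second lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# All names here are hypothetical; none come from the device firmware.
SERVER_KEY = secrets.token_bytes(32)  # per-boot secret, never sent to the browser
TOKEN_LIFETIME = 600                  # assumed validity window, in seconds


def _mac(session_id: str, action: str, issued: int) -> str:
    # NUL separators keep (session, action) pairs unambiguous.
    msg = f"{session_id}\x00{action}\x00{issued}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, action: str, now: Optional[int] = None) -> str:
    """Return a token bound to one session and one sensitive function."""
    issued = int(time.time() if now is None else now)
    return f"{issued}.{_mac(session_id, action, issued)}"


def verify_token(token: str, session_id: str, action: str,
                 now: Optional[int] = None) -> bool:
    """Accept only a fresh, untampered token for this session and action."""
    current = int(time.time() if now is None else now)
    try:
        issued_str, mac = token.split(".", 1)
        issued = int(issued_str)
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    if not 0 <= current - issued <= TOKEN_LIFETIME:
        return False  # expired, or timestamped in the future
    expected = _mac(session_id, action, issued)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(mac.encode(), expected.encode())


def handle_post(session_id: str, action: str, form: dict) -> int:
    """Gate a state-changing request; returns an HTTP status code."""
    if not verify_token(form.get("csrf_token", ""), session_id, action):
        return 403  # reject before any configuration is touched
    return 200      # the real handler would apply the change here
```

Because the token is derived from the session and the action name, a token embedded in one configuration form cannot be replayed against a different function or from another session.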


Copyright 2024, cxsecurity.com

 
