ID PACKETSTORM:137512 Type packetstorm Reporter Karn Ganeshen Modified 2016-06-16T00:00:00
Description
+++++
*Vulnerable Products*
1. Papouch TME Ethernet thermometer
2. Papouch TME multi: Temperature and humidity via Ethernet
*All versions affected*
*TME - Ethernet Thermometer*
http://www.papouch.com/en/shop/product/tme-ip-ethernet-thermometer/
*TME multi: Temperature and humidity via Ethernet*
http://www.papouch.com/en/shop/product/tme-multi-temperature-humidity-via-ethernet/
*Vulnerability Details*
*1. Weak Credentials Management*
The device has three security levels: user (temperature viewing),
administrator (configuration) and superadmin (sensor calibration). Each level
has its own password.
*Issue*
According to the device manual, the superadmin password cannot be cleared. The
default password is 1234. This level gives access to all settings,
including sensor calibration.
-> The application does not enforce a mandatory change from the default
password to a strong password value.
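As an added example (not from the advisory and not Papouch code), the following models the control the finding asks for: a password-protected level whose factory default is provisional only. The default value 1234 comes from the advisory; the policy thresholds, the hashing choice and the `PrivilegedLevel` class are assumptions.

```python
# Added example (not from the advisory or from Papouch): a first-login
# password policy of the kind the advisory asks for. The factory default
# "1234" comes from the advisory; everything else here is an assumption.
import hashlib
import hmac
import secrets
from typing import List

# Values a device should never accept as a permanent password.
FACTORY_DEFAULTS = {"1234", "admin", "password", ""}
MIN_LENGTH = 12


def password_policy_violations(candidate: str) -> List[str]:
    """Return every reason the candidate is unacceptable (empty list = OK)."""
    problems = []
    if candidate in FACTORY_DEFAULTS:
        problems.append("matches a known factory default")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(
        any(test(c) for c in candidate)
        for test in (str.islower, str.isupper, str.isdigit,
                     lambda c: not c.isalnum())
    )
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


class PrivilegedLevel:
    """One password-protected level (user / administrator / superadmin).

    The factory default is provisional: it may be used only to set a new
    password, never to perform the level's real actions.
    """

    def __init__(self, name: str, factory_default: str):
        self.name = name
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(factory_default)
        self.must_change = True

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self._derive(password), self._hash)

    def change_password(self, current: str, new: str) -> List[str]:
        """Rotate the password; returns the list of policy problems, if any."""
        if not self.verify(current):
            return ["current password incorrect"]
        problems = password_policy_violations(new)
        if problems:
            return problems
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(new)
        self.must_change = False
        return []

    def authorize(self, password: str, action: str) -> str:
        """Gate every privileged action behind both the password and the change flag."""
        if not self.verify(password):
            return "denied: bad password"
        if self.must_change and action != "change_password":
            return f"denied: password change required before {action}"
        return f"allowed: {action}"


if __name__ == "__main__":
    superadmin = PrivilegedLevel("superadmin", "1234")
    print(superadmin.authorize("1234", "calibrate"))
    print(superadmin.change_password("1234", "1234"))
    print(superadmin.change_password("1234", "Thermo-Rack-42!x"))
    print(superadmin.authorize("Thermo-Rack-42!x", "calibrate"))
```

The point of the `must_change` flag is that the default still works, but only for one action: replacing itself. Every other action at that level is refused until a policy-conforming password is set.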
*2. Authentication Issues & Sensitive Information Leakage*
By default, password authentication is not enabled on Telnet access. The Telnet
service runs on TCP 9999. Connecting via Telnet to port 9999 drops into setup mode and gives
access to the device configuration.
The configuration reveals the administrative password in clear text without any
authentication. Anyone can then use this password to gain administrative
access to the device.
-> Telnet access must have authentication enabled by default, a mandatory
password change must be enforced, and any login passwords and SNMP
community strings must be hidden/masked/censored.
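Until the vendor ships the fix, the practical defence is to confine the setup-mode port to a management network and alert on anything else reaching it. The following added example (not from the advisory) runs that detection over constructed firewall log lines. TCP 9999 and the SNMP concern come from the advisory; the log format, the subnets and the host addresses are assumptions.

```python
# Added example (not from the advisory): detection logic for the exposure
# described above, run over constructed firewall log lines. The port
# (TCP 9999) and the SNMP concern come from the advisory; the log format,
# the subnets and the host addresses are assumptions.
import ipaddress
import re
from typing import Dict, List, Optional

# Only hosts in these networks are expected to touch the sensors' management services.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.9.0/24")]

# Services on the thermometer that carry secrets in the clear.
WATCHED_PORTS = {
    ("tcp", 9999): "setup mode (Telnet, no authentication by default)",
    ("udp", 161): "SNMP (community string exposed in config)",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one key=value firewall line; None for anything malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_management_host(ip: str) -> bool:
    """True when the source address lies inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)


def find_setup_mode_access(lines: List[str]) -> List[Dict[str, object]]:
    """Alert on any non-management source reaching a watched sensor service.

    Denied attempts are reported too: a blocked probe is still a signal.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["proto"].lower(), int(rec["dport"]))
        if key not in WATCHED_PORTS or is_management_host(rec["src"]):
            continue
        alerts.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "port": key[1],
            "service": WATCHED_PORTS[key],
            "action": rec["action"],
            "severity": "high" if rec["action"] == "allow" else "medium",
        })
    return alerts


# Constructed sample: one legitimate management session, one office host
# reaching setup mode, a harmless HTTP request, a blocked external SNMP probe,
# and a line the parser must skip.
SAMPLE_LOG = """\
2016-06-16T09:58:11Z src=10.0.9.5 dst=10.0.9.10 proto=tcp dport=9999 action=allow
2016-06-16T10:01:02Z src=10.0.5.23 dst=10.0.9.10 proto=tcp dport=9999 action=allow
2016-06-16T10:01:09Z src=10.0.5.23 dst=10.0.9.10 proto=tcp dport=80 action=allow
2016-06-16T10:03:44Z src=192.0.2.77 dst=10.0.9.11 proto=udp dport=161 action=deny
this line is not a firewall record
"""

if __name__ == "__main__":
    for alert in find_setup_mode_access(SAMPLE_LOG.splitlines()):
        print(alert)
```

An allowed session from outside the management network is rated high because, per the advisory, a single unauthenticated connection on that port is enough to read the administrative password; a denied one is still worth a ticket because it shows someone is looking for the port.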
*3. Vulnerable to Cross-Site Request Forgery*
In the Device Management portal, no CSRF token is generated per page and/or
per (sensitive) function. Successful exploitation of this
vulnerability can allow silent execution of unauthorized actions on the
device, such as configuration parameter changes and saving the modified
configuration.
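The missing control is the synchronizer-token pattern. The following added example (not from the advisory and not the device firmware) shows a vulnerable save handler beside a protected one; the request and session model, and the `alarm_high_c` parameter, are assumptions made so the code runs without a web framework.

```python
# Added example (not from the advisory or the device firmware): the
# synchronizer-token pattern the advisory's third finding calls for, shown
# as a vulnerable save handler beside a protected one. Requests, sessions
# and the "alarm_high_c" configuration parameter are assumptions modelled
# without a web framework.
import hmac
import secrets
from typing import Dict


class Session:
    """Per-login server-side state, keyed by the browser's session cookie."""

    def __init__(self):
        # One unguessable token per session; a cross-site page cannot read it.
        self.csrf_token = secrets.token_urlsafe(32)
        self.config = {"alarm_high_c": 30}


def render_config_form(session: Session) -> str:
    """The legitimate page embeds the session's token in a hidden field."""
    return (
        '<form method="post" action="/config/save">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="alarm_high_c"><button>Save</button></form>'
    )


def save_config_vulnerable(session: Session, form: Dict[str, str]) -> str:
    """Trusts the session cookie alone: a form auto-submitted by any other
    site the victim visits carries that cookie and is accepted."""
    session.config["alarm_high_c"] = int(form["alarm_high_c"])
    return "saved"


def save_config_protected(session: Session, form: Dict[str, str]) -> str:
    """Same action, but requires proof the request came from our own page."""
    supplied = form.get("csrf_token", "")
    # Constant-time comparison on bytes so odd input cannot raise or leak timing.
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return "rejected: missing or invalid CSRF token"
    session.config["alarm_high_c"] = int(form["alarm_high_c"])
    return "saved"


if __name__ == "__main__":
    # A cross-site POST arrives with the victim's cookie (hence the session)
    # but without the token, which only our own page could have embedded.
    cross_site = {"alarm_high_c": "99"}
    s = Session()
    print(save_config_vulnerable(s, cross_site), s.config)
    s = Session()
    print(save_config_protected(s, cross_site), s.config)
    own_page = {"alarm_high_c": "25", "csrf_token": s.csrf_token}
    print(save_config_protected(s, own_page), s.config)
```

The token must be bound to the session and checked on every state-changing request, not just on the page that renders the form; marking the session cookie `SameSite=Lax` or `Strict` is a useful second layer but does not replace the token check on older browsers.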
*Overall Impact*
AFAIK, these products are typically used for temperature monitoring in
data centers, fuel tanks, heating systems, AC failure monitoring,
food/grain storage, etc. Therefore, the impact of a device compromise can
be severe depending on the use and the environment in which the devices
are deployed.
+++++
--
Best Regards,
Karn Ganeshen