ID: PACKETSTORM:141391 | Type: packetstorm | Reporter: Quentin Olagne | Modified: 2017-03-01T00:00:00
Description
`# Exploit Title: CVE-2017-6351 - WePresent undocumented privileged manufacturer backdoor account
# Date: 27/02/2017
# Exploit Author: Quentin Olagne
# Vendor Homepage: http://www.wepresentwifi.com/ or http://www.awindinc.com/products_wepresent_wipg_1500.html
# Software Link: http://www.awindinc.com/products_wepresent_wipg_1500.html
# Version: All versions of WiPG-1500 devices up to the latest firmware (1.0.3.7)
# Tested on: Latest firmware (1.0.3.7) of WiPG-1500 device
# CVE : CVE-2017-6351
The WiPG-1500 device ships firmware that contains a manufacturer account with a hard-coded username and password.
Once the device is set to DEBUG mode, an attacker can connect to it over telnet and log in with the 'abarco' hard-coded manufacturer account.
This account is not documented, nor is the DEBUG feature or the use of telnetd on port TCP/5885 (when debug mode is ON).
Here's an extract of the Linux 'passwd' file:
root:x:0:0:root:/home:/bin/sh
abarco:x:1000:0:Awind-Barco User,,,:/home:/bin/sh
and the 'shadow':
root:$1$x1mFoD3w$uuvn.Z0p.XagX29uN3/Oa.:0:0:99999:7:::
abarco:$1$JB0Pn5dA$sROUF.bZVoQSjVrV06fIx1:0:0:99999:7:::
This vulnerability has been reported to the vendor, but this product (WiPG-1500) is no longer maintained, which makes it a #WONTFIX vulnerability. The vendor has removed the 'abarco' account on the newest models, but don't worry: DEBUG mode is still there with telnetd, and you can also use the r00t account with a home and /bin/sh on the other systems in any case.
`
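For anyone auditing an unpacked firmware image for this class of issue (CWE-798), the following added example, which is not part of the original advisory, parses `passwd` and `shadow` files and reports accounts that combine a login shell with a baked-in password hash. The account layout mirrors the extracts above; the hash values are constructed placeholders, and the `documented` allow-list and the set of shells are assumptions.

```python
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/ash"}   # assumed shell set
HASH_SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}

# Constructed sample: names and IDs follow the advisory, hashes are placeholders.
PASSWD = """\
root:x:0:0:root:/home:/bin/sh
abarco:x:1000:0:Awind-Barco User,,,:/home:/bin/sh
nobody:x:99:99:nobody:/:/bin/false
"""
SHADOW = """\
root:$1$SALT0001$PLACEHOLDERHASHVALUE01:0:0:99999:7:::
abarco:$1$SALT0002$PLACEHOLDERHASHVALUE02:0:0:99999:7:::
nobody:*:0:0:99999:7:::
"""

def parse_shadow(text):
    """Map user name -> password field from shadow(5) lines."""
    out = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            out[fields[0]] = fields[1]
    return out

def audit(passwd_text, shadow_text, documented=frozenset()):
    """Return one finding per account that can log in with a shipped password."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        user, pw, uid, gid, _gecos, _home, shell = fields
        # 'x' defers to shadow; a missing shadow entry is treated as locked
        secret = shadow.get(user, "*") if pw == "x" else pw
        if secret.startswith(("*", "!")) or shell not in INTERACTIVE_SHELLS:
            continue  # locked account or no interactive shell
        parts = secret.split("$")  # "$1$salt$hash" -> ['', '1', 'salt', 'hash']
        scheme = HASH_SCHEMES.get(parts[1], "unknown") if len(parts) > 3 else "none-or-legacy"
        findings.append({
            "user": user,
            "uid_or_gid_zero": uid == "0" or gid == "0",
            "scheme": scheme,
            "undocumented": user not in documented,
        })
    return findings

if __name__ == "__main__":
    for finding in audit(PASSWD, SHADOW, documented={"root"}):
        print(finding)
```

Any finding with `undocumented` set is a candidate hard-coded account; on a device that cannot be patched, the practical control is network isolation and blocking the debug telnet port.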
Related records

PACKETSTORM:141391: WePresent WiPG-1500 Backdoor Account (published 2017-03-01)
  https://packetstormsecurity.com/files/141391/WePresent-WiPG-1500-Backdoor-Account.html
  Source: https://packetstormsecurity.com/files/download/141391/wepresent-backdoor.txt

CVE-2017-6351 (NVD, published 2017-03-06, modified 2017-09-01)
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6351
  CWE: CWE-798
  CVSS v3.0: 8.1 HIGH (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
  CVSS v2.0: 9.3 HIGH (AV:N/AC:M/Au:N/C:C/I:C/A:C)
  CPE: cpe:2.3:o:wepresent:wipg-1500_firmware:1.0.3.7:*:*:*:*:*:*:*
  Description: The WePresent WiPG-1500 device with firmware 1.0.3.7 has a manufacturer account that has a hardcoded username / password. Once the device is set to DEBUG mode, an attacker can connect to the device using the telnet protocol and log into the device with the 'abarco' hardcoded manufacturer account. This account is not documented, nor is the DEBUG feature or the use of telnetd on port tcp/5885.

1337DAY-ID-27154: WePresent WiPG-1500 - Backdoor Account Vulnerability (published 2017-03-01)
  https://0day.today/exploit/description/27154

EDB-ID:41480: WePresent WiPG-1500 - Backdoor Account (published 2017-02-27)
  https://www.exploit-db.com/exploits/41480/

EXPLOITPACK:C2C813FD4CBB8220E1CB193EF681C943: WePresent WiPG-1500 - Backdoor Account (published 2017-02-27)