Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Riorey RIOS Hardocded Password

🗓️ 08 Oct 2009 00:00:00Reported by Marek KroemekeType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 20 Views

Riorey "RIOS" Hardcoded Password Vulnerability, full device control via SS

Code
`Title: Riorey "RIOS" Hardcoded Password Vulnerability  
  
Severity: High (Full root access to the device)  
Date: 07 October 2009   
Versions Affected: RIOS 4.6.6 , 4.7.0 possibly others  
Discovered on: 25 July 2009  
Vendor URL: www.riorey.com  
Author: Marek Kroemeke  
  
Overview:  
  
Riorey DDoS mitigation appliences (www.riorey.com) are vulnerable to taking a full control  
over affected devices via a hardcoded username and password used to create  
a SSH tunnel between the RView application and the device itself.   
  
  
Details:  
  
Riorey devices running affected "RIOS" versions have a hardcoded username and password  
that is then used by the RView software to connect on port 8022 in order to create  
a SSH tunnel. This allows the attacker to login as user 'dbuser' using  
the hardcoded password, and due to an old Linux kernel version used - escalate privilages  
through several vulnerabilities and eventually take the full control over the device.  
  
Additionally - the web interface advices the user to reset the admin password for security reasons,  
but the RView application still uses the hardcoded password in order to create the SSH tunnel which  
may result in a false sense of security.  
  
Proof of Concept:  
  
Open your favorite SSH client and use the following detials in order to login:  
  
port: 8022  
username: dbadmin  
password: sq!us3r  
  
-- cut --  
root@rioreyXXXXXXX dbuser # id  
uid=0(root) gid=0(root) groups=0(root)  
root@rioreyXXXXXXX dbuser # uname -a  
Linux rioreyXXXXXXX 2.6.16.6 #23 SMP Fri Oct 24 19:29:08 EDT 2008 x86_64  
Dual-Core AMD Opteron(tm) Processor 1210 HE AuthenticAMD GNU/Linux  
-- cut --  
  
  
Mitigation:  
  
Login to the device via SSH using the above details, and reset the password using the 'passwd' command.  
  
  
Vendor Contact:  
30 July 2009 - Initial vendor contact  
31 July 2009 - Vendor replies advising to use a firewall in front of the device  
01 August 2009 - Vendor replies that next software release will address this problem, work in progress  
09 August 2009 - Vendor sends an email confirming that it's not ready yet but will be by the end of the month  
16 August 2009 - Confirmation about realease day of a patched version - 05 October 2009  
07 October 2009 - Releasing the vulnerability report.   
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Oct 2009 00:00Current
0.1Low risk
Vulners AI Score0.1
rioreyrioshardcoded passwordssh tunnelddos mitigationdevice controlssh clientfull root accessvendor urlusernamepasswordsecurityprivilege escalationlinux kernelvulnerability reportversionfirmware updatevendor contactproof of concept
20