It's not the first time that a manufacturer has a secret root account. It just got out
Jon Langeler
Michwave Technologies, Inc.

> On Nov 12, 2016, at 7:09 AM, Paul Stewart <p...@paulstewart.org> wrote:
>
> Yikes….
>
>
> [+] Credits: Ian Ling
> [+] Website: iancaling.com
> [+] Source: http://blog.iancaling.com/post/153011925478/
>
> Vendor:
> =================
> www.trangosys.com
>
> Products:
> ======================
> All models. Newer versions use a different password.
>
> Vulnerability Type:
> ===================
> Default Root Account
>
> CVE Reference:
> ==============
> N/A
>
> Vulnerability Details:
> =====================
>
> Trango devices all have a built-in, hidden root account, with a default
> password that is the same across many devices and software revisions. This
> account is accessible via ssh and grants access to the underlying embedded
> unix OS on the device, allowing full control over it. Recent software updates
> for some models have changed this password, but have not removed this
> backdoor. See source above for details on how the password was found.
>
> The particular password I found is 9 characters, all lowercase, no numbers:
> "bakergiga"
> Their support team informed me that there is a different password on newer
> devices.
>
> The password I found works on the following devices:
>
> -Apex <= 2.1.1 (latest)
> -ApexLynx < 2.0
> -ApexOrion < 2.0
> -ApexPlus <= 3.2.0 (latest)
> -Giga <= 2.6.1 (latest)
> -GigaLynx < 2.0
> -GigaOrion < 2.0
> -GigaPlus <= 3.2.3 (latest)
> -GigaPro <= 1.4.1 (latest)
> -StrataLink < 3.0
> -StrataPro - all versions?
>
> Impact:
> The remote attacker has full control over the device, including shell access.
> This can lead to packet sniffing and tampering, bricking the device, and use
> in botnets.
>
>
> Disclosure Timeline:
> ===================================
> Vendor Notification: October 7, 2016
> Public Disclosure: November 10, 2016
>
> Exploitation Technique:
> =======================
> Remote
>
> Severity Level:
> ================
> Critical
>
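The advisory above describes a hidden account with root privileges that is reachable over SSH. As an added, defender-side example (editor's code, not part of the thread, the advisory, or any Trango software), the script below shows the two checks an operator would run to find such an account on an embedded Linux/Unix device: audit /etc/passwd and /etc/shadow for any account that has UID 0 or an interactive shell with a usable password hash and is not on the operator's allow-list, and scan sshd logs for successful logins by accounts outside that allow-list. The passwd, shadow and log contents are constructed sample data; the account name "svc" is a placeholder and is not the real Trango account name, and the hashes and addresses are made up.

```python
# Added example (not from the advisory or the mailing-list thread): audit for an
# unexpected privileged account of the kind the advisory describes, and detect
# its use in sshd logs. All sample data below is constructed; "svc" is a
# placeholder account name, not the real one.

import re
from dataclasses import dataclass

# Constructed sample /etc/passwd. Only "root" should have UID 0 and only
# "admin" should have an interactive shell; "svc" is the planted backdoor.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/sh
svc:x:0:0::/:/bin/sh
"""

# Constructed sample /etc/shadow; "*" or a leading "!" means the account is locked.
SAMPLE_SHADOW = """\
root:$6$salt$hashed:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
admin:$6$salt$hashed:17000:0:99999:7:::
svc:$6$salt$hashed:17000:0:99999:7:::
"""

# Constructed sshd log lines in the OpenSSH "Accepted/Failed ... for USER from HOST" format.
SAMPLE_SSHD_LOG = """\
Nov 10 02:13:44 radio sshd[812]: Accepted password for admin from 10.0.0.5 port 51212 ssh2
Nov 10 02:15:01 radio sshd[820]: Accepted password for svc from 198.51.100.23 port 40022 ssh2
Nov 10 02:16:30 radio sshd[830]: Failed password for root from 198.51.100.23 port 40100 ssh2
"""

# Accounts the operator knows about and expects to exist on the device.
EXPECTED_ACCOUNTS = {"root", "admin"}

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass
class Finding:
    user: str
    reason: str


def parse_passwd(text):
    """Return {user: (uid, shell)} from passwd-format text, skipping malformed lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or line.startswith("#"):
            continue
        entries[fields[0]] = (int(fields[2]), fields[6])
    return entries


def parse_shadow(text):
    """Return the set of users whose shadow entry holds a usable (non-locked) hash."""
    usable = set()
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        pw = fields[1]
        if pw and pw != "*" and not pw.startswith("!"):
            usable.add(fields[0])
    return usable


def audit_accounts(passwd_text, shadow_text, expected=EXPECTED_ACCOUNTS):
    """Flag accounts outside the allow-list that have UID 0 or can log in interactively."""
    findings = []
    usable = parse_shadow(shadow_text)
    for user, (uid, shell) in parse_passwd(passwd_text).items():
        if user in expected:
            continue
        if uid == 0:
            findings.append(Finding(user, "unexpected UID 0 account"))
        if shell not in NOLOGIN_SHELLS and user in usable:
            findings.append(Finding(user, "unexpected account with login shell and usable password"))
    return findings


ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port \d+")


def unexpected_logins(log_text, expected=EXPECTED_ACCOUNTS):
    """Return (user, source_address) for successful SSH logins by accounts not on the allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m.group(1) not in expected:
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"[account] {f.user}: {f.reason}")
    for user, src in unexpected_logins(SAMPLE_SSHD_LOG):
        print(f"[sshd] unexpected login by {user} from {src}")
```

On a real device, feed the functions the contents of the device's own /etc/passwd, /etc/shadow and sshd log instead of the constructed samples, and put every account you actually provisioned into the allow-list; anything the audit then reports is an account the operator did not create. The log check only catches logins that sshd logged, so on a firmware where the vendor account bypasses normal logging, the passwd/shadow audit is the one to rely on.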